Merge pull request #8 from ZDF-OSS/feature/add_dashboards

feat: adding cloud watch dashboard and bumb deps

Author: AyoubUmoru

.github/workflows/upgrade-main.yml

@@ -8,6 +8,7 @@ const project = new awscdk.AwsCdkConstructLibrary({
   author: 'ZeroDotFive',
   authorAddress: 'ayoub.umoru@zerodotfive.com',
   cdkVersion: '2.84.0',
+  majorVersion: 1,
   defaultReleaseBranch: 'main',
   authorOrganization: true,
   jsiiVersion: '~5.0.0',

.projen/tasks.json

@@ -25,6 +25,12 @@ Third-party Language Deprecation: language version is only supported until its E
 
 * AWS Managed Rules for AWS WAF is a managed service that provides protection against common application vulnerabilities or other unwanted traffic (https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html)
 
+* Cloud Watch Dashboards with AWS Logs Insights
+  
+
+
+![dashboard](/assets/dashboard.png)
+
 
 ***AWS Managed Rules***
 AWS Managed Rules for AWS WAF is a managed service that provides protection against common application vulnerabilities or other unwanted traffic. You have the option of selecting one or more rule groups from AWS Managed Rules for each web ACL, up to the maximum web ACL capacity unit (WCU) limit.
@@ -71,6 +77,7 @@ When you use a geo match statement just for the region and country labels that i
 
       priority: 100,
       resourceArn: lb.loadBalancerArn,
+      // Switching on CloudWatch Logs also provisions a CloudWatch Dashboard
       enableCloudWatchLogs: true,
     });
 ```

.projenrc.ts

@@ -0,0 +1,117 @@
+import * as cdk from 'aws-cdk-lib';
+import { LogQueryVisualizationType, LogQueryWidget } from 'aws-cdk-lib/aws-cloudwatch';
+import * as cw from 'aws-cdk-lib/aws-cloudwatch';
+import * as logs from 'aws-cdk-lib/aws-logs';
+import { Construct } from 'constructs';
+
+export interface IDashboardProps {
+  cloudwatchLogName: string;
+}
+
+export class CloudWatchWAFDashboard extends Construct {
+  constructor(scope: Construct, id: string, props: IDashboardProps) {
+    super(scope, id);
+
+    new logs.QueryDefinition(this, 'waf-qd-allowed-requests', {
+      queryDefinitionName: 'Allowed requests by country',
+      logGroups: [
+        logs.LogGroup.fromLogGroupName(
+          this,
+          'log-group-blocked',
+          props.cloudwatchLogName,
+        ),
+      ],
+      queryString: new logs.QueryString({
+        stats: 'count(*) as countries by httpRequest.country',
+        filterStatements: ['action = "ALLOW"'],
+      }),
+    });
+    new logs.QueryDefinition(this, 'waf-qd-blocked-requests', {
+      queryDefinitionName: 'Blocked requests by country',
+      logGroups: [
+        logs.LogGroup.fromLogGroupName(
+          this,
+          'log-group-allowed',
+          props.cloudwatchLogName,
+        ),
+      ],
+      queryString: new logs.QueryString({
+        stats: 'count(*) as countries by httpRequest.country',
+        filterStatements: ['action = "BLOCKED"'],
+      }),
+    });
+
+    const blockedWidget = new LogQueryWidget({
+      title: 'Blocked requests by Country',
+      height: 12,
+      width: 12,
+      logGroupNames: [props.cloudwatchLogName],
+      view: LogQueryVisualizationType.PIE,
+      queryLines: [
+        'filter action = "BLOCK"',
+        'stats count(*) as countries by httpRequest.country',
+      ],
+    });
+    const allowedWidget = new LogQueryWidget({
+      title: 'Allowed requests by Country',
+      height: 12,
+      width: 12,
+      logGroupNames: [props.cloudwatchLogName],
+      view: LogQueryVisualizationType.PIE,
+      queryLines: [
+        'filter action = "ALLOW"',
+        'stats count(*) as countries by httpRequest.country',
+      ],
+    });
+    const blockedCount = new LogQueryWidget({
+      title: 'Rules blocking requests',
+      height: 8,
+      width: 12,
+      logGroupNames: [props.cloudwatchLogName],
+      view: LogQueryVisualizationType.TABLE,
+      queryLines: [
+        'filter action = "BLOCK"',
+        'stats count(*) as blockded by terminatingRuleId as rule',
+      ],
+    });
+
+    const blockedAgents = new LogQueryWidget({
+      title: 'Top 30 Blocked User-Agents',
+      height: 8,
+      width: 12,
+      logGroupNames: [props.cloudwatchLogName],
+      view: LogQueryVisualizationType.TABLE,
+      queryLines: [
+        'fields @timestamp, @message',
+        'parse @message /(?i)"name":"user-agent","value":"(?<httpRequestUserAgent>[^"]+)/',
+        'filter action == "ALLOW"',
+        'stats count() as count by httpRequestUserAgent as UserAgent',
+        'sort by count desc',
+      ],
+    });
+    const allowedAgents = new LogQueryWidget({
+      title: 'Top 30 Allowed User-Agents',
+      height: 8,
+      width: 12,
+      logGroupNames: [props.cloudwatchLogName],
+      view: LogQueryVisualizationType.TABLE,
+      queryLines: [
+        'fields @timestamp, @message',
+        'parse @message /(?i)"name":"user-agent","value":"(?<httpRequestUserAgent>[^"]+)/',
+        'filter action == "BLOCK"',
+        'stats count() as count by httpRequestUserAgent as UserAgent',
+        'sort by count desc',
+      ],
+    });
+    const dashboard = new cw.Dashboard(this, 'Dash', {
+      defaultInterval: cdk.Duration.days(7),
+    });
+
+    dashboard.addWidgets(blockedWidget);
+    dashboard.addWidgets(allowedWidget);
+    dashboard.addWidgets(blockedCount);
+    dashboard.addWidgets(blockedAgents);
+    dashboard.addWidgets(allowedAgents);
+
+  }
+}

API.md

@@ -6,6 +6,7 @@ import { NodejsFunction } from 'aws-cdk-lib/aws-lambda-nodejs';
 import { RetentionDays } from 'aws-cdk-lib/aws-logs';
 import { Provider } from 'aws-cdk-lib/custom-resources';
 import { Construct } from 'constructs';
+import { CloudWatchWAFDashboard } from './components/dashboard';
 import { WafRulesGeoBlock } from './components/waf-rule-geoblock';
 import { WafRulesManagedBuilder } from './components/waf-rule-managed';
 
@@ -21,7 +22,7 @@ export interface ICdkWafGeoLibProps {
   priority: number;
   /** Deprecated: -  use enableGeoBlocking Switch to control if the rule should block or count incomming requests. */
   block?: boolean;
-  /** Sends logs to a CloudWatch LogGroup with a retention on it. */
+  /** Sends logs to a CloudWatch LogGroup with a retention on it. If enabled you also get a CloudWatch Dashboard.*/
   enableCloudWatchLogs?: boolean;
   /** Name of the CloudWatch LogGroup where requests are stored. */
   cloudWatchLogGroupName?: string;
@@ -54,8 +55,8 @@ export interface ICdkWafGeoLibProps {
   enableAWSMangedRulePHPProtect?: boolean;
   /** The WordPress application rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to WordPress sites. You should evaluate this rule group if you are running WordPress. This rule group should be used in conjunction with the SQL database and PHP application rule groups. */
   enableAWSMangedRuleWorkpressProtect?: boolean;
-
 }
+
 export class CdkWafGeoLib extends Construct {
   public readonly customResourceResult?: string;
   constructor(scope: Construct, id: string, props: ICdkWafGeoLibProps) {
@@ -185,12 +186,14 @@ export class CdkWafGeoLib extends Construct {
           },
         },
       );
+
       this.customResourceResult = customResourceResult.getAttString('Result');
       new wafv2.CfnWebACLAssociation(this, 'WAFAssociation', {
         resourceArn: props.resourceArn,
         webAclArn: cfnWebACL.attrArn,
       });
       // END
+      new CloudWatchWAFDashboard(this, 'waf-cloudwatch-dashboard', { cloudwatchLogName: log_group.logGroupName });
     }
   }
 }