In the last post I covered off how to create a REGIONAL WAF in CDK. In this post I’m going to create a CLOUDFRONT WAF. This is a little bit more involved. I’m going to assume that your application stack is not in us-east-1 and thus we’ll need to create another stack in us-east-1. This is going to use several of the tricks we discussed in an earlier post. Existing Let’s say you have an existing stack that has a CloudFront distribution in it. Read more

AWS CDK Doesn’t yet have a highlevel WAFv2 construct. Using the learnings I’ve recently discussed, I’ve created two constructs. One you can use for REGIONAL WAFs and one for CLOUDFRONT WAFs. AWS CDK seems to be moving towards an approach of having cross regional resources created via custom resources, but this doesn’t exist for WAF yet, and I’ve had mixed results. In this post we will first start with the REGIONAL solution. Read more

I love security and love to keep my systems security. I have been using capabilities such as SPF and DKIM records and more recently DMARC records and ensuring I have quality SSL setup on my web server and testing using https://www.ssllabs.com/ssltest/ and ensuring I have quality headers too and test using https://securityheaders.com/. Now that Route 53 supports DNSSEC (https://datatracker.ietf.org/doc/html/rfc4033) I figured it was about time I enabled it. You can find some information about DNSSEC and enabling on your domain by following the AWS blog post: https://aws. Read more

A few people asked me about Mutual Authentication, and I also wanted to see if I could get Internet access working. I’m starting with a VPC that has 3 subnets in 3 AZs (for 9 subnets in total). 3 of the subnets are marked “public” and have the default route via the IGW. In these 3 public subnets lives 3 NAT Gateways. The other 6 subnets (named app and db) have default routes via the NAT Gateways. Read more

Back around re:Invent some very observent people picked up on a slide about an AWS Client VPN being available. Which was interesting because no one had seen a blog or any release information about it. Not long (about 2 weeks) after re:Invent the AWS Client VPN made an appearance. This was great news. But it seemed maybe it was a little bit less than MVP and was rushed out due to the false starts. Read more