Releases: aws-solutions/aws-waf-security-automations

[4.1.0] - 2025-07-30

30 Jul 19:38
b07e249

Added

  • Added CDK support
  • Added WAF rate based rule parameters in HTTP Flood Custom Rule
  • Added lambda power tools for tracing and logging

Changed

  • Updated the poetry version
  • Updated dependencies to address jinja2 CVE-2024-56201
  • Updated dependencies: botocore, boto3, responses, coverage, certifi, charset-normalizer, pluggy, s3transfer, typing-extensions, pytest-mock, freezegun, urllib3
  • Updated dependencies to address cryptography CVE-2024-12797
  • Updated dependency version of requests to address CVE-2024-47081
  • Updated deployment scripts based on CDK changes
  • Replaced the deprecated datetime method utcnow() with now(datetime.UTC)
  • Updated bad bot component behavior with improved log parsing support and detection logic
  • Updated waflib API and removed redundant calls
  • Removed the HTTP-request-based approach for IP detection and added WAF-log-based analysis to find the IP for bad bots
  • Updated temporary folders restrictions

Fixed

Removed

  • Removed old stack templates
  • Access handler and Amazon API Gateway resources

[4.0.6] - 2024-12-17

17 Dec 19:34
321d3bf

Changed

  • Update the lambda to python 3.12

Fixed

  • Added a check for the payload before sanitizing and logging it (GitHub issue 274)

[4.0.5] - 2024-10-24

29 Oct 14:27
885146e

Changed

  • Add poetry.lock to pin dependency versions for Python code
  • Adapt build scripts to use Poetry for dependency management
  • Replace native Python logger with aws_lambda_powertools logger

[4.0.4] - 2024-09-23

23 Sep 20:01
28b94cf

Fixed

  • Patched dependency version of requests to 2.32.3 to mitigate CVE-2024-3651
  • Pinned all dependencies to specific versions for reproducible builds and to enable security scanning
  • Allow installing the latest version of urllib3 as a transitive dependency

v4.0.3

23 Oct 17:41
bf5ca0d

[4.0.3] - 2023-10-25

Fixed

  • Patched urllib3 vulnerability as it is possible for a user to specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if that user doesn't disable redirects explicitly. For more details: CVE-2023-43804

v4.0.2

11 Sep 17:12
50ecbe0

[4.0.2] - 2023-09-11

Fixed

  • Update trademarked name. From aws-waf-security-automations.zip to security-automations-for-aws-waf.zip
  • Refactor to reduce code complexity
  • Patched requests package vulnerability leaking Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. For more details: CVE-2023-32681 (GitHub issue 248)

v4.0.1

19 May 17:00
130ec1b

Fixed

  • Updated gitignore files to resolve the issue for missing files #243, #244, #245

v4.0.0

11 May 18:38
43bf6bd

Added

  • Added support for 10 new AWS Managed Rules rule groups (AMR)
  • Added support for country and URI configurations in HTTP Flood Athena log parser
  • Added support for user-defined S3 prefix for application access log bucket
  • Added support for CloudWatch log retention period configuration
  • Added support for multiple solution deployments in the same account and region
  • Added support for exporting CloudFormation stack output values
  • Replaced the hard coded amazonaws.com with {AWS::URLSuffix} in BadBotHoneypot API endpoint

Fixed

  • Avoid account-wide API Gateway logging setting change by deleting the solution stack GitHub issue 213
  • Avoid creating a new logging bucket for an existing app access log bucket that already has logging enabled

v3.2.5

17 Apr 22:49
313a0c6

[3.2.5] - 2023-04-18

Patched

  • Patch s3 logging bucket settings
  • Updated the timeout for requests

v3.2.4

01 Feb 21:35
bee15d7

[3.2.4] - 2023-02-06

Changed