All notable changes to this project will be documented in this file. The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Updated cryptography to version 46.0.7 to address CVE-2026-26007, CVE-2026-34073, and CVE-2026-39892
- Updated werkzeug to version 3.1.6 to address CVE-2026-27199
- Updated minimatch to version 3.1.5 to address CVE-2026-26996
- Updated aws-cdk-lib to version 2.248.0 to address CVE-2025-69873, CVE-2026-27903, CVE-2026-33532, and CVE-2026-33750
- Updated flatted to version 3.4.2 to address CVE-2026-32141 and CVE-2026-33228
- Updated picomatch to versions 2.3.2 and 4.0.4 to address CVE-2026-33671 and CVE-2026-33672
- Updated brace-expansion to versions 1.1.13 and 5.0.5 to address CVE-2026-33750
- Updated requests to version 2.33.1 to address insecure temp file reuse in extract_zipped_paths()
- Updated urllib3 to version 2.6.3 to address CVE-2026-21441
- Updated werkzeug to version 3.1.5 to address CVE-2026-21860
- Updated urllib3 to version 2.6.1 to address CVE-2025-66418 and CVE-2025-66471
- Updated js-yaml to version 4.1.1 to address CVE-2025-64718
- Updated werkzeug to version 3.1.4 to address CVE-2025-66221
- Added CDK support
- Added WAF rate based rule parameters in HTTP Flood Custom Rule
- Added lambda power tools for tracing and logging
- Updated the poetry version
- Updated dependencies to address jinja2 CVE-2024-56201
- Updated dependencies: botocore, boto3, responses, coverage, certifi, charset-normalizer, pluggy, s3transfer, typing-extensions, pytest-mock, freezegun, urllib3
- Updated dependencies to address cryptography CVE-2024-12797
- Updated dependency version of requests to address CVE-2024-47081
- Updated deployment scripts based on CDK changes
- Replaced the deprecated datetime.utcnow() with datetime.now(datetime.UTC)
- Updated bad bot component behavior with improved log parsing support and detection logic
- Updated waflib API and removed redundant calls
- Updated temporary folder restrictions
- Changed metrics collection services
- Fixed invalid CRON expression (GitHub issue 261)
- Fixed Honeypot detecting IP address with CloudFront (GitHub issue 250)
- Fixed CloudFormation drift for WebACL nested stack (GitHub issue 257)
- Removed old stack templates
- Removed access handler and Amazon API Gateway resources
- Removed the HTTP request based approach for IP detection and added WAF log based analysis to find the IP addresses of bad bots
- Removed Service Catalog AppRegistry integration
- Updated the Lambda functions to Python 3.12
- Added a check of the payload before sanitizing and logging it (GitHub issue 274)
- Added poetry.lock to pin dependency versions for Python code
- Adapted build scripts to use Poetry for dependency management
- Replaced native Python logger with aws_lambda_powertools logger
- Patched dependency version of requests to 2.32.3 to mitigate CVE-2024-3651
- Pinned all dependencies to specific versions for reproducible builds and to enable security scanning
- Allowed installation of the latest version of urllib3 as a transitive dependency
- Patched urllib3 vulnerability: a user could specify a Cookie header and unknowingly leak information via HTTP redirects to a different origin if redirects were not explicitly disabled. For more details: CVE-2023-43804
- Updated trademarked name from aws-waf-security-automations.zip to security-automations-for-aws-waf.zip
- Refactored to reduce code complexity
- Patched requests package vulnerability that leaked Proxy-Authorization headers to destination servers when redirected to an HTTPS endpoint. For more details: CVE-2023-32681 (GitHub issue 248)
- Updated .gitignore files to resolve the missing files issue (GitHub issues 244, 243 and 245)
- Added support for 10 new AWS Managed Rules rule groups (AMR)
- Added support for country and URI configurations in HTTP Flood Athena log parser
- Added support for user-defined S3 prefix for application access log bucket
- Added support for CloudWatch log retention period configuration
- Added support for multiple solution deployments in the same account and region
- Added support for exporting CloudFormation stack output values
- Replaced the hard coded amazonaws.com with {AWS::URLSuffix} in BadBotHoneypot API endpoint
- Avoided the account-wide API Gateway logging setting change caused by deleting the solution stack (GitHub issue 213)
- Avoided creating a new logging bucket for an existing app access log bucket that already has logging enabled
- Patched S3 logging bucket settings
- Updated the timeout for requests
- Upgraded pytest to mitigate CVE-2022-42969
- Upgraded requests and subsequently certifi to mitigate CVE-2022-23491
- Added region as prefix to application attribute group name to avoid conflict with names starting with AWS
- Added AppRegistry integration
- Added support for configuring oversize handling for requests components
- Added support for configuring sensitivity level for SQL injection rule
- Added IP retention support on Allowed and Denied IP Sets
- Bug fixes
- Replaced S3 path-style with virtual-hosted style
- Added partition variable to all ARNs
- Updated bug report
- Added an option to deploy AWS Managed Rules for WebACL on installation
- Upgraded from WAF classic to WAFV2 API
- Eliminated dependency on NodeJS and adopted Python as the standardized programming language
- Implemented Athena optimization: added partitioning for CloudFront, ALB and WAF logs and Athena queries
- Fixed potential DoS vector within Bad Bots X-Forwarded-For header handling
- Fixed README file to accurately reflect script params
- Upgraded from Python 3.7 to 3.8
- Changed RequestThreshold min limit from 2000 to 100
- Fixed error handling of intermittent issue (WAFStaleDataException) when calling UpdateWebACL
- Upgraded from Node 8 to Node 10 for the Lambda function