accompanist 1.0.4

AWS WAF log analysis report generator

Introduction

Accomapnist - It's an accompanist on AWS WAF log analysis.

You can analysis AWS WAF log and generate analysis report with only 2 CLI commands.

• The feature & Report Item
  • Histgram of requests
  • Top 5 of below items
    • Blocked or counted rule group
    • URI path
    • IP address
    • Country code
  • The number of requests on specific URI
  • Comment (written by you if you have any comments))

Note

• Target WAF

  • AWS WAFv2
    • Logging: CloudWatch Logs
    • Action: BLOCK or COUNT
  • Third Party WAF
    • Logging: CloudWatch Logs
    • Action: BLOCK or COUNT

• Requirement of Client Environment

  • IAM Role/User: including permissions to execute as follows
    • (1) start_query of Logs Insights
    • (2) get_query_result of Logs Insights
    • The example role is noted the last

Install

pip install accompanist

Usage

1. Create configuration file (JSON format) including 3 elements below

(e.g.) config.json

{
  "log_group": "aws-waf-logs-foo-bar",
  "target_uri": [
    "/foo",
    "/bar"
  ],
  "comment": [
    "- note 1",
    "- note 2",
    "-",
    "-",
    "-"
  ]
}

2. Get query result

(e.g.) To get BLOCK log for 3 days

accompanist listen --action BLOCK --days 3

3. Generate report (PDF format)

accompanist play

Uninstall

pip uninstall accompanist

Index

IAM Role with minimum permissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CWLI",
            "Effect": "Allow",
            "Action": [
                "logs:StartQuery",
                "logs:GetQueryResults"
            ],
            "Resource": "*"
        }
    ]
}

In the "Resource", you should consider to squeeze only needed ARNs as well.