updated security file

Helenaden · Helenaden · commit 5b0dbb6b006f · 2025-08-18T11:32:38.000+01:00
diff --git a/rds.tf b/rds.tf
@@ -43,4 +43,12 @@ resource "aws_db_instance" "database-instance" {
   db_name  = "webappdb"
   # amazonq-ignore-next-line
   skip_final_snapshot = true
+
+  # Enable log exports to CloudWatch
+  enabled_cloudwatch_logs_exports = [
+    "audit",
+    "error",
+    "general",
+    "slowquery"
+  ]
 }
diff --git a/security.tf b/security.tf
@@ -125,11 +125,13 @@ resource "aws_wafv2_web_acl" "web_acl" {
   # This rule is a pre-configured rule set from AWS
   # that protects against common exploits like SQLi and XSS.
   rule {
-    name     = "AWS-AWSManagedRulesCommonRuleSet"
+    # Use a unique name for this rule
+    name     = "CommonRuleSet"
     priority = 1
     statement {
       managed_rule_group_statement {
         vendor_name = "AWS"
+        # This is the correct managed rule group name from AWS
         name        = "AWSManagedRulesCommonRuleSet"
       }
     }
@@ -139,18 +141,20 @@ resource "aws_wafv2_web_acl" "web_acl" {
     }
     visibility_config {
       cloudwatch_metrics_enabled = true
-      metric_name                = "CommonRuleSet"
+      metric_name                = "CommonRuleSetMetrics" # Must be unique
       sampled_requests_enabled   = true
     }
   }
 
-  # Rule to protect against Log4j2 vulnerabilities
+  # Rule to protect against Log4j2 vulnerabilities and other bad inputs
   rule {
-    name     = "AWS-AWSManagedRulesKnownBadInputsRuleSet"
+    # Use a unique name for this rule
+    name     = "KnownBadInputs"
     priority = 2
     statement {
       managed_rule_group_statement {
         vendor_name = "AWS"
+        # This is the correct managed rule group name from AWS
         name        = "AWSManagedRulesKnownBadInputsRuleSet"
       }
     }
@@ -159,7 +163,7 @@ resource "aws_wafv2_web_acl" "web_acl" {
     }
     visibility_config {
       cloudwatch_metrics_enabled = true
-      metric_name                = "KnownBadInputsRuleSet"
+      metric_name                = "KnownBadInputsMetrics" # Must be unique
       sampled_requests_enabled   = true
     }
   }
@@ -175,4 +179,4 @@ resource "aws_wafv2_web_acl" "web_acl" {
 resource "aws_wafv2_web_acl_association" "web_acl_assoc" {
   resource_arn = aws_lb.web_alb.arn
   web_acl_arn  = aws_wafv2_web_acl.web_acl.arn
-}
+}

Original file line number	Diff line number	Diff line change
`@@ -125,11 +125,13 @@ resource "aws_wafv2_web_acl" "web_acl" {`
`125`	`125`	`# This rule is a pre-configured rule set from AWS`
`126`	`126`	`# that protects against common exploits like SQLi and XSS.`
`127`	`127`	`rule {`
`128`		`- name = "AWS-AWSManagedRulesCommonRuleSet"`
	`128`	`+ # Use a unique name for this rule`
	`129`	`+ name = "CommonRuleSet"`
`129`	`130`	`priority = 1`
`130`	`131`	`statement {`
`131`	`132`	`managed_rule_group_statement {`
`132`	`133`	`vendor_name = "AWS"`
	`134`	`+ # This is the correct managed rule group name from AWS`
`133`	`135`	`name = "AWSManagedRulesCommonRuleSet"`
`134`	`136`	`}`
`135`	`137`	`}`
`@@ -139,18 +141,20 @@ resource "aws_wafv2_web_acl" "web_acl" {`
`139`	`141`	`}`
`140`	`142`	`visibility_config {`
`141`	`143`	`cloudwatch_metrics_enabled = true`
`142`		`- metric_name = "CommonRuleSet"`
	`144`	`+ metric_name = "CommonRuleSetMetrics" # Must be unique`
`143`	`145`	`sampled_requests_enabled = true`
`144`	`146`	`}`
`145`	`147`	`}`
`146`	`148`
`147`		`- # Rule to protect against Log4j2 vulnerabilities`
	`149`	`+ # Rule to protect against Log4j2 vulnerabilities and other bad inputs`
`148`	`150`	`rule {`
`149`		`- name = "AWS-AWSManagedRulesKnownBadInputsRuleSet"`
	`151`	`+ # Use a unique name for this rule`
	`152`	`+ name = "KnownBadInputs"`
`150`	`153`	`priority = 2`
`151`	`154`	`statement {`
`152`	`155`	`managed_rule_group_statement {`
`153`	`156`	`vendor_name = "AWS"`
	`157`	`+ # This is the correct managed rule group name from AWS`
`154`	`158`	`name = "AWSManagedRulesKnownBadInputsRuleSet"`
`155`	`159`	`}`
`156`	`160`	`}`
`@@ -159,7 +163,7 @@ resource "aws_wafv2_web_acl" "web_acl" {`
`159`	`163`	`}`
`160`	`164`	`visibility_config {`
`161`	`165`	`cloudwatch_metrics_enabled = true`
`162`		`- metric_name = "KnownBadInputsRuleSet"`
	`166`	`+ metric_name = "KnownBadInputsMetrics" # Must be unique`
`163`	`167`	`sampled_requests_enabled = true`
`164`	`168`	`}`
`165`	`169`	`}`
`@@ -175,4 +179,4 @@ resource "aws_wafv2_web_acl" "web_acl" {`
`175`	`179`	`resource "aws_wafv2_web_acl_association" "web_acl_assoc" {`
`176`	`180`	`resource_arn = aws_lb.web_alb.arn`
`177`	`181`	`web_acl_arn = aws_wafv2_web_acl.web_acl.arn`
`178`		`-}`
	`182`	`+}`