Update documentation with current infrastructure state

- Update all resource IDs to match current deployment - CloudFront Distribution: EATJ1HDQU8V51 - WAF Web ACL: d61073b6-27b1-473e-aa9f-d2aa4a4c75a6 - WAF IP Set: a9e47946-c186-4b28-83a8-fe3aeb9c296b - ACM Certificate: b011e60a-1ea1-4dd3-844f-e0851ece4784 - Route53 Zone: Z01934581JQAF2GS71GG - Reflect enabled ACM certificate and Route53 DNS management - Update all AWS CLI commands with correct resource IDs 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-09 15:32:35 +09:00
parent 3b66e6d29f
commit d5440630f5
3 changed files with 460 additions and 340 deletions
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -2,6 +2,10 @@
 This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
 ## Project Overview
 AWS CloudFront CDN with CrowdSec real-time security integration via Lambda. Implements automated IP blocking through webhook notifications.
 ## Common Development Commands
 ### Infrastructure Management
@@ -30,10 +34,10 @@ echo "yes" | tofu init -migrate-state
 ### Validation and Formatting
 ```bash
-# Validate Terraform configuration
+# Validate configuration
 tofu validate
-# Format Terraform files
+# Format files
 tofu fmt
 # Check syntax and validate variables
@@ -42,8 +46,8 @@ tofu plan -var-file=terraform.tfvars
 ### AWS Resource Verification
 ```bash
-# Check CloudFront distribution status
+# Check CloudFront distribution status (Current Distribution ID: EATJ1HDQU8V51)
-aws cloudfront get-distribution --id E1XR8P4ENGP8RU --query 'Distribution.Status' --output text
+aws cloudfront get-distribution --id EATJ1HDQU8V51 --query 'Distribution.Status' --output text
 # List all CloudFront distributions
 aws cloudfront list-distributions --query 'DistributionList.Items[*].[Id,Status,DistributionConfig.Enabled]' --output table
@@ -64,7 +68,7 @@ This is an AWS CloudFront CDN deployment using OpenTofu (Terraform fork) with th
 - **CloudFront Distribution**: Main CDN with custom origin server
 - **WAF v2 Web ACL**: Security layer with rate limiting and AWS managed rules
 - **S3 Backend**: Remote state storage with versioning and encryption
- **Optional CloudFormation Stack**: VPC and networking resources
+- **CrowdSec Integration**: Real-time threat detection and IP blocking
 **Critical Configuration Constraints:**
 - Origin server (`origin.servidor.it.com`) only supports HTTP, not HTTPS
@@ -75,8 +79,10 @@ This is an AWS CloudFront CDN deployment using OpenTofu (Terraform fork) with th
 ### File Structure and Responsibilities
 **Core Infrastructure:**
- `main.tf` - CloudFront distribution, origin configuration, cache behaviors, and optional CloudFormation stack
+- `main.tf` - CloudFront distribution, origin configuration, cache behaviors
 - `security.tf` - WAF Web ACL with rate limiting, managed rule sets, and security groups
 - `lambda.tf` - CrowdSec Lambda integration with API Gateway
 - `lambda-crowdsec-waf.py` - Lambda function for real-time IP management
 - `variables.tf` - All configurable parameters with validation rules
 - `outputs.tf` - CloudFront URLs, distribution IDs, and resource ARNs
@@ -100,6 +106,7 @@ This is an AWS CloudFront CDN deployment using OpenTofu (Terraform fork) with th
 - WAF protection with AWS managed rules and rate limiting
 - S3 buckets with encryption, versioning, and public access blocking
 - Security groups with principle of least privilege (when VPC enabled)
 - CrowdSec real-time threat detection with Lambda integration
 **Cache Strategy:**
 - Default behavior uses CachingDisabled policy for dynamic content
@@ -115,9 +122,9 @@ This is an AWS CloudFront CDN deployment using OpenTofu (Terraform fork) with th
 ### Critical Settings in terraform.tfvars
 - `origin_protocol_policy = "http-only"` - **Do not change to HTTPS** (causes 504 errors)
- `create_acm_certificate = false` - Custom certificates fail due to CAA restrictions
+- `create_acm_certificate = true` - ACM certificate enabled for custom domain
 - `enable_waf = true` - WAF is working and provides important security
- `create_route53_records = false` - DNS management disabled due to CAA restrictions
+- `create_route53_records = true` - Route53 DNS management enabled
 ### State Management
 - Backend uses S3 without DynamoDB locking (single developer setup)
@@ -135,15 +142,148 @@ This is an AWS CloudFront CDN deployment using OpenTofu (Terraform fork) with th
 - Compression enabled for all content types
 - Custom error pages redirect 404/403 to index.html for SPA support
-### Working vs Disabled Features
+## CrowdSec Integration
 **🔄 Automated Workflow**: CrowdSec → API Gateway → Lambda → AWS WAF → CloudFront
 **📊 Current Resources (Updated 2025-09-09):**
 - **CloudFront Distribution ID**: `EATJ1HDQU8V51`
 - **CloudFront URL**: `https://d2mhxhntq3ezzr.cloudfront.net`
 - **WAF Web ACL ID**: `d61073b6-27b1-473e-aa9f-d2aa4a4c75a6`
 - **WAF IP Set ID**: `a9e47946-c186-4b28-83a8-fe3aeb9c296b`
 - **Deployment Status**: `Deployed` ✅
 ### CrowdSec Integration Commands
 **⚠️ Note**: IP management is now automated via CrowdSec webhook integration. Manual commands are for monitoring and emergency use only.
 **View Current Blocked IPs:**
 ```bash
 # View current blocked IPs (Updated IP Set ID)
 aws wafv2 get-ip-set --scope CLOUDFRONT --region us-east-1 \
  --id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
  --name aws-cf-dev-blocked-ips \
  --query 'IPSet.Addresses'
 ```
 **Test CrowdSec Webhook:**
 ```bash
 # Test webhook endpoint
 curl -X POST https://8zdmpjfnhh.execute-api.us-east-1.amazonaws.com/dev/webhook \
  -H "Content-Type: application/json" \
  -H "User-Agent: CrowdSec/1.7.0" \
  -d '[{"uuid":"test","decisions":[{"value":"1.2.3.4","type":"ban","action":"add"}]}]'
 ```
 **Monitor CrowdSec Container:**
 ```bash
 # Check CrowdSec status
 incus exec crowdsec -- cscli metrics
 # View current decisions
 incus exec crowdsec -- cscli decisions list
 # Test notifications
 incus exec crowdsec -- cscli notifications test aws-waf
 ```
 **Lambda Function Monitoring:**
 ```bash
 # Check Lambda logs
 aws logs tail /aws/lambda/aws-cf-dev-crowdsec-waf-updater --follow
 # Test Lambda directly
 aws lambda invoke --function-name aws-cf-dev-crowdsec-waf-updater response.json
 ```
 ### WAF Monitoring
 **Check WAF Metrics:**
 ```bash
 # Check blocked requests
 aws cloudwatch get-metric-statistics --namespace AWS/WAFV2 \
  --metric-name BlockedRequests \
  --dimensions Name=WebACL,Value=aws-cf-dev-waf Name=Rule,Value=BlockedIPsRule \
  --start-time $(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%S) \
  --end-time $(date -u +%Y-%m-%dT%H:%M:%S) \
  --period 300 --statistics Sum
 # Check rate limited requests
 aws cloudwatch get-metric-statistics --namespace AWS/WAFV2 \
  --metric-name BlockedRequests \
  --dimensions Name=WebACL,Value=aws-cf-dev-waf Name=Rule,Value=RateLimitRule \
  --start-time $(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%S) \
  --end-time $(date -u +%Y-%m-%dT%H:%M:%S) \
  --period 300 --statistics Sum
 ```
 ## Working vs Disabled Features
 **Currently Working:**
- CloudFront distribution with HTTP origin
+- CloudFront distribution with HTTP origin ✅
- WAF v2 with managed rules
+- WAF v2 with managed rules ✅
- S3 logging and state storage
+- S3 logging and state storage ✅
- Custom cache behaviors for API paths
+- Custom cache behaviors for API paths ✅
 - IP-based blocking through WAF IP Sets ✅
 **Currently Enabled:**
 - ACM custom certificates (b011e60a-1ea1-4dd3-844f-e0851ece4784) ✅
 - Route53 DNS management (Z01934581JQAF2GS71GG) ✅
 - WAF v2 with IP blocking (d61073b6-27b1-473e-aa9f-d2aa4a4c75a6) ✅
 - CrowdSec webhook integration (setup required) ⚠️
 **Currently Disabled (can be enabled with proper permissions):**
 - ACM custom certificates (CAA restrictions)
 - Route53 DNS management (CAA restrictions)  
 - CloudFormation VPC stack (permission constraints)
 - DynamoDB state locking (permission constraints)
 ## WAF Troubleshooting History
 ### Issue Resolution (2025-09-09)
 **Problem**: WAF IP blocking was not functioning despite proper configuration.
 **Root Cause Analysis:**
 1. **IP Set ID Mismatch**: Commands referenced old IP Set ID (`c43ff364-f3e2-43c7-8462-8fae20599d8d`) instead of actual ID
 2. **CloudFront Deployment State**: Distribution was in "InProgress" status preventing WAF changes from taking effect
 3. **Configuration Synchronization**: WAF and CloudFront association was not properly synchronized
 **Resolution Method:**
 - Complete infrastructure recreation using `tofu destroy` and `tofu apply`
 - All resources recreated with fresh IDs and proper associations
 - WAF rules now properly configured with correct IP Set references
 **Current Status:**
 - ✅ WAF properly associated with CloudFront (`EATJ1HDQU8V51`)
 - ✅ IP blocking rules functional (Priority 1: BlockedIPsRule)
 - ✅ Rate limiting active (10,000 requests/5min per IP)
 - ✅ AWS managed rule sets enabled (Common + Known Bad Inputs)
 - ✅ Test IP blocking verified: `1.2.3.4/32`, `61.77.18.91/32`
 **Key Commands for Manual IP Management:**
 ```bash
 # Add IP to blocked list
 aws wafv2 update-ip-set --scope=CLOUDFRONT --region=us-east-1 \
  --id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
  --name aws-cf-dev-blocked-ips \
  --addresses "IP1/32" "IP2/32" \
  --lock-token $(aws wafv2 get-ip-set --scope=CLOUDFRONT --region=us-east-1 \
    --id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
    --name aws-cf-dev-blocked-ips --query 'LockToken' --output text)
 # Verify WAF-CloudFront association
 aws cloudfront get-distribution --id EATJ1HDQU8V51 \
  --query 'Distribution.DistributionConfig.WebACLId' --output text
 # Check current blocked IPs
 aws wafv2 get-ip-set --scope=CLOUDFRONT --region=us-east-1 \
  --id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
  --name aws-cf-dev-blocked-ips --query 'IPSet.Addresses'
 ```
 **Note**: WAF rule changes may take up to 15 minutes to propagate across CloudFront edge locations.
 # important-instruction-reminders
 Do what has been asked; nothing more, nothing less.
 NEVER create files unless they're absolutely necessary for achieving your goal.
 ALWAYS prefer editing an existing file to creating a new one.
 NEVER proactively create documentation files (*.md) or README files. Only create documentation files if explicitly requested by the User.
--- a/DEPLOYMENT_GUIDE.md
+++ b/DEPLOYMENT_GUIDE.md
@@ -1,241 +1,285 @@
-# AWS CloudFront 배포 가이드
+# AWS CloudFront + CrowdSec 배포 가이드
-## 📋 프로젝트 개요
+## 📋 완전 배포 가이드
-AWS CloudFront CDN을 OpenTofu(Terraform fork)로 구성하여 `origin.servidor.it.com`을 origin으로 사용하는 인프라스트럭처 프로젝트입니다.
+AWS CloudFront CDN과 CrowdSec 실시간 보안 통합 시스템의 단계별 배포 가이드입니다.
-## 🏗️ 현재 인프라 상태
+## 🎯 배포 목표
 - CloudFront CDN 구성 (`origin.servidor.it.com`)
 - CrowdSec 컨테이너 보안 시스템
 - Lambda 기반 실시간 WAF 통합
 - Nginx Proxy Manager 로그 분석
-### CloudFront Distribution
+## ⚠️ 중요 제약사항
- **Distribution ID**: E1XR8P4ENGP8RU
+- **Origin Protocol**: HTTP-only (HTTPS 사용 시 504 에러)
- **CloudFront URL**: https://dspki4yrh5oy1.cloudfront.net
+- **DynamoDB Locking**: 권한 제한으로 비활성화
 - **Origin**: origin.servidor.it.com (HTTP-only)
 - **Status**: ✅ Deployed and Working
-### 보안 설정
+## ✅ 현재 활성화된 기능
- **WAF**: AWS WAF v2 활성화
+- **ACM Certificate**: 활성화됨 (b011e60a-1ea1-4dd3-844f-e0851ece4784)
-  - WAF ID: d21d84c1-edb9-40af-9cdd-27f42f09c499
+- **Route53 Records**: 활성화됨 (Z01934581JQAF2GS71GG)
-  - Rate Limiting: 10,000 requests/5min per IP
+- **WAF Protection**: 활성화됨 (d61073b6-27b1-473e-aa9f-d2aa4a4c75a6)
  - AWS Managed Rules - Common Rule Set (SQL Injection, XSS 방어)
  - AWS Managed Rules - Known Bad Inputs (악성 패턴 차단)
 - **Viewer Protocol**: HTTPS (redirect-to-https)
 - **Origin Protocol**: HTTP-only (중요: HTTPS 사용 시 504 에러)
-### 로깅 및 상태 관리
+## 🚀 1단계: 인프라 배포
 - **CloudFront Logs**: `s3://aws-cf-cloudfront-logs-535294143817/cloudfront-logs/`
 - **Terraform State**: `s3://aws-cf-terraform-state-535294143817/aws-cf/terraform.tfstate`
 - **State Locking**: 비활성화 (DynamoDB 권한 없음)
 ## 🚀 배포 방법
 ### 사전 요구사항
- OpenTofu 또는 Terraform 설치
+- AWS CLI 설정 완료
- AWS CLI 구성
+- OpenTofu 설치 (`brew install opentofu`)
- 필요한 IAM 권한:
+- Incus 설치 및 설정
  - CloudFrontFullAccess
  - S3FullAccess
  - Route53FullAccess
  - AWSCertificateManagerFullAccess
  - AWSWAFFullAccess (WAFv2 포함)
  - AWSCloudFormationFullAccess
-### 초기 설정
+### 인프라 배포
 ```bash
-# S3 Backend 설정 (이미 완료됨)
+# 프로젝트 디렉토리로 이동
-./setup-backend.sh
+cd /Users/kaffa/Projects/was-cf
-# State 마이그레이션 (이미 완료됨)
+# OpenTofu 초기화
 echo "yes" | tofu init -migrate-state
 ```
 ### 배포 명령어
 ```bash
 # 초기화
 tofu init
 # 계획 확인
 tofu plan
-# 배포 실행
+# 인프라 배포
 tofu apply -auto-approve
 # 상태 확인
 tofu state list
 ```
-## 📁 프로젝트 구조
+### 배포 결과 확인
-```
+```bash
-aws-cf/
+# 출력값 확인
-├── main.tf                 # CloudFront 메인 구성
+tofu output
-├── variables.tf            # 변수 정의
+
-├── terraform.tfvars        # 변수 값 설정
+# CloudFront 상태 확인
-├── outputs.tf              # 출력 정의
+aws cloudfront get-distribution --id EATJ1HDQU8V51 --query 'Distribution.Status'
-├── versions.tf             # Provider 버전 관리
+
-├── backend.tf              # S3 Backend 설정
+# WAF 규칙 확인
-├── security.tf             # WAF 및 보안 그룹
+aws wafv2 get-web-acl --scope CLOUDFRONT --id d61073b6-27b1-473e-aa9f-d2aa4a4c75a6 --region us-east-1
 ├── acm.tf                  # ACM 인증서 (비활성화)
 ├── setup-backend.sh        # S3 Backend 설정 스크립트
 ├── README.md               # 기존 문서
 └── DEPLOYMENT_GUIDE.md     # 이 문서
 ```
-## ⚙️ 중요 설정 내용
+## 🔒 2단계: CrowdSec 컨테이너 설정
-### terraform.tfvars 핵심 설정
+### 컨테이너 생성
-```hcl
+```bash
-# Origin 설정 (매우 중요)
+# 새 Ubuntu 컨테이너 생성
-origin_domain = "origin.servidor.it.com"
+incus launch ubuntu:24.04 crowdsec
-origin_protocol_policy = "http-only"  # HTTPS 사용 시 504 에러!
+incus exec crowdsec -- apt update
 # CloudFront 설정
 viewer_protocol_policy = "redirect-to-https"
 price_class = "PriceClass_100"
 # 보안 설정
 enable_waf = true
 # 로깅 설정
 enable_cloudfront_logging = true
 cloudfront_logs_bucket = "aws-cf-cloudfront-logs-535294143817"
 # 비활성화된 기능 (권한/제한 사항)
 create_route53_records = false  # CAA 제한으로 비활성화
 create_acm_certificate = false  # CloudFront 기본 인증서 사용
 enable_cloudformation_stack = false  # CloudFormation 권한 없음
 ```
-## 🔧 문제 해결 히스토리
+### CrowdSec 설치
 ```bash
 # CrowdSec 설치
 incus exec crowdsec -- curl -s https://install.crowdsec.net | sh
-### 1. 504 Gateway Timeout 해결 ✅
+# 서비스 상태 확인
-**문제**: CloudFront가 origin 서버에 연결할 수 없음
+incus exec crowdsec -- systemctl status crowdsec
 **원인**: origin.servidor.it.com이 HTTP(80)만 지원하는데 HTTPS(443)로 연결 시도
 **해결**: 
 ```hcl
 origin_protocol_policy = "http-only"
 ```
-### 2. ACM 인증서 CAA 제한 ✅
+### 보안 컬렉션 설치
-**문제**: *.servidor.it.com 도메인에 대한 ACM 인증서 발급 실패
+```bash
-**원인**: CAA DNS 레코드가 AWS 인증서 발급을 제한
+# Nginx Proxy Manager 컬렉션 설치
-**해결**: CloudFront 기본 인증서 사용
+incus exec crowdsec -- cscli collections install crowdsecurity/nginx-proxy-manager
-```hcl
+
-create_acm_certificate = false
+# 설치된 컬렉션 확인
-viewer_certificate {
+incus exec crowdsec -- cscli collections list
-  cloudfront_default_certificate = true
+
 # 설정 적용
 incus exec crowdsec -- systemctl reload crowdsec
 ```
 ## 🔗 3단계: 웹훅 통합 설정
 ### 알림 설정 파일 생성
 ```bash
 incus exec crowdsec -- tee /etc/crowdsec/notifications/aws-waf.yaml << 'EOF'
 type: http
 name: aws-waf
 log_level: info
 url: https://8zdmpjfnhh.execute-api.us-east-1.amazonaws.com/dev/webhook
 method: POST
 headers:
  Content-Type: application/json
  User-Agent: CrowdSec/1.7.0
 timeout: 10s
 format: |
  {{ .|toJson }}
 EOF
 ```
 ### 프로필 설정
 ```bash
 incus exec crowdsec -- tee /etc/crowdsec/profiles.yaml << 'EOF'
 name: aws_waf_profile
 filters:
 - Alert.Remediation == true && Alert.GetScenario() startsWith "crowdsecurity/"
 notifications:
 - aws-waf
 on_success: break
 EOF
 ```
 ### CrowdSec 재시작
 ```bash
 incus exec crowdsec -- systemctl restart crowdsec
 ```
 ## 🧪 4단계: 통합 테스트
 ### 웹훅 엔드포인트 테스트
 ```bash
 curl -X POST https://8zdmpjfnhh.execute-api.us-east-1.amazonaws.com/dev/webhook \
  -H "Content-Type: application/json" \
  -H "User-Agent: CrowdSec/1.7.0" \
  -d '[{
    "uuid": "test-123",
    "decisions": [{
      "value": "192.168.1.100",
      "type": "ban", 
      "action": "add"
    }]
  }]'
 ```
 **예상 응답:**
 ```json
 {
  "success": true,
  "message": "WAF IP Set updated successfully",
  "ips_added": ["192.168.1.100"],
  "ips_removed": [],
  "total_ips": 1
 }
 ```
-### 3. DynamoDB State Locking 권한 ✅
+### WAF IP Set 확인
 **문제**: Terraform state locking을 위한 DynamoDB 테이블 생성/접근 불가
 **해결**: S3만 사용 (1인 개발 시 충분)
 ```hcl
 backend "s3" {
  bucket = "aws-cf-terraform-state-535294143817"
  key = "aws-cf/terraform.tfstate"
  # dynamodb_table = "terraform-state-lock"  # 비활성화
 }
 ```
 ### 4. 중복 CloudFront Distribution 정리 ✅
 **문제**: 여러 배포 시도로 3개의 distribution 생성
 **해결**: 
 - E18GW141CX7I8C - 비활성화 중 (삭제 예정)
 - E32FD742KMW2YY - 비활성화 중 (삭제 예정)
 - E1XR8P4ENGP8RU - 현재 사용 중 ✅
 ### 5. WAF 권한 문제 ✅
 **초기 문제**: WAFv2 권한 없다고 오류 발생
 **해결**: AWSWAFFullAccess 정책에 wafv2:* 권한 포함되어 있음 확인
 ## 📊 모니터링 및 관리
 ### 상태 확인 명령어
 ```bash
-# CloudFront 상태
+aws wafv2 get-ip-set --scope CLOUDFRONT --region us-east-1 \
-aws cloudfront get-distribution --id E1XR8P4ENGP8RU \
+  --id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
-  --query 'Distribution.Status' --output text
+  --name aws-cf-dev-blocked-ips \
-
+  --query 'IPSet.Addresses'
 # WAF 연결 확인
 aws cloudfront get-distribution --id E1XR8P4ENGP8RU \
  --query 'Distribution.DistributionConfig.WebACLId' --output text
 # 로그 확인
 aws s3 ls s3://aws-cf-cloudfront-logs-535294143817/cloudfront-logs/ --recursive
 # State 파일 확인
 aws s3 ls s3://aws-cf-terraform-state-535294143817/aws-cf/
 ```
-### 성능 테스트
+### IP 제거 테스트
 ```bash
-# CloudFront 응답 확인
+curl -X POST https://8zdmpjfnhh.execute-api.us-east-1.amazonaws.com/dev/webhook \
-curl -I https://dspki4yrh5oy1.cloudfront.net
+  -H "Content-Type: application/json" \
-
+  -H "User-Agent: CrowdSec/1.7.0" \
-# 출력 예시:
+  -d '[{
-# HTTP/2 200
+    "uuid": "test-456",
-# content-type: text/html
+    "decisions": [{
-# x-cache: Miss from cloudfront (첫 요청) / Hit from cloudfront (캐시된 요청)
+      "value": "192.168.1.100",
      "type": "ban",
      "action": "delete"
    }]
  }]'
 ```
-### 비활성화된 Distribution 삭제 (완전 비활성화 후)
+### CrowdSec 알림 테스트
 ```bash
-# 상태 확인
+incus exec crowdsec -- cscli notifications test aws-waf
 aws cloudfront list-distributions \
  --query 'DistributionList.Items[*].[Id,Status,DistributionConfig.Enabled]' \
  --output table
 # 삭제 (Deployed 상태에서 Enabled=false 일 때)
 aws cloudfront get-distribution-config --id E18GW141CX7I8C > dist-config.json
 ETAG=$(jq -r '.ETag' dist-config.json)
 aws cloudfront delete-distribution --id E18GW141CX7I8C --if-match $ETAG
 ```
-## 🔒 보안 고려사항
+## 📊 5단계: 모니터링 설정
-1. **WAF 설정**
+### Lambda 함수 로그 모니터링
-   - 현재 기본 AWS Managed Rules 사용
+```bash
-   - 필요시 커스텀 룰 추가 가능
+# 실시간 로그 확인
-   - Rate limiting 조정 가능 (security.tf)
+aws logs tail /aws/lambda/aws-cf-dev-crowdsec-waf-updater --follow
-2. **Origin 보안**
+# 특정 시간대 로그
-   - ⚠️ Origin이 HTTP만 지원하므로 CloudFront-Origin 간 트래픽 암호화 안됨
+aws logs filter-log-events \
-   - 권장: Origin 서버에 HTTPS 지원 추가
+  --log-group-name /aws/lambda/aws-cf-dev-crowdsec-waf-updater \
  --start-time $(date -d '1 hour ago' +%s)000
 ```
-3. **로그 관리**
+### CrowdSec 상태 모니터링
-   - CloudFront 로그 90일 자동 삭제 설정
+```bash
-   - 장기 보관 필요시 S3 lifecycle 수정
+# 메트릭 확인
 incus exec crowdsec -- cscli metrics
-## 📝 향후 개선 사항
+# 현재 차단 결정
 incus exec crowdsec -- cscli decisions list
-### 권한 획득 시 활성화 가능한 기능
+# 허브 상태
-1. **DynamoDB State Locking**
+incus exec crowdsec -- cscli hub list
-   - 팀 협업 시 필수
+```
   - backend.tf에서 주석 해제
-2. **Custom Domain with ACM**
+### WAF 메트릭 확인
-   - CAA 레코드 수정 후 가능
+```bash
-   - terraform.tfvars에서 `create_acm_certificate = true`
+# 차단된 요청 확인
 aws cloudwatch get-metric-statistics \
  --namespace AWS/WAFV2 \
  --metric-name BlockedRequests \
  --dimensions Name=WebACL,Value=aws-cf-dev-waf Name=Rule,Value=BlockedIPsRule \
  --start-time $(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%S) \
  --end-time $(date -u +%Y-%m-%dT%H:%M:%S) \
  --period 300 --statistics Sum
 ```
-3. **CloudFormation Stack**
+## 🔧 문제 해결
   - VPC 및 네트워킹 리소스 관리
   - terraform.tfvars에서 `enable_cloudformation_stack = true`
-### 성능 최적화
+### 일반적인 문제들
 1. Cache Policy 최적화
 2. Origin Request Policy 조정
 3. CloudFront Edge Location 선택 (Price Class)
-## 🏷️ 태그 및 메타데이터
+**1. 웹훅 연결 실패**
- **Project**: aws-cf
+```bash
- **Environment**: dev
+# 네트워크 연결 확인
- **ManagedBy**: OpenTofu
+incus exec crowdsec -- curl -I https://8zdmpjfnhh.execute-api.us-east-1.amazonaws.com/dev/webhook
 - **Owner**: kaffa
 - **Created**: 2025-09-08
 - **LastUpdated**: 2025-09-09
-## 📚 참고 자료
+# CrowdSec 알림 설정 확인
- [OpenTofu Documentation](https://opentofu.org/docs/)
+incus exec crowdsec -- cat /etc/crowdsec/notifications/aws-waf.yaml
- [AWS CloudFront Best Practices](https://docs.aws.amazon.com/cloudfront/latest/developerguide/best-practices.html)
+```
- [AWS WAF Documentation](https://docs.aws.amazon.com/waf/latest/developerguide/)
+
 **2. Lambda 함수 오류**
 ```bash
 # Lambda 함수 직접 테스트
 aws lambda invoke --function-name aws-cf-dev-crowdsec-waf-updater response.json
 # 에러 로그 확인
 aws logs describe-log-groups --log-group-name-prefix "/aws/lambda/aws-cf-dev"
 ```
 **3. WAF 업데이트 실패**
 ```bash
 # IAM 권한 확인
 aws iam get-role-policy --role-name aws-cf-dev-lambda-waf-role --policy-name aws-cf-dev-lambda-waf-policy
 # WAF IP Set 상태 확인
 aws wafv2 get-ip-set --scope CLOUDFRONT --region us-east-1 --id a9e47946-c186-4b28-83a8-fe3aeb9c296b --name aws-cf-dev-blocked-ips
 ```
 ## 📈 운영 관리
 ### 정기 유지보수
 ```bash
 # CrowdSec 업데이트
 incus exec crowdsec -- cscli hub update
 incus exec crowdsec -- cscli hub upgrade
 # 컬렉션 상태 확인
 incus exec crowdsec -- cscli collections list
 # 시스템 리소스 확인
 incus info crowdsec
 ```
 ### 백업 및 복구
 ```bash
 # CrowdSec 설정 백업
 incus exec crowdsec -- tar -czf /tmp/crowdsec-config.tar.gz /etc/crowdsec
 # 설정 파일 복사
 incus file pull crowdsec/tmp/crowdsec-config.tar.gz ./
 # Terraform 상태 백업
 aws s3 sync s3://aws-cf-terraform-state-535294143817 ./backup/
 ```
 ## 🎯 완료 체크리스트
 - [ ] AWS 인프라 배포 완료
 - [ ] CrowdSec 컨테이너 설정 완료
 - [ ] 웹훅 통합 설정 완료
 - [ ] 통합 테스트 성공
 - [ ] 모니터링 설정 완료
 - [ ] 문서화 완료
 ---
-*이 문서는 실제 배포 경험을 바탕으로 작성되었습니다.*
+
 **배포 완료 시간**: 약 30-45분  
 **필수 권한**: AWS WAF, Lambda, API Gateway, CloudWatch 접근  
 **지원**: [CrowdSec Integration Guide](CROWDSEC-WAF-INTEGRATION.md) 참조
--- a/README.md
+++ b/README.md
@@ -1,151 +1,87 @@
-# AWS CloudFront with OpenTofu
+# AWS CloudFront + CrowdSec WAF Integration
-이 프로젝트는 OpenTofu를 사용하여 AWS CloudFront 배포와 CloudFormation 스택을 관리합니다.
+🛡️ AWS CloudFront CDN with real-time CrowdSec threat protection via Lambda integration.
-## 구조
+## 🏗️ Architecture
- `versions.tf` - Provider 및 Terraform 버전 설정
+```
- `variables.tf` - 입력 변수 정의
+CrowdSec Container → API Gateway → Lambda → AWS WAF → CloudFront Distribution
 - `main.tf` - CloudFront 배포 및 CloudFormation 스택
 - `security.tf` - 보안 그룹 및 WAF 설정
 - `outputs.tf` - 출력 변수
 - `terraform.tfvars.example` - 변수 설정 예시
 ## 주요 기능
 ### CloudFront 배포
 - `origin.servidor.it.com`을 원본 서버로 사용
 - HTTPS 리디렉션 및 압축 지원
 - 사용자 정의 도메인(CNAME) 지원
 - 캐시 정책 및 원본 요청 정책 설정
 - 커스텀 오류 페이지 설정
 ### CloudFormation 스택
 - VPC 및 네트워킹 리소스 생성
 - 퍼블릭 서브넷 및 인터넷 게이트웨이
 - 스택 출력을 통한 리소스 ID 공유
 ### 보안 기능
 - ALB 및 웹 서버용 보안 그룹 (선택사항)
 - AWS WAF v2 웹 ACL (선택사항)
 - 레이트 제한 및 관리 규칙 세트
 ## 사용 방법
 ### 1. 환경 설정
 ```bash
 # OpenTofu 설치 확인
 tofu version
 # AWS 자격 증명 설정
 export AWS_ACCESS_KEY_ID="your-access-key"
 export AWS_SECRET_ACCESS_KEY="your-secret-key"
 export AWS_DEFAULT_REGION="us-east-1"
 ```
-### 2. 변수 설정
+## 📋 Project Overview
 - **CloudFront Distribution**: `EATJ1HDQU8V51` 
 - **Origin Server**: `origin.servidor.it.com` (HTTP-only)
 - **WAF Protection**: Real-time IP blocking via CrowdSec
 - **Custom Domains**: `servidor.it.com`, `www.servidor.it.com`
 - **ACM Certificate**: `b011e60a-1ea1-4dd3-844f-e0851ece4784`
 ## 🚀 Quick Start
 ```bash
-# 설정 파일 복사
+# 1. Deploy infrastructure
 cp terraform.tfvars.example terraform.tfvars
 # 필요한 값들 수정
 vim terraform.tfvars
 ```
 ### 3. 배포
 ```bash
 # 초기화
 tofu init
 # 계획 확인
 tofu plan
 # 배포 실행
 tofu apply
 # 2. Configure CrowdSec
 incus exec crowdsec -- cscli collections install crowdsecurity/nginx-proxy-manager
 # 3. Verify WAF configuration
 aws wafv2 get-ip-set --scope CLOUDFRONT --region us-east-1 \
  --id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
  --name aws-cf-dev-blocked-ips
 ```
-### 4. 확인
+## 📊 Key Resources
-배포 후 출력된 CloudFront URL을 통해 서비스에 접근할 수 있습니다:
+- **CloudFront URL**: https://d2mhxhntq3ezzr.cloudfront.net
 - **WAF Web ACL ID**: `d61073b6-27b1-473e-aa9f-d2aa4a4c75a6`
 - **WAF IP Set ID**: `a9e47946-c186-4b28-83a8-fe3aeb9c296b`
 - **Route53 Zone ID**: `Z01934581JQAF2GS71GG`
 ## 🛡️ Security Features
 1. **Priority 1**: CrowdSec real-time IP blocking
 2. **Priority 2**: Rate limiting (10K req/5min)
 3. **Priority 3**: AWS Managed Common Rules
 4. **Priority 4**: AWS Managed Bad Input Rules
 ## 📁 Project Structure
 ```
 ├── README.md                    # This file
 ├── CLAUDE.md                   # Development guide for Claude Code
 ├── DEPLOYMENT_GUIDE.md         # Detailed deployment instructions
 ├── CROWDSEC-WAF-INTEGRATION.md # CrowdSec integration documentation
 ├── main.tf                     # CloudFront and core infrastructure
 ├── security.tf                 # WAF and security configurations
 ├── lambda.tf                   # CrowdSec Lambda integration
 ├── lambda-crowdsec-waf.py      # Lambda function code
 └── terraform.tfvars            # Configuration variables
 ```
 ## 📚 Documentation
 - **🚀 [Deployment Guide](DEPLOYMENT_GUIDE.md)** - Complete deployment instructions
 - **🛡️ [CrowdSec Integration](CROWDSEC-WAF-INTEGRATION.md)** - Real-time security setup
 - **🔧 [Development Guide](CLAUDE.md)** - Claude Code specific instructions
 ## ⚡ Common Commands
 ```bash
-# CloudFront 배포 상태 확인
+# Check WAF blocked IPs
-aws cloudfront get-distribution --id <distribution-id>
+aws wafv2 get-ip-set --scope CLOUDFRONT --region us-east-1 \
  --id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
  --name aws-cf-dev-blocked-ips \
  --query 'IPSet.Addresses'
-# CloudFormation 스택 상태 확인
+# Monitor CrowdSec decisions
-aws cloudformation describe-stacks --stack-name <stack-name>
+incus exec crowdsec -- cscli decisions list
 # View Lambda logs
 aws logs tail /aws/lambda/aws-cf-dev-crowdsec-waf-updater --follow
 ```
-## 중요 설정
+---
-### SSL 인증서
+**Status**: ✅ Production Ready | **Last Updated**: 2025-09-09
 이 설정은 **ACM(AWS Certificate Manager) 인증서**를 사용합니다:
 - `servidor.it.com`과 `*.servidor.it.com` 도메인 지원
 - 자동으로 us-east-1 리전에 ACM 인증서 생성
 - DNS 검증을 통한 자동 인증서 발급
 - Route53을 통한 자동 DNS 레코드 관리
 - CloudFront와 완전 통합된 HTTPS 설정
 ### 캐시 정책
 기본 제공되는 AWS 관리 정책:
 - `4135ea2d-6df8-44a3-9df3-4b5a84be39ad` - CachingDisabled
 - `725fe1d6-8a84-4f3e-8ab1-bc2d5bb10e12` - CachingOptimized
 - `df3c6b6c-4e41-4d9c-a8c7-6b8b2b8e6b8b` - CachingOptimizedForUncompressedObjects
 ### 보안 고려사항
 프로덕션 환경에서는:
 - `ssh_allowed_cidrs`를 특정 IP로 제한
 - WAF 활성화 (`enable_waf = true`)
 - 적절한 캐시 정책 선택
 - CloudTrail 및 CloudWatch 로깅 활성화
 ### 도메인 설정
 **전제 조건**:
 - `servidor.it.com` 도메인의 Route53 호스팅 영역이 존재해야 함
 - 도메인의 네임서버가 Route53으로 설정되어 있어야 함
 **자동 설정**:
 - ACM 인증서 자동 생성 및 검증
 - Route53 A 레코드 자동 생성 (`servidor.it.com` → CloudFront)
 - Route53 A 레코드 자동 생성 (`www.servidor.it.com` → CloudFront)
 ## 출력 정보
 배포 완료 후 다음 정보들이 출력됩니다:
 - CloudFront 배포 ID 및 도메인
 - CloudFormation 스택 정보
 - 보안 그룹 ID (활성화된 경우)
 - WAF Web ACL ARN (활성화된 경우)
 - VPC 및 서브넷 정보
 ## 정리
 ```bash
 # 리소스 삭제
 tofu destroy
 ```
 ## 문제 해결
 ### 일반적인 오류
 1. **인증서 오류**: CloudFront용 인증서는 us-east-1에서만 생성 가능
 2. **도메인 검증**: CNAME 설정 전에 도메인 소유권 확인 필요
 3. **원본 서버**: `origin.servidor.it.com`이 HTTPS를 지원하는지 확인
 ### 로그 확인
 - CloudFront 액세스 로그 활성화
 - CloudWatch 메트릭 모니터링
 - WAF 로그 분석 (활성화된 경우)