Amazon GuardDuty IP Block List Automation - Implement periodic logging of the current Block List


Hi AWS team,

We’re a small company building out our infrastructure on AWS and recently implemented most of the automations detailed in the following AWS Blog Post: How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts

Our Security and Compliance Department are not comfortable with automatically removing the blocked CIDR addresses from the WAF without being reviewed by a SOC engineer. They are requesting the ability to run a job periodically and on demand to extract all of the current CIDR Blocks in the WAFs themselves. They don’t want to rely on a buffer like the DynamoDB database.

How can we implement something like this as simply as possible?

JPC
posted 8 months ago, 248 views
1 Answer

Hi - I believe the following may work if your team is comfortable calling APIs with the CLI, a custom program, or scripting. Fortunately the WAF implements a robust API that can be used with multiple callers.

  1. Use the ListIPSets API call from the WAF library to retrieve the full list of IPSets currently active in the WAF.
  2. Iterate through the returned list of IPSets calling the GetIPSet API with the ID, Name, and Scope of each IPSet.
  3. The addresses are available in the returned ‘Addresses’ JSON Array.
  4. Note: The GetIPSet call will also return a ‘lock token’. This token is used to protect you or your program from overwriting changes that occurred since the last time you retrieved the IPSet. In an application like yours where you are not modifying the IPSet this can be ignored.

Good luck - I hope this helps!

JPC
answered 8 months ago
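One way to carry out the four steps above as a scheduled or on-demand job, as an added example that is not part of the original answer: it uses the boto3 `wafv2` method names `list_ip_sets` and `get_ip_set`, follows `NextMarker` pagination, and discards the `LockToken` because the job only reads. The `StubWAFV2` client and `SAMPLE_IP_SETS` data are constructed so the script runs offline; with boto3 installed and credentials configured it talks to the real service instead.

```python
import json

def export_ip_sets(wafv2, scope="REGIONAL", page_size=100):
    """Walk ListIPSets (NextMarker pagination), then GetIPSet for each entry.
    Read-only, so the LockToken that GetIPSet returns is deliberately ignored.
    Assumes boto3's wafv2 client shape: list_ip_sets / get_ip_set."""
    results, marker = [], None
    while True:
        kwargs = {"Scope": scope, "Limit": page_size}
        if marker:
            kwargs["NextMarker"] = marker
        page = wafv2.list_ip_sets(**kwargs)
        for summary in page.get("IPSets", []):
            ip_set = wafv2.get_ip_set(Name=summary["Name"], Scope=scope, Id=summary["Id"])["IPSet"]
            results.append({"Name": ip_set["Name"], "Id": ip_set["Id"],
                            "IPAddressVersion": ip_set["IPAddressVersion"],
                            "Addresses": sorted(ip_set["Addresses"])})
        marker = page.get("NextMarker")
        if not marker or not page.get("IPSets"):   # last page (or an empty trailing page)
            return results

# Constructed sample data and a stub client so the script runs offline (not real AWS data).
SAMPLE_IP_SETS = [
    {"Name": "guardduty-ipv4", "Id": "id-ipv4-placeholder", "IPAddressVersion": "IPV4",
     "Addresses": ["203.0.113.7/32", "198.51.100.0/24"]},
    {"Name": "guardduty-ipv6", "Id": "id-ipv6-placeholder", "IPAddressVersion": "IPV6",
     "Addresses": ["2001:db8::/64"]},
]

class StubWAFV2:
    """Minimal stand-in for boto3's wafv2 client (constructed for this example)."""
    def __init__(self, ip_sets):
        self._sets = ip_sets
    def list_ip_sets(self, Scope, Limit, NextMarker=None):
        start = int(NextMarker or 0)
        chunk = self._sets[start:start + Limit]
        page = {"IPSets": [{"Name": s["Name"], "Id": s["Id"]} for s in chunk]}
        if start + Limit < len(self._sets):
            page["NextMarker"] = str(start + Limit)
        return page
    def get_ip_set(self, Name, Scope, Id):
        match = next(s for s in self._sets if s["Id"] == Id and s["Name"] == Name)
        return {"IPSet": dict(match, Scope=Scope), "LockToken": "constructed-lock-token"}

if __name__ == "__main__":
    try:
        import boto3                      # real run: CLOUDFRONT scope needs region us-east-1
        client = boto3.client("wafv2")
    except ImportError:                   # offline demo on the constructed data above
        client = StubWAFV2(SAMPLE_IP_SETS)
    print(json.dumps(export_ip_sets(client, "REGIONAL", page_size=1), indent=2))
```

Writing the JSON output to a dated file or an S3 object each run gives the SOC a reviewable history of exactly what the WAF was blocking, independent of the DynamoDB table.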
