Amazon GuardDuty IP Block List Automation - Implement periodic logging of the current Block List


Hi AWS team,

We’re a small company building out our infrastructure on AWS and recently implemented most of the automations detailed in the following AWS Blog Post: How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts

Our Security and Compliance Department is not comfortable with automatically removing the blocked CIDR addresses from the WAF without them being reviewed by a SOC engineer. They are requesting the ability to run a job periodically and on demand to extract all of the current CIDR blocks from the WAFs themselves. They don’t want to rely on a buffer like the DynamoDB database.

How can we implement something like this as simply as possible?

Asked 8 months ago, 239 views
1 answer

Hi - I believe the following may work if your team is comfortable calling APIs with the CLI, a custom program, or scripting. Fortunately the WAF implements a robust API that can be used with multiple callers.

  1. Use the ListIPSets API call from the WAF library to retrieve the full list of IPSets currently active in the WAF.
  2. Iterate through the returned list of IPSets calling the GetIPSet API with the ID, Name, and Scope of each IPSet.
  3. The addresses are available in the returned ‘Addresses’ JSON Array.
  4. Note: The GetIPSet call will also return a ‘lock token’. This token is used to protect you or your program from overwriting changes that occurred since the last time you retrieved the IPSet. In an application like yours, where you are not modifying the IPSet, this can be ignored.

Good luck - I hope this helps!

Answered 8 months ago
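The three steps in the answer above (ListIPSets, then GetIPSet per set, then collect the ‘Addresses’ array), written out as a read-only snapshot job. This is an added example, not code from the AWS blog post or from the answer's author. It targets the WAFv2 API (`list_ip_sets` / `get_ip_set` in boto3, whose parameter and response shapes are the real ones); the `StubWafv2` class, the set names, IDs and addresses inside it, and the JSON report layout are constructed so the logic can be exercised offline. The duplicate-marker guard in the pagination loop is a defensive assumption, not documented API behaviour. As the answer notes, the lock token is returned but never used, because this job only reads.

```python
"""Read-only snapshot of every address currently held in AWS WAFv2 IP sets.

Example script (not from the blog post or the answer above). The WAF client
is passed in so the same code runs against boto3 or an offline stub.
"""
import datetime
import json
from typing import Any, Dict, Iterator, List

REGIONAL = "REGIONAL"
CLOUDFRONT = "CLOUDFRONT"  # CLOUDFRONT-scoped sets are only visible from us-east-1


def iter_ip_set_summaries(wafv2, scope: str) -> Iterator[Dict[str, Any]]:
    """Step 1: yield every IPSet summary for a scope, following NextMarker pagination."""
    kwargs: Dict[str, Any] = {"Scope": scope, "Limit": 100}
    seen_markers = set()
    while True:
        page = wafv2.list_ip_sets(**kwargs)
        summaries = page.get("IPSets", [])
        for summary in summaries:
            yield summary
        marker = page.get("NextMarker")
        # Stop on the last page. The seen-marker check is a defensive assumption
        # so a repeated marker can never turn this into an infinite loop.
        if not marker or not summaries or marker in seen_markers:
            return
        seen_markers.add(marker)
        kwargs["NextMarker"] = marker


def snapshot_ip_sets(wafv2, scope: str) -> List[Dict[str, Any]]:
    """Steps 2 and 3: call GetIPSet with Name, Scope and Id for each summary
    and keep the live Addresses array. LockToken is ignored: nothing is written."""
    records = []
    for summary in iter_ip_set_summaries(wafv2, scope):
        detail = wafv2.get_ip_set(Name=summary["Name"], Scope=scope, Id=summary["Id"])["IPSet"]
        records.append({
            "scope": scope,
            "name": detail["Name"],
            "id": detail["Id"],
            "ip_version": detail.get("IPAddressVersion"),
            "addresses": sorted(detail.get("Addresses", [])),
        })
    return records


def count_addresses(records: List[Dict[str, Any]]) -> int:
    """Total CIDR entries across all sets, for the report header."""
    return sum(len(r["addresses"]) for r in records)


def render_report(records: List[Dict[str, Any]], now: datetime.datetime = None) -> str:
    """Serialize the snapshot as one timestamped JSON document, ready to be
    written to S3 or CloudWatch Logs for SOC review (report layout is constructed)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return json.dumps({
        "captured_at": now.isoformat(),
        "ip_set_count": len(records),
        "address_count": count_addresses(records),
        "ip_sets": records,
    }, indent=2)


class StubWafv2:
    """Constructed offline stand-in for boto3.client('wafv2'). Responses mirror the
    real shapes; the names, IDs and addresses are invented test data. It returns
    the sets over two pages so the pagination path is exercised."""

    def __init__(self):
        self._sets = [
            {"Name": "GuardDuty-Blocklist", "Id": "a1b2", "IPAddressVersion": "IPV4",
             "Addresses": ["203.0.113.5/32", "198.51.100.0/24"]},
            {"Name": "Allow-Office", "Id": "c3d4", "IPAddressVersion": "IPV4",
             "Addresses": ["192.0.2.10/32"]},
        ]

    def list_ip_sets(self, Scope, Limit=100, NextMarker=None):
        summaries = [{"Name": s["Name"], "Id": s["Id"], "LockToken": "tok"} for s in self._sets]
        if NextMarker is None:
            return {"IPSets": summaries[:1], "NextMarker": "page2"}
        return {"IPSets": summaries[1:]}

    def get_ip_set(self, Name, Scope, Id):
        match = next(s for s in self._sets if s["Name"] == Name and s["Id"] == Id)
        return {"IPSet": dict(match), "LockToken": "tok"}


if __name__ == "__main__":
    import sys
    import boto3  # only needed for a live run against your account

    scope = sys.argv[1] if len(sys.argv) > 1 else REGIONAL
    region = "us-east-1" if scope == CLOUDFRONT else None
    client = boto3.client("wafv2", region_name=region)
    print(render_report(snapshot_ip_sets(client, scope)))
```

Run it as `python snapshot.py REGIONAL` (or `CLOUDFRONT`) from a scheduled job with a read-only IAM principal that has `wafv2:ListIPSets` and `wafv2:GetIPSet`; because the job never calls UpdateIPSet, the lock token returned by GetIPSet is simply dropped.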
