Problem With "Anonymous IP List"

1

Hello, in my company we have had a blocking problem with certain pages that are hosted on AWS. Investigating within AWS, we have noticed that the managed rule group called "Anonymous IP list" has been blocking us under the "HostingProviderIPList" label. That label is wrong, since our company is not a hosting provider. Where could I contact someone to solve this and update their databases so that our IPs do not suffer these blocks? My problem is more with the AWS database that contains erroneous information about the prefix that my company uses.

hubynet
asked 9 months ago · 748 views
2 Answers
0

I've been through a recent battle with AWS support and eventually they did acknowledge that they can check the lists to verify whether your IP addresses are on the list or not. Theoretically they may be able to remove them though the lists are fed dynamically from external lists which AWS does not control. Essentially AWS just blindly trusts external reputation lists and categorization sources to feed their internal lists so they genuinely can't prevent your IP addresses from being listed again but they can at least verify whether your IPs are currently on the list, which is helpful to a degree.

If you can get them to verify that, you can then check external list sources that AWS may use. Unfortunately AWS has chosen not to be transparent about those sources so you may have to simply contact every 'IP Quality' or 'IP Reputation' list service around the internet to check if they have your IP addresses listed. Also make sure to make your reverse DNS for your IP addresses correct so it indicates the IP addresses for use by general internet service users as opposed to hosting servers, etc.

The same goes for the HostingProviderIPList, which has no clear definition of how an IP address qualifies to be on the list, nor how to correct or remove it. It is apparently based only on some kind of reputation information from unnamed 3rd party sources. A big red flag is that AWS IPs are apparently not on the HostingProviderIPList, which seems like an obvious oversight since AWS is obviously one of the largest hosting providers on the internet.

The sad reality is that the Anonymous IP list and HostingProviderIPList are nearly pointless for use by most web application/service users because they block random IP addresses with no ability to know why or recourse to have IP addresses removed from the lists. Unless you want to spend days adding every potential legitimate user/customer to an allow list, you should probably not use them unless your application is extremely limited in user scope. In which case you might as well just block everyone and only allow your known users.

answered 8 months ago
-1

AWS WAF does not have a way to add/remove an IP from its database manually (even internally/backend). The IPs automatically get added to/removed from the database based on various checks performed on the IPs. If the IP is/was subject to some activities/behaviours that could detect/classify it as a Hosting Provider IP, then it would have been added to the database at that time, and when such activities stop from this IP, the IP will automatically be removed from the database (which is not immediate and may take a long time due to how the system/algorithm works).

Instead of going down the path of getting these IPs removed from the AWS database, I would suggest following the Knowledge Center article below to allow the legitimate IPs (your IPs).

https://repost.aws/knowledge-center/waf-allow-ip-using-reputation-anon-list

I hope it helps.

AWS
answered 9 months ago
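The answer above points at the Knowledge Center article but does not show the resulting configuration. The following is an added example, not part of the original answer or of the linked article, of how an allow list for known-good source IPs can be combined with the managed rule group in an AWS WAF web ACL. The pattern relies on two real AWS WAF features: rule action overrides on a managed rule group, and the labels the Anonymous IP list rule group attaches to matching requests. Everything else is an assumption for illustration: the rule names, priorities, metric names, and the IP set ARN (a placeholder you must replace with the ARN of an IP set that contains your company's prefix). Confirm the exact label key against the rule group's documentation in your account before deploying, and test with a Count action first.

```json
{
  "Rules": [
    {
      "Name": "AWS-AWSManagedRulesAnonymousIpList",
      "Priority": 0,
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesAnonymousIpList",
          "RuleActionOverrides": [
            {
              "Name": "HostingProviderIPList",
              "ActionToUse": { "Count": {} }
            }
          ]
        }
      },
      "OverrideAction": { "None": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "AnonymousIpList"
      }
    },
    {
      "Name": "BlockHostingProviderExceptAllowList",
      "Priority": 1,
      "Statement": {
        "AndStatement": {
          "Statements": [
            {
              "LabelMatchStatement": {
                "Scope": "LABEL",
                "Key": "awswaf:managed:aws:anonymous-ip-list:HostingProviderIPList"
              }
            },
            {
              "NotStatement": {
                "Statement": {
                  "IPSetReferenceStatement": {
                    "ARN": "arn:aws:wafv2:REGION:ACCOUNT_ID:regional/ipset/company-allow-list/IPSET_ID"
                  }
                }
              }
            }
          ]
        }
      },
      "Action": { "Block": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "HostingProviderExceptAllowList"
      }
    }
  ]
}
```

How it works: the first rule keeps the managed rule group in place but overrides the HostingProviderIPList rule's action to Count, so a request from a listed IP is labelled rather than blocked outright. The second rule then re-applies the block only for requests that carry that label and whose source IP is not in your own IP set. Requests from your company's prefix are therefore only exempt from the HostingProviderIPList verdict; every other rule in the group still applies to them, which is narrower (and safer) than placing a blanket Allow rule for the prefix ahead of the whole rule group. The sampled requests and CloudWatch metrics on both rules let you confirm, before switching from Count to Block, that the label is being emitted for the IPs you expect and that the allow list matches.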
