By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

How do I allow a dynamic IP address from a provider or partner when using the anonymous IP list in AWS WAF?

0

Dear all,

I am facing issues with the partner sending requests to our resource that the anonymous IP list rule has blocked. As per checking, our partner is using dynamic IP so it's challenging to whitelist their IP. Do you have any advice to filter better than whitelist?

Thank you for your answer.

Topics
Security, Identity, & Compliance
Tags
AWS WAF
Language
English
Sreyny
asked 2 years ago849 views
1 Answer
1

Hi, if possible, you may want your partner to add a custom header or a query string parameter (what come after the ? in URL) that you agree upon in the request as per https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-regex-conditions.html

Then, you filter on the presence of this header. This has some limitations as some hacker may fake the specific header of param that you add.

So, optimal solution is provided by the "Intelligent Threat API" but it's more demanding sincet his API needs to integrated in the application. See https://docs.aws.amazon.com/waf/latest/developerguide/waf-js-challenge-api.html

Your use case will dictate the amount of work that you want / can inject in your new WAF filtering

Best, Didier

profile pictureAWS
EXPERT
Didier_Durand
answered 2 years ago
  • Sreyny
    2 years ago

    Thank Didier for your answer,

    Based on your command the custom is possible to set but it's related to the security lake if the hacker can fake the header param and Intelligent Threat API it's related to extra cost.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content