Amazon GuardDuty IP Block List Automation - Implement periodic logging of the current Block List

0

Hi AWS team,

We’re a small company building out our infrastructure on AWS and recently implemented most of the automations detailed in the following AWS Blog Post: How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts

Our Security and Compliance Department is not comfortable with automatically removing the blocked CIDR addresses from the WAF without being reviewed by a SOC engineer. They are requesting the ability to run a job periodically and on demand to extract all of the current CIDR Blocks in the WAFs themselves. They don’t want to rely on a buffer like the DynamoDB database.

How can we implement something like this as simply as possible?

JPC
asked 7 months ago, 218 views
1 Answer
0

Hi - I believe the following may work if your team is comfortable calling APIs with the CLI, a custom program, or scripting. Fortunately the WAF implements a robust API that can be used with multiple callers.

  1. Use the ListIPSets API call from the WAF library to retrieve the full list of IPSets currently active in the WAF.
  2. Iterate through the returned list of IPSets calling the GetIPSet API with the ID, Name, and Scope of each IPSet.
  3. The addresses are available in the returned ‘Addresses’ JSON Array.
  4. Note: The GetIPSet call will also return a ‘lock token’. This token is used to protect you or your program from overwriting changes that occurred since the last time you retrieved the IPSet. In an application like yours where you are not modifying the IPSet this can be ignored.

Good luck - I hope this helps!

JPC
answered 7 months ago
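The procedure in the answer above (ListIPSets, then GetIPSet per set, then read the Addresses array) as a runnable Python script. This is an added example, not code from the answer, the blog post, or AWS. It assumes the WAFv2 API through boto3 (`wafv2` client: `list_ip_sets`, `get_ip_set`); the client is passed in as a parameter so the script can be run offline against the constructed `FakeWafv2Client` below, whose IP set names, IDs and CIDRs are made up. The lock token is only recorded as a change marker for the reviewer; the read-only export never sends it back.

```python
"""Export every CIDR currently held in WAFv2 IP sets (added example)."""
import json
from datetime import datetime, timezone


def list_all_ip_sets(client, scope):
    """Step 1: page through ListIPSets. WAFv2 paginates with NextMarker."""
    summaries = []
    kwargs = {"Scope": scope, "Limit": 100}
    while True:
        resp = client.list_ip_sets(**kwargs)
        page = resp.get("IPSets", [])
        summaries.extend(page)
        marker = resp.get("NextMarker")
        # Guard: stop on no marker, an empty page, or a marker that did not advance.
        if not marker or not page or marker == kwargs.get("NextMarker"):
            return summaries
        kwargs["NextMarker"] = marker


def snapshot_ip_sets(client, scope="REGIONAL"):
    """Steps 2-3: call GetIPSet for each summary and collect its Addresses."""
    taken_at = datetime.now(timezone.utc).isoformat()
    snapshot = []
    for summary in list_all_ip_sets(client, scope):
        resp = client.get_ip_set(Name=summary["Name"], Scope=scope, Id=summary["Id"])
        ip_set = resp["IPSet"]
        snapshot.append({
            "TakenAt": taken_at,
            "Scope": scope,
            "Name": ip_set["Name"],
            "Id": ip_set["Id"],
            "IPAddressVersion": ip_set.get("IPAddressVersion"),
            # Step 4: not needed for a read; kept so a reviewer can spot edits between runs.
            "LockToken": resp.get("LockToken"),
            "Addresses": sorted(ip_set.get("Addresses", [])),
        })
    return snapshot


def all_blocked_cidrs(snapshot):
    """Flatten a snapshot into a sorted, de-duplicated list of CIDRs."""
    return sorted({cidr for entry in snapshot for cidr in entry["Addresses"]})


def render_jsonl(snapshot):
    """One JSON object per line, suitable for CloudWatch Logs or an S3 object."""
    return "\n".join(json.dumps(entry, sort_keys=True) for entry in snapshot)


class FakeWafv2Client:
    """Constructed stand-in for boto3.client('wafv2'); all data here is made up."""

    def __init__(self):
        self._sets = {
            "gd-blocklist-1": {"Name": "GuardDutyBlockList", "Version": "IPV4",
                               "Addresses": ["203.0.113.10/32", "198.51.100.0/24"],
                               "Lock": "tok-a"},
            "gd-blocklist-2": {"Name": "GuardDutyBlockListV6", "Version": "IPV6",
                               "Addresses": ["2001:db8::/48"], "Lock": "tok-b"},
        }

    def list_ip_sets(self, Scope, Limit=100, NextMarker=None):
        # Serve one item per page so the pagination loop is exercised.
        ids = sorted(self._sets)
        start = ids.index(NextMarker) if NextMarker else 0
        page = ids[start:start + 1]
        resp = {"IPSets": [{"Name": self._sets[i]["Name"], "Id": i} for i in page]}
        if start + 1 < len(ids):
            resp["NextMarker"] = ids[start + 1]
        return resp

    def get_ip_set(self, Name, Scope, Id):
        s = self._sets[Id]
        return {"IPSet": {"Name": s["Name"], "Id": Id, "IPAddressVersion": s["Version"],
                          "Addresses": list(s["Addresses"])},
                "LockToken": s["Lock"]}


def real_client(region_name="us-east-1"):
    """Build the real client; boto3 is imported lazily so the offline demo needs no SDK."""
    import boto3
    return boto3.client("wafv2", region_name=region_name)


if __name__ == "__main__":
    # Swap FakeWafv2Client() for real_client(<region>) to export a live account.
    snap = snapshot_ip_sets(FakeWafv2Client(), scope="REGIONAL")
    print(render_jsonl(snap))
    print("total CIDRs:", len(all_blocked_cidrs(snap)))
```

Run it once per region with `scope="REGIONAL"` and once with `scope="CLOUDFRONT"` against a us-east-1 client, since CloudFront-scoped IP sets live there; the calling role only needs `wafv2:ListIPSets` and `wafv2:GetIPSet`, which keeps the export job read-only by construction.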
