Amazon GuardDuty IP Block List Automation - Implement periodic logging of the current Block List

0

Hi AWS team,

We’re a small company building out our infrastructure on AWS and recently implemented most of the automations detailed in the following AWS Blog Post: How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts

Our Security and Compliance Department is not comfortable with automatically removing the blocked CIDR addresses from the WAF without them being reviewed by a SOC engineer. They are requesting the ability to run a job periodically and on demand to extract all of the current CIDR blocks in the WAFs themselves. They don’t want to rely on a buffer like the DynamoDB database.

How can we implement something like this as simply as possible?

JPC
Asked 8 months ago, 243 views
1 answer
0

Hi - I believe the following may work if your team is comfortable calling APIs with the CLI, a custom program, or scripting. Fortunately the WAF implements a robust API that can be used with multiple callers.

  1. Use the ListIPSets API call from the WAF library to retrieve the full list of IPSets currently active in the WAF.
  2. Iterate through the returned list of IPSets calling the GetIPSet API with the ID, Name, and Scope of each IPSet.
  3. The addresses are available in the returned ‘Addresses’ JSON Array.
  4. Note: The GetIPSet call will also return a ‘lock token’. This token is used to protect you or your program from overwriting changes that occurred since the last time you retrieved the IPSet. In an application like yours where you are not modifying the IPSet this can be ignored.

Good luck - I hope this helps!

JPC
Answered 8 months ago
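As an added example that is not part of the original thread, the three steps above as a read-only Python job using boto3-style `list_ip_sets` / `get_ip_set` calls, plus a diff of two consecutive snapshots so a SOC engineer can see what changed between runs. The `FakeWafv2` class, the IP set names and the CIDRs are constructed so the script runs offline; in production `SAMPLE` is replaced by `boto3.client("wafv2")`.

```python
import json
from datetime import datetime, timezone

def iter_ip_sets(wafv2, scope):
    """Yield (Name, Id) of every IP set in a scope, following NextMarker pagination."""
    kwargs = {"Scope": scope, "Limit": 100}
    while True:
        resp = wafv2.list_ip_sets(**kwargs)
        for s in resp.get("IPSets", []):
            yield s["Name"], s["Id"]
        if not resp.get("NextMarker"):
            return
        kwargs["NextMarker"] = resp["NextMarker"]

def snapshot_ip_sets(wafv2, scope):
    """Return {ip_set_name: sorted CIDR list}; LockToken is returned but unused (read-only job)."""
    return {name: sorted(wafv2.get_ip_set(Name=name, Scope=scope, Id=i)["IPSet"]["Addresses"])
            for name, i in iter_ip_sets(wafv2, scope)}

def diff_snapshots(previous, current):
    """Per IP set, which CIDRs were added or removed since the last run (for SOC review)."""
    names = set(previous) | set(current)
    return {n: {"added": sorted(set(current.get(n, [])) - set(previous.get(n, []))),
                "removed": sorted(set(previous.get(n, [])) - set(current.get(n, [])))}
            for n in sorted(names)}

class FakeWafv2:
    """Constructed stand-in for boto3.client('wafv2') so the script runs offline."""
    def __init__(self, ip_sets):
        self._sets = ip_sets  # {Id: (Name, [cidrs])}, constructed sample data
    def list_ip_sets(self, Scope, Limit=100, NextMarker=None):
        ids = sorted(self._sets)
        start = ids.index(NextMarker) if NextMarker else 0
        page = ids[start:start + 1]  # one set per page to exercise pagination
        out = {"IPSets": [{"Name": self._sets[i][0], "Id": i} for i in page]}
        if start + 1 < len(ids):
            out["NextMarker"] = ids[start + 1]
        return out
    def get_ip_set(self, Name, Scope, Id):
        return {"IPSet": {"Name": Name, "Id": Id, "Addresses": list(self._sets[Id][1])},
                "LockToken": "constructed-token"}

SAMPLE = FakeWafv2({"id-1": ("GD-Blocklist", ["192.0.2.10/32", "198.51.100.0/24"]),
                    "id-2": ("Allowlist", ["203.0.113.5/32"])})

if __name__ == "__main__":
    # Real use: boto3.client("wafv2") for REGIONAL; region_name="us-east-1" for CLOUDFRONT scope.
    snap = snapshot_ip_sets(SAMPLE, "REGIONAL")
    print(json.dumps({"time": datetime.now(timezone.utc).isoformat(), "ip_sets": snap}, indent=2))
```

Writing each run's JSON to an S3 bucket with versioning or object lock gives the compliance team an append-only history that does not depend on the DynamoDB buffer.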
