Amazon GuardDuty IP Block List Automation - Implement periodic logging of the current Block List


Hi AWS team,

We’re a small company building out our infrastructure on AWS and recently implemented most of the automations detailed in the following AWS Blog Post: How to use Amazon GuardDuty and AWS Web Application Firewall to automatically block suspicious hosts

Our Security and Compliance Department is not comfortable with automatically removing the blocked CIDR addresses from the WAF without being reviewed by a SOC engineer. They are requesting the ability to run a job periodically and on demand to extract all of the current CIDR Blocks in the WAFs themselves. They don’t want to rely on a buffer like the DynamoDB database.

How can we implement something like this as simply as possible?

JPC
Asked 8 months ago, 232 views
1 answer

Hi - I believe the following may work if your team is comfortable calling APIs with the CLI, a custom program, or scripting. Fortunately the WAF implements a robust API that can be used with multiple callers.

  1. Use the ListIPSets API call from the WAF library to retrieve the full list of IPSets currently active in the WAF.
  2. Iterate through the returned list of IPSets calling the GetIPSet API with the ID, Name, and Scope of each IPSet.
  3. The addresses are available in the returned ‘Addresses’ JSON Array.
  4. Note: The GetIPSet call will also return a ‘lock token’. This token is used to protect you or your program from overwriting changes that occurred since the last time you retrieved the IPSet. In an application like yours where you are not modifying the IPSet this can be ignored.

Good luck - I hope this helps!

JPC
Answered 8 months ago
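As an added example (not part of the answer above or of the AWS blog post), here is a Python script using boto3 that follows the three API steps: it pages through ListIPSets for both WAFv2 scopes, calls GetIPSet for each set, and emits a timestamped JSON snapshot of the Addresses arrays for a SOC engineer to review. The function names are assumed, and the client is passed in as a parameter so the extraction logic can be exercised with a stand-in object where no AWS credentials are available.

```python
"""Snapshot every CIDR currently held in WAFv2 IP sets (added example)."""
import json
from datetime import datetime, timezone


def collect_ip_set_addresses(client, scope):
    """Return {ip_set_name: [cidr, ...]} for every IP set in `scope`.

    `client` is a boto3 wafv2 client (or any object exposing the same
    list_ip_sets / get_ip_set methods). ListIPSets is paginated via
    NextMarker, so keep calling it until no marker comes back.
    """
    snapshot = {}
    kwargs = {"Scope": scope}
    while True:
        page = client.list_ip_sets(**kwargs)
        for summary in page.get("IPSets", []):
            # GetIPSet needs Name, Scope and Id. It also returns a LockToken,
            # which only matters for updates; a read-only audit ignores it.
            detail = client.get_ip_set(
                Name=summary["Name"], Scope=scope, Id=summary["Id"]
            )
            snapshot[summary["Name"]] = sorted(detail["IPSet"]["Addresses"])
        marker = page.get("NextMarker")
        if not marker:
            return snapshot
        kwargs["NextMarker"] = marker


def snapshot_all_scopes(regional_client, cloudfront_client):
    """Combine the REGIONAL and CLOUDFRONT scopes into one timestamped record."""
    return {
        "captured_at": datetime.now(timezone.utc).isoformat(),
        "REGIONAL": collect_ip_set_addresses(regional_client, "REGIONAL"),
        "CLOUDFRONT": collect_ip_set_addresses(cloudfront_client, "CLOUDFRONT"),
    }


if __name__ == "__main__":
    import boto3  # assumed to be installed where the job runs

    # CLOUDFRONT-scoped IP sets are only visible from the us-east-1 endpoint.
    record = snapshot_all_scopes(
        boto3.client("wafv2"),
        boto3.client("wafv2", region_name="us-east-1"),
    )
    print(json.dumps(record, indent=2))
```

Run it from a scheduled job (for example a cron entry or an EventBridge-triggered Lambda) and write the JSON output to versioned storage so successive snapshots can be diffed.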
