Blocking Malicious IP Using AWS WAF
If you have a public web app you have to deal with security and protect from common web attacks. With AWS WAF you can protect your AWS resources like API Gateway, Application Load Balancer and Cloudfront Distribution.
Emre Oztoprak
Let’s assume you are already using AWS WAF: you have created a Web ACL, associated it with your Application Load Balancer, and added some managed and some custom rules to it. Now you want one more rule: if more than 100 requests from an IP address have been blocked, block that IP address permanently. Keep in mind that a block based on a count alone also catches shared egress addresses such as a corporate NAT or a proxy, so pick the threshold with that in mind.

To do this, you must have WAF logging enabled and a table created from those logs in Athena.
If you don’t know how to enable WAF logs, see the AWS documentation; it also describes how to create the Athena table from the WAF logs.
Now we can query our WAF logs in Athena. This query gives us the IP addresses whose requests have been blocked more than 100 times (the first line of the query was missing from the post and is restored here):

```sql
SELECT httpRequest.clientIp,
       COUNT(*) AS count
FROM waf_logs
WHERE action = 'BLOCK'
GROUP BY httpRequest.clientIp
HAVING COUNT(*) > 100
ORDER BY count DESC
```

As written, the query scans the whole table on every run; if your table is partitioned by date, add a partition predicate to the WHERE clause so each run only reads recent logs.
Before writing the Lambda function, create an IP set and reference it from the Web ACL.
In the WAF console, click IP sets, then Create IP set. Use the same region and scope as your Web ACL (Regional for an ALB; an IP set for a CloudFront distribution has to be created in the CloudFront scope). An IP set holds addresses of one family only, so choose IPv4 here, and leave the address list empty: the Lambda function will populate it.

Now add the IP set to the Web ACL. Open your Web ACL, click Rules, then “Add my own rules and rule groups”. Choose the IP set rule type, select the IP set you just created, and set the action to Block.

Now we are ready to write the Lambda function.
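The post links to its Lambda function rather than showing it. Below is an added example of such a function, written for this article and not the author’s code. It runs the Athena query above, reads the offending client IPs out of the result set, and merges them into the WAFv2 IP set. The database and table name, the Athena output location, the IP set name, ID and scope, and the block threshold are assumptions read from environment variables; the boto3 calls (start_query_execution, get_query_execution, the get_query_results paginator, get_ip_set, update_ip_set) are the real API, but boto3 is imported inside the handler so the parsing and merging helpers can be exercised locally without it. The sample result rows are constructed, not real log data.

```python
"""Added example, not the original post's Lambda: run the Athena query,
collect the client IPs over the threshold and merge them into a WAFv2 IP set.
All names in os.environ below are assumptions for this example."""
import ipaddress
import os
import time

# Same query as in the post, parameterised on table name and threshold.
BLOCK_QUERY = """
SELECT httpRequest.clientIp AS client_ip, COUNT(*) AS blocked
FROM {table}
WHERE action = 'BLOCK'
GROUP BY httpRequest.clientIp
HAVING COUNT(*) > {threshold}
ORDER BY blocked DESC
"""

# Constructed sample in the shape Athena's GetQueryResults returns
# (the first row is the column header); not real log data.
SAMPLE_ROWS = [
    {"Data": [{"VarCharValue": "client_ip"}, {"VarCharValue": "blocked"}]},
    {"Data": [{"VarCharValue": "203.0.113.10"}, {"VarCharValue": "412"}]},
    {"Data": [{"VarCharValue": "2001:db8::1"}, {"VarCharValue": "150"}]},
    {"Data": [{"VarCharValue": "not-an-ip"}, {"VarCharValue": "101"}]},
    {"Data": [{}]},  # a NULL cell comes back as an empty dict
]

def parse_athena_rows(rows):
    """Return the first column of every data row; the header row is skipped."""
    ips = []
    for row in rows[1:]:
        data = row.get("Data", [])
        if data and "VarCharValue" in data[0]:
            ips.append(data[0]["VarCharValue"])
    return ips

def to_ipset_entries(ips, version=4):
    """WAF IP sets hold CIDR strings of a single address family, so validate
    each value, keep only the requested family and normalise to /32 or /128."""
    prefix = 32 if version == 4 else 128
    entries = set()
    for raw in ips:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # bad cell: skip it rather than fail the whole run
        if addr.version == version:
            entries.add(f"{addr}/{prefix}")
    return entries

def merge_addresses(existing, new_entries):
    """UpdateIPSet replaces the whole address list, so union with what is
    already there; the result must stay under WAF's 10,000-entry limit."""
    return sorted(set(existing) | set(new_entries))

def run_query(athena, database, output, query):
    """Start the query, wait for it to finish and return every result row."""
    qid = athena.start_query_execution(
        QueryString=query,
        QueryExecutionContext={"Database": database},
        ResultConfiguration={"OutputLocation": output},
    )["QueryExecutionId"]
    while True:
        state = athena.get_query_execution(QueryExecutionId=qid)[
            "QueryExecution"]["Status"]["State"]
        if state in ("SUCCEEDED", "FAILED", "CANCELLED"):
            break
        time.sleep(2)
    if state != "SUCCEEDED":
        raise RuntimeError(f"Athena query {qid} ended in state {state}")
    rows = []
    pages = athena.get_paginator("get_query_results").paginate(QueryExecutionId=qid)
    for page in pages:
        rows.extend(page["ResultSet"]["Rows"])
    return rows

def lambda_handler(event, context):
    import boto3  # only needed inside Lambda; the helpers above are pure Python

    database = os.environ["ATHENA_DATABASE"]                 # assumed names
    table = os.environ.get("WAF_LOG_TABLE", "waf_logs")
    output = os.environ["ATHENA_OUTPUT"]                     # e.g. s3://bucket/prefix/
    name, set_id = os.environ["IPSET_NAME"], os.environ["IPSET_ID"]
    scope = os.environ.get("WAF_SCOPE", "REGIONAL")          # CLOUDFRONT needs us-east-1
    threshold = int(os.environ.get("BLOCK_THRESHOLD", "100"))

    athena = boto3.client("athena")
    wafv2 = boto3.client("wafv2")
    rows = run_query(athena, database, output,
                     BLOCK_QUERY.format(table=table, threshold=threshold))
    new_entries = to_ipset_entries(parse_athena_rows(rows))

    # get_ip_set also returns the LockToken that update_ip_set requires.
    current = wafv2.get_ip_set(Name=name, Scope=scope, Id=set_id)
    before = current["IPSet"]["Addresses"]
    merged = merge_addresses(before, new_entries)
    if merged == sorted(before):
        return {"added": 0, "total": len(merged)}
    wafv2.update_ip_set(Name=name, Scope=scope, Id=set_id,
                        Addresses=merged, LockToken=current["LockToken"])
    return {"added": len(merged) - len(before), "total": len(merged)}
```

The function’s execution role needs athena:StartQueryExecution, athena:GetQueryExecution and athena:GetQueryResults, read/write on the Athena results bucket and read on the log bucket, glue:GetDatabase/GetTable/GetPartitions for the table, and wafv2:GetIPSet plus wafv2:UpdateIPSet on the IP set. Because update_ip_set replaces the full list, the merge step is what keeps earlier blocks in place; if the set is for a CloudFront distribution, create the wafv2 client in us-east-1.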

Next, add an EventBridge trigger that runs the Lambda function every 3 hours. You can choose any period you want.
In the EventBridge console, click Rules, then Create rule, and use a schedule expression such as rate(3 hours) with the Lambda function as the target.

Our function is ready. It will run every 3 hours, check the WAF logs and block the offending IP addresses. Don’t forget to raise the function timeout: the Lambda default of 3 seconds is not enough to wait for an Athena query to finish.
The Lambda function is here. Have a nice day :)
Emre Oztoprak
DevOps Engineer @teknasyon | AWS Certified Solutions Architect | AWS Community Builder