
Blocking Malicious IP Using AWS WAF

If you have a public web app you have to deal with security and protect from common web attacks. With AWS WAF you can protect your AWS resources like API Gateway, Application Load Balancer and Cloudfront Distribution.


user

Emre Oztoprak

3 years ago | 1 min read


Let’s assume you are using AWS WAF: you have created a Web ACL and associated it with your Application Load Balancer, and you have added some managed and some custom rules to it. Now suppose you want one more rule: if more than 100 requests from an IP address have been blocked, block that IP address permanently.

To do this, you must have enabled WAF logging and created a table from these logs in Athena.

If you don’t know how to enable WAF logs, here is the AWS documentation.

Logging web ACL traffic information (docs.aws.amazon.com)
You can enable logging to get detailed information about traffic that is analyzed by your web ACL. Information that is…

Then create a table from the WAF logs in Athena.

Querying AWS WAF Logs (docs.aws.amazon.com)
AWS WAF logs include information about the traffic that is analyzed by your web ACL, such as the time that AWS WAF…

Now we can query our WAF logs in Athena. This query returns the IP addresses whose requests have been blocked more than 100 times.

SELECT httpRequest.clientIp,
       COUNT(*) AS blocked_count
FROM waf_logs
WHERE action = 'BLOCK'
GROUP BY httpRequest.clientIp
HAVING COUNT(*) > 100
ORDER BY blocked_count DESC

Before writing the Lambda function we are going to create an IP set and use it in the Web ACL.

In the WAF console, click IP sets and then Create IP set.

Now we are going to add this IP set to our Web ACL. Choose your Web ACL and click Rules, then click “Add my own rules and rule groups”.

Now we are ready to write the Lambda function.

I am going to add an EventBridge trigger that runs my Lambda function every 3 hours. You can choose any period you want.

Here I am in the EventBridge console; I click Rules and then Create rule.

Our function is ready. It will run every 3 hours, check the WAF logs and block the malicious IP addresses. And don’t forget to change the function timeout: the default is far too short for the Athena query to finish.

Here is the Lambda function. Have a nice day :)

https://github.com/emreoztoprak/AWS-WAF-IP-Block
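As an added example, not the code in the repository linked above: a Python Lambda that runs the Athena query from this post, turns the blocked client IPs into /32 entries and merges them into the IP set attached to the Web ACL, using the IP set’s LockToken so two runs cannot silently overwrite each other. The environment variable names, the Athena output location and the sample result rows are assumptions constructed for this example; the REGIONAL scope matches a Web ACL attached to an ALB.

```python
import ipaddress
import os
import time

# Assumed configuration (environment variables, not from the article): WAF_LOGS_DATABASE (Athena database
# holding waf_logs), ATHENA_OUTPUT (s3://bucket/prefix for query results), IP_SET_NAME and IP_SET_ID.
BLOCKED_IPS_QUERY = """SELECT httpRequest.clientIp, COUNT(*) AS blocked_count FROM waf_logs
WHERE action = 'BLOCK' GROUP BY httpRequest.clientIp HAVING COUNT(*) > 100 ORDER BY blocked_count DESC"""

# Constructed sample of what get_query_results returns (header row first), so the helpers can run locally.
SAMPLE_ROWS = [{"Data": [{"VarCharValue": v} for v in pair]} for pair in
               [("clientIp", "blocked_count"), ("203.0.113.7", "340"), ("2001:db8::1", "120"), ("198.51.100.2", "101")]]

def rows_to_cidrs(rows):
    """Athena rows (header first) -> IPv4 /32 CIDRs; an IP set is IPv4-only or IPv6-only, so IPv6 hits are skipped."""
    cidrs = []
    for row in rows[1:]:
        value = row["Data"][0].get("VarCharValue")
        if value and ipaddress.ip_address(value).version == 4:
            cidrs.append(f"{value}/32")
    return cidrs

def merge_addresses(existing, new):
    """Union of the IP set's current entries and the newly found CIDRs, deduplicated and sorted."""
    return sorted(set(existing) | set(new), key=ipaddress.ip_network)

def run_athena_query(athena, sql, database, output_location):
    """Start the query, wait for it to finish and return every result row across all pages."""
    qid = athena.start_query_execution(QueryString=sql, QueryExecutionContext={"Database": database},
                                       ResultConfiguration={"OutputLocation": output_location})["QueryExecutionId"]
    while (state := athena.get_query_execution(QueryExecutionId=qid)["QueryExecution"]["Status"]["State"]) in ("QUEUED", "RUNNING"):
        time.sleep(2)
    if state != "SUCCEEDED":
        raise RuntimeError(f"Athena query {qid} ended in state {state}")
    pages = athena.get_paginator("get_query_results").paginate(QueryExecutionId=qid)
    return [row for page in pages for row in page["ResultSet"]["Rows"]]

def lambda_handler(event, context):
    import boto3  # imported here so the helpers above run without the AWS SDK installed
    athena, waf = boto3.client("athena"), boto3.client("wafv2")
    rows = run_athena_query(athena, BLOCKED_IPS_QUERY, os.environ["WAF_LOGS_DATABASE"], os.environ["ATHENA_OUTPUT"])
    key = {"Name": os.environ["IP_SET_NAME"], "Scope": "REGIONAL", "Id": os.environ["IP_SET_ID"]}  # REGIONAL: ALB
    current = waf.get_ip_set(**key)
    addresses = merge_addresses(current["IPSet"]["Addresses"], rows_to_cidrs(rows))
    # LockToken makes the update fail instead of overwriting a change made since get_ip_set ran.
    waf.update_ip_set(**key, Addresses=addresses, LockToken=current["LockToken"])
    return {"blocked_addresses": len(addresses)}

if __name__ == "__main__":
    print(merge_addresses(["192.0.2.1/32"], rows_to_cidrs(SAMPLE_ROWS)))
```

The Lambda role needs athena:StartQueryExecution, athena:GetQueryExecution, athena:GetQueryResults, read access to the Glue table and S3 log bucket, write access to the results bucket, and wafv2:GetIPSet plus wafv2:UpdateIPSet on the one IP set.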

Emre Oztoprak

DevOps Engineer @teknasyon | AWS Certified Solutions Architect | AWS Community Builder