Skip to content
/ aws-waf-ip-block Public

This lambda function checks waf logs and completely blocks malicious ip address.

7 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

emreoztoprak/aws-waf-ip-block

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

5 Commits
README.md
README.md
 
 
wafautomation.py
wafautomation.py
 
 

Repository files navigation

AWS-WAF-IP-Block

alt text

First of all to do this, you must have enabled the Waf logging and then created a table from these logs in the Athena.

Two AWS documentation explaining how to do these operations.

https://docs.aws.amazon.com/waf/latest/developerguide/logging.html

https://docs.aws.amazon.com/athena/latest/ug/waf-logs.html

Now we can query our waf logs on Athena. This query will give us IP addresses whose requests have been blocked more than 100 times.

SELECT httpRequest.clientIp,
COUNT (*) count
FROM waf_logs
WHERE action='BLOCK'
GROUP BY httpRequest.clientIp
HAVING COUNT(*) > 100
ORDER BY count DESC

Another thing is that you have to create an IP set and add it to the web acl. After you can use this ip set in the lambda function.

https://engineering.teknasyon.com/blocking-malicious-ip-using-aws-waf-2e5c4ed2defb

About

This lambda function checks waf logs and completely blocks malicious ip address.

Resources

Readme
Activity

Stars

7 stars

Watchers

3 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages