Does AWSManagedRulesAmazonIpReputationList only look for BOTS?

0

We want to use the AWS WAF to block traffic from known bad IPs. However, when looking at the documentation and posts about the AWSManagedRulesAmazonIpReputationList rule set, it seems it only blocks identified BOTS, but doesn't distinguish between known malicious IPs and others. Is that correct? If so, does AWS have managed rules that can help me accomplish what I need?

scot
asked a year ago, 1748 views
1 Answer
0

Hi Scot, inside the Amazon IP reputation list you can use 3 rules:

  • AWSManagedIPReputationList - Inspects for IP addresses that have been identified as bots.
  • AWSManagedReconnaissanceList - Inspects for connections from IP addresses that are performing reconnaissance against AWS resources.
  • AWSManagedIPDDoSList - Inspects for IP addresses that have been identified as actively engaging in DDoS activities.

All of these rules are based on the AWS IP Reputation List rule group, which is based on Amazon internal threat intelligence. https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html

In case you want to control your own IP list, you can create your own rules and rule groups. https://docs.aws.amazon.com/waf/latest/developerguide/waf-user-created-rule-groups.html

AWS
answered a year ago
  • My main question was related to AWSManagedIPReputationList. It appears you are not basing that on reputation at all, but just that something behaves like a BOT. I have seen others questioning this as well, identifying cases where legitimate BOTs, like ones owned by Google for indexing purposes, are being blocked. I really need something that is blocking known bad IPs, not just blocking all BOTs. Do you have a managed rule set that does that?

  • Before using any managed rule group in production, it is recommended to test it in a non-production environment according to the guidance (https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-testing.html). Follow the testing and tuning guidance when you add a rule group to your web ACL, to test a new version of a rule group, and whenever a rule group isn't handling your web traffic as you need it to. Using this best practice you can evaluate if it is blocking any BOT IP that should not be blocked based on your requirements.
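
The evaluation described in the last comment, as an added example that is not part of the original thread and is not AWS code: with the rule group's actions overridden to Count, tally which of the three rules matched each client IP in the web ACL logs. It assumes newline-delimited JSON logs using the AWS WAF log fields `httpRequest.clientIp`, `httpRequest.headers` and `labels`, and the rule group's `awswaf:managed:aws:amazon-ip-list:` label namespace; the sample records are constructed.

```python
import json
from collections import defaultdict

# Label namespace AWS WAF attaches when a rule in this managed rule group matches.
LABEL_PREFIX = "awswaf:managed:aws:amazon-ip-list:"

# Constructed sample records (documentation-range IPs), trimmed to the fields used here.
SAMPLE_LOG = """\
{"action":"ALLOW","httpRequest":{"clientIp":"192.0.2.10","headers":[{"name":"User-Agent","value":"ExampleCrawler/1.0"}]},"labels":[{"name":"awswaf:managed:aws:amazon-ip-list:AWSManagedIPReputationList"}]}
{"action":"ALLOW","httpRequest":{"clientIp":"192.0.2.10","headers":[{"name":"user-agent","value":"ExampleCrawler/1.0"}]},"labels":[{"name":"awswaf:managed:aws:amazon-ip-list:AWSManagedIPReputationList"}]}
{"action":"ALLOW","httpRequest":{"clientIp":"198.51.100.7","headers":[{"name":"User-Agent","value":"curl/8.0"}]},"labels":[{"name":"awswaf:managed:aws:amazon-ip-list:AWSManagedReconnaissanceList"}]}
{"action":"ALLOW","httpRequest":{"clientIp":"203.0.113.5","headers":[]}}
this line is not JSON
"""


def summarize(log_text):
    """Return {rule_name: {client_ip: {"hits": int, "user_agents": set}}}."""
    summary = defaultdict(lambda: defaultdict(lambda: {"hits": 0, "user_agents": set()}))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting the run
        request = record.get("httpRequest", {})
        ip = request.get("clientIp", "unknown")
        # User-Agent is client-supplied: it is a hint for triage, not proof of identity.
        agent = next((h.get("value", "") for h in request.get("headers", [])
                      if h.get("name", "").lower() == "user-agent"), "")
        for label in record.get("labels", []):
            name = label.get("name", "")
            if name.startswith(LABEL_PREFIX):
                entry = summary[name[len(LABEL_PREFIX):]][ip]
                entry["hits"] += 1
                if agent:
                    entry["user_agents"].add(agent)
    return summary


if __name__ == "__main__":
    for rule, clients in summarize(SAMPLE_LOG).items():
        for ip, info in sorted(clients.items(), key=lambda kv: -kv[1]["hits"]):
            print(f"{rule}\t{ip}\t{info['hits']}\t{sorted(info['user_agents'])}")
```

Addresses that show up under `AWSManagedIPReputationList` but belong to crawlers you want to admit are the ones to handle with an allow rule evaluated before the managed group, or by leaving that one rule in Count.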
