Add deny list using AWS WAF - Research Service Workbench on AWS

Add deny list using AWS WAF

AWS WAF allows setting rate limits and regular rules based on IP addresses. Follow these instructions to deny a set of IP addresses from accessing the solution.

Note

Use the main account to add a deny list.

Step 1: Create web ACL

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.

  2. In the navigation pane, under AWS WAF, choose Web ACLs.

  3. Choose Create Web ACL.

  4. For Name, enter the name that you will use to identify this web ACL.

  5. (Optional) For Description - optional, enter a longer description for the web ACL.

  6. For CloudWatch metric name, change the default name if applicable. Follow the console guidance for valid characters. The name cannot contain special characters, white spaces, or metric names reserved for AWS WAF, including All and Default_Action.

  7. For Resource type, choose Regional resources. Select the region that RSW is deployed in.

  8. For Associated AWS resources, choose Add AWS resources.

  9. In the Add AWS resources dialog box, choose Application Load Balancer.

  10. Select the Application Load Balancer deployed as part of the solution's CloudFormation stack. The name of the Application Load Balancer can be found by searching for the key MainAccountLoadBalancerArnOutput in the RSW CloudFormation stack Outputs.

  11. Choose Next.

  12. In Add rules and rule groups, choose Next.

  13. In Set rule priority, choose Next.

  14. In Configure metrics, choose Next.

  15. In Review and create web ACL, choose Create web ACL.

Step 2: Create a deny list IP set

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.

  2. In the navigation pane, under AWS WAF, choose IP sets.

  3. Choose Create IP set.

  4. For IP set name, enter DenyList.

  5. For Region, choose the region where you deployed the solution.

  6. For IP addresses, add the IP addresses you would like to deny.

  7. Choose Create IP set.

Step 3: Add a deny list rule

  1. Open the web ACL created previously.

  2. Choose the Rules tab.

  3. From Add rules, choose Add my rules and rule groups.

  4. For Rule type, choose Rule builder.

  5. For Rule builder, choose Rule visual editor.

  6. For Name, enter DenyListRule.

  7. For Type, choose Regular rule.

  8. For If a request, choose matches the statement.

  9. For Inspect under Statement, choose Originate from an IP address in.

  10. For IP set, choose DenyList.

  11. For Action, choose Block.

  12. Choose Add rule.
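The three console procedures above (create the web ACL and associate it with the load balancer, create the DenyList IP set, add a regular rule that blocks matching source IPs) can be scripted. The following is an added example written for this page, not code from the Research Service Workbench project. The offline part normalises a deny list into the CIDR form AWS WAF IP sets require (a single host becomes /32 or /128, IPv4 and IPv6 must go in separate sets) and builds the rule JSON that matches Step 3. The optional `apply()` function assumes boto3, main-account credentials, the region the solution is deployed in, and the load balancer ARN from the `MainAccountLoadBalancerArnOutput` stack output; the web ACL name `RSWWebACL` and the IPv6 set name `DenyListIPv6` are assumptions, and the deny list itself is constructed sample data.

```python
"""Build (and optionally apply) the AWS WAF deny-list configuration from Steps 1-3.

Added example; not part of the RSW documentation or code base.
"""
import ipaddress
import json
from typing import Dict, List

# Constructed sample deny list: hosts, a CIDR block, an IPv6 host, and a duplicate with whitespace.
SAMPLE_DENY_LIST = ["198.51.100.23", "203.0.113.0/24", "2001:db8::1", " 198.51.100.23 "]


def normalize_deny_list(entries: List[str]) -> Dict[str, List[str]]:
    """Return WAF-ready CIDR strings keyed by IP set version ("IPV4" / "IPV6").

    AWS WAF IP sets only accept CIDR notation and hold a single IP version, so a
    bare host becomes /32 (IPv4) or /128 (IPv6) and the versions are split.
    Whitespace and duplicates are dropped. strict=True makes a prefix with host
    bits set (e.g. 10.0.0.5/24) raise ValueError instead of silently widening the
    block to the whole /24, which would deny more than the operator intended.
    """
    result: Dict[str, List[str]] = {"IPV4": [], "IPV6": []}
    for raw in entries:
        net = ipaddress.ip_network(raw.strip(), strict=True)
        key = "IPV4" if net.version == 4 else "IPV6"
        if net.with_prefixlen not in result[key]:
            result[key].append(net.with_prefixlen)
    return result


def build_deny_rule(ip_set_arn: str, name: str = "DenyListRule", priority: int = 0) -> dict:
    """Regular rule from Step 3: block requests whose source IP is in the IP set."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
        "Action": {"Block": {}},
        # Metrics on, so blocked requests show up in CloudWatch and sampled requests.
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def apply(deny_list: List[str], alb_arn: str, region: str, web_acl_name: str = "RSWWebACL") -> str:
    """Create the IP set(s), the web ACL with the deny rule, and associate it with the ALB.

    Needs boto3 and main-account credentials; returns the new web ACL ARN.
    alb_arn is the MainAccountLoadBalancerArnOutput value from the RSW stack.
    """
    import boto3  # imported lazily so the offline helpers above do not need the SDK

    waf = boto3.client("wafv2", region_name=region)
    rules = []
    for version, addrs in normalize_deny_list(deny_list).items():
        if not addrs:
            continue
        set_name = "DenyList" if version == "IPV4" else "DenyListIPv6"  # assumed naming
        ip_set = waf.create_ip_set(
            Name=set_name, Scope="REGIONAL", IPAddressVersion=version, Addresses=addrs
        )["Summary"]
        rules.append(build_deny_rule(ip_set["ARN"], name=f"{set_name}Rule", priority=len(rules)))
    acl = waf.create_web_acl(
        Name=web_acl_name,
        Scope="REGIONAL",
        DefaultAction={"Allow": {}},  # everything not on the deny list passes through
        Rules=rules,
        VisibilityConfig={
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": web_acl_name,
        },
    )["Summary"]
    waf.associate_web_acl(WebACLArn=acl["ARN"], ResourceArn=alb_arn)
    return acl["ARN"]


if __name__ == "__main__":
    # Offline preview of what would be sent; PLACEHOLDER_IP_SET_ARN stands in for the real ARN.
    print(json.dumps(normalize_deny_list(SAMPLE_DENY_LIST), indent=2))
    print(json.dumps(build_deny_rule("PLACEHOLDER_IP_SET_ARN"), indent=2))
```

Running the module prints the normalised addresses and the rule definition without touching AWS; `apply()` is the only function that makes API calls. Keeping the default action as Allow and the deny rule at priority 0 reproduces the console result: the block rule is evaluated first and all other traffic reaches the load balancer.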

Additional rules can be added to block or limit access to the solution's APIs as required for compliance or user needs. For more information, see AWS WAF rules.