AWS WAF Security Automations

Appendix A: Component Details

As described in the Architecture Overview, three of the solution’s components use AWS Lambda functions to inspect IP addresses and add them to the AWS WAF block list. The following sections explain each of these functions in more detail.

Log Parser

The Log Parser AWS Lambda function helps protect against HTTP floods, scanners, and probes.

Figure 3: Log Parser flow

  1. As Amazon CloudFront or an Application Load Balancer receives requests on behalf of your web application, it sends access logs to an Amazon S3 bucket.

  2. Each time a new access log is stored in the Amazon S3 bucket, the Log Parser Lambda function is triggered.

  3. The Lambda function analyzes the log data to identify IP addresses that have generated more errors than the defined threshold, and then updates an AWS WAF IP Set condition to block those IP addresses for a customer-defined period of time.
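To illustrate the threshold logic in step 3, here is an added example (not the solution's own Log Parser code) that reads a CloudFront-style access log by its `#Fields` header, counts error responses per client IP, selects the IPs that exceed a threshold, and tracks a block expiry per IP. The log lines, the status codes treated as errors, the threshold and the block period are all constructed assumptions.

```python
from collections import Counter

# Assumed: these client-error statuses count as "errors" (the real solution makes this configurable).
ERROR_STATUSES = {400, 403, 404, 405}

def _line(ip, uri, status):
    """Build one constructed, abbreviated CloudFront-style log record (11 tab-separated columns)."""
    return "\t".join(["2024-01-01", "10:00:01", "IAD89-C1", "512", ip, "GET",
                      "d111.cloudfront.net", uri, str(status), "-", "curl/8.0"])

# Constructed sample log: one noisy scanner, one IP with a single error, one clean client.
SAMPLE_LOG = "\n".join(
    ["#Version: 1.0",
     "#Fields: date time x-edge-location sc-bytes c-ip cs-method cs(Host) "
     "cs-uri-stem sc-status cs(Referer) cs(User-Agent)"]
    + [_line("203.0.113.10", f"/admin{i}", 404) for i in range(5)]
    + [_line("198.51.100.7", "/login", 403), _line("198.51.100.7", "/", 200)]
    + [_line("192.0.2.5", "/", 200)]
)

def count_errors_by_ip(log_text, error_statuses=ERROR_STATUSES):
    """Count error responses per client IP, locating columns via the #Fields header."""
    fields, counts = None, Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("log body seen before #Fields header")
        cols = line.split("\t")
        if len(cols) != len(fields):
            continue  # skip malformed records instead of failing the whole batch
        rec = dict(zip(fields, cols))
        if rec["sc-status"].isdigit() and int(rec["sc-status"]) in error_statuses:
            counts[rec["c-ip"]] += 1
    return counts

def offenders(counts, threshold):
    """IPs with strictly more errors than the threshold, as the text describes."""
    return sorted(ip for ip, n in counts.items() if n > threshold)

def block_entries(ips, now, block_seconds):
    """Map each IP to the epoch second at which its block should be lifted."""
    return {ip: now + block_seconds for ip in ips}

def expire(blocklist, now):
    """Drop entries whose customer-defined block period has elapsed."""
    return {ip: until for ip, until in blocklist.items() if until > now}
```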

IP Lists Parser

The IP Lists Parser AWS Lambda function helps protect against known attackers identified in third-party IP reputation lists.

Figure 4: IP Lists Parser flow

  1. An hourly Amazon CloudWatch event triggers the IP Lists Parser Lambda function.

  2. The Lambda function gathers and parses data from three sources:

  3. The Lambda function updates the AWS block list with the most current IP addresses.

Access Handler

The Access Handler AWS Lambda function inspects requests to the honeypot endpoint in order to extract their source IP address.

Figure 5: Access Handler and the honeypot endpoint

  1. Embed the honeypot endpoint in your website and update your robots exclusion standard, as described in Step 3, Embed the Honeypot Link in Your Web Application (Optional).

  2. When a content scraper or bad bot accesses the honeypot endpoint, it triggers the Access Handler Lambda function.

  3. The Lambda function intercepts and inspects the request headers to extract the IP address of the source that accessed the trap endpoint.

  4. The Lambda function updates an AWS WAF IP Set condition to block those IP addresses.