Hello Cloud Security Community
My customer is asking if there is a way in WAF to block all traffic coming from Amazon AWS IPs. I know there is a way to do that for EC2 like that:
Technically, it is possible to block requests coming from Amazon AWS by using the network list you have highlighted in the screenshot. However, you won't get visibility of the exact requests blocked by this network list only.
There is a way to create a custom rule that matches on this network list and denies the requests. That way, you can keep track of mitigated traffic from Amazon on a daily/weekly/monthly basis.
In the most recent portal release, the custom rule creator has been made available. However, you cannot match on a network list there.
If your interest inclines towards blocking the traffic, then the network list should suffice. For advanced reporting, contact the security PS team to get a custom rule created.
Thank you for the response.
Can you confirm if the EC2 network IP list has the IPs that are obtained from resolving *.amazonaws.com?
Also, can you confirm if the rule needs to be added in the WAF config, as the layout in the screenshot looks unfamiliar to me.
The EC2 IP list is updated by the WAF engineering team, which in my opinion uses the Edgescape database to update the network list. It may not be a direct result of resolving *.amazonaws.com.
The rule needs to be added in WAF as an advanced metadata. The screenshot I have added is from the new Custom Rule creator utility available in WAF.
Hello Aniket Amdekar, Yair Greenbaum, and Anupama Shettigar:
Actually the "Ec2 Akamai Network List" list is updated programmatically by our Cloud Security Intelligence platform. I don't believe it has anything to do with DNS resolution.
We only provide an Akamai network list of EC2 IPs, but you can find the whole list of AWS IPs here: AWS IP Address Ranges - Amazon Web Services. You could then create a new Network List with all the Amazon AWS IPs from that resource (or everything except EC2 and just use Akamai's EC2 list) and apply it to the firewall policy. The customer could write a script to pull down the AWS IP Range JSON and use the Akamai Network List API to update the list programmatically.
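The script sketched in the reply above, as an added example that is not part of the thread and not Akamai's or AWS's own code. It assumes the public layout of AWS's ip-ranges.json (top-level `prefixes` and `ipv6_prefixes` entries carrying a `service` label), and it assumes the Akamai Network Lists API v2 endpoint and body shape used in `sync_network_list()` (`PUT /network-list/v2/network-lists/{id}` with `name`, `type`, `syncPoint` and `list`); treat that path, the `includeElements` query parameter and the `<NETWORK_LIST_ID>` placeholder as assumptions to verify against the API documentation, and the EdgeGrid credentials in `~/.edgerc` as required only for the live sync. The sample JSON embedded below is constructed so the filtering runs offline.

```python
"""Build an Akamai Network List of AWS IP ranges from AWS's ip-ranges.json.

Added example (not Akamai's or the thread's own code). Assumptions:
  * AWS ip-ranges.json layout: "prefixes"/"ipv6_prefixes" entries with "service";
  * Akamai Network Lists API v2 PUT shape in sync_network_list() (verify it);
  * EdgeGrid credentials in ~/.edgerc, needed for the live sync only.
"""
import ipaddress
import json
import os
import urllib.request

AWS_IP_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the shape of ip-ranges.json (documentation ranges only).
# AMAZON entries aggregate other services, so an EC2 range usually also shows up
# under AMAZON: here 203.0.113.0/25 (EC2) sits inside 203.0.113.0/24 (AMAZON).
SAMPLE_IP_RANGES = {
    "syncToken": "0000000000",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/25", "region": "us-east-1", "service": "EC2"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "CLOUDFRONT"},
        {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-west-2", "service": "EC2"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1", "service": "AMAZON"},
        {"ipv6_prefix": "2001:db8:1::/48", "region": "us-east-1", "service": "EC2"},
    ],
}


def fetch_ip_ranges(url=AWS_IP_RANGES_URL, timeout=30):
    """Download and parse the live AWS range file (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


def select_prefixes(ip_ranges, exclude_services=()):
    """Return the CIDRs to put in the list as strings, IPv4 first, overlaps collapsed.

    exclude_services drops entries whose "service" is listed (e.g. ("EC2",) when
    Akamai's own EC2 list is used instead) and any kept prefix lying entirely
    inside a dropped one. An aggregate that contains a dropped range (the AMAZON
    /24 over the EC2 /25 above) is kept, so exclusion by service label is approximate.
    """
    exclude = {s.upper() for s in exclude_services}
    keep, dropped = [], []
    for list_key, cidr_key in (("prefixes", "ip_prefix"), ("ipv6_prefixes", "ipv6_prefix")):
        for entry in ip_ranges.get(list_key, []):
            net = ipaddress.ip_network(entry[cidr_key], strict=False)
            (dropped if entry["service"].upper() in exclude else keep).append(net)
    filtered = [n for n in keep
                if not any(n.version == d.version and n.subnet_of(d) for d in dropped)]
    result = []
    for version in (4, 6):  # collapse_addresses refuses mixed address families
        same_family = [n for n in filtered if n.version == version]
        result.extend(str(n) for n in ipaddress.collapse_addresses(same_family))
    return result


def build_network_list_body(name, prefixes, sync_point=None, description=""):
    """Request body for PUT /network-list/v2/network-lists/{id} (assumed shape)."""
    body = {"name": name, "type": "IP", "description": description, "list": list(prefixes)}
    if sync_point is not None:
        body["syncPoint"] = sync_point  # the current syncPoint guards against stale overwrites
    return body


def sync_network_list(network_list_id, prefixes, edgerc_path="~/.edgerc", section="default"):
    """Replace the elements of an existing Akamai network list (live API call)."""
    import requests  # lazy imports: only the live sync needs them
    from akamai.edgegrid import EdgeGridAuth, EdgeRc

    edgerc = EdgeRc(os.path.expanduser(edgerc_path))
    session = requests.Session()
    session.auth = EdgeGridAuth.from_edgerc(edgerc, section)
    url = f"https://{edgerc.get(section, 'host')}/network-list/v2/network-lists/{network_list_id}"
    current = session.get(url, params={"includeElements": "false"})  # assumed query parameter
    current.raise_for_status()
    meta = current.json()
    body = build_network_list_body(meta["name"], prefixes, meta.get("syncPoint"),
                                   "AWS ranges, synced from ip-ranges.json")
    resp = session.put(url, json=body)
    resp.raise_for_status()
    return resp.json()


if __name__ == "__main__":
    ranges = fetch_ip_ranges()
    cidrs = select_prefixes(ranges, exclude_services=("EC2",))
    print(f"syncToken {ranges['syncToken']}: {len(cidrs)} prefixes after collapsing")
    # Uncomment once ~/.edgerc is configured; <NETWORK_LIST_ID> is a placeholder:
    # sync_network_list("<NETWORK_LIST_ID>", cidrs)
```

Storing the `syncToken` from the last run and skipping the PUT when it has not changed keeps the list from being rewritten (and re-activated) on every schedule tick; collapsing overlapping prefixes first keeps the element count down, which matters because the network list has a size limit and every extra element is one more CIDR for the edge to evaluate.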
Can you look into Anupama's question? Customer would like to get this resolved ASAP
Thanks a lot for the followup.