
How to use Amazon GuardDuty and AWS WAF v2 to automatically block suspicious hosts

In this post, we’ll share an automation pattern that you can use to automatically detect and block suspicious hosts that are attempting to access your Amazon Web Services (AWS) resources. The automation will rely on Amazon GuardDuty to generate findings about the suspicious hosts, and then you can respond to those findings by programmatically updating AWS WAF to block the host from accessing your workloads.

   <p>You should implement security measures across your AWS resources by using a holistic approach that incorporates controls across multiple areas. In the <a href="https://docs.aws.amazon.com/whitepapers/latest/aws-security-incident-response-guide/aws-security-incident-response-guide.pdf#aws-caf-security-perspective" target="_blank" rel="noopener">AWS CAF Security Perspective</a> section of the AWS Security Incident Response Guide, we define these controls across four categories:</p> 
   <ul> 
    <li><strong>Directive controls</strong> — Establish the governance, risk, and compliance models the environment will operate within</li> 
    <li><strong>Preventive controls</strong> — Protect your workloads and mitigate threats and vulnerabilities</li> 
    <li><strong>Detective controls</strong> — Provide full visibility and transparency over the operation of your deployments in AWS</li> 
    <li><strong>Responsive controls</strong> — Drive remediation of potential deviations from your security baselines</li> 
   </ul> 
   <p>Security automation is a key principle outlined in the Response Guide. It helps reduce operational overhead and creates repeatable, predictable approaches to monitoring and responding to events. AWS services provide the building blocks to create powerful patterns for the automated detection and remediation of threats against your AWS environments. You can configure automated flows that use both detective and responsive controls and might also feed into preventative controls to help mitigate risks in the future. Depending on the type of source event, you can automatically invoke specific actions, such as modifying access controls, terminating instances, or revoking credentials.</p> 
   <p>The patterns highlighted in this post provide an example of how to automatically remediate detected threats. You should modify these patterns to suit your defined requirements, and test and validate them before deploying them in a production environment.</p> 
   <h2>AWS services used for the example pattern</h2> 
   <p><a href="https://aws.amazon.com/guardduty/" target="_blank" rel="noopener">Amazon GuardDuty</a> is a continuous security monitoring and threat detection service that incorporates threat intelligence, anomaly detection, and machine learning to help protect your AWS resources, including your AWS accounts. <a href="https://aws.amazon.com/eventbridge/" target="_blank" rel="noopener">Amazon EventBridge</a> delivers a near-real-time stream of system events that describe changes in AWS resources. Amazon GuardDuty sends events to <a href="https://aws.amazon.com/cloudwatch/" target="_blank" rel="noopener">Amazon CloudWatch</a> when a change in the findings takes place. In the context of GuardDuty, such changes include newly generated findings and subsequent occurrences of these findings. You can quickly set up rules to match events generated by GuardDuty findings in EventBridge events and route those events to one or more target actions. The pattern in this post routes matched events to <a href="https://aws.amazon.com/lambda/" target="_blank" rel="noopener">AWS Lambda</a>, which then updates <a href="https://aws.amazon.com/waf/" target="_blank" rel="noopener">AWS WAF</a> <a href="https://docs.aws.amazon.com/waf/latest/developerguide/web-acl.html" target="_blank" rel="noopener">web access control lists (web ACLs)</a> and <a href="https://aws.amazon.com/vpc/" target="_blank" rel="noopener">Amazon Virtual Private Cloud (Amazon VPC)</a> <a href="https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html" target="_blank" rel="noopener">network access control lists (network ACLs)</a>. AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. It supports both <a href="https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups.html" target="_blank" rel="noopener">managed rules</a> and a powerful rule language for <a href="https://docs.aws.amazon.com/waf/latest/developerguide/waf-user-created-rule-groups.html" target="_blank" rel="noopener">custom rules</a>. A network ACL is stateless and is an optional layer of security for your VPC that helps you restrict specific inbound and outbound traffic at the subnet level.</p> 
   <h2>Pattern overview</h2> 
   <p>This example pattern assumes that Amazon GuardDuty is enabled in your AWS account. If it isn’t enabled, you can <a href="https://aws.amazon.com/guardduty/pricing/" target="_blank" rel="noopener">learn more about the free trial and pricing</a>, and follow the steps in the <a href="https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_settingup.html" target="_blank" rel="noopener">GuardDuty documentation</a> to configure the service and start monitoring your account. The example code will only work in the us-east-1 AWS Region due to the use of <a href="https://aws.amazon.com/cloudfront/" target="_blank" rel="noopener">Amazon CloudFront</a> and web ACLs within the template.</p> 
   <p>Figure 1 shows how the <a href="https://aws.amazon.com/cloudformation/" target="_blank" rel="noopener">AWS CloudFormation</a> template creates the sample pattern.</p> 
   <div id="attachment_28892" class="wp-caption aligncenter"> 
    <img aria-describedby="caption-attachment-28892" src="https://www.infracom.com.sg/wp-content/uploads/2023/03/img1-4-1024x449-1.png" alt="Figure 1: How the CloudFormation template works" width="760" class="size-large wp-image-28892"> 
    <p id="caption-attachment-28892" class="wp-caption-text">Figure 1: How the CloudFormation template works</p> 
   </div> 
   <p>Here’s how the pattern works, as shown in the diagram:</p> 
   <ol> 
    <li>A GuardDuty finding is generated due to suspected malicious activity.</li> 
    <li>An EventBridge event is configured to filter for GuardDuty finding types by using <a href="https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-event-patterns.html" target="_blank" rel="noopener">event patterns</a>.</li> 
    <li>A Lambda function is invoked by the EventBridge event and parses the GuardDuty finding.</li> 
    <li>The Lambda function checks the <a href="https://aws.amazon.com/dynamodb/" target="_blank" rel="noopener">Amazon DynamoDB</a> state table for an existing entry that matches the identified host. If no entry is found for that host, a new one is created in the state table.</li> 
    <li>The Lambda function creates a web ACL rule inside AWS WAF and updates a subnet network ACL.</li> 
    <li>A notification email is sent through <a href="https://aws.amazon.com/sns/" target="_blank" rel="noopener">Amazon Simple Notification Service (SNS)</a>.</li> 
   </ol> 
   <p>A second Lambda function runs on a 5-minute recurring schedule and removes entries that are past the configurable retention period from <a href="https://docs.aws.amazon.com/waf/latest/APIReference/API_IPSet.html" target="_blank" rel="noopener">AWS WAF IPSets</a> (an IPSet is a list that contains the blocklisted IPs or CIDRs), VPC network ACLs, and the DynamoDB table.</p> 
   <h2>GuardDuty prefix patterns and findings</h2> 
   <p>The EventBridge event rule provided by the example automation uses the following seven prefix patterns, which together cover 36 GuardDuty <a href="https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html" target="_blank" rel="noopener">finding types</a>. Each of these finding types identifies a remote host by IP address, which is what makes them suitable for blocking with AWS WAF. Be sure to read through the full list of finding types in the <a href="https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html" target="_blank" rel="noopener">GuardDuty documentation</a> to better understand what GuardDuty can report findings for. The covered findings are as follows:</p> 
   <ol> 
    <li>UnauthorizedAccess:EC2 
     <ul> 
      <li>UnauthorizedAccess:EC2/MaliciousIPCaller.Custom</li> 
      <li>UnauthorizedAccess:EC2/MetadataDNSRebind</li> 
      <li>UnauthorizedAccess:EC2/RDPBruteForce</li> 
      <li>UnauthorizedAccess:EC2/SSHBruteForce</li> 
      <li>UnauthorizedAccess:EC2/TorClient</li> 
      <li>UnauthorizedAccess:EC2/TorRelay</li> 
     </ul> </li> 
    <li>Recon:EC2 
     <ul> 
      <li>Recon:EC2/PortProbeEMRUnprotectedPort</li> 
      <li>Recon:EC2/PortProbeUnprotectedPort</li> 
      <li>Recon:EC2/Portscan</li> 
     </ul> </li> 
    <li>Trojan:EC2 
     <ul> 
      <li>Trojan:EC2/BlackholeTraffic</li> 
      <li>Trojan:EC2/BlackholeTraffic!DNS</li> 
      <li>Trojan:EC2/DGADomainRequest.B</li> 
      <li>Trojan:EC2/DGADomainRequest.C!DNS</li> 
      <li>Trojan:EC2/DNSDataExfiltration</li> 
      <li>Trojan:EC2/DriveBySourceTraffic!DNS</li> 
      <li>Trojan:EC2/DropPoint</li> 
      <li>Trojan:EC2/DropPoint!DNS</li> 
      <li>Trojan:EC2/PhishingDomainRequest!DNS</li> 
     </ul> </li> 
    <li>Backdoor:EC2 
     <ul> 
      <li>Backdoor:EC2/C&amp;CActivity.B</li> 
      <li>Backdoor:EC2/C&amp;CActivity.B!DNS</li> 
      <li>Backdoor:EC2/DenialOfService.Dns</li> 
      <li>Backdoor:EC2/DenialOfService.Tcp</li> 
      <li>Backdoor:EC2/DenialOfService.Udp</li> 
      <li>Backdoor:EC2/DenialOfService.UdpOnTcpPorts</li> 
      <li>Backdoor:EC2/DenialOfService.UnusualProtocol</li> 
      <li>Backdoor:EC2/Spambot</li> 
     </ul> </li> 
    <li>Impact:EC2 
     <ul> 
      <li>Impact:EC2/AbusedDomainRequest.Reputation</li> 
      <li>Impact:EC2/BitcoinDomainRequest.Reputation</li> 
      <li>Impact:EC2/MaliciousDomainRequest.Reputation</li> 
      <li>Impact:EC2/PortSweep</li> 
      <li>Impact:EC2/SuspiciousDomainRequest.Reputation</li> 
      <li>Impact:EC2/WinRMBruteForce</li> 
     </ul> </li> 
    <li>CryptoCurrency:EC2 
     <ul> 
      <li>CryptoCurrency:EC2/BitcoinTool.B</li> 
      <li>CryptoCurrency:EC2/BitcoinTool.B!DNS</li> 
     </ul> </li> 
    <li>Behavior:EC2 
     <ul> 
      <li>Behavior:EC2/NetworkPortUnusual</li> 
      <li>Behavior:EC2/TrafficVolumeUnusual</li> 
     </ul> </li> 
   </ol> 
   <p>When activity occurs that generates one of these GuardDuty finding types and is then matched by the EventBridge event rule, an entry is created in the target web ACLs and subnet network ACLs to deny access from the suspicious host, and then a notification is sent to an email address by this pattern’s Lambda function. Blocking traffic from the suspicious host helps to mitigate potential threats while you perform additional investigation and remediation. For more information, see <a href="https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_remediate.html#compromised-ec2" target="_blank" rel="noopener">Remediating a compromised EC2 instance</a>.</p> 
   <h2>Solution deployment</h2> 
   <p>To deploy the solution, complete the following steps. Each step is described in more detail in the sections that follow.</p> 
   <ol> 
    <li>Download the required files.</li> 
    <li>Create your <a href="https://aws.amazon.com/s3/" target="_blank" rel="noopener">Amazon Simple Storage Service (Amazon S3)</a> bucket and upload the .zip files.</li> 
    <li>Deploy the CloudFormation template.</li> 
    <li>Create and test the Lambda function for a GuardDuty finding event.</li> 
    <li>Confirm the entry for the test event in the VPC network ACL.</li> 
    <li>Confirm the entry in the AWS WAF IP sets.</li> 
    <li>Confirm the SNS notification email alert.</li> 
    <li>Apply the AWS WAF web ACLs to resources.</li> 
   </ol> 
   <h3>Step 1: Download the required files</h3> 
   <p>Download the following four files from the <a href="https://github.com/aws-samples/amazon-guardduty-waf-acl" target="_blank" rel="noopener">amazon-guardduty-waf-acl</a> GitHub code repository:</p> 
   <ol> 
    <li><a href="https://raw.githubusercontent.com/aws-samples/amazon-guardduty-waf-acl/master/templates/guarddutytoacl.template" target="_blank" rel="noopener">CloudFormation template</a> – Copy and save the linked raw text, using the file name <span>guarddutytoacl.template</span> on your local file system.</li> 
    <li><a href="https://raw.githubusercontent.com/aws-samples/amazon-guardduty-waf-acl/master/templates/gd2acl_test_event.json" target="_blank" rel="noopener">JSON event test file</a> – Copy and save the linked raw text, using the file name <span>gd2acl_test_event.json</span> on your local file system.</li> 
    <li><a href="https://github.com/aws-samples/amazon-guardduty-waf-acl/blob/master/artifacts/guardduty_to_acl_lambda_wafv2.zip" target="_blank" rel="noopener">guardduty_to_acl_lambda_wafv2.zip</a> – Choose the <strong>Download</strong> button on the GitHub page and save the .zip file to your local file system.</li> 
    <li><a href="https://github.com/aws-samples/amazon-guardduty-waf-acl/blob/master/artifacts/prune_old_entries_wafv2.zip" target="_blank" rel="noopener">prune_old_entries_wafv2.zip</a> – Choose the <strong>Download</strong> button on the GitHub page and save the .zip file to your local file system.</li> 
   </ol> 
   <h3>Step 2: Create your S3 bucket and upload .zip files</h3> 
   <p>For this step, create an S3 bucket with public access blocked, and then upload the Lambda .zip files to the newly created S3 bucket.</p> 
   <h4>To create your S3 bucket and upload .zip files</h4> 
   <ol> 
    <li><a href="https://docs.aws.amazon.com/AmazonS3/latest/userguide/create-bucket-overview.html" target="_blank" rel="noopener">Create an S3 bucket</a> in the us-east-1 Region.</li> 
    <li>Upload the .zip files <span>guardduty_to_acl_lambda_wafv2.zip</span> and <span>prune_old_entries_wafv2.zip</span> that you saved to your local file system in Step 1 to the newly created S3 bucket.</li> 
   </ol> 
   <h3>Step 3: Deploy the CloudFormation template</h3> 
   <p>For this step, deploy the CloudFormation template only to the us-east-1 Region within the AWS account where GuardDuty findings are to be monitored.</p> 
   <h4>To deploy the CloudFormation template</h4> 
   <ol> 
    <li><a href="https://console.aws.amazon.com/console/home" target="_blank" rel="noopener">Sign in to the AWS Management Console</a>, choose the CloudFormation service, and set <strong>N.Virginia (us-east-1)</strong> as the Region.</li> 
    <li>Choose <strong>Create stack</strong>, and then choose <strong>With new resources (standard)</strong>.</li> 
    <li>When the <strong>Create stack</strong> landing page is presented, make sure that <strong>Template is ready</strong> is selected in the <strong>Prepare template</strong> section. In the <strong>Template source</strong> section, choose <strong>Upload a template file</strong>.</li> 
    <li>Choose the <strong>Choose file</strong> button and browse to the location where the <span>guarddutytoacl.template</span> file was saved on your local file system. Select the file, choose <strong>Open</strong>, and then choose <strong>Next</strong>.</li> 
    <li>On the <strong>Specify stack details</strong> page, provide the following input parameters. You can modify the default values to customize the pattern for your environment.<br><table width="100%"> 
      <tbody> 
       <tr> 
        <td width="30%"><strong>Input parameter</strong></td> 
        <td width="70%"><strong>Input parameter description</strong></td> 
       </tr> 
       <tr> 
        <td width="30%">Notification email</td> 
        <td width="70%">The email address to receive notifications. Must be a valid email address.</td> 
       </tr> 
       <tr> 
        <td width="30%">Retention time, in minutes</td> 
        <td width="70%">How long to retain IP addresses in the blocklist (in minutes). The default is 12 hours.</td> 
       </tr> 
       <tr> 
        <td width="30%">S3 bucket for artifacts</td> 
        <td width="70%">The S3 bucket with artifact files (Lambda functions, templates, HTML files, and so on). Keep the default value for deployment into the N. Virginia Region.</td> 
       </tr> 
       <tr> 
        <td width="30%">S3 path to artifacts</td> 
        <td width="70%">The path in the S3 bucket that contains artifact files. Keep the default value for deployment into the N. Virginia Region.</td> 
       </tr> 
       <tr> 
        <td width="30%">CloudFrontWebACL</td> 
        <td width="70%">Create CloudFront Web ACL? If set to true, a CloudFront IP set will be created automatically.</td> 
       </tr> 
       <tr> 
        <td width="30%">RegionalWebACL</td> 
        <td width="70%">Create Regional Web ACL? If set to true, a Regional IP set will be created automatically.</td> 
       </tr> 
      </tbody> 
     </table> <p>Figure 2 shows an example of the values entered on this page.</p> 
     <div id="attachment_28893" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-28893" src="https://www.infracom.com.sg/wp-content/uploads/2023/03/img2-5-984x1024-1.png" alt="Figure 2: CloudFormation parameters on the Specify stack details page" width="720" class="size-large wp-image-28893"> 
      <p id="caption-attachment-28893" class="wp-caption-text">Figure 2: CloudFormation parameters on the Specify stack details page</p> 
     </div> </li> 
    <li>Enter values for all of the input parameters, and then choose <strong>Next</strong>.</li> 
    <li>On the <strong>Configure stack options</strong> page, accept the defaults, and then choose <strong>Next</strong>.</li> 
    <li>On the <strong>Review</strong> page, confirm the details, check the box acknowledging that the template will require capabilities for AWS::IAM::Role, and then choose <strong>Create Stack</strong>. <p>The stack normally requires no more than 3–5 minutes to complete.</p> </li> 
    <li>While the stack is being created, check the email inbox that you specified for the <strong>Notification email address</strong> parameter. Look for an email message with the subject “AWS Notification – Subscription Confirmation”. Choose the link in the email to confirm the subscription to the SNS topic. You should see a message similar to the following. 
     <div id="attachment_28894" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-28894" src="https://www.infracom.com.sg/wp-content/uploads/2023/03/img3-3.png" alt="Figure 3: Subscription confirmation" width="720" class="size-full wp-image-28894"> 
      <p id="caption-attachment-28894" class="wp-caption-text">Figure 3: Subscription confirmation</p> 
     </div> </li> 
   </ol> 
   <p>When the <strong>Status</strong> field for the CloudFormation stack changes to <strong>CREATE_COMPLETE</strong>, as shown in Figure 4, the pattern is implemented and is ready for testing.</p> 
   <div id="attachment_28895" class="wp-caption aligncenter"> 
    <img aria-describedby="caption-attachment-28895" src="https://www.infracom.com.sg/wp-content/uploads/2023/03/img4-3-1024x131-1.png" alt="Figure 4: The stack status is CREATE_COMPLETE" width="760" class="size-large wp-image-28895"> 
    <p id="caption-attachment-28895" class="wp-caption-text">Figure 4: The stack status is CREATE_COMPLETE</p> 
   </div> 
   <h3>Step 4: Create and test the Lambda function for a GuardDuty finding event</h3> 
   <p>After the CloudFormation stack has completed deployment, you can test the functionality by using a Lambda test event.</p> 
   <h4>To create and run a Lambda GuardDuty finding test event</h4> 
   <ol> 
    <li>In the AWS Management Console, choose <strong>Services</strong> &gt; <strong>VPC</strong> &gt; <strong>Subnets</strong> and locate a subnet that is suitable for testing the pattern.</li> 
    <li>On the <strong>Details</strong> tab, copy the <strong>subnet ID</strong> to the clipboard or to a text editor. 
     <div id="attachment_28896" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-28896" loading="lazy" src="https://www.infracom.com.sg/wp-content/uploads/2023/03/img5-3.png" alt="Figure 5: The subnet ID value on the Details tab" width="712" height="696" class="size-full wp-image-28896"> 
      <p id="caption-attachment-28896" class="wp-caption-text">Figure 5: The subnet ID value on the Details tab</p> 
     </div> </li> 
    <li>In the AWS Management Console, choose <strong>Services</strong> &gt; <strong>CloudFormation</strong> &gt; <strong>GuardDutytoACL stack</strong>. On the <strong>Outputs</strong> tab for the stack, look for the <strong>GuardDutytoACLLambda</strong> entry. 
     <div id="attachment_28897" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-28897" src="https://www.infracom.com.sg/wp-content/uploads/2023/03/img6-3-1024x431-1.png" alt="Figure 6: The GuardDutytoACLLambda entry on the Outputs tab" width="720" class="size-large wp-image-28897"> 
      <p id="caption-attachment-28897" class="wp-caption-text">Figure 6: The GuardDutytoACLLambda entry on the Outputs tab</p> 
     </div> </li> 
    <li>Choose the link for the entry, and you’ll be redirected to the Lambda console, with the Lambda <strong>Code source</strong> page already open. 
     <div id="attachment_28898" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-28898" src="https://www.infracom.com.sg/wp-content/uploads/2023/03/img7-2-1024x539-1.png" alt="Figure 7: The Lambda function open in the Lambda console" width="720" class="size-large wp-image-28898"> 
      <p id="caption-attachment-28898" class="wp-caption-text">Figure 7: The Lambda function open in the Lambda console</p> 
     </div> </li> 
    <li>In the middle of the <strong>Code source</strong> menu, in the <strong>Test</strong> dropdown list, locate and select the <strong>Configure test event</strong> option. 
     <div id="attachment_28899" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-28899" src="https://www.infracom.com.sg/wp-content/uploads/2023/03/img8-2.png" alt="Figure 8: Select Configure test event from the dropdown list" width="720" class="size-full wp-image-28899"> 
      <p id="caption-attachment-28899" class="wp-caption-text">Figure 8: Select Configure test event from the dropdown list</p> 
     </div> </li> 
    <li>To facilitate testing, we’ve provided a test event file. On the <strong>Configure test event</strong> page, do the following: 
     <ol> 
      <li>For <strong>Event name</strong>, enter a name.</li> 
      <li>In the body of the <strong>Event JSON</strong> field, paste the <a href="https://raw.githubusercontent.com/aws-samples/amazon-guardduty-waf-acl/master/templates/gd2acl_test_event.json" target="_blank" rel="noopener">provided test event JSON</a>, overwriting the existing contents.</li> 
      <li>Update the value of the <span>SubnetId</span> key (line 35) to the subnet ID that you chose in Step 1 of this procedure.</li> 
      <li>Choose <strong>Save</strong>.</li> 
     </ol> 
     <div id="attachment_28900" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-28900" src="https://www.infracom.com.sg/wp-content/uploads/2023/03/img9-2.png" alt="Figure 9: Update the value of the subnetId key" width="720" class="size-full wp-image-28900"> 
      <p id="caption-attachment-28900" class="wp-caption-text">Figure 9: Update the value of the subnetId key</p> 
     </div> </li> 
    <li>Choose <strong>Test</strong> to invoke the Lambda function with the test event. You should see the message “Status: succeeded” at the top of the execution results, similar to what is shown in Figure 10. 
     <div id="attachment_28901" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-28901" src="https://www.infracom.com.sg/wp-content/uploads/2023/03/img10-2-1024x450-1.png" alt="Figure 10: The Test button and the “succeeded” message" width="720" class="size-large wp-image-28901"> 
      <p id="caption-attachment-28901" class="wp-caption-text">Figure 10: The Test button and the “succeeded” message</p> 
     </div> </li> 
   </ol> 
   <h3>Step 5: Confirm the entry in the VPC network ACL</h3> 
   <p>In this step, you’ll confirm that the DENY entry was created in the network ACL. This pattern is configured to create up to 10 entries in an ACL, using rule numbers 71 through 80. Because network ACL rules are evaluated in ascending rule-number order and the first matching rule wins, the DENY rule must carry a lower number than any ALLOW rule that would otherwise admit the host.</p> 
   <h4>To confirm the entry in the VPC network ACL</h4> 
   <ol> 
    <li>In the AWS Management Console, choose <strong>Services</strong> &gt; <strong>VPC</strong> &gt; <strong>Subnets</strong>, and locate the subnet you provided for the test event.</li> 
    <li>Choose the <strong>network ACL</strong> link and confirm that the new DENY entry was generated from the test event. 
     <div id="attachment_28902" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-28902" src="https://www.infracom.com.sg/wp-content/uploads/2023/03/img11-2-1024x371-1.png" alt="Figure 11: Check the entry from the test event on the Network tab" width="720" class="size-large wp-image-28902"> 
      <p id="caption-attachment-28902" class="wp-caption-text">Figure 11: Check the entry from the test event on the Network tab</p> 
     </div> <p>Note that VPC network ACL entries are created in the rule number range between 71 and 80. Older entries are aged out to create a “sliding window” of blocked hosts.</p> </li> 
   </ol> 
   <h3>Step 6: Confirm the entry in the AWS WAF IP sets and blocklists</h3> 
   <p>Next, verify that the entry was added to the CloudFront AWS WAF IP set and to the Application Load Balancer (ALB) AWS WAF IP set.</p> 
   <h4>To confirm the entry in the AWS WAF IP set and blocklist</h4> 
   <ol> 
    <li>In the AWS Management Console, choose <strong>Services</strong> &gt; <strong>WAF &amp; Shield &gt; Web ACLs</strong>, and then set the selected Region to <strong>Global (CloudFront)</strong>.</li> 
    <li>Find and select the web ACL name that starts with <span>CloudFrontBlockListWeb</span>. In the <strong>Rule</strong> view, on the <strong>Rules</strong> tab, select the rule named <span>CloudFrontBlocklistIPSetRule</span>. Note that <span>198.51.100.0/32</span> appears as an entry in the rule. 
     <div id="attachment_28903" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-28903" src="https://www.infracom.com.sg/wp-content/uploads/2023/03/img12-2-955x1024-1.png" alt="Figure 12: Confirm that the IP address was added" width="720" class="size-large wp-image-28903"> 
      <p id="caption-attachment-28903" class="wp-caption-text">Figure 12: Confirm that the IP address was added</p> 
     </div> </li> 
    <li>In the AWS Management Console, on the left navigation menu, choose <strong>Web ACLs</strong>, and then set the selected Region to <strong>US East (N. Virginia)</strong>.</li> 
    <li>Find and select the web ACL name that starts with <span>RegionalBlocklistACL</span>. In the <strong>Rule</strong> view, on the <strong>Rules</strong> tab, select the rule named <span>RegionalBlocklistIPSetRule</span>. Note that <span>198.51.100.0/32</span> appears as an entry in the rule. 
     <div id="attachment_28904" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-28904" src="https://www.infracom.com.sg/wp-content/uploads/2023/03/img13-1-896x1024-1.png" alt="Figure 13: Make sure that the IP address was added" width="720" class="size-large wp-image-28904"> 
      <p id="caption-attachment-28904" class="wp-caption-text">Figure 13: Make sure that the IP address was added</p> 
     </div> </li> 
   </ol> 
   <p>There might be specific host addresses that you want to prevent from being added to the blocklist. You can do this within GuardDuty by using a trusted IP list. Trusted IP lists consist of IP addresses that you have allowlisted for secure communication with your AWS infrastructure and applications. GuardDuty doesn’t generate findings for IP addresses on trusted IP lists. For more information, see <a href="https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload_lists.html" target="_blank" rel="noopener">Working with trusted IP lists and threat lists</a>.</p> 
   <h3>Step 7: Confirm the SNS notification email</h3> 
   <p>Finally, verify that the SNS notification was sent to the email address you set up.</p> 
   <h4>To confirm receipt of the SNS notification email</h4> 
   <ul> 
    <li>Review the email inbox that you specified for the <strong>AdminEmail</strong> parameter and look for a message with the subject line “AWS GD2ACL Alert”. The contents of the message from SNS should be similar to the following. 
     <div id="attachment_28905" class="wp-caption aligncenter"> 
      <img aria-describedby="caption-attachment-28905" src="https://www.infracom.com.sg/wp-content/uploads/2023/03/img14-1.png" alt="Figure 14: SNS message example" width="720" class="size-full wp-image-28905"> 
      <p id="caption-attachment-28905" class="wp-caption-text">Figure 14: SNS message example</p> 
     </div> </li> 
   </ul> 
   <h3>Step 8: Apply the AWS WAF web ACLs to resources</h3> 
   <p>The final task is to associate the web ACL with the CloudFront distributions and Application Load Balancers that you want to automatically update with this pattern. To learn how to do this, see <a href="https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-associating-aws-resource.html" target="_blank" rel="noopener">Associating or disassociating a web ACL with an AWS resource</a>.</p> 
   <p>You can also use <a href="https://aws.amazon.com/firewall-manager/" target="_blank" rel="noopener">AWS Firewall Manager</a> to associate the web ACLs. AWS Firewall Manager can simplify your AWS WAF administration and maintenance tasks across multiple accounts and resources. With Firewall Manager, you set up your firewall rules just once. The service automatically applies your rules across your accounts and resources, even as you add new resources.</p> 
   <h2>Conclusion</h2> 
   <p>In this post, you’ve learned how to use Lambda to automatically update AWS WAF and VPC network ACLs in response to GuardDuty findings. With just a few steps, you can use this sample pattern to help mitigate threats by blocking communication with suspicious hosts. You can explore additional possible patterns by using <a href="https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_finding-types-active.html" target="_blank" rel="noopener">GuardDuty finding types</a> and Amazon EventBridge <a href="https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/Create-CloudWatch-Events-Rule.html" target="_blank" rel="noopener">target actions</a>. This pattern’s code is <a href="https://github.com/aws-samples/amazon-guardduty-waf-acl" target="_blank" rel="noopener">available on GitHub</a>. Feel free to play around with the code to add more GuardDuty findings to this pattern and also to build bigger and better patterns! Make sure to modify the patterns in this post to suit your defined requirements, and test and validate them before deploying them in a production environment.</p> 
   <p>If you have comments about this blog post, you can submit them in the <strong>Comments</strong> section below. If you have questions about using this pattern, start a thread in the <a href="https://forums.aws.amazon.com/forum.jspa?forumID=288" target="_blank" rel="noopener">GuardDuty</a>, <a href="https://forums.aws.amazon.com/forum.jspa?forumID=207" target="_blank" rel="noopener">AWS WAF</a>, or <a href="https://forums.aws.amazon.com/forum.jspa?forumID=138" target="_blank" rel="noopener">CloudWatch</a> forums, or <a href="https://console.aws.amazon.com/support/home" target="_blank" rel="noopener">contact AWS Support</a>.</p> 
