How to Use Amazon GuardDuty and AWS WAF v2 to Automatically Block Suspicious Hosts




As cyberthreats continue to grow in scale, staying one step ahead of potential attackers is crucial. Amazon Web Services (AWS) provides a powerful suite of security tools, and two of them, Amazon GuardDuty and AWS Web Application Firewall (WAF) version 2, can work in tandem to automatically block suspicious hosts and protect your AWS resources. Here, we will examine how to set up this pairing for enhanced security.


What are Amazon GuardDuty & AWS WAF v2?

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and unauthorized behavior. It uses machine learning and threat intelligence to identify potential threats, such as unusual API calls, suspicious network traffic, and unauthorized access attempts. 

AWS Web Application Firewall (WAF) version 2 is a managed service that helps protect web applications from common web exploits. It can inspect incoming web traffic and block requests that match predefined conditions, allowing you to filter out malicious traffic before it reaches your applications. 


The Benefits of Combining GuardDuty and AWS WAF v2 

By combining Amazon GuardDuty's threat detection capabilities with AWS WAF v2's request filtering, you can automatically take action against suspicious hosts, enhancing your overall security posture. Here is how it works: 

  • GuardDuty Detects Suspicious Activity: Amazon GuardDuty continuously analyzes events and logs to identify potentially malicious behavior. 
  • GuardDuty Generates Findings: When GuardDuty identifies suspicious activity, it generates findings that provide details about the potential threat. 
  • AWS WAF v2 Blocks Malicious Hosts: By using AWS WAF v2, you can create rules that block specific IP addresses or IP ranges associated with the suspicious activity identified by GuardDuty. 
  • Automatic Remediation: When GuardDuty findings trigger a rule in AWS WAF v2, the corresponding IP addresses are automatically blocked, preventing them from accessing your applications or resources. 


Step-by-Step Guide to Setting Up Automatic Blocking 

Now, let's dive into the practical steps to set up this automated threat response system: 

Step 1: Enable Amazon GuardDuty 

  • Log in to your AWS Management Console. 
  • Navigate to the Amazon GuardDuty console. 
  • Click 'Get started' to enable GuardDuty in your AWS account. 
  • Configure the necessary settings, including enabling the 'GuardDuty Detector.' 

Step 2: Create an AWS WAF v2 WebACL 

  • In the AWS WAF console, create a new WebACL. 
  • Define the conditions that will trigger automatic blocking. This may include specific IP addresses, IP ranges, or patterns associated with suspicious behavior. 
  • Add a rule to the WebACL that blocks requests matching these conditions. 


Step 3: Set Up a Lambda Function 

  • Create an AWS Lambda function that can be triggered by GuardDuty findings. 
  • In the Lambda function, write code to parse GuardDuty findings and extract the relevant IP addresses. 
  • Use the AWS SDK to update the AWS WAF v2 WebACL with the IP addresses extracted from GuardDuty findings. 
  • Ensure that the Lambda function has the necessary permissions to update the WebACL. 


Step 4: Create a CloudWatch Event Rule 

  • Create a CloudWatch Event Rule that listens for GuardDuty findings. 
  • Configure the rule to trigger the Lambda function you created in step 3 when specific findings are detected. 


Step 5: Test and Monitor 

  • Test the setup by simulating a threat or by using a known malicious IP address. 
  • Monitor the system for automatic blocking and investigate the blocked IP addresses to confirm that they match the suspicious activity. 
  • Fine-tune your rules and Lambda function as needed to reduce false positives and improve accuracy. 
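As an added example that is not part of the original article, the following Python Lambda handler implements steps 3 and 4 end to end: it carries the EventBridge pattern for the rule that routes GuardDuty findings to the function, parses the finding to pull out the remote address, filters out addresses that should never be blocked, and merges the result into a WAF v2 IP set using the lock token that WAF v2 requires. The field paths under `service.action` follow the GuardDuty finding format; the IP set name, ID and scope come from hypothetical environment variables; `FakeWafv2` and `SAMPLE_EVENT` are stand-ins constructed here so the code runs offline without boto3 or an AWS account.

```python
"""Lambda handler for step 3: parse a GuardDuty finding and add the offending
source address to the WAF v2 IP set that the WebACL's block rule references."""
import ipaddress
import os

# EventBridge pattern for the rule in step 4 (the source / detail-type values
# GuardDuty emits). Narrow it further by severity if you want fewer invocations.
EVENT_PATTERN = {"source": ["aws.guardduty"], "detail-type": ["GuardDuty Finding"]}

# Assumed deployment configuration, supplied via Lambda environment variables.
IP_SET_NAME = os.environ.get("IP_SET_NAME", "guardduty-blocked-hosts")
IP_SET_ID = os.environ.get("IP_SET_ID", "PLACEHOLDER-IP-SET-ID")
IP_SET_SCOPE = os.environ.get("IP_SET_SCOPE", "REGIONAL")  # CLOUDFRONT for CloudFront ACLs
MIN_SEVERITY = float(os.environ.get("MIN_SEVERITY", "4"))  # ignore low-severity noise

# Ranges that can never be an internet client of the WebACL; a finding naming one
# of these points at an internal host, which a WAF block would not reach anyway.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def blockable(ip):
    """True for a well-formed IPv4 address outside the non-routable ranges."""
    try:
        addr = ipaddress.IPv4Address(ip)
    except (ValueError, TypeError):
        return False
    return not any(addr in net for net in NON_ROUTABLE)


def extract_remote_ips(finding):
    """Return the remote IPv4 addresses that acted against our resources.

    GuardDuty records the remote endpoint under service.action.<type>Action.
    Port probes and INBOUND connections originate from the remote host; for an
    OUTBOUND connection the remote address is the destination, not a WAF target.
    """
    action = finding.get("service", {}).get("action", {})
    kind = action.get("actionType")
    candidates = []
    if kind == "PORT_PROBE":
        for probe in action.get("portProbeAction", {}).get("portProbeDetails", []):
            candidates.append(probe.get("remoteIpDetails", {}).get("ipAddressV4"))
    elif kind == "NETWORK_CONNECTION":
        nca = action.get("networkConnectionAction", {})
        if nca.get("connectionDirection") == "INBOUND":
            candidates.append(nca.get("remoteIpDetails", {}).get("ipAddressV4"))
    elif kind == "AWS_API_CALL":
        api = action.get("awsApiCallAction", {})
        candidates.append(api.get("remoteIpDetails", {}).get("ipAddressV4"))
    # DNS_REQUEST and other action types carry no address a WAF rule can act on.
    ips = []
    for ip in candidates:
        if blockable(ip) and ip not in ips:
            ips.append(ip)
    return ips


def merge_into_ip_set(wafv2, cidrs):
    """Append new CIDRs to the IP set. The LockToken from get_ip_set must be passed
    to update_ip_set, so a concurrent invocation cannot silently overwrite us."""
    current = wafv2.get_ip_set(Name=IP_SET_NAME, Scope=IP_SET_SCOPE, Id=IP_SET_ID)
    addresses = list(current["IPSet"]["Addresses"])
    new = [c for c in cidrs if c not in addresses]
    if not new:
        return addresses  # idempotent: nothing to write
    addresses.extend(new)
    wafv2.update_ip_set(Name=IP_SET_NAME, Scope=IP_SET_SCOPE, Id=IP_SET_ID,
                        Addresses=addresses, LockToken=current["LockToken"])
    return addresses


def lambda_handler(event, context=None, wafv2=None):
    """Entry point invoked by the EventBridge rule; `wafv2` is injectable for tests."""
    finding = event.get("detail", {})
    if float(finding.get("severity", 0)) < MIN_SEVERITY:
        return {"blocked": [], "reason": "below severity threshold"}
    cidrs = [ip + "/32" for ip in extract_remote_ips(finding)]
    if not cidrs:
        return {"blocked": [], "reason": "no blockable remote address"}
    if wafv2 is None:
        import boto3  # execution role needs wafv2:GetIPSet and wafv2:UpdateIPSet
        wafv2 = boto3.client("wafv2")
    merge_into_ip_set(wafv2, cidrs)
    return {"blocked": cidrs, "finding_type": finding.get("type")}


class FakeWafv2:
    """Offline stand-in for boto3's wafv2 client (constructed for this example)."""
    def __init__(self, addresses=()):
        self.addresses, self.token, self.updates = list(addresses), "tok-0", 0

    def get_ip_set(self, **kw):
        return {"IPSet": {"Addresses": list(self.addresses)}, "LockToken": self.token}

    def update_ip_set(self, **kw):
        if kw["LockToken"] != self.token:
            raise RuntimeError("stale LockToken; WAF would reject this update")
        self.updates += 1
        self.addresses, self.token = list(kw["Addresses"]), "tok-%d" % self.updates
        return {"NextLockToken": self.token}


# Constructed sample event in the shape EventBridge delivers for a GuardDuty finding.
SAMPLE_EVENT = {
    "source": "aws.guardduty", "detail-type": "GuardDuty Finding",
    "detail": {"type": "Recon:EC2/PortProbeUnprotectedPort", "severity": 5,
               "service": {"action": {"actionType": "PORT_PROBE", "portProbeAction": {
                   "portProbeDetails": [
                       {"remoteIpDetails": {"ipAddressV4": "203.0.113.25"}},
                       {"remoteIpDetails": {"ipAddressV4": "10.0.0.7"}}]}}}}}  # internal, skipped

if __name__ == "__main__":
    fake = FakeWafv2(["198.51.100.9/32"])
    print(lambda_handler(SAMPLE_EVENT, wafv2=fake))  # blocks 203.0.113.25/32 only
    print(lambda_handler(SAMPLE_EVENT, wafv2=fake))  # second run writes nothing
    print(fake.addresses, fake.updates)
```

In a real deployment the IP set is created once (step 2) and referenced by a rule whose action is Block, and the function's execution role needs only `wafv2:GetIPSet` and `wafv2:UpdateIPSet` on that IP set, which keeps step 3's permission requirement to a minimum. The severity threshold and the INBOUND check are the two knobs that most reduce false positives in step 5; without the direction check, a finding about an outbound connection from a compromised instance would add the destination to the block list rather than the attacker. For the testing in step 5, GuardDuty can generate sample findings from its console, which exercise the EventBridge rule and this function without any real traffic.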


By combining the capabilities of Amazon GuardDuty and AWS WAF v2, you can create a robust automated security system that detects and responds to threats in real time. This proactive approach to security helps protect your AWS resources and applications from potential attacks, allowing you to focus on growing your business with confidence in your cloud infrastructure's security. Cybersecurity is an ongoing process, and it's essential to stay vigilant and continuously adapt your security measures to emerging threats.
