AWS Advanced Threat Intelligence
## Dynamic WAF Rule Generation
```python
import os

import boto3

# Assumption (not in the original post): the IP set's Id is supplied through
# the Lambda environment. wafv2 get_ip_set/update_ip_set require Name, Scope
# and Id together; the original omitted Id and the Scope on the update.
IP_SET_NAME = os.environ.get('IP_SET_NAME', 'blocked_ips')
IP_SET_ID = os.environ['IP_SET_ID']


def lambda_handler(event, context):
    # Findings are expected in the GuardDuty GetFindings (PascalCase) shape.
    guardduty_findings = event['detail']['findings']
    waf = boto3.client('wafv2')
    for finding in guardduty_findings:
        if finding['Type'] != 'UnauthorizedAccess:EC2/SSHBruteForce':
            continue
        # The brute-forcing host is the remote side of the network connection
        # in the finding; the original read the target instance's own address,
        # which would block your own EC2 instance.
        conn = finding['Service']['Action']['NetworkConnectionAction']
        if conn.get('ConnectionDirection') != 'INBOUND':
            continue
        attacker_ip = conn['RemoteIpDetails']['IpAddressV4']
        ip_set = waf.get_ip_set(Name=IP_SET_NAME, Scope='REGIONAL', Id=IP_SET_ID)
        # WAF IP sets hold CIDR strings, so append /32; de-duplicate before writing back.
        new_ips = sorted(set(ip_set['IPSet']['Addresses']) | {f'{attacker_ip}/32'})
        waf.update_ip_set(
            Name=IP_SET_NAME,
            Scope='REGIONAL',
            Id=IP_SET_ID,
            Addresses=new_ips,
            LockToken=ip_set['LockToken'],
        )
```
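The handler above hides two things a practitioner hits immediately: which findings actually name an attacker (only inbound brute force does; an outbound finding means your instance is the scanner), and what happens when two Lambda invocations race on the same IP set (the second `update_ip_set` fails with a lock error because its `LockToken` is stale). The following is an added example, not code from the original post or from AWS: it separates the finding-to-CIDR logic into a pure function, filters out addresses that should never land in a block list, and wraps the get/update pair in a retry loop. The findings are constructed in the GuardDuty GetFindings (PascalCase) shape, `FakeWaf` is a stand-in for the boto3 `wafv2` client that enforces the lock token the way the service does, and the IP set id is a placeholder. Note that WAF only inspects HTTP(S) traffic reaching CloudFront, ALB or API Gateway, so this keeps the brute-forcer off your web endpoints; the SSH traffic itself is stopped at the NACL or security group.

```python
import ipaddress

SSH_BRUTE = 'UnauthorizedAccess:EC2/SSHBruteForce'

# Ranges that must never be pushed into a public block list, even if a
# misconfigured or spoofed finding names them.
_NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16', '127.0.0.0/8',
    '169.254.0.0/16', 'fc00::/7', 'fe80::/10', '::1/128')]


def _blockable(ip):
    # `ip in network` is False across address families, so mixing is safe here.
    return not any(ip in net for net in _NEVER_BLOCK)


def attacker_cidrs(findings):
    """Return WAF-ready CIDRs for the sources of inbound SSH brute-force findings.

    Assumes the GuardDuty GetFindings (PascalCase) shape; IpAddressV6 is read
    when present (assumption: finding carries it for IPv6 sources).
    """
    cidrs = []
    for f in findings:
        if f.get('Type') != SSH_BRUTE:
            continue
        conn = f.get('Service', {}).get('Action', {}).get('NetworkConnectionAction', {})
        if conn.get('ConnectionDirection') != 'INBOUND':
            continue                      # outbound: our instance is the attacker
        remote = conn.get('RemoteIpDetails', {})
        raw = remote.get('IpAddressV4') or remote.get('IpAddressV6')
        if not raw:
            continue
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue                      # garbage in the finding, skip it
        if _blockable(ip):
            cidrs.append(f'{ip}/{ip.max_prefixlen}')   # /32 or /128
    return cidrs


class OptimisticLockError(Exception):
    """Local stand-in for boto3's waf.exceptions.WAFOptimisticLockException."""


def block_with_retry(waf, cidrs, name='blocked_ips', scope='REGIONAL',
                     ip_set_id='00000000-0000-0000-0000-000000000000',   # placeholder
                     lock_exc=OptimisticLockError, attempts=3):
    """Merge cidrs into the IP set; re-read and retry if another writer won the race."""
    for _ in range(attempts):
        current = waf.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
        existing = sorted(current['IPSet']['Addresses'])
        merged = sorted(set(existing) | set(cidrs))
        if merged == existing:
            return merged                 # nothing new: do not burn a write
        try:
            waf.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                              Addresses=merged, LockToken=current['LockToken'])
            return merged
        except lock_exc:
            continue                      # stale token: loop to fetch a fresh one
    raise RuntimeError(f'IP set {name} still locked after {attempts} attempts')


class FakeWaf:
    """Constructed stand-in for the boto3 wafv2 client with LockToken semantics."""
    def __init__(self, addresses, conflicts=0):
        self.addresses, self.token, self.calls, self.conflicts = list(addresses), 'tok-0', 0, conflicts

    def get_ip_set(self, Name, Scope, Id):
        return {'IPSet': {'Name': Name, 'Id': Id, 'Addresses': list(self.addresses)},
                'LockToken': self.token}

    def update_ip_set(self, Name, Scope, Id, Addresses, LockToken):
        if self.conflicts:                # simulate a competing writer landing first
            self.conflicts -= 1
            self.token = f'{self.token}-bumped'
            raise OptimisticLockError(LockToken)
        if LockToken != self.token:
            raise OptimisticLockError(LockToken)
        self.addresses, self.calls = list(Addresses), self.calls + 1
        self.token = f'tok-{self.calls}'
        return {'NextLockToken': self.token}


def _finding(ftype, direction, v4=None, v6=None):
    remote = {k: v for k, v in (('IpAddressV4', v4), ('IpAddressV6', v6)) if v}
    return {'Type': ftype, 'Service': {'Action': {'NetworkConnectionAction': {
        'ConnectionDirection': direction, 'RemoteIpDetails': remote}}}}


# Constructed sample findings (documentation address ranges).
SAMPLE_FINDINGS = [
    _finding(SSH_BRUTE, 'INBOUND', v4='203.0.113.5'),        # real attacker
    _finding(SSH_BRUTE, 'OUTBOUND', v4='198.51.100.7'),      # we are the scanner
    _finding(SSH_BRUTE, 'INBOUND', v4='10.0.0.9'),           # internal, never block
    _finding('Recon:EC2/PortProbeUnprotectedPort', 'INBOUND', v4='198.51.100.9'),
    _finding(SSH_BRUTE, 'INBOUND', v6='2001:db8::1'),        # IPv6 attacker
]

if __name__ == '__main__':
    waf = FakeWaf(['198.51.100.20/32'], conflicts=1)
    print(block_with_retry(waf, attacker_cidrs(SAMPLE_FINDINGS)))
```

Against a real client, call `block_with_retry(boto3.client('wafv2'), cidrs, ip_set_id=..., lock_exc=waf.exceptions.WAFOptimisticLockException)`; everything else stays the same. The no-op path matters in practice: GuardDuty re-emits updated findings for the same source, and skipping the write when the set already contains the address avoids both lock contention and WAF's per-IP-set size limits filling with duplicates.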
## Security Hub Automation Framework
```yaml
Resources:
  SecurityAutomationRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: [lambda.amazonaws.com]
            Action: ['sts:AssumeRole']
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AWSWAFFullAccess
```

`AWSWAFFullAccess` is far broader than this function needs: the handler only calls `wafv2:GetIPSet` and `wafv2:UpdateIPSet` on one IP set, so an inline policy granting those two actions on that IP set's ARN (plus the basic Lambda execution permissions for logging) is the least-privilege shape. A role that can rewrite every web ACL in the account is an attractive target if the Lambda's event source is ever spoofable.
This post is licensed under CC BY 4.0 by the author.