How do I allow a legitimate IP address when using the IP reputation list or anonymous IP list in AWS WAF?


My legitimate requests are being blocked by an Amazon IP reputation list managed rule group or Anonymous IP list managed rule group. How do I allow my IP address in AWS WAF?

Short description

Legitimate requests might be blocked by one of the following AWS managed rule groups:

  • Amazon IP reputation list (rule AWSManagedIPReputationList)
  • Anonymous IP list (rule AnonymousIPList)

To allow a specific IP address or set of addresses, use one of the following methods:

  • Scope-down statements narrow the set of requests that the rule group evaluates; requests outside the scope are not inspected by any rule in that group. Choose this option when the logic belongs to a single rule group.
  • Labels on web requests let a rule that matches a request pass the match result to rules that are evaluated later in the same web ACL. Choose this option to reuse the same logic across multiple rules.

Resolution

Option 1: Using scope-down statements

First, create an IP set.

  1. Open the AWS WAF console.
  2. In the navigation pane, choose IP sets, and then choose Create IP set.
  3. Enter an IP set name and, optionally, a description. For example: MyTrustedIPs.
    Note: You can't change the IP set name after you create the IP set.
  4. For Region, choose the AWS Region where you want to store the IP set. To use an IP set in web ACLs that protect Amazon CloudFront distributions, you must use Global (CloudFront).
  5. For IP version, choose the version you want to use.
  6. For IP addresses, enter one IP address or IP address range per line that you want to allow in CIDR notation.
    Note: AWS WAF supports all IPv4 and IPv6 CIDR ranges except for /0.
    Examples:
    To specify the IPv4 address 192.168.0.26, enter 192.168.0.26/32.
    To specify the IPv6 address 0:0:0:0:0:ffff:c000:22c, enter 0:0:0:0:0:ffff:c000:22c/128.
    To specify the range of IPv4 addresses from 192.168.20.0 to 192.168.20.255, enter 192.168.20.0/24.
    To specify the range of IPv6 addresses from 2620:0:2d0:200:0:0:0:0 to 2620:0:2d0:200:ffff:ffff:ffff:ffff, enter 2620:0:2d0:200::/64.
  7. Review the settings for the IP set. If it matches your specifications, choose Create IP set.

Then, add a scope-down statement to the AWS managed rule group that is blocking your requests.

  1. In the navigation pane, under AWS WAF, choose Web ACLs.
  2. For Region, select the AWS Region where you created your web ACL.
    Note: Select Global if your web ACL is set up for Amazon CloudFront.
  3. Select your web ACL.
  4. In the web ACL Rules tab, choose the specific AWS Managed Rule group that is blocking your request, and then choose Edit.
  5. For Scope-down statement - optional, select Enable scope-down statement.
  6. For If a request, choose doesn't match the statement (NOT).
  7. On Statement, for Inspect, choose Originates from IP address in.
  8. For IP Set, choose the IP Set you created earlier. For example: MyTrustedIPs.
  9. For IP address to use as the originating address, choose Source IP address.
  10. Choose Save rule.
    Note: The scope-down statement applies to the whole rule group, so requests from the IP set are no longer inspected by any rule in that group. Keep the IP set limited to the addresses that actually need the exception.

Option 2: Using labels on web requests

First, create an IP set. Follow steps 1 through 7 under Option 1 to create the IP set (for example: MyTrustedIPs) in the same Region as your web ACL, or Global (CloudFront) for a CloudFront web ACL.

Then, change the action of the blocking rule in the managed rule group to Count.

  1. In the web ACL page Rules tab, select the AWS Managed rule group blocking your request, and then choose Edit.
  2. In the Rules section for the rule group, do one of the following:
    For the Amazon IP reputation list group, turn on Count for AWSManagedIPReputationList.
    For the Anonymous IP list group, turn on Count for AnonymousIPList.
    Note: A rule set to Count still adds its label to matching requests, but it no longer blocks them. The rule you create next does the blocking.
  3. Choose Save rule.

Finally, create a rule with a higher priority number than the managed rule group that was blocking the request. AWS WAF evaluates rules in ascending order of priority number, so the new rule runs after the rule group and can see the label that the group adds.

  1. In the navigation pane, under AWS WAF, choose Web ACLs.
  2. For Region, choose the AWS Region where you created your web ACL. Note: Select Global if your web ACL is set up for Amazon CloudFront.
  3. Select your web ACL.
  4. Choose Rules.
  5. Choose Add Rules, and then choose Add my own rules and rule groups.
  6. For Name, enter a rule name, and then choose Regular Rule.
  7. For If a request, choose matches all the statements (AND).
  8. On Statement 1:
    For Inspect, choose Has a label.
    For Match scope, choose Label.
    For Match key, enter either awswaf:managed:aws:amazon-ip-list:AWSManagedIPReputationList or awswaf:managed:aws:anonymous-ip-list:AnonymousIPList, depending on which managed rule was blocking your request.
  9. On Statement 2:
    For Negate statement (NOT), choose Negate statement results.
    For Inspect, choose Originates from IP address in.
    For IP set, choose the IP set you created earlier.
    For IP address to use as the originating address, choose Source IP address.
  10. For Action, choose Block.
  11. Choose Add Rule.
  12. For Set rule priority, move the rule below the AWS managed rule group that was blocking the request. If the rule is evaluated before the rule group, the label does not exist yet, the rule never matches, and reputation-listed or anonymous traffic is no longer blocked at all.
  13. Choose Save.

Important: It’s a best practice to test rules in a non-production environment with the Action set to Count. Evaluate the rule using Amazon CloudWatch metrics combined with AWS WAF sampled requests or AWS WAF logs. When you're satisfied that the rule does what you want, change the Action to Block.
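To check the priority and label logic of both options before touching a live web ACL, the following Python dry run is added here (example code, not from the AWS article). The rule dictionaries use the AWS WAFv2 JSON shape that `aws wafv2 update-web-acl --rules` accepts, but the evaluator is a deliberately small stand-in for AWS WAF: it handles only the statement types these two methods need, and the managed rule group is modelled as a constructed list of "reputation-listed" networks. The IP set ARN, the rule names, the metric names and every sample address are made up. The last case shows what happens when the custom rule in Option 2 is placed above the rule group.

```python
"""Local dry run of Option 1 (scope-down) and Option 2 (labels) from the article.

Added example, not code from the AWS article. The evaluator is a stand-in for
AWS WAF that only models: ManagedRuleGroupStatement with ScopeDownStatement and
RuleActionOverrides, IPSetReferenceStatement, NotStatement, AndStatement and
LabelMatchStatement. Everything below is constructed sample data.
"""
import ipaddress

MANAGED_RULE = "AWSManagedIPReputationList"
MANAGED_LABEL = "awswaf:managed:aws:amazon-ip-list:" + MANAGED_RULE
# Constructed stand-in for the managed rule's data: sources in this block are "listed".
REPUTATION_LISTED = [ipaddress.ip_network("203.0.113.0/24")]
# The IP set created in the console (MyTrustedIPs). 203.0.113.10 is a legitimate
# host that happens to sit inside the listed range: the false positive to fix.
TRUSTED_ARN = "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/MyTrustedIPs/0000"
IP_SETS = {TRUSTED_ARN: [ipaddress.ip_network("203.0.113.10/32"),
                        ipaddress.ip_network("192.168.20.0/24")]}


def vis(name):
    """VisibilityConfig block that the API requires on every rule."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name}


def managed_group_rule(name="AWSManagedRulesAmazonIpReputationList", **extra):
    """Rule referencing the managed group; `extra` carries ScopeDownStatement or RuleActionOverrides."""
    return {"Name": "AWS-" + name, "Priority": 0, "OverrideAction": {"None": {}},
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": name, **extra}},
            "VisibilityConfig": vis(name)}


NOT_TRUSTED = {"NotStatement": {"Statement": {"IPSetReferenceStatement": {"ARN": TRUSTED_ARN}}}}

# Option 1: the group only evaluates requests that do NOT come from the trusted IP set.
OPTION_1 = [managed_group_rule(ScopeDownStatement=NOT_TRUSTED)]

# Option 2: the managed rule is switched to Count (it still adds its label) and a
# custom rule with a higher priority number (evaluated later) does the blocking.
OPTION_2 = [
    managed_group_rule(RuleActionOverrides=[{"Name": MANAGED_RULE, "ActionToUse": {"Count": {}}}]),
    {"Name": "BlockListedExceptTrusted", "Priority": 1, "Action": {"Block": {}},
     "Statement": {"AndStatement": {"Statements": [
         {"LabelMatchStatement": {"Scope": "LABEL", "Key": MANAGED_LABEL}}, NOT_TRUSTED]}},
     "VisibilityConfig": vis("BlockListedExceptTrusted")},
]


def ip_in(ip, nets):
    return any(ip in net for net in nets)


def match(stmt, req):
    """Evaluate a non-managed-group statement against req = {"ip": ..., "labels": set()}."""
    if "IPSetReferenceStatement" in stmt:  # "Source IP address" as the originating address
        return ip_in(req["ip"], IP_SETS[stmt["IPSetReferenceStatement"]["ARN"]])
    if "NotStatement" in stmt:
        return not match(stmt["NotStatement"]["Statement"], req)
    if "AndStatement" in stmt:
        return all(match(s, req) for s in stmt["AndStatement"]["Statements"])
    if "LabelMatchStatement" in stmt:  # labels exist only if an earlier rule added them
        return stmt["LabelMatchStatement"]["Key"] in req["labels"]
    raise NotImplementedError("statement type not modelled: " + next(iter(stmt)))


def evaluate(rules, src_ip):
    """Return "BLOCK" or "ALLOW" for a request from src_ip under these web ACL rules."""
    req = {"ip": ipaddress.ip_address(src_ip), "labels": set()}
    for rule in sorted(rules, key=lambda r: r["Priority"]):  # lowest number runs first
        stmt = rule["Statement"]
        if "ManagedRuleGroupStatement" in stmt:
            group = stmt["ManagedRuleGroupStatement"]
            scope = group.get("ScopeDownStatement")
            if scope is not None and not match(scope, req):
                continue  # outside the scope-down: the group does not inspect this request
            if ip_in(req["ip"], REPUTATION_LISTED):
                req["labels"].add(MANAGED_LABEL)  # added whether the action is Block or Count
                overrides = {o["Name"]: next(iter(o["ActionToUse"]))
                             for o in group.get("RuleActionOverrides", [])}
                if overrides.get(MANAGED_RULE, "Block") == "Block":
                    return "BLOCK"
            continue
        if match(stmt, req):
            return next(iter(rule["Action"])).upper()
    return "ALLOW"  # web ACL default action


def with_swapped_priorities(rules):
    """Misconfiguration to test: the custom rule runs before the group that sets the label."""
    ordered = sorted(rules, key=lambda r: r["Priority"])
    return [dict(r, Priority=len(ordered) - 1 - i) for i, r in enumerate(ordered)]


if __name__ == "__main__":
    cases = (("Option 1", OPTION_1), ("Option 2", OPTION_2),
             ("Option 2, wrong order", with_swapped_priorities(OPTION_2)))
    for title, rules in cases:
        for ip in ("203.0.113.10", "203.0.113.99", "198.51.100.5"):
            print(f"{title:22} {ip:14} -> {evaluate(rules, ip)}")
```

In both correct configurations the trusted host 203.0.113.10 is allowed while 203.0.113.99 is still blocked. With the priorities swapped, 203.0.113.99 is allowed because the custom rule looks for a label that no earlier rule has added, which is the failure mode step 12 guards against.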


Related information

How can I detect false positives caused by AWS Managed Rules and add them to a safe list?

AWS OFFICIAL, updated 2 years ago