The purpose of this Lambda function is to contact third-party IP reputation list providers and update the existing WAFv2 IP sets.
This Lambda function is part of the AWS WAF Security Automations project.
See the AWS docs for reference.
AWS Architecture Diagram
- AWS WAF contains the WAFv2 HTTP Flood blocklist IP set which is used as a block list for the IP addresses detected by the HTTP Flood Detection Lambda function.
- This Lambda function will be triggered by a time-based CloudWatch trigger.
- It will first contact third-party IP reputation list providers and build two IP lists, an 'attacker' IP reputation list and a 'malware' IP reputation list.
- Then it will update the two IP sets in WAFv2 with the newly discovered IP reputation lists.
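The feed-to-IP-set flow described above, as an added example that is not the project's own code: it validates one downloaded feed body and then replaces one WAFv2 IP set with the result. The feed format (one address or CIDR per line, `#` or `;` comments), the function names, the IPv4-only choice and the refusal to write an empty list are assumptions made for illustration.

```python
import ipaddress

MAX_ADDRESSES = 10000  # WAFv2 quota for addresses in one IP set

# Constructed sample feed body (documentation ranges, not real indicators).
SAMPLE_FEED = """\
# constructed sample
192.0.2.10
192.0.2.77/24 ; host bits set
198.51.100.0/25
198.51.100.128/25
0.0.0.0/0
not-an-ip
2001:db8::/32
"""

def parse_feed(text):
    """Return sorted, collapsed IPv4 CIDR strings from one feed body."""
    nets = set()
    for line in text.splitlines():
        token = line.split("#")[0].split(";")[0].strip()
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            continue  # not an address: never forward raw feed text to WAF
        # An IP set holds one IP version; WAFv2 does not accept /0 ranges.
        if net.version == 4 and net.prefixlen > 0:
            nets.add(net)
    return [str(n) for n in ipaddress.collapse_addresses(nets)]

def update_ip_set(waf, name, scope, ip_set_id, addresses):
    """Replace an IP set's contents; waf is a boto3 'wafv2' client."""
    if not addresses:
        # Assumed policy: a failed or empty download must not wipe the set.
        raise ValueError("refusing to replace IP set with an empty list")
    if len(addresses) > MAX_ADDRESSES:
        raise ValueError("list exceeds the WAFv2 per-set address quota")
    current = waf.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    if sorted(current["IPSet"]["Addresses"]) == sorted(addresses):
        return False  # unchanged, skip the write
    # update_ip_set overwrites the whole list and needs the current LockToken.
    waf.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                      Addresses=addresses, LockToken=current["LockToken"])
    return True

if __name__ == "__main__":
    print(parse_feed(SAMPLE_FEED))
```

Because the client is passed in, the update path can be exercised with a stub in unit tests, without AWS credentials.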
You will need the following dependencies installed on your system before getting started:
- AWS SAM CLI - brew install aws-sam-cli
- Docker
- Python3.8 - brew install python3.8
- Pytest - pip3 install pytest
Use the Makefile to set up:
make install
To build the application:
sam build
To run and test the function locally using Docker:
sam local invoke
To run all tests:
python3.8 -m pytest ./tests/ -sv
To run unit tests only:
python3.8 -m pytest ./tests/unit -sv
To run integration tests only:
python3.8 -m pytest ./tests/integration -sv