Waf Charm

[Summary] Operations you should know when using AWS WAF

Overview

Once you start using AWS WAF with managed rules, you may encounter false positives. In this post, we look at how to avoid false positives by adding specific IP addresses to a whitelist so their requests are allowed, and how to add IP addresses that have sent requests containing attacks to a blacklist so their requests are blocked. We also look at how to change a rule's action to Count mode when it produces false positives.

Whitelist

Usages

  • When you want to allow your company's IP addresses
  • When false positives occurred with managed rules and it was confirmed that the requester is a legitimate user

What to do

  1. Create a new whitelist
  2. Add the IP address to the whitelist applied to the Web ACL

Allow Requests from Specific IP Addresses in AWS WAF

Blacklist

Usages

  • When you want to block known malicious IP addresses
  • When log analysis shows frequent requests from a specific IP address that look like an attack

What to do

  1. Create a new blacklist
  2. Add the IP address to the blacklist applied to the Web ACL

Block Attacks from Specific IP Addresses in AWS WAF

Count mode

Usages

  • When a managed rule produces false positives and you do not want it to block requests while you investigate the cause
  • When you want to confirm which requests a rule matches before letting it block them

What to do

  • Change the rule action to Count mode

Change a Specific Rule to Count Mode in AWS WAF
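The three operations above, as an added example that is not code from the WafCharm post or from AWS: Python that builds the whitelist rule, the blacklist rule and the Count-mode override in the JSON shape the AWS WAF (wafv2) Web ACL rule list uses, so a change can be reviewed before it is applied in the console or with the AWS CLI. The IP set ARN, rule names and sample rule list are assumed placeholder values; it assumes the newer wafv2 rule format rather than WAF Classic.

```python
import copy
import ipaddress

# Constructed sample data (not from the post): placeholder IP set ARN and a Web ACL rule list.
ALLOW_IPSET_ARN = "arn:aws:wafv2:ap-northeast-1:123456789012:regional/ipset/office-allowlist/EXAMPLE-ID"
SAMPLE_RULES = [{
    "Name": "AWS-AWSManagedRulesCommonRuleSet",
    "Priority": 0,
    "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
    "OverrideAction": {"None": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": "common"},
}]

def normalize_cidrs(addresses):
    """Return the IPv4 CIDR strings an IP set requires; a bare host address becomes /32."""
    nets = [ipaddress.ip_network(a, strict=False) for a in addresses]
    bad = [str(n) for n in nets if n.version != 4]
    if bad:
        raise ValueError(f"IPv4 IP set only, rejected: {bad}")
    return [str(n) for n in nets]

def prepend_ip_rule(rules, ip_set_arn, name, action):
    """Insert a whitelist (Allow) or blacklist (Block) IP set rule at priority 0 and push
    the existing rules down one priority, so WAF evaluates the IP set before managed rules.
    Allow and Block are terminating actions, so a matched IP never reaches the managed rules."""
    ip_rule = {
        "Name": name,
        "Priority": 0,
        "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
        "Action": {action: {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": name},
    }
    shifted = [dict(r, Priority=r["Priority"] + 1) for r in rules]
    return sorted([ip_rule] + shifted, key=lambda r: r["Priority"])

def count_managed_rule(rules, group_name, rule_name=None):
    """Switch a managed rule group (rule_name=None) or one rule inside it to Count:
    matches are still logged and metered but no longer block the request."""
    rules = copy.deepcopy(rules)
    for r in rules:
        stmt = r["Statement"].get("ManagedRuleGroupStatement")
        if stmt and stmt["Name"] == group_name:
            if rule_name is None:
                r["OverrideAction"] = {"Count": {}}
            else:
                stmt.setdefault("RuleActionOverrides", []).append(
                    {"Name": rule_name, "ActionToUse": {"Count": {}}})
            return rules
    raise KeyError(f"managed rule group not in Web ACL: {group_name}")
```

Because the functions return new rule lists instead of mutating the input, the original Web ACL definition can be diffed against the proposed one before it is pushed.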

Conclusion

We have looked at how to allow requests by using a whitelist when certain IP addresses are blocked due to false positives, and how to block requests by using a blacklist when you receive attacks from specific IP addresses.
You still need to determine the cause when false positives occur, but you can respond quickly by adding legitimate users to a whitelist while you investigate, so please consider using the methods explained in this post.