AWS WAF Integration

Block malicious IPs using AWS Web Application Firewall (WAF) IP sets.

Prerequisites

AWS account
AWS WAF v2 configured
IAM credentials with WAF permissions
An existing IP set in WAF

Required IAM Permissions

Create an IAM policy with these permissions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "wafv2:GetIPSet",
        "wafv2:UpdateIPSet",
        "wafv2:ListIPSets"
      ],
      "Resource": "*"
    }
  ]
}

Minimal Permissions (Recommended)

For production, restrict to specific resources:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "wafv2:GetIPSet",
        "wafv2:UpdateIPSet"
      ],
      "Resource": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/webdecoy-blocklist/*"
    },
    {
      "Effect": "Allow",
      "Action": "wafv2:ListIPSets",
      "Resource": "*"
    }
  ]
}

Creating an IP Set

Before configuring the integration, create an IP set in AWS WAF:

For Regional WAF (ALB, API Gateway)

Go to AWS WAF Console
Select your region
Go to IP sets
Click Create IP set
Configure:

Field Value
Name webdecoy-blocklist
Region Your application’s region
IP version IPv4
Click Create IP set
Copy the IP set ID

Field	Value
Name	`webdecoy-blocklist`
Region	Your application’s region
IP version	IPv4

For CloudFront (Global)

Go to AWS WAF Console
Switch to Global (CloudFront)
Go to IP sets
Click Create IP set
Configure:

Field Value
Name webdecoy-blocklist-global
Region Global (CloudFront)
IP version IPv4
Click Create IP set
Copy the IP set ID

Field	Value
Name	`webdecoy-blocklist-global`
Region	Global (CloudFront)
IP version	IPv4

Setting Up Integration

Go to Integrations → AWS WAF
Click Add AWS WAF Integration
Enter credentials:

Field Description
Access Key ID AWS IAM access key
Secret Access Key AWS IAM secret key
Region AWS region (e.g., us-east-1)
Configure IP set:

Field Description
IP Set ID WAF IP set ID
IP Set Name Name for reference
Scope REGIONAL or CLOUDFRONT
Click Connect

Field	Description
Access Key ID	AWS IAM access key
Secret Access Key	AWS IAM secret key
Region	AWS region (e.g., `us-east-1`)

Field	Description
IP Set ID	WAF IP set ID
IP Set Name	Name for reference
Scope	`REGIONAL` or `CLOUDFRONT`

Scope Options

Scope	Use Case
`REGIONAL`	ALB, API Gateway, AppSync
`CLOUDFRONT`	CloudFront distributions

Creating a WAF Rule

After setting up the IP set, create a rule to block IPs:

In AWS Console

Go to AWS WAF → Web ACLs
Select your Web ACL
Go to Rules
Click Add rules → Add my own rules
Configure:

Field Value
Rule type IP set
Name webdecoy-block-rule
IP set Select your IP set
Action Block
Click Add rule

Field	Value
Rule type	IP set
Name	`webdecoy-block-rule`
IP set	Select your IP set
Action	Block

Rule Priority

Place the WebDecoy block rule early in your rule list for fastest blocking.

Blocking Rules in WebDecoy

Configure when to add IPs to the block list:

Go to Integrations → AWS WAF → Rules
Click Add Rule
Configure:

Setting Description
Rule Type Block All or Block by Score
Decoy Which decoy triggers blocking
Score Threshold Minimum score (if by score)
Click Create Rule

Setting	Description
Rule Type	Block All or Block by Score
Decoy	Which decoy triggers blocking
Score Threshold	Minimum score (if by score)

Recommended Settings

Scenario	Score Threshold
High security	50+
Standard	70+
Conservative	85+

How It Works

Detection Created (score: 85)
        │
        ▼
AWS WAF Rule Evaluated
        │
        ├── Score >= Threshold? → Yes
        │
        ▼
Update IP Set via AWS API
        │
        ├── Add IP: 192.168.1.100/32
        │
        ▼
WAF Rule Blocks IP
        │
        ▼
Future requests from IP are blocked

IP Set Limits

Be aware of AWS WAF limits:

Limit	Value
IPs per IP set	10,000
IP sets per region	100
IP sets per Web ACL	10

WebDecoy automatically manages IP set size:

Old entries are removed when approaching limits
IPs are removed after configured duration

Managing Blocked IPs

View Blocked IPs

Go to Integrations → AWS WAF
Click View Blocked IPs
See:
- IP address
- Block reason
- Added timestamp
- Manual unblock option

Unblock an IP

From WebDecoy:

Find IP in blocked list
Click Unblock
IP is removed from AWS WAF IP set

From AWS Console:

Go to WAF → IP sets
Select your IP set
Remove the IP address

Multiple Regions

For applications in multiple regions, create separate integrations:

Integration	Region	IP Set
US East	us-east-1	webdecoy-blocklist-use1
EU West	eu-west-1	webdecoy-blocklist-euw1
Global	CloudFront	webdecoy-blocklist-global

Best Practices

Do’s

✅ Use minimal IAM permissions
✅ Create dedicated IP set for WebDecoy
✅ Monitor IP set size
✅ Set reasonable score thresholds
✅ Test blocking before production

Don’ts

❌ Use root AWS credentials
❌ Share IP set with other tools
❌ Set threshold too low
❌ Forget to create WAF rule for IP set

Troubleshooting

”Access Denied” Error

Verify IAM permissions include required actions
Check credentials are correct
Ensure region matches IP set region
For CloudFront, use CLOUDFRONT scope

”IP Set Not Found” Error

Verify IP set ID is correct
Check region matches
Ensure scope (REGIONAL/CLOUDFRONT) is correct
Verify IP set exists in AWS console

IPs Not Being Blocked

Verify integration is connected (green status)
Check blocking rule is enabled in WebDecoy
Verify WAF rule exists for the IP set
Check Web ACL is associated with your resource
Verify rule priority in Web ACL

IP Set Full

Increase IP set limit (contact AWS)
Reduce block duration
Increase score threshold
WebDecoy auto-removes oldest entries

Cost Considerations

AWS WAF pricing:

Web ACL: $5/month
Rule: $1/month
Requests: $0.60 per million

The WebDecoy integration doesn’t add significant cost beyond existing WAF usage.

Next Steps

Cloudflare - Alternative WAF integration
Datadog - Monitoring integration
Overview - All integrations