IP reputation rule groups - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

IP reputation rule groups

IP reputation rule groups block requests based on their source IP address.

Note

These rules use the source IP address from the web request origin. If you have traffic that goes through one or more proxies or load balancers, the web request origin will contain the address of the last proxy, and not the originating address of the client.

Choose one or more of these rule groups if you want to reduce your exposure to bot traffic or exploitation attempts, or if you are enforcing geographic restrictions on your content. For bot management, see also Amazon WAF Bot Control rule group.

The rule groups in this category don't provide versioning or SNS update notifications.

Amazon IP reputation list managed rule group

VendorName: AWS, Name: AWSManagedRulesAmazonIpReputationList, WCU: 25

Note

The information that we publish for the rules in the Amazon Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.

If you need more information than you find here, contact the Amazon Web Services Support Center.

The Amazon IP reputation list rule group contains rules that are based on Amazon internal threat intelligence. This is useful if you would like to block IP addresses typically associated with bots or other threats. Blocking these IP addresses can help mitigate bots and reduce the risk of a malicious actor discovering a vulnerable application.

This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your web ACL. Amazon WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see Web request labeling and Label metrics and dimensions.

Rule name | Description and label

AWSManagedIPReputationList

Inspects for IP addresses that have been identified as actively engaging in malicious activities. Amazon WAF collects the IP address list from various sources, including MadPot, a threat intelligence tool that Amazon uses to protect customers from cybercrime. For more information about MadPot, see https://www.aboutamazon.com/news/aws/amazon-madpot-stops-cybersecurity-crime.

Rule action: Block

Label: awswaf:managed:aws:amazon-ip-list:AWSManagedIPReputationList

AWSManagedReconnaissanceList

Inspects for connections from IP addresses that are performing reconnaissance against Amazon resources.

Rule action: Block

Label: awswaf:managed:aws:amazon-ip-list:AWSManagedReconnaissanceList

AWSManagedIPDDoSList

Inspects for IP addresses that have been identified as actively engaging in DDoS activities.

Rule action: Count

Label: awswaf:managed:aws:amazon-ip-list:AWSManagedIPDDoSList
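Because AWSManagedIPDDoSList only counts by default, and because the labels above are visible only to rules evaluated after this rule group, a web ACL that wants to act on them needs the rule group placed first and a label-match rule (or a rule action override) behind it. The following is an added example, not AWS documentation or code: it builds the two rule definitions in the shape the wafv2 CreateWebACL/UpdateWebACL "Rules" parameter takes, and includes a check that label-match rules really are ordered after the managed group that emits their label. The managed rule group names and labels are the ones on this page; the rule names, priorities and metric names are made up.

```python
"""
Web ACL rules for the Amazon IP reputation list rule group plus a label-match
rule, and an ordering check. Added example; the rule names, priorities and
metric names are hypothetical, the group and label names come from the docs.
"""
import json

DDOS_LABEL = "awswaf:managed:aws:amazon-ip-list:AWSManagedIPDDoSList"

# Label prefix -> managed rule group that emits it (both pairs are documented).
LABEL_PREFIX_TO_GROUP = {
    "awswaf:managed:aws:amazon-ip-list:": "AWSManagedRulesAmazonIpReputationList",
    "awswaf:managed:aws:anonymous-ip-list:": "AWSManagedRulesAnonymousIpList",
}


def visibility(metric_name):
    """CloudWatch metric settings that every web ACL rule must carry."""
    return {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": metric_name,
    }


def reputation_group_rule(priority, override_ddos_to_block=False):
    """Rule that runs the managed rule group. A managed rule group rule uses
    OverrideAction, not Action; "None" keeps each rule's own action. With
    override_ddos_to_block, the Count-only AWSManagedIPDDoSList rule is
    switched to Block inside the group via RuleActionOverrides."""
    statement = {"ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesAmazonIpReputationList",
    }}
    if override_ddos_to_block:
        statement["ManagedRuleGroupStatement"]["RuleActionOverrides"] = [
            {"Name": "AWSManagedIPDDoSList", "ActionToUse": {"Block": {}}}
        ]
    return {
        "Name": "amazon-ip-reputation",          # hypothetical rule name
        "Priority": priority,
        "Statement": statement,
        "OverrideAction": {"None": {}},
        "VisibilityConfig": visibility("amazonIpReputation"),
    }


def block_on_label_rule(priority, label):
    """Regular rule that blocks any request carrying `label`. It can only
    match if it is evaluated after the rule group that adds the label."""
    return {
        "Name": "block-ddos-listed-ips",         # hypothetical rule name
        "Priority": priority,
        "Statement": {"LabelMatchStatement": {"Scope": "LABEL", "Key": label}},
        "Action": {"Block": {}},
        "VisibilityConfig": visibility("blockDdosListedIps"),
    }


def label_rules_out_of_order(rules):
    """Return names of label-match rules that key on a managed label but are
    not evaluated after the group emitting it (WAF evaluates rules in
    ascending Priority), or whose emitting group is absent from the ACL."""
    group_priority = {}
    for r in rules:
        stmt = r["Statement"].get("ManagedRuleGroupStatement")
        if stmt:
            group_priority[stmt["Name"]] = r["Priority"]
    bad = []
    for r in rules:
        match = r["Statement"].get("LabelMatchStatement")
        if not match:
            continue
        for prefix, group in LABEL_PREFIX_TO_GROUP.items():
            if match["Key"].startswith(prefix):
                src = group_priority.get(group)
                if src is None or src >= r["Priority"]:
                    bad.append(r["Name"])
    return bad


if __name__ == "__main__":
    rules = [reputation_group_rule(10), block_on_label_rule(20, DDOS_LABEL)]
    print("out of order:", label_rules_out_of_order(rules))
    print(json.dumps(rules, indent=2))
```

The ordering check is the part worth keeping around: a label-match rule placed ahead of its managed group never fires and silently leaves the Count-only rule as Count.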

Anonymous IP list managed rule group

VendorName: AWS, Name: AWSManagedRulesAnonymousIpList, WCU: 50

Note

The information that we publish for the rules in the Amazon Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.

If you need more information than you find here, contact the Amazon Web Services Support Center.

The Anonymous IP list rule group contains rules to block requests from services that permit the obfuscation of viewer identity. These include requests from VPNs, proxies, Tor nodes, and web hosting providers. This rule group is useful if you want to filter out viewers that might be trying to hide their identity from your application. Blocking the IP addresses of these services can help mitigate bots and evasion of geographic restrictions.

This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your web ACL. Amazon WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see Web request labeling and Label metrics and dimensions.

Rule name | Description and label

AnonymousIPList

Inspects for a list of IP addresses of sources known to anonymize client information, like Tor nodes, temporary proxies, and other masking services.

Rule action: Block

Label: awswaf:managed:aws:anonymous-ip-list:AnonymousIPList

HostingProviderIPList

Inspects for a list of IP addresses from web hosting and cloud providers, which are less likely to source end-user traffic. The IP list does not include Amazon IP addresses.

Rule action: Block

Label: awswaf:managed:aws:anonymous-ip-list:HostingProviderIPList
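Both rule groups record their labels on the evaluated requests, and those labels also appear in web ACL logs, which is how you see what the Count-only AWSManagedIPDDoSList rule would have stopped, or how much legitimate traffic the HostingProviderIPList block is catching, before changing an action. The following is an added example, not AWS code: it summarizes constructed WAF log lines per label. The field names used (action, httpRequest.clientIp, labels[].name) are those of WAF log records; every IP address, URI and count in the sample is invented.

```python
"""
Summarize IP reputation and anonymous IP labels found in AWS WAF log records.
Added example; SAMPLE_LOG is constructed, the label names are the documented ones.
"""
import json
from collections import Counter, defaultdict

# Constructed sample: one JSON record per line, as WAF logging emits them.
# The last line is deliberately malformed to exercise the skip path.
SAMPLE_LOG = """\
{"action": "BLOCK", "httpRequest": {"clientIp": "192.0.2.10", "uri": "/login"}, "labels": [{"name": "awswaf:managed:aws:amazon-ip-list:AWSManagedIPReputationList"}]}
{"action": "BLOCK", "httpRequest": {"clientIp": "192.0.2.10", "uri": "/admin"}, "labels": [{"name": "awswaf:managed:aws:amazon-ip-list:AWSManagedIPReputationList"}]}
{"action": "ALLOW", "httpRequest": {"clientIp": "198.51.100.7", "uri": "/"}, "labels": [{"name": "awswaf:managed:aws:amazon-ip-list:AWSManagedIPDDoSList"}]}
{"action": "ALLOW", "httpRequest": {"clientIp": "198.51.100.7", "uri": "/"}, "labels": [{"name": "awswaf:managed:aws:amazon-ip-list:AWSManagedIPDDoSList"}]}
{"action": "ALLOW", "httpRequest": {"clientIp": "198.51.100.8", "uri": "/search"}, "labels": [{"name": "awswaf:managed:aws:amazon-ip-list:AWSManagedIPDDoSList"}]}
{"action": "BLOCK", "httpRequest": {"clientIp": "203.0.113.5", "uri": "/"}, "labels": [{"name": "awswaf:managed:aws:anonymous-ip-list:AnonymousIPList"}]}
{"action": "ALLOW", "httpRequest": {"clientIp": "203.0.113.9", "uri": "/"}, "labels": []}
this line is not JSON
"""


def parse_records(text):
    """Parse newline-delimited JSON; return (records, number_of_skipped_lines)."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            skipped += 1
    return records, skipped


def summarize_labels(records, prefix="awswaf:managed:aws:"):
    """Per managed label: request count, how many ended BLOCKed vs not, and
    a Counter of client IPs. A label from a Count-action rule shows up with
    not_blocked > 0 unless some other rule blocked the request."""
    stats = defaultdict(lambda: {"requests": 0, "blocked": 0,
                                 "not_blocked": 0, "ips": Counter()})
    for rec in records:
        ip = rec.get("httpRequest", {}).get("clientIp", "?")
        blocked = rec.get("action") == "BLOCK"
        for lab in rec.get("labels", []):
            name = lab.get("name", "")
            if not name.startswith(prefix):
                continue
            s = stats[name]
            s["requests"] += 1
            s["blocked" if blocked else "not_blocked"] += 1
            s["ips"][ip] += 1
    return dict(stats)


def ips_only_counted(records, label):
    """Sorted client IPs that carried `label` but were not blocked, i.e. the
    sources a Block override for that rule would start stopping."""
    return sorted({
        rec["httpRequest"]["clientIp"] for rec in records
        if rec.get("action") != "BLOCK"
        and any(l.get("name") == label for l in rec.get("labels", []))
    })


if __name__ == "__main__":
    recs, skipped = parse_records(SAMPLE_LOG)
    print(f"parsed {len(recs)} records, skipped {skipped}")
    for name, s in summarize_labels(recs).items():
        print(name, s["requests"], "blocked", s["blocked"],
              "not blocked", s["not_blocked"], s["ips"].most_common(3))
    print(ips_only_counted(recs,
          "awswaf:managed:aws:amazon-ip-list:AWSManagedIPDDoSList"))
```

Run it over a real export of web ACL logs (one record per line) in place of SAMPLE_LOG; the not_blocked column for AWSManagedIPDDoSList is the traffic that a Block override or a label-match rule would add to the block count.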