This guide explains how to consume the IP-based Indicators of Compromise (IOCs) in this repository: IP addresses that have been observed attacking AWS infrastructure.
- Introduction
- Prerequisites
- Understanding the IOCs
- Integrating IOCs with AWS Services
- Automating IOC Updates
- Contact and Support
The IOCs provided in this repository are IP addresses that have been identified as sources of malicious activity against AWS services. They can be used to detect traffic to or from those addresses and, with care, to block it. Keep in mind that an IP address is a low-fidelity, short-lived indicator: attackers rotate through cloud, VPN and NAT addresses that legitimate users share, so treat a match as a prompt to investigate rather than proof of compromise, and age old entries out rather than accumulating them indefinitely.
- Active AWS account with appropriate permissions.
- Understanding of AWS security services and features.
- Familiarity with network security and incident response concepts.
The IOCs are organised by date, one list per date, and each entry is an IP address with, where available, context on the nature of the activity observed from it.
You can use these IP-based IOCs with services such as AWS WAF (an IP set referenced by a rule that counts or blocks matching requests), Amazon GuardDuty (a custom threat IP list uploaded to S3, which makes GuardDuty generate findings for activity involving the listed addresses), or VPC Flow Logs (query the logs, for example with Athena or CloudWatch Logs Insights, for flows to or from the listed addresses).
- Select AWS Service: Choose an AWS service that supports IP-based monitoring or blocking.
- Import IOCs: Upload the list of malicious IPs to the service in the format that service expects. AWS WAF IP sets take CIDR notation (a single host is `/32` for IPv4 or `/128` for IPv6) and hold either IPv4 or IPv6 addresses, not both, so keep two sets; GuardDuty threat IP lists are plain-text files in S3 with one address per line. Drop malformed entries and any private, loopback or link-local addresses before importing.
- Configure Monitoring or Blocking: Start by alerting (a WAF rule in COUNT mode, or GuardDuty findings) and review what matches for a few days before switching to outright blocking, so that a shared or recycled address does not lock out legitimate users.
- Respond to Incidents: Establish a response plan for alerts generated by IOC matches. Prioritise outbound, accepted connections from your resources to a listed address over inbound scans: the former suggests a compromised resource, the latter is background noise.
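The following is an added example, not code from this repository: it parses a dated IOC file into a validated address list and then checks VPC Flow Log records against it, which covers both the list layout described above and the monitoring step. The file format it assumes (one IP per line, an optional `,context`, `#` comment lines) and the sample data are constructed, since the repository does not specify a layout; adapt `parse_ioc_file()` to the real files.

```python
"""Added example, not part of the IOC repository: parse a dated IOC file and
check VPC Flow Log records against it.

Assumptions (not specified by the repository): the file holds one IP per line,
optionally followed by ",context", with '#' comment lines; flow logs use the
default version-2 format.  Adapt parse_ioc_file() to the real file layout."""
import ipaddress
from typing import Dict, List

# Address ranges that must never end up in a blocklist, whatever the feed says.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed sample of a dated IOC file (documentation-range addresses only).
SAMPLE_IOC_FILE = """# 2024-01-15 (constructed sample)
198.51.100.23,SSH brute force against EC2
203.0.113.7,credential stuffing against an ALB
203.0.113.7,duplicate entry that must be collapsed
not-an-ip,malformed line that must be skipped
10.0.0.5,private address that must be dropped
2001:db8::1,IPv6 scanner
"""

# Constructed VPC Flow Log records (default format, version 2, space separated:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status).
SAMPLE_FLOW_LOGS = """2 123456789012 eni-0a1b2c3d4e5f6a7b8 198.51.100.23 10.0.1.12 51234 22 6 20 1200 1705312800 1705312860 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 192.0.2.10 10.0.1.12 40000 443 6 10 800 1705312800 1705312860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 10.0.1.12 203.0.113.7 44321 443 6 15 3000 1705312800 1705312860 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f6a7b8 - - - - - - - 1705312800 1705312860 - NODATA
"""


def parse_ioc_file(text: str) -> Dict[str, str]:
    """Return {ip: context}.  Malformed lines are skipped, duplicates keep the
    first context, and internal/loopback/link-local addresses are refused."""
    iocs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ip_str, _, context = line.partition(",")
        try:
            ip = ipaddress.ip_address(ip_str.strip())
        except ValueError:
            continue  # not an address; never let junk into a blocklist
        if any(ip in net for net in INTERNAL_NETS):
            continue
        iocs.setdefault(str(ip), context.strip())
    return iocs


def match_flow_logs(records: str, iocs: Dict[str, str]) -> List[dict]:
    """Flag flows whose source (inbound) or destination (outbound) is an IOC.
    Outbound ACCEPTed flows to a listed address deserve the most attention:
    inbound scans are background noise, an instance talking back is not."""
    hits: List[dict] = []
    for line in records.splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2":
            continue  # not a default-format record (or a truncated line)
        src, dst, action = f[3], f[4], f[12]
        for ip, direction in ((src, "inbound"), (dst, "outbound")):
            if ip in iocs:
                hits.append({"ip": ip, "direction": direction, "action": action,
                             "eni": f[2], "context": iocs[ip]})
    return hits


if __name__ == "__main__":
    found = parse_ioc_file(SAMPLE_IOC_FILE)
    for hit in match_flow_logs(SAMPLE_FLOW_LOGS, found):
        print(f"{hit['direction']:8} {hit['action']:6} {hit['ip']:16} {hit['eni']}  {hit['context']}")
```

Run against real flow logs by feeding exported records to `match_flow_logs()`; the same membership test translates directly into an Athena `WHERE srcaddr IN (...) OR dstaddr IN (...)` query once the list is loaded into a table.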
To keep protection current, automate the import of new IOCs:
- AWS Lambda: Use a Lambda function to periodically fetch the latest IOC list from the repository and reconcile it into your chosen AWS service (for example by replacing the contents of a WAF IP set). Grant the function only the permissions that step needs, such as `wafv2:GetIPSet` and `wafv2:UpdateIPSet` on the specific IP set, and make sure a failed or empty fetch never wipes the existing list.
- Amazon EventBridge (formerly CloudWatch Events): Trigger the Lambda function from a scheduled rule, for example `rate(1 day)`, to refresh the IOCs.
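As an added example, not the repository's own code, the Lambda handler below fetches the list and reconciles an AWS WAF IP set with it. The raw-file URL (`IOC_URL`), the `IPSET_V4`/`IPSET_V6` environment variables holding `name:id` pairs, and the one-IP-per-line file layout are assumptions; the `wafv2` calls `get_ip_set` and `update_ip_set` are real boto3 APIs.

```python
"""Added example, not the repository's own code: a Lambda handler that fetches
the latest IOC list and reconciles AWS WAF IP sets with it.

Assumptions: IOC_URL (raw file location), the IPSET_V4/IPSET_V6 "name:id"
environment variables and the one-IP-per-line layout are hypothetical; the
boto3 wafv2 calls (get_ip_set, update_ip_set) are real."""
import ipaddress
import os
import urllib.request
from typing import Dict, List

IOC_URL = os.environ.get("IOC_URL", "https://example.invalid/iocs/latest.txt")
WAF_SCOPE = os.environ.get("WAF_SCOPE", "REGIONAL")  # CLOUDFRONT sets live in us-east-1
WAF_IPSET_LIMIT = 10000  # addresses per WAF IP set


def to_cidrs_by_version(ips: List[str]) -> Dict[str, List[str]]:
    """WAF IP sets take CIDR strings and are single-family, so host entries
    become /32 or /128 and are split into IPV4 and IPV6 lists.  Junk entries
    are dropped rather than failing the whole update."""
    out = {"IPV4": set(), "IPV6": set()}
    for raw in ips:
        try:
            ip = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue
        out[f"IPV{ip.version}"].add(f"{ip}/{ip.max_prefixlen}")
    return {k: sorted(v) for k, v in out.items()}


def plan_update(current: List[str], desired: List[str]) -> Dict[str, List[str]]:
    """Pure diff of the live set against the feed, so the change can be logged
    and reviewed before anything is written."""
    cur, want = set(current), set(desired)
    return {"add": sorted(want - cur), "remove": sorted(cur - want), "final": sorted(want)}


def sync_ip_set(wafv2, name: str, ip_set_id: str, desired: List[str]) -> Dict[str, int]:
    """Replace the IP set's contents with `desired`, guarded two ways: an empty
    feed (fetch failure, format change) never wipes the set, and WAF's LockToken
    rejects the write if someone edited the set since we read it."""
    if not desired:
        return {"added": 0, "removed": 0, "skipped": 1}
    if len(desired) > WAF_IPSET_LIMIT:
        raise ValueError(f"{len(desired)} addresses exceed the {WAF_IPSET_LIMIT} per-set limit")
    resp = wafv2.get_ip_set(Name=name, Scope=WAF_SCOPE, Id=ip_set_id)
    plan = plan_update(resp["IPSet"]["Addresses"], desired)
    if plan["add"] or plan["remove"]:
        # UpdateIPSet replaces the whole address list, hence plan["final"].
        wafv2.update_ip_set(Name=name, Scope=WAF_SCOPE, Id=ip_set_id,
                            Addresses=plan["final"], LockToken=resp["LockToken"])
    return {"added": len(plan["add"]), "removed": len(plan["remove"]), "skipped": 0}


def lambda_handler(event, context):
    import boto3  # imported here so the functions above run without boto3 installed
    with urllib.request.urlopen(IOC_URL, timeout=10) as r:
        text = r.read().decode("utf-8")
    ips = [ln.split(",")[0] for ln in text.splitlines()
           if ln.strip() and not ln.startswith("#")]
    cidrs = to_cidrs_by_version(ips)
    wafv2 = boto3.client("wafv2")
    result = {}
    for version, env in (("IPV4", "IPSET_V4"), ("IPV6", "IPSET_V6")):
        name, _, ip_set_id = os.environ[env].partition(":")
        result[version] = sync_ip_set(wafv2, name, ip_set_id, cidrs[version])
    return result
```

Attach each IP set to a WAF rule in COUNT mode first and watch the sampled requests before changing the rule action to BLOCK; the function's IAM role needs only `wafv2:GetIPSet` and `wafv2:UpdateIPSet` on those two IP set ARNs, plus the basic Lambda logging permissions.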
For questions or assistance with these IOCs, please open an issue in the GitHub repository or contact me by e-mail at me[at]himanshuanand.com.