Skip to content

Update aws WAFv2 with all PubIps in Account

Quick POC here, I may update later… But probably not. The idea here is that I might want a WAF rule to auto-permit public IPs from my own account, and I might want this to dynamically update. This Python code can be leveraged in a Lambda function that can be called two different ways:

  • Cron Job in CloudWatch Events to trigger a lambda every 5-10-15 minutes or whatever works
  • More ideally, a CloudWatch Event that looks for any Interface Association adds/removal API calls and triggers the Lambda

If I get around to refining this a little more I may detail the latter here and maybe make a cloudformation stack. For now, here is the core issue solved. Get all Pub IPs in account, and update a WAF rule with that output.
import boto3
import json

# Define IP-Set Info

# Define credential session
client = boto3.client('wafv2')
# Get all pub ips from all regions in account, return <list>
def pullPubIps():
    session = boto3.session.Session()
    client = boto3.client('ec2')
    regions = [region['RegionName'] for region in client.describe_regions()['Regions']]
    foundIps = []
    appendCidr = '/32'
    for region in regions:
        ec2 = session.resource('ec2', region_name=region)
        for vpc in ec2.vpcs.all():
            for eni in vpc.network_interfaces.all():
                if eni.association_attribute:
    formatIps = [ip + appendCidr for ip in foundIps]
    return formatIps
# Get Lock Token for defined IP Set
def getLockToken():
    lockToken = client.get_ip_set(Id=wafIpSetId,Scope=wafIpSetScope,Name=wafIpName)['LockToken']
    return lockToken

# Push Updated IpSet
def pushIpSet():
    response = client.update_ip_set(
    return response