{"id":602,"date":"2020-12-30T00:52:01","date_gmt":"2020-12-30T05:52:01","guid":{"rendered":"https:\/\/blog.mzimmerer.com\/?p=602"},"modified":"2020-12-30T00:55:27","modified_gmt":"2020-12-30T05:55:27","slug":"update-aws-wafv2-with-all-pubips-in-account","status":"publish","type":"post","link":"https:\/\/blog.mzimmerer.com\/?p=602","title":{"rendered":"Update aws WAFv2 with all PubIps in Account"},"content":{"rendered":"\n
Quick POC here, I may update later… But probably not. The idea here is that I might want a WAF rule to auto-permit public IPs from my own account, and I might want this to dynamically update. This Python code can be leveraged in a Lambda function that can be called two different ways:<\/p>\n\n\n\n
Cron Job in CloudWatch Events to trigger a lambda every 5-10-15 minutes or whatever works<\/li>
More ideally, a CloudWatch Event that looks for any Interface Association adds\/removal API calls and triggers the Lambda<\/li><\/ul>\n\n\n\n
If I get around to refining this a little more I may detail the latter here and maybe make a cloudformation stack. For now, here is the core issue solved. Get all Pub IPs in account, and update a WAF rule with that output.<\/p>\n\n\n\n
import boto3\nimport json\n\n# Define IP-Set Info\nwafIpName='Local-Account_IPSet'\nwafIpSetId='09b16840-689d-4c57-b977-92d119d7bd6d'\nwafIpSetScope='REGIONAL'\n\n\n# Define credential session\nclient = boto3.client('wafv2')\n# Get all pub ips from all regions in account, return <list>\ndef pullPubIps():\n session = boto3.session.Session()\n client = boto3.client('ec2')\n regions = [region['RegionName'] for region in client.describe_regions()['Regions']]\n foundIps = []\n appendCidr = '\/32'\n for region in regions:\n ec2 = session.resource('ec2', region_name=region)\n for vpc in ec2.vpcs.all():\n for eni in vpc.network_interfaces.all():\n if eni.association_attribute:\n foundIps.append(eni.association_attribute['PublicIp'])\n formatIps = [ip + appendCidr for ip in foundIps]\n return formatIps\n# Get Lock Token for defined IP Set\ndef getLockToken():\n lockToken = client.get_ip_set(Id=wafIpSetId,Scope=wafIpSetScope,Name=wafIpName)['LockToken']\n return lockToken\n\n# Push Updated IpSet\ndef pushIpSet():\n response = client.update_ip_set(\n Name=wafIpName,\n Scope=wafIpSetScope,\n Id=wafIpSetId,\n Addresses=pullPubIps(),\n LockToken=getLockToken()\n )\n return response\n\npushIpSet()<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
Quick POC here, I may update later… But probably not. The idea here is that I might want a WAF rule to auto-permit public IPs from my own account, and I might want this to dynamically update. This Python code can be leveraged in a Lambda function that can be…<\/p>\n