When an IP address makes more calls to Cerberus than the rate limit, the rate limiting Lambda adds the offending IP address to the Auto Block Set to blacklist this IP address, unless this IP already exists in either Manual Block Set or White List Set.
White List Set, Manual Block Set, and Auto Block Set are created as part of the WAF stack. You can add or delete IP addresses or ranges in the AWS console or via AWS CLI.
The priorities of the IP sets are White List Set > Manual Block Set > Auto Block Set.
When multiple Cerberus environments exist, you may need the IDs of the IP sets to find the correct one in WAF. The IDs of these sets can be found in CloudFormation.
Limit Cerberus traffic to a corporate network
The rate limiting Lambda is only needed if your stack is on the open internet. You can ensure only traffic from corporate network is allowed by:
- Blacklisting all IP addresses. Note that AWS WAF does not allow 0.0.0.0/0, so you’ll have to use a workaround like for example this code snippet for IPv4
- Add only your IP addresses to the whitelist
Check if an IP address is blocked by rate limiting Lambda
In the AWS console:
- Navigate to Services -> CloudFormation
- Find the [environment name]-cerberus-web-app-firewall stack in the list. Click on the stack name
- Click Outputs to learn the IDs of the IP sets
- Navigate to Services -> WAF & Shield
- Click Go to AWS WAF
- Click IP addresses in the sidebar
- Make sure the correct region is selected in the filter
- Click Auto Block Set
Add IP address or range to whitelist/blacklist
- Follow the above steps 1-7
- Click White List Set or Manual Block Set
- Click Add IP addresses or ranges
- Enter the IP or range in CIDR notation
- Click Add IP address or range
- Click Add