During AWS re:Invent 2015, AWS launched a new security service, AWS WAF (web application firewall). Trend Micro was a launch partner and at the time I wrote about the service and how it complements Deep Security.

We’ve recently published a new script that helps you use Deep Security IP Lists in AWS WAF. Check out the code at https://github.com/deep-security/aws-waf.


AWS WAF is an edge service that protects web applications served through CloudFront distributions. At its heart is the concept of a web access control list (WACL). The WACL holds the rules that protect your distribution.

A rule combines one or more match conditions to decide whether a web request is allowed or blocked (a rule can also just count matching requests, which is useful for testing a new rule before it starts blocking traffic). A match condition can be a string match (on an HTTP header, for example), an SQL injection match, or an IP Set.

This simple combination of rule objects makes it easy to build up a surprisingly sophisticated rule set for your WACL.

Deep Security IP Lists

Deep Security implements the concept of IP Lists to make managing firewall rules simpler. Instead of embedding a set of IPs inside a firewall rule, you use a list to define the set of IPs the rule allows or denies.

If you need to change the scope of a rule, you edit the list instead of changing the rule itself. This reduces the chance of making a mistake and inadvertently changing your security posture. Like most features in the platform, IP Lists are designed to reduce the amount of time you need to spend on operations.

If you’ve already put the work into building IP lists within Deep Security, wouldn’t it be nice to be able to leverage them in an AWS WAF WACL?


To do just that, we’ve released a simple script that converts your Deep Security IP Lists to AWS WAF IP Sets. There are some differences between the two: Deep Security lists have much higher limits and take a variety of IP address formats (single addresses, ranges, CIDR blocks of any size), while an AWS WAF IP Set at launch accepts only IPv4 CIDR blocks in /8, /16, /24 and /32 sizes. That is why a single Deep Security entry can turn into many IP Set entries. The script accounts for those differences and streamlines the process.
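The conversion described above, as an added example that is not the project's own script or code from this post: it expands a few Deep Security-style IP List entries into the CIDR sizes an AWS WAF IP Set accepts. The entry formats it parses (single host, CIDR, inclusive range, address plus netmask, `#` comments) and the sample list are assumptions constructed for the example, and it does not talk to either API; its only job is to show how the entry count grows and why the prefix length must be rounded up rather than down.

```python
"""Expand Deep Security style IP List entries into AWS WAF style IP Set CIDRs.

Added example, not the deep-security/aws-waf script. Entry formats and the
sample list below are assumptions for illustration.
"""
import ipaddress
from typing import Iterable, List

# Prefix lengths an AWS WAF IP Set accepted at launch (IPv4 only).
WAF_PREFIXES = (8, 16, 24, 32)

# Constructed sample IP List (RFC 5737 / RFC 1918 addresses, not real data).
SAMPLE_IP_LIST = [
    "203.0.113.7              # single host",
    "198.51.100.0/22          # CIDR with a prefix length WAF does not take",
    "192.0.2.10-192.0.2.13    # inclusive range",
    "10.1.0.0 255.255.255.0   # address plus netmask",
    "2001:db8::/32            # IPv6 entry, skipped",
    "203.0.113.7              # duplicate of the first entry, dropped",
]


def parse_entry(entry: str) -> List[ipaddress.IPv4Network]:
    """Turn one IP List entry into a list of IPv4 networks.

    Assumed entry forms: '10.0.0.5', '10.0.0.0/22', '10.0.0.10-10.0.0.20',
    '10.0.0.0 255.255.252.0'. Text after '#' is a comment. IPv6 entries are
    dropped because AWS WAF IP Sets were IPv4-only at launch.
    """
    text = entry.split("#", 1)[0].strip()
    if not text:
        return []
    try:
        if "-" in text:
            lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
            nets = list(ipaddress.summarize_address_range(lo, hi))
        elif " " in text:
            addr, mask = text.split(None, 1)
            nets = [ipaddress.ip_network(f"{addr}/{mask}", strict=False)]
        else:
            nets = [ipaddress.ip_network(text, strict=False)]
    except ValueError as exc:
        raise ValueError(f"unparseable IP List entry {entry!r}") from exc
    return [n for n in nets if n.version == 4]


def to_waf_prefix(net: ipaddress.IPv4Network) -> List[ipaddress.IPv4Network]:
    """Split a network into /8, /16, /24 or /32 blocks that cover it exactly."""
    if net.prefixlen in WAF_PREFIXES:
        return [net]
    # Round the prefix length UP to the next supported size: a /22 becomes
    # four /24s, a /31 becomes two /32s. Rounding down would widen the set,
    # which for a deny list means blocking hosts that were never listed and
    # for an allow list means admitting hosts that were never approved.
    target = min(p for p in WAF_PREFIXES if p > net.prefixlen)
    return list(net.subnets(new_prefix=target))


def convert_ip_list(entries: Iterable[str]) -> List[str]:
    """Convert a whole IP List into deduplicated WAF IP Set CIDR strings."""
    out: List[str] = []
    seen = set()
    for entry in entries:
        for net in parse_entry(entry):
            for block in to_waf_prefix(net):
                cidr = str(block)
                if cidr not in seen:
                    seen.add(cidr)
                    out.append(cidr)
    return out


if __name__ == "__main__":
    converted = convert_ip_list(SAMPLE_IP_LIST)
    print(f">> Converted {len(SAMPLE_IP_LIST)} IP List entries "
          f"to {len(converted)} IP Set entries")
    for cidr in converted:
        print(cidr)
```

Six list entries become ten IP Set entries here; the same expansion is what turns 41 entries into several hundred in a real list, so it is worth checking the resulting count against the IP Set size limit before creating the set.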

Using the script is a simple two step process. Step one, list all of the IP Lists available in Deep Security:

$ python ip_list_to_set.py --list -u USERNAME -p PASSWORD -t TENANT
>> Available Deep Security IP Lists
1   Ignore Reconnaissance
2   Network Broadcast
3   Ingress Filters
4   Domain Controller(s)
5   Off Domain IPs
6   Corporate Network IPs

Step two, select an IP List (using the -d switch) to recreate as an AWS WAF IP Set:

$ python ip_list_to_set.py -d 152 -u USERNAME -p PASSWORD -t TENANT --dryrun
>> Converted 41 IP List entries to 718 IP Set entries
Updated IP Set [AMAZON eu-west-1] with ID [9ee53a08-cdaf-4881-a111-3d99b58065e4]

It’s as simple as that.

There are additional options and details listed in the README for the repository. Pull requests are welcome, so if you have a feature you’d like added or find an issue, please let us know.

More to come

This is the first of a few planned integrations between Deep Security and AWS WAF. Using both services together can provide a robust, full stack of security controls for your AWS workloads.

Questions or comments? Let me know on Twitter where I’m @marknca or join me on Wednesday, 16 December for a webinar on AWS WAF & Deep Security. During the webinar I’ll go through AWS WAF basics, how it complements Deep Security, and I’ll be taking your questions on the topic.