As a software developer myself, I can honestly say security is rarely at the top of mind when most developers put together a new cloud-hosted web application. Well, that is, until you get directly affected by cybercrime. From then on, trust me, it’s one of the first things you think of when building a new mobile or web app.

So why isn’t security addressed more directly and consistently? There are lots of reason, but probably none more is prominent than, well, you just don’t think you have to. When using cloud environments like AWS, for some reason there’s an almost subconscious sense of security and safety that comes from the associations of size, quality and support for the “big brand” platform.

Nothing could be further from the truth, though.

In fact, with almost daily hits from a wide variety of botnets, nefarious clients for your web service APIs, and myriad other network badness, it’s clear that cybercriminals don’t have any similar such respect for names like Amazon AWS or Google Cloud. No, your cloud web apps and web services are just as vulnerable as the ones you host on that old Dell server stack you rescued from the dumpster behind your office a few years ago.

So, what can you do to help protect your web apps and web services? Well, stop the malicious traffic at the door, for one.

AWS Lambdas + IP Address API + AWS WAF = Dynamic IP Threat “Firewall”

Amazon AWS is one of (if not) the most popular cloud hosting platforms for web application developers. Let’s take a look at how you can easily and quickly keep potentially harmful requests from getting to your Amazon AWS apps in the first place. Here’s the recipe in its simplest form:

  1. Create an Amazon Lambda that calls a REST API for getting IP Address Data with built-in cyber threat scoring that shows the type and level of threat (ahem, Musubu).
  2. Use the Lambda with Amazon WAF to set blocklists for restricting access for desired malicious or suspicious IP addresses (i.e. network clients).

It’s just that simple, actually. So how’s it done?

Amazon AWS provides what can be called kind of a “steroidal” database trigger framework for the cloud age, Amazon Lambda. What’s Lambda? Well, lets read what Amazon says about it:

AWS Lambda lets you run code without provisioning or managing servers. You pay only for the compute time you consume – there is no charge when your code is not running.

With Lambda, you can run code for virtually any type of application or backend service – all with zero administration. Just upload your code and Lambda takes care of everything required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.

Basically, Amazon Lambda lets you write little modules of code to do just about anything, upload them and run them from your or other web or mobile apps. One of the most powerful things you can do with these modules is make calls to 3rd party RESTful web service APIs. Since there are many online guides and blog posts about how to call a REST API from a Lambda, I wont repeat those instructions here, but will link to one of the best.


“Calling RESTful APIs from inline AWS Lambda functions” from

When you deploy your web applications onto AWS, the Amazon Cloudfront that receives client requests can be configured to drop logs into Amazon S3 storage. From here, your Lambda can inspect the logs each day (or more often) for each IP address, then call a 3rd party IP address data API that also characterizes the cyber threats for each. From there, you simply make decisions on which ones you want to block.

To create your blocklist, you can use the same Lambda to configure Amazon WAF, or Amazon Web Application Firewall. Again, for the sake of brevity and not wanting to tread over someone else’s good work, the best guide I’ve found on the web for just how to do this is here, step-by-step in the fine article “Configuring Rate-Based Blacklisting of IP’s using AWS WAF and AWS Lambda.”


(Configuring Rate-Based Blacklisting of IP’s using AWS WAF and AWS Lambda by Shruti Lamba)

Now, in this article, they’re limiting access based on rates to detect and avoid DDOS. By using Musubu IP data API that also includes a cyber threat rating, type, and volume by IP address, you can create a very robust dynamic blocklist firewall for your web servers. Currently, the API supports the following types for our data field “blacklist_class:”

  • apache
  • blacklisted
  • botnet
  • botnetcnc
  • bruteforce
  • compromised
  • ftp
  • http
  • imap
  • mail
  • malware
  • phishing
  • ransomware
  • shunned
  • sips
  • ssh
  • tor
  • worm
  • zeus

This makes it easy to identify IPs that are malicious by the type of activity that has been observed in association with these IPs. As well, our Musubu API also calls out:

threat_potential_score_pctNumeric threat score. Integer 0-100.
threat_classificationOverall characterization of threat. String, with one of the following values:
blacklist_class_cntCount of distinct sources which have identified the address as malicious. Integer.
blacklist_network_neighborsCount of addresses present on the same subnet which have been identified as malicious. Integer.
blacklist_observationsCount of observations in the last 90 days. Integer.

As you can see, our data makes it very easy to build a dynamic, sophisticated strategy for dealing with IPs that represent threats to your web applications and servers hosted on Amazon AWS.


Where Do You Get Musubu API?

Right here on our site, of course. Our plans start at only $10/month for 10K IP requests. Want to check out our data before you buy? Head over to and try out our simple user interface for up to 50 IPs at a time.

musubuapp ip address geolocation

About the Author

Jason Polancich

Jason Polancich is app designer and digital marketing lead for Polancich is a linguist, software engineer, data scientist, intelligence analyst, and real estate broker and investor with his wife and business partner Rebekah. He's also the founder and lead architect of VandalsSmile, a data-driven, small business marketing and lead generation network making big data work practically and usefully for owners. Polancich also originally created HackSurfer/SurfWatch Labs (Pre-VC), a cyber analytics firm founded in 2013 that provided highly accurate, timely and actionable information to businesses regarding the cybercrime threats they face. Polancich is a serial entrepreneur focused on solving complex internet commerce, data analysis, and cyber-defense problems. Novii Design, a company he co-founded in 2005 with Rebekah Lewis-Polancich, was based on his contributions to cloud architectures, distributed computing, data analysis and systems integration. The company assisted the U.S. Intelligence Community and Department of Defense in building some of the largest data warehouse and analysis systems ever put into operation within the government and defense contracting sectors. Novii Design was sold to Six3/CACI in 2010. Polancich is also a service-disabled veteran of the U.S. Army. Amazon Author Profile.

Contact Me