GSA / data.gov

Main repository for the data.gov service
https://data.gov

Get notified when AWS WAF rate limit is triggered #4629

Open FuhuXia opened 8 months ago

FuhuXia commented 8 months ago

User Story

In order to be aware of catalog web traffic status, the data.gov team wants to be notified when the AWS WAF rate-limiting rule is triggered and blocks IP addresses.

Acceptance Criteria

[ACs should be clearly demoable/verifiable whenever possible. Try specifying them using BDD.]

Background

[Any helpful contextual notes or links to artifacts/evidence, if needed]

Security Considerations (required)

None

Sketch

[Notes or a checklist reflecting our understanding of the selected approach]

rshewitt commented 8 months ago

AWS documentation on listing IP addresses that are being rate-limited

FuhuXia commented 8 months ago

Good find. I was also thinking of piping the rate limit log to New Relic, where we can set an alert. Piping the log to New Relic gives us more info, allowing us to examine the user's request info such as URI and browser agent, so we can tell whether the blocking is good or a mistake.
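
Added example, not part of the issue thread or the data.gov code: a sketch of the triage described in the last comment, filtering AWS WAF log records for blocks whose terminating rule is rate-based and grouping them by client IP with the URIs and user agents seen. The sample records are constructed and the function names are hypothetical.

```python
import json
from collections import defaultdict

# Constructed sample in the AWS WAF log record shape, trimmed to the fields used
# here. IPs are documentation ranges; rule ids, URIs and agents are made up.
SAMPLE_LOG = """\
{"timestamp":1700000000000,"action":"BLOCK","terminatingRuleId":"example-rate-limit","terminatingRuleType":"RATE_BASED","httpRequest":{"clientIp":"203.0.113.7","uri":"/api/3/action/package_search","httpMethod":"GET","headers":[{"name":"User-Agent","value":"python-requests/2.31"}]}}
{"timestamp":1700000001000,"action":"BLOCK","terminatingRuleId":"example-rate-limit","terminatingRuleType":"RATE_BASED","httpRequest":{"clientIp":"203.0.113.7","uri":"/dataset","httpMethod":"GET","headers":[{"name":"user-agent","value":"python-requests/2.31"}]}}
{"timestamp":1700000002000,"action":"ALLOW","terminatingRuleId":"Default_Action","terminatingRuleType":"REGULAR","httpRequest":{"clientIp":"198.51.100.4","uri":"/dataset","httpMethod":"GET","headers":[{"name":"User-Agent","value":"Mozilla/5.0"}]}}
{"timestamp":1700000003000,"action":"BLOCK","terminatingRuleId":"example-ip-denylist","terminatingRuleType":"REGULAR","httpRequest":{"clientIp":"198.51.100.9","uri":"/","httpMethod":"GET","headers":[]}}
{"timestamp":1700000004000,"action":"BLOCK","terminatingRuleId":"example-rate-limit","terminatingRuleType":"RATE_BASED","httpRequest":{"clientIp":"192.0.2.55","uri":"/dataset","httpMethod":"GET","headers":[{"name":"Host","value":"catalog.example"}]}}
not-json: truncated line from the log shipper
"""


def header(request, name):
    """Case-insensitive lookup in WAF's [{"name": ..., "value": ...}] header list."""
    for h in request.get("headers") or []:
        if h.get("name", "").lower() == name.lower():
            return h.get("value", "")
    return None


def rate_limit_blocks(lines):
    """Yield only records blocked by a rate-based rule; skip unparseable lines."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict):
            continue
        if rec.get("action") == "BLOCK" and rec.get("terminatingRuleType") == "RATE_BASED":
            yield rec


def summarize(lines):
    """Group rate-limit blocks by client IP with the URIs and user agents seen."""
    out = defaultdict(lambda: {"count": 0, "uris": set(), "user_agents": set()})
    for rec in rate_limit_blocks(lines):
        req = rec.get("httpRequest", {})
        entry = out[req.get("clientIp", "unknown")]
        entry["count"] += 1
        entry["uris"].add(req.get("uri", ""))
        # A missing User-Agent is itself a useful signal when judging a block.
        entry["user_agents"].add(header(req, "User-Agent") or "(none)")
    return dict(out)


if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG.splitlines()).items():
        print(ip, info["count"], sorted(info["uris"]), sorted(info["user_agents"]))
```
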