aws-solutions / aws-waf-security-automations

This solution automatically deploys a single web access control list (web ACL) with a set of AWS WAF rules designed to filter common web-based attacks.
https://aws.amazon.com/solutions/aws-waf-security-automations
Apache License 2.0

[question] information on similar AWS rule AWSManagedIPReputationList #198

Closed koen-serneels closed 2 years ago

koen-serneels commented 2 years ago

The IPReputationLists rule blocks IPs based on an IPset that is populated by a Lambda retrieving IPs from some well known threat intelligence websites (such as spamhaus) and can be extended if needed. However, there is also an AWS managed rule group 'AWSManagedIPReputationList' which appears to be populated by 'Amazon threat intelligence'. As there is no additional info to be found on this process, is there any reason to favor one over the other, given a standard case where no specific customizations are needed? For example; maybe the AWSManagedIPReputationList didn't exist when the IPReputationLists was created and is, by default, more complete, so maybe it's a better choice in that case? Or maybe the other way around and the IPReputationLists is newer, contains all sources as in the AWSManagedIPReputationList but is more flexible? (besides taking less capacity than the AWSManagedIPReputationList and possibly also a lower cost).
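To make the mechanism behind the IPReputationLists rule concrete, here is an added illustration (not code from this repository or from the commenter) of the parsing step such a Lambda has to get right before it can write to a WAF IPSet: the feed is a constructed sample in the Spamhaus DROP text layout (one CIDR per line followed by `; <reference>`, comment lines starting with `;`), and the feed name, reference tokens and addresses are all made up. The rule it demonstrates is real: a WAFv2 IPSet only accepts CIDR notation, so bare hosts must become `/32`, and a malformed or duplicated entry in a third-party feed must not abort the refresh.

```python
import ipaddress

# Constructed sample feed in the Spamhaus DROP layout; none of these
# networks or SBL references are real data.
SAMPLE_FEED = """\
; Spamhaus DROP List (constructed sample, not real data)
; Last-Modified: Mon, 01 Jan 2024 00:00:00 GMT
192.0.2.0/24 ; SBL000001
198.51.100.0/25 ; SBL000002
203.0.113.77 ; SBL000003
not-an-address ; garbage line that must be skipped
192.0.2.0/24 ; SBL000001 (duplicate)
"""


def parse_feed(text):
    """Return a sorted, de-duplicated list of IPv4 CIDR strings from a DROP-style feed.

    Bare hosts are normalised to /32 because a WAFv2 IPSet only accepts CIDR
    notation; unparsable entries are skipped (and could be logged) rather than
    failing the whole refresh, so one bad line in a feed cannot leave the
    IPSet empty.
    """
    networks = set()
    for raw in text.splitlines():
        # Everything after ';' is a reference or comment, never part of the address.
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # malformed entry: skip, do not abort
        if net.version == 4:  # IPv6 would go into a separate IPSet (IPV4/IPV6 is fixed per set)
            networks.add(net)
    # str(IPv4Network) always yields "a.b.c.d/prefix", i.e. valid IPSet input.
    return [str(n) for n in sorted(networks)]


def is_blocked(client_ip, cidrs):
    """Emulate the IPSet match WAF performs: is the client address in any listed CIDR?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    addresses = parse_feed(SAMPLE_FEED)
    print(addresses)
    for probe in ("198.51.100.5", "198.51.100.200", "203.0.113.77"):
        print(probe, "blocked" if is_blocked(probe, addresses) else "allowed")
```

In a real deployment the `addresses` list is what goes into the `Addresses` parameter of the WAFv2 `UpdateIPSet` call (together with the set's name, scope, id and current lock token); the point of the parser is that every element already satisfies the CIDR requirement and that a feed outage or a garbage line degrades to "fewer entries", not to a failed update. The same shape applies to any additional feed you extend the rule with.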

aijunpeng commented 2 years ago

Thanks for opening the issue. As you pointed out, these two rules use different sources. The IPReputationLists rule retrieves and blocks IPs from third-party IP reputation lists while the AWS managed rule retrieves and blocks IPs from Amazon internal IP reputation lists. Together they help identify as many attackers as possible to protect your web application. We don't favor one over the other in general. Turn on both rules if possible.

koen-serneels commented 2 years ago

Thanks!