How to Automatically Block Suspicious Traffic in AWS
TechOps Examples
Hey — It's Govardhana MK 👋
Welcome to another technical edition.
Every Tuesday – You’ll receive a free edition with a byte-size use case, remote job opportunities, top news, tools, and articles.
Every Thursday and Saturday – You’ll receive a special edition with a deep dive use case, remote job opportunities and articles.
👋 👋 A big thank you to today's sponsor MINDSTREAM
Turn AI Into Extra Income
You don’t need to be a coder to make AI work for you. Subscribe to Mindstream and get 200+ proven ideas showing how real people are using ChatGPT, Midjourney, and other tools to earn on the side.
From small wins to full-on ventures, this guide helps you turn AI skills into real results, without the overwhelm.
IN TODAY'S EDITION
🧠 Use Case
How to Automatically Block Suspicious Traffic in AWS
👀 Remote Jobs
Metabase is hiring a Senior SRE/DevOps Engineer
Remote Location: Worldwide
Espresso Systems is hiring a DevOps Engineer
Remote Location: Worldwide
📚️ Resources
🧠 USE CASE
How to Automatically Block Suspicious Traffic in AWS
As a cloud engineer, you are forced to think about blocking traffic when systems start slowing down for the wrong reasons. It could be a small DDoS, a bot attack, credential stuffing, or a misbehaving crawler burning through resources.
When the same sources keep hitting critical endpoints, blocking suspicious traffic is often the only practical way to keep the service stable.
Basic IP Blocker Architecture
When you are able to clearly identify the source IPs and they are only a handful, the solution does not need to be complicated. In this situation, the design can be as simple as stopping traffic as early as possible, before it reaches application compute.

Basic IP blocker architecture
Using existing network and load balancer controls inside the VPC is often enough to cut off the noise and stabilize the system quickly. This is usually the first pattern teams reach for when the problem is known, contained, and needs an immediate response.
When traffic patterns start changing constantly, source IPs are no longer predictable, and manual blocks stop scaling, automation becomes the only workable next step.
Automation Workflow

How this automation is implemented
Detect and trigger
GuardDuty flags suspicious activity like scans, brute force, or bot abuse and sends the event through Security Hub into EventBridge.
Standardize the response
EventBridge starts a Step Functions workflow so every suspicious IP is handled the same way, without manual judgment during an incident.
Record before blocking
The source IP and finding details are stored to avoid duplicate blocks and to keep a simple audit trail.
Block at the network layer
A dedicated AWS Network Firewall rule group is updated to drop traffic from that IP before it reaches workloads.
Notify, don’t interrupt
Engineers get notified about what was blocked, but the system works without waiting for human action.
Practical nuances
Start with high confidence findings only.
Always add expiry to automatic blocks.
Make sure the firewall actually sees the traffic.
Keep dynamic blocks separate from static rules.
This keeps the system effective under attack without adding operational overhead.
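The five workflow steps above, together with the "high confidence only", "expiry" and "separate rule group" nuances, worked through as Python that a Lambda handler in the Step Functions workflow could run. This is an added example, not code from TechOps Examples or from AWS. It assumes an EventBridge rule on Security Hub "findings imported" events, a plain dict standing in for the DynamoDB record store, a dedicated Network Firewall stateful rule group identified by an ARN you supply, and that GuardDuty exposes the remote IP under the ProductFields key shown (verify that key against a real finding before relying on it). EVENTBRIDGE_PATTERN, BLOCK_TTL, SID_BASE, handle_event and the sample event are all constructed for the illustration.

```python
"""Added illustration of the GuardDuty -> Security Hub -> EventBridge -> record ->
Network Firewall -> notify workflow. All names, the sample event and the store
layout are constructed for this example (not TechOps Examples' or AWS's code)."""
import ipaddress
from datetime import datetime, timedelta, timezone

# Step 1: EventBridge rule pattern so only high-confidence findings start the workflow.
EVENTBRIDGE_PATTERN = {
    "source": ["aws.securityhub"],
    "detail-type": ["Security Hub Findings - Imported"],
    "detail": {"findings": {"Severity": {"Label": ["HIGH", "CRITICAL"]}}},
}
ALLOWED_SEVERITY = {"HIGH", "CRITICAL"}   # re-checked in code, never trust the trigger alone
BLOCK_TTL = timedelta(hours=24)           # every automatic block expires
# Assumed location of the attacker IP in an ASFF GuardDuty finding; confirm on a real one.
REMOTE_IP_KEY = "aws/guardduty/service/action/networkConnectionAction/remoteIpDetails/ipAddressV4"
SID_BASE = 1_000_000                      # sid range reserved for dynamic rules (assumed convention)
# Ranges a buggy or spoofed finding must never be allowed to block.
PROTECTED_NETS = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)   # fixed clock so the offline demo is reproducible


def extract_candidates(event):
    """Return [(ip, finding_id), ...] for findings that deserve an automatic block."""
    out = []
    for finding in event.get("detail", {}).get("findings", []):
        label = finding.get("Severity", {}).get("Label")
        raw_ip = finding.get("ProductFields", {}).get(REMOTE_IP_KEY)
        if label not in ALLOWED_SEVERITY or not raw_ip:
            continue
        try:
            addr = ipaddress.ip_address(raw_ip)
        except ValueError:
            continue                      # malformed field: skip rather than block garbage
        if addr.is_multicast or any(addr in net for net in PROTECTED_NETS):
            continue
        out.append((str(addr), finding["Id"]))
    return out


def record_block(store, ip, finding_id, now):
    """Step 3: write the record first; True only if the IP was not already blocked."""
    existing = store.get(ip)
    if existing and existing["expires_at"] > now:
        return False                      # duplicate finding for an active block
    store[ip] = {"finding_id": finding_id, "expires_at": now + BLOCK_TTL}
    return True


def sweep_expired(store, now):
    """Drop records whose TTL has passed so the rule group shrinks again."""
    expired = sorted(ip for ip, rec in store.items() if rec["expires_at"] <= now)
    for ip in expired:
        del store[ip]
    return expired


def build_rules_string(store):
    """Step 4: render the dynamic rule group as Suricata 'drop' rules, one per blocked IP."""
    lines = []
    for i, ip in enumerate(sorted(store)):    # sids need only be unique within this string
        lines.append(f'drop ip {ip} any -> any any (msg:"auto-block {ip}"; sid:{SID_BASE + i}; rev:1;)')
    return "\n".join(lines)


def push_rules(rule_group_arn, rules_string, client=None):
    """Replace the rule group's contents via the Network Firewall API (not called in the demo)."""
    import boto3   # imported lazily so the offline demo does not need boto3 installed
    nfw = client or boto3.client("network-firewall")
    token = nfw.describe_rule_group(RuleGroupArn=rule_group_arn)["UpdateToken"]
    return nfw.update_rule_group(UpdateToken=token, RuleGroupArn=rule_group_arn,
                                 RuleGroup={"RulesSource": {"RulesString": rules_string}})


def handle_event(event, store, now=None):
    """Steps 2-5 in order: filter, record, render; returns (newly blocked IPs, rules string)."""
    now = now or datetime.now(timezone.utc)
    sweep_expired(store, now)
    new_blocks = [ip for ip, fid in extract_candidates(event) if record_block(store, ip, fid, now)]
    rules = build_rules_string(store)     # production: push_rules(DYNAMIC_RULE_GROUP_ARN, rules)
    return new_blocks, rules              # Step 5: hand new_blocks to the notification step


def _finding(fid, label, ip):
    return {"Id": fid, "Severity": {"Label": label}, "ProductFields": {REMOTE_IP_KEY: ip}}


# Constructed sample event: one actionable finding, one too weak, one pointing at a
# private address, and a repeat of the first so the dedup path is exercised.
SAMPLE_EVENT = {
    "source": "aws.securityhub",
    "detail-type": "Security Hub Findings - Imported",
    "detail": {"findings": [
        _finding("finding-1", "HIGH", "203.0.113.10"),
        _finding("finding-2", "LOW", "198.51.100.7"),
        _finding("finding-3", "HIGH", "10.0.0.5"),
        _finding("finding-4", "CRITICAL", "203.0.113.10"),
    ]},
}

if __name__ == "__main__":
    store = {}
    print("blocked:", handle_event(SAMPLE_EVENT, store, NOW))
    print("blocked again:", handle_event(SAMPLE_EVENT, store, NOW)[0])
    print("expired:", sweep_expired(store, NOW + BLOCK_TTL))
```

Two design points worth noting. update_rule_group replaces the rule group's whole rules string, which is exactly why the dynamic group must hold nothing but these generated rules: any static rule mixed into it would be overwritten on the next finding. And because the expiry sweep only runs when a finding arrives, pair the handler with a scheduled EventBridge rule that invokes it on a timer so blocks lapse even during quiet periods.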
🔴 Get my DevOps & Kubernetes ebooks! (free for Premium Club and Personal Tier newsletter subscribers)