The following is a step-by-step tutorial on how to maintain the AWS service after enrollment

When the CTS detects a threat, it adds the malicious host to both the inbound and outbound rules of the Network ACL. On the free tier, 'Starter', up to 18 entries are stored per direction. After 18 entries the list is full and the CTS cannot add any more, so newly detected hosts are no longer blocked by the ACL until it is purged. This is a limitation of AWS Network ACLs themselves, which accept only 20 rules per direction by default, not of the CTS.

On our paid subscription models, once all 18 slots have been used up, the CTS will start to delete the oldest entries to make space for the newer ones. Once again, the total of 18 entries is a limitation of the AWS service.

In either case, we recommend monitoring the ACL and automating a perimeter firewall to ingest the offending IP addresses, so that a block outlives its ACL entry once the list is purged or the oldest entries are rotated out.

  • If you are on the free tier, purge the ACL entries manually: in the VPC console, open Network ACLs, select 'CTS Active Response', open the 'Inbound rules' tab and click 'Edit inbound rules'.
[Screenshot: AWS purge ACL entries]
  • Delete rules 1 through 18 only. Do NOT delete rule 32757: it is the rule that allows traffic, and removing it will BLOCK all traffic to every network the ACL is associated with.
  • Click 'Save changes' once rules 1 through 18 are deleted.
  • Repeat the process for 'Outbound rules'.
[Screenshot: AWS inbound rules]
  • Finally, reset the counters: click 'Manage tags' and edit the two tags named 'LastIdIngress' and 'LastIdEgress'.
[Screenshot: AWS final tags]
  • Set the value of both 'LastIdIngress' and 'LastIdEgress' to 0 and click 'Save'. These tags track the last rule number the CTS wrote in each direction, so they must be reset along with the rules; otherwise the purge is incomplete.
[Screenshot: AWS tags to 0]
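The monitoring and firewall-export recommendation above, and the manual purge procedure, can be scripted. The following is an added example written for this tutorial; it is not CTS's or AWS's own tooling. It assumes the layout the steps describe (CTS deny entries in rule numbers 1 through 18 of each direction, rule 32757 as the CTS allow rule that must be kept, the tags LastIdIngress and LastIdEgress as counters) and that AWS's catch-all '*' rule shows up as rule number 32767 in the API. The ACL in the block is a constructed sample in the shape of a describe-network-acls response; only purge() talks to AWS (via boto3, with credentials), and it defaults to a dry run.

```python
"""Monitor, export and purge the CTS 'Active Response' Network ACL.

Added example, not CTS's or AWS's own code. Assumed (hypothetical) layout:
CTS writes deny entries into rule numbers 1..18 per direction, rule 32757 is
the CTS allow rule that must never be removed, AWS's '*' rule appears as
32767 in the API, and tags LastIdIngress/LastIdEgress track the last rule
number written. Everything except purge() works on plain dicts offline.
"""

CTS_SLOTS = range(1, 19)   # rule numbers the CTS fills (18 per direction)
KEEP_RULE = 32757          # CTS allow rule: deleting it blocks ALL traffic
AWS_DEFAULT_DENY = 32767   # AWS's implicit '*' deny, shown as 32767 by the API
COUNTER_TAGS = ("LastIdIngress", "LastIdEgress")


def cts_entries(acl, egress=None):
    """CTS-created entries (rule numbers 1..18) of one NetworkAcl dict.
    egress=None returns both directions; True/False selects one."""
    return [e for e in acl["Entries"]
            if e["RuleNumber"] in CTS_SLOTS
            and (egress is None or e["Egress"] is egress)]


def free_slots(acl, egress):
    """How many of the 18 CTS slots remain in one direction. On the free
    tier, 0 means new threats are no longer being added to the ACL."""
    return len(CTS_SLOTS) - len(cts_entries(acl, egress))


def blocked_cidrs(acl):
    """Distinct CIDRs the CTS has denied, ready to feed a perimeter firewall
    so the block survives a purge or rotation of the ACL entry."""
    cidrs = {e.get("CidrBlock") or e.get("Ipv6CidrBlock")
             for e in cts_entries(acl) if e["RuleAction"] == "deny"}
    return sorted(c for c in cidrs if c)


def purge_plan(acl):
    """(rule_number, egress) pairs to delete. Rules 32757 and 32767 can never
    appear here because cts_entries() only yields rule numbers 1..18."""
    return sorted((e["RuleNumber"], e["Egress"]) for e in cts_entries(acl))


def purge(acl_id, dry_run=True):
    """Delete the CTS entries and reset the counter tags with boto3 (the
    console steps above, automated). Returns the CIDRs that were blocked so
    they can be re-blocked on the perimeter firewall."""
    import boto3  # imported here so the pure functions run without it
    ec2 = boto3.client("ec2")
    acl = ec2.describe_network_acls(NetworkAclIds=[acl_id])["NetworkAcls"][0]
    for rule, egress in purge_plan(acl):
        if dry_run:
            print(f"would delete rule {rule} egress={egress} from {acl_id}")
        else:
            ec2.delete_network_acl_entry(NetworkAclId=acl_id,
                                         RuleNumber=rule, Egress=egress)
    if not dry_run:
        ec2.create_tags(Resources=[acl_id],
                        Tags=[{"Key": k, "Value": "0"} for k in COUNTER_TAGS])
    return blocked_cidrs(acl)


# Constructed sample in the shape of a describe-network-acls NetworkAcl:
# two inbound and one outbound CTS deny entries, the CTS allow rule, and
# AWS's '*' rule. The ACL id and addresses are made up.
SAMPLE_ACL = {
    "NetworkAclId": "acl-0123456789abcdef0",
    "Tags": [{"Key": "Name", "Value": "CTS Active Response"},
             {"Key": "LastIdIngress", "Value": "2"},
             {"Key": "LastIdEgress", "Value": "1"}],
    "Entries": [
        {"RuleNumber": 1, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "203.0.113.7/32"},
        {"RuleNumber": 2, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "198.51.100.0/24"},
        {"RuleNumber": 1, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "203.0.113.7/32"},
        {"RuleNumber": 32757, "Protocol": "-1", "RuleAction": "allow", "Egress": False, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32757, "Protocol": "-1", "RuleAction": "allow", "Egress": True, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": False, "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True, "CidrBlock": "0.0.0.0/0"},
    ],
}

if __name__ == "__main__":
    print("free inbound slots:", free_slots(SAMPLE_ACL, egress=False))  # 16
    print("blocked CIDRs:", blocked_cidrs(SAMPLE_ACL))
    print("purge plan:", purge_plan(SAMPLE_ACL))
```

Run free_slots() from a scheduled job and alert when it reaches 0 on the free tier; call purge(acl_id, dry_run=False) only after the returned CIDRs have been pushed to the perimeter firewall, since the ACL no longer blocks them once the rules are gone.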