cloudwatch_top_ips
Identify abusive client IPs by ranking them from CloudWatch log groups. Parses WAF/ALB logs to display per-IP allowed and blocked counts for targeted banning.
Instructions
Rank the top client IPs in a CloudWatch log group. Parses WAF/ALB structured logs to report per-IP total, allowed, and blocked counts — use it to find abusive IPs before banning.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| limit | No | Maximum IPs to return. | |
| region | No | AWS region (optional). | |
| log_group | Yes | CloudWatch log group name (e.g. a WAF or ALB access-log group). | |
| hours_back | No | How many hours back to scan. | |
| max_events | No | Maximum events to scan (0 = unlimited, capped at 50000). | |
| action_filter | No | Count only events with this WAF action: 'ALLOW', 'BLOCK', or empty for all. | |
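
The per-IP ranking described in the instructions, as an added example: this is not the tool's own code. It covers only AWS WAF JSON log records (the `action` and `httpRequest.clientIp` fields); the `top_ips` function, its handling of `max_events`, and the sample events are assumptions constructed for illustration.

```python
import json
from collections import Counter, defaultdict

def _evt(ip, action):
    # Build a constructed record carrying only the WAF log fields used below.
    return json.dumps({"action": action, "httpRequest": {"clientIp": ip, "uri": "/login"}})

# Constructed sample messages (documentation IP ranges), including one malformed line.
SAMPLE_EVENTS = [
    _evt("198.51.100.7", "BLOCK"), _evt("198.51.100.7", "BLOCK"),
    _evt("203.0.113.20", "ALLOW"), _evt("198.51.100.7", "ALLOW"),
    "truncated {not json",
    _evt("203.0.113.20", "COUNT"), _evt("198.51.100.7", "BLOCK"),
    _evt("192.0.2.55", "BLOCK"), _evt("203.0.113.20", "ALLOW"),
]

def top_ips(messages, limit=10, action_filter="", max_events=0):
    """Rank client IPs by event count with allowed/blocked breakdown."""
    wanted = action_filter.upper()
    counts = defaultdict(Counter)
    for scanned, raw in enumerate(messages):
        if max_events and scanned >= max_events:  # assumption: 0 means no limit
            break
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip lines that are not structured log records
        if not isinstance(event, dict):
            continue
        request = event.get("httpRequest")
        ip = request.get("clientIp") if isinstance(request, dict) else None
        action = str(event.get("action", "")).upper()
        if not ip or (wanted and action != wanted):
            continue
        counts[ip]["total"] += 1
        # Other actions (e.g. COUNT) add to the total but to neither bucket.
        if action == "ALLOW":
            counts[ip]["allowed"] += 1
        elif action == "BLOCK":
            counts[ip]["blocked"] += 1
    # Highest total first; ties broken by IP string for stable output.
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1]["total"], kv[0]))
    return [{"ip": ip, "total": c["total"], "allowed": c["allowed"],
             "blocked": c["blocked"]} for ip, c in ranked[:limit]]

if __name__ == "__main__":
    for row in top_ips(SAMPLE_EVENTS):
        print(row)
```

An IP whose total exceeds allowed plus blocked has hits under other actions, which is worth checking before treating its traffic as clean or abusive.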