The threat detection service Amazon GuardDuty natively uses Amazon’s own intelligence sources, third-party sources such as CrowdStrike and Proofpoint, and some open-source sources (such as the list of exit nodes of the Tor anonymization network).
However, if you detect malicious IPs attacking your on-premises environment, you can add them to GuardDuty’s threat lists so that the service alerts on access from those IPs.
Another frequent use case is when you have contracted a threat intelligence service (such as Talos, X-Force, FireEye, etc.) and would like to add its indicators of compromise (malicious IPs). You can add them to the same threat lists from the GuardDuty console.
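A raw feed usually needs cleaning before it becomes a threat list. The following is an added example, not code from the original page: it normalizes a constructed feed into one IPv4 address or CIDR per line, rejects entries that overlap internal ranges, and registers the result through boto3's `create_threat_intel_set`. The function names, the list name, the bucket and key parameters, and the IPv4-only filter are assumptions of this example.

```python
import ipaddress

# Ranges that must never end up on a threat list (RFC 1918, loopback, link-local).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample feed; addresses come from documentation ranges, not real IoCs.
SAMPLE_FEED = """\
# vendor export (constructed)
198.51.100.23
198.51.100.23
203.0.113.0/24   ; whole range flagged
203.0.113.5
10.1.2.3
0.0.0.0/0
not-an-ip
2001:db8::1
"""

def build_threat_list(raw):
    """Return (entries, rejected) from a raw feed: one IPv4 address or CIDR per entry."""
    nets, rejected = set(), []
    for line in raw.splitlines():
        token = line.split("#")[0].split(";")[0].strip()  # drop comments
        if not token:
            continue
        try:
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            rejected.append((token, "unparseable"))
            continue
        if net.version != 4:  # assumption of this example: IPv4-only list
            rejected.append((token, "not IPv4"))
        elif any(net.overlaps(i) for i in INTERNAL_NETS):
            rejected.append((token, "overlaps internal range"))
        else:
            nets.add(net)
    # Deduplicate, merge adjacent ranges, drop entries covered by a wider CIDR.
    merged = ipaddress.collapse_addresses(nets)
    entries = [str(n.network_address) if n.prefixlen == 32 else str(n) for n in merged]
    return entries, rejected

def register_threat_list(detector_id, bucket, key, entries, name="custom-threat-list"):
    """Upload the list to S3 and activate it in GuardDuty; needs boto3 and credentials."""
    import boto3  # lazy import so build_threat_list() runs offline
    body = "\n".join(entries).encode()
    boto3.client("s3").put_object(Bucket=bucket, Key=key, Body=body)
    resp = boto3.client("guardduty").create_threat_intel_set(
        DetectorId=detector_id, Name=name, Format="TXT", Activate=True,
        Location=f"https://s3.amazonaws.com/{bucket}/{key}")
    return resp["ThreatIntelSetId"]
```

Review the `rejected` list before uploading: an entry such as `0.0.0.0/0` or an internal address in a vendor feed usually points to a broken export rather than a real indicator.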
AWS WAF natively includes IP reputation lists among its Managed Rules (Amazon IP Reputation and Anonymous IP List), which are particularly useful for reducing the number of attacks from malicious botnets.
You can enrich this list of IPs with rules managed by our partners in the AWS Marketplace, such as F5, GeoGuard, Imperva.
If you need more WAF Capacity Units (WCUs), keep in mind that the limit is a “soft limit” that you can extend up to 2500 WCUs (this maximum grows over time).
WAF Security Automations is a solution that implements a number of additional protections for WAF, including intelligence feeds from Spamhaus, the Tor Project, and Emerging Threats.