Domain whitelisting for aws integration


Rahul Manoj

Apr 20, 2026, 12:04:20 AM
to Wazuh | Mailing List

Hi Team,

I am currently working on integrating AWS log ingestion with Wazuh (via S3/CloudTrail), and I need to implement network-level whitelisting from the Wazuh Manager.

The challenge I am facing is identifying the exact AWS domains/endpoints that need to be whitelisted.

What I’ve tried:
  • Used tcpdump on the Wazuh Manager to capture outbound traffic during AWS log ingestion
  • Captured both HTTPS (port 443) and DNS (port 53) traffic
  • Extracted domain names using strings/grep (e.g., filtering for "amazonaws")

Observations:
  • I can see multiple AWS-related domains (e.g., *.amazonaws.com), but the list is not very precise
  • Due to HTTPS encryption, it’s difficult to reliably extract all required endpoints
  • AWS IP ranges are dynamic, so IP-based whitelisting is not ideal

My questions:
  1. Is there an official or recommended list of AWS endpoints required for Wazuh AWS integrations (S3, CloudTrail, etc.)?
  2. Does Wazuh documentation specify minimum required domains/services for this setup?

Any guidance would be really helpful.

Thanks!

Bony V John

Apr 20, 2026, 12:16:16 AM
to Wazuh | Mailing List
Hi,

Please allow me some time; I'm working on this and will get back to you with an update as soon as possible.

Bony V John

Apr 20, 2026, 1:20:34 AM
to Wazuh | Mailing List

Hi,

Based on your input, it seems you are trying to tighten network security by restricting outbound traffic.

Using tcpdump will not provide all the required details in this case, as most of the communication is over TLS and the payload is encrypted.

AWS SDKs resolve service endpoints dynamically, meaning DNS responses can change over time. Because of this, static IP-based whitelisting is not reliable. Additionally, AWS services are region-based, so endpoints vary depending on the region. Some SDK operations may also use global or regional endpoints, making strict endpoint whitelisting difficult to maintain.

Since you are integrating Wazuh with AWS services such as S3 and CloudTrail, the integration does not rely on a single service. It typically requires access to multiple AWS services, including:

  • S3 - for fetching logs
  • STS (IAM) - for authentication
  • CloudTrail - for audit/event logs

Because of this, restricting outbound traffic to a fixed set of IPs or endpoints may cause failures in log collection.

Instead of strict endpoint or IP-based whitelisting, it is better to use a pattern-based allow policy, such as: *.amazonaws.com

This approach:

  • Allows access to all required AWS services
  • Works across different regions
  • Avoids issues caused by dynamic endpoint resolution 

If you apply strict whitelisting and AWS endpoints change (which is common), the Wazuh manager may fail to fetch logs from AWS services. A broader allow rule is more reliable for maintaining integration stability.

You can refer to the Wazuh AWS integration documentation for more details on configuring S3 and CloudTrail integrations.
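As an added example (not from this thread, and not Wazuh's own tooling), here is a small Python script that takes the kind of port-53 capture Rahul described and checks the queried names against the `*.amazonaws.com` allow pattern Bony recommends: it groups the AWS names seen by service and region, and lists any queried name the pattern would not cover. The tcpdump lines are constructed, and the service/region parsing assumes the common `[prefix.]service[.region].amazonaws.com` hostname layout.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -nn port 53` output (not from a real Wazuh manager).
SAMPLE_DNS_LOG = """\
12:04:01.100 IP 10.0.0.5.51234 > 10.0.0.2.53: 1234+ A? s3.us-east-1.amazonaws.com. (44)
12:04:01.200 IP 10.0.0.5.51235 > 10.0.0.2.53: 1235+ A? sts.amazonaws.com. (35)
12:04:02.300 IP 10.0.0.5.51236 > 10.0.0.2.53: 1236+ A? cloudtrail.us-east-1.amazonaws.com. (52)
12:04:02.400 IP 10.0.0.5.51237 > 10.0.0.2.53: 1237+ A? my-bucket.s3.eu-west-1.amazonaws.com. (54)
12:04:02.500 IP 10.0.0.2.53 > 10.0.0.5.51237: 1237 1/0/0 A 52.0.0.1 (70)
12:04:03.500 IP 10.0.0.5.51238 > 10.0.0.2.53: 1238+ AAAA? example.org. (29)
"""

# Queried name in a tcpdump DNS query line ("A? host." / "AAAA? host."); responses carry no "?".
QUERY_RE = re.compile(r"\b(?:A|AAAA)\? ([A-Za-z0-9.-]+)\.")
# AWS region label such as us-east-1, eu-west-1 or us-gov-west-1.
REGION_RE = re.compile(r"^[a-z]{2}(?:-gov)?-[a-z]+-\d$")


def classify_aws_host(host):
    """Return (service, region, prefix) for a *.amazonaws.com name, else None.
    Assumes "[prefix.]service[.region].amazonaws.com"; region is None for global endpoints."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 3 or labels[-2:] != ["amazonaws", "com"]:
        return None
    rest = labels[:-2]
    region = rest.pop() if REGION_RE.match(rest[-1]) else None
    if not rest:
        return None  # a bare region label names no service
    service = rest.pop()
    return service, region, ".".join(rest) or None


def audit_dns_queries(log_text):
    """Map each queried AWS service to the regions seen, and list queried names
    that the *.amazonaws.com allow pattern would not cover."""
    by_service, not_covered = defaultdict(set), []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        parsed = classify_aws_host(host)
        if parsed is None:
            if host not in not_covered:
                not_covered.append(host)
            continue
        service, region, _prefix = parsed
        by_service[service].add(region or "global")
    return dict(by_service), not_covered
```

Treat the service/region breakdown as evidence of what the manager reached during that capture, not as a complete endpoint list; the pattern policy still has to cover endpoints that did not happen to appear.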

Rahul Manoj

2:16 AM
to Wazuh | Mailing List
Hi Team,

I would also like to know if there is any recommended whitelist of domains/endpoints required for:

- Office 365 log integration
- Azure log integration
- Microsoft Graph API communication

Similar to AWS integrations, I am trying to implement least-privilege outbound whitelisting from the Wazuh Manager side instead of broadly allowing Microsoft domains.

Any guidance or recommended endpoints would be helpful.

Thanks!
