Actions

The Actions page is an immutable audit trail of every containment action Threat Reaction has executed. It records when an IP was blocked, when credentials were revoked, and when a block was lifted. Use it to verify that automated responses fired correctly and to review your containment history.

In the app: /actions

Action Log

Each entry records: the action type (BLOCK, REVOKE, UNBLOCK, WHITELIST), the target (IP address, IAM access key ARN, or entity identifier), the GuardDuty or Threat Reaction finding type that triggered the action, the timestamp (UTC), and the AWS account ID the target belongs to. Entries are written in the order the actions were executed, so replaying the log from oldest to newest reconstructs the expected current state (which IPs should be blocked, which entity and finding-type pairs are whitelisted).

Blocked IPs

The blocked IPs section lists all IP addresses currently in the AWS WAF IP set that Threat Reaction maintains. An IP is added automatically when a finding matching a BLOCK policy is processed. Entries remain until manually unblocked or until the IP is added to the whitelist.

Revoked Credentials

Shows the IAM access keys and session tokens that have been revoked via the REVOKE action. After revocation, the credential cannot authenticate any AWS API call regardless of the IAM policies attached to its principal. Note: REVOKE affects only the specific key or session referenced in the finding. Other access keys belonging to the same IAM user remain active, so after a REVOKE check whether the user still has other active keys and decide deliberately whether those should stay.
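The following is an added example, not code from Threat Reaction, of the check the note above calls for: given the GuardDuty finding that triggered a REVOKE, work out exactly which credential was revoked and whether it was a long-term key or a temporary session, then list the same user's other keys that are still active. The finding and the ListAccessKeys response are constructed samples; the GuardDuty field names (Resource.AccessKeyDetails.AccessKeyId, UserName, UserType, PrincipalId) and the IAM AccessKeyMetadata shape are AWS's own, and the AKIA/ASIA prefix rule (long-term key vs. temporary credential) is standard AWS behaviour. Only the function names are this example's own.

```python
from typing import Dict, List

# Constructed sample of the Resource block of a GuardDuty finding that
# triggered a REVOKE on a long-term access key of an IAM user.
USER_KEY_FINDING = {
    "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
    "Resource": {
        "ResourceType": "AccessKey",
        "AccessKeyDetails": {
            "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
            "PrincipalId": "AIDAEXAMPLEPRINCIPALID",
            "UserName": "deploy-bot",
            "UserType": "IAMUser",
        },
    },
}

# Constructed sample of the same finding type against a temporary role session.
ROLE_SESSION_FINDING = {
    "Type": "UnauthorizedAccess:IAMUser/MaliciousIPCaller",
    "Resource": {
        "ResourceType": "AccessKey",
        "AccessKeyDetails": {
            "AccessKeyId": "ASIAEXAMPLESESSIONKEY",
            "PrincipalId": "AROAEXAMPLEROLEID:ci-session",
            "UserName": "ci-runner-role",
            "UserType": "AssumedRole",
        },
    },
}

# Constructed sample of `aws iam list-access-keys --user-name deploy-bot`:
# the user has a second, still-active key that REVOKE does not touch.
LIST_ACCESS_KEYS = {
    "AccessKeyMetadata": [
        {"UserName": "deploy-bot", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
         "Status": "Active", "CreateDate": "2024-01-10T09:00:00Z"},
        {"UserName": "deploy-bot", "AccessKeyId": "AKIAI44QH8DHBEXAMPLE",
         "Status": "Active", "CreateDate": "2024-03-02T14:30:00Z"},
        {"UserName": "deploy-bot", "AccessKeyId": "AKIAIOSFODNN7OLDKEY1",
         "Status": "Inactive", "CreateDate": "2023-06-01T08:00:00Z"},
    ]
}


def revoke_target(finding: Dict) -> Dict[str, str]:
    """Describe exactly what a REVOKE on this finding touches.

    AWS access key IDs starting with AKIA are long-term keys of an IAM user;
    IDs starting with ASIA are temporary credentials from an STS session.
    A session has no IAM user whose other keys could be listed, and it cannot
    be re-enabled once revoked; the caller has to assume the role again.
    """
    details = finding["Resource"]["AccessKeyDetails"]
    key_id = details["AccessKeyId"]
    if key_id.startswith("ASIA") or details.get("UserType") == "AssumedRole":
        kind = "temporary-session"
    else:
        kind = "long-term-key"
    return {
        "key_id": key_id,
        "kind": kind,
        "user": details.get("UserName", ""),
        "principal": details["PrincipalId"],
    }


def remaining_active_keys(list_keys_response: Dict, revoked_key_id: str) -> List[str]:
    """Keys of the same user that are still Active after revoking one key.

    REVOKE is per key, so anything returned here still authenticates.
    """
    return sorted(
        k["AccessKeyId"]
        for k in list_keys_response["AccessKeyMetadata"]
        if k["Status"] == "Active" and k["AccessKeyId"] != revoked_key_id
    )


if __name__ == "__main__":
    target = revoke_target(USER_KEY_FINDING)
    print("revoked:", target)
    if target["kind"] == "long-term-key":
        print("still active for", target["user"] + ":",
              remaining_active_keys(LIST_ACCESS_KEYS, target["key_id"]))
    print("role session:", revoke_target(ROLE_SESSION_FINDING)["kind"])
```

In practice the ListAccessKeys response comes from `aws iam list-access-keys --user-name <user>` run against the account recorded in the log entry; any key the second function returns is a decision point, not something Threat Reaction has handled for you.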

Unblocking an Entity

Each blocked entry has an Unblock button. Use this when a block was triggered by a legitimate actor, for example a CI/CD runner IP that triggered a GuardDuty finding due to unusual API call patterns. Clicking Unblock removes the IP from the WAF IP set immediately and writes an UNBLOCK entry to the log. It does not change the policy on the Threats page, so the next matching finding for the same IP will block it again unless you also whitelist it.

Whitelist (This Threat Only)

In addition to unblocking, you can whitelist an entity for a specific finding type. The whitelist is keyed on the pair (entity, finding type): it prevents Threat Reaction from re-blocking the same entity for the same finding type in the future, while still allowing blocks for other finding types. Use this for known-safe actors that are expected to trigger specific detectors (e.g., a security scanner running from a known IP), and prefer it over a blanket exemption, since the scanner's IP still gets blocked if it shows up in a finding of a different type.

Verification

After making a change in the Threats page (e.g., switching a rule to BLOCK), return here after the next matching finding is processed to confirm the action fired. If no action appears for an expected finding, check the EventsProcessor Lambda CloudWatch logs for errors.

⚠️ Warning

Revoking credentials is irreversible from within Threat Reaction. To restore access for an IAM user, go to the IAM console and create a new access key for that user. IAM roles have no long-term access keys to recreate: a revoked role session stays revoked, and the caller must assume the role again to obtain a fresh session. Confirm the revocation was intentional before clicking Revoke.

💡 Tip

After a BLOCK action, verify enforcement by checking the WAF IP set in the AWS Console (WAF & Shield → IP sets). The IP set stores CIDR notation, so look for a single IPv4 host as /32 and a single IPv6 host as /128. If the IP is not present, the Lambda execution role may be missing wafv2:UpdateIPSet permission, or wafv2:GetIPSet, which UpdateIPSet depends on because the update must carry the LockToken returned by GetIPSet.
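The following is an added example, not Threat Reaction's own code, that turns the verification steps above (Blocked IPs, Unblocking, Whitelist and this tip) into a reconciliation check: replay the Actions log in order to derive which IPs should currently be blocked and which (entity, finding type) pairs are whitelisted, then compare the expected block set with the Addresses list of the real WAF IP set. The log entries and the IP set contents are constructed samples; the log field names (action, target, finding_type, timestamp, account) follow the columns described in the Action Log section but the exact keys are an assumption, and treating WHITELIST as also clearing the current block follows the Blocked IPs section above. Normalising targets to CIDR form matters because WAF stores a host as /32 or /128, so a naive string comparison against the bare IP in the log always reports a mismatch.

```python
import ipaddress
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample of Actions-log entries, oldest first.
ACTION_LOG = [
    {"action": "BLOCK", "target": "203.0.113.5",
     "finding_type": "Recon:EC2/PortProbeUnprotectedPort",
     "timestamp": "2024-05-01T10:00:00Z", "account": "111122223333"},
    {"action": "BLOCK", "target": "198.51.100.7",
     "finding_type": "UnauthorizedAccess:EC2/SSHBruteForce",
     "timestamp": "2024-05-01T10:05:00Z", "account": "111122223333"},
    # Operator recognises a known scanner and whitelists it for this finding type only.
    {"action": "WHITELIST", "target": "198.51.100.7",
     "finding_type": "UnauthorizedAccess:EC2/SSHBruteForce",
     "timestamp": "2024-05-01T10:20:00Z", "account": "111122223333"},
    {"action": "UNBLOCK", "target": "198.51.100.7",
     "finding_type": "UnauthorizedAccess:EC2/SSHBruteForce",
     "timestamp": "2024-05-01T10:21:00Z", "account": "111122223333"},
    {"action": "BLOCK", "target": "2001:db8::1",
     "finding_type": "UnauthorizedAccess:EC2/SSHBruteForce",
     "timestamp": "2024-05-01T11:00:00Z", "account": "111122223333"},
]

# Constructed sample of IPSet.Addresses from `aws wafv2 get-ip-set`.
# The IPv6 block never landed, and the unblock of 198.51.100.7 never propagated.
WAF_IPSET_ADDRESSES = ["203.0.113.5/32", "198.51.100.7/32"]


def to_cidr(target: str) -> str:
    """Normalise a bare IP or CIDR to the form WAF stores (host -> /32 or /128)."""
    return str(ipaddress.ip_network(target, strict=False))


def replay(log: Iterable[Dict]) -> Tuple[Set[str], Set[Tuple[str, str]]]:
    """Replay the append-only log oldest-first to derive the expected state.

    Returns (expected_blocked_cidrs, whitelisted_pairs). REVOKE entries target
    credentials rather than IPs and are skipped here.
    """
    blocked: Set[str] = set()
    whitelist: Set[Tuple[str, str]] = set()
    for entry in sorted(log, key=lambda e: e["timestamp"]):
        action = entry["action"]
        if action == "REVOKE":
            continue
        cidr = to_cidr(entry["target"])
        if action == "BLOCK":
            blocked.add(cidr)
        elif action == "UNBLOCK":
            blocked.discard(cidr)
        elif action == "WHITELIST":
            # Assumption: whitelisting also lifts the current block (Blocked IPs section).
            blocked.discard(cidr)
            whitelist.add((cidr, entry["finding_type"]))
    return blocked, whitelist


def enforced(cidr: str, ipset_addresses: Iterable[str]) -> bool:
    """True if some IP-set entry covers `cidr`, exactly or as a wider range."""
    net = ipaddress.ip_network(cidr)
    for addr in ipset_addresses:
        cover = ipaddress.ip_network(addr)
        if cover.version == net.version and net.subnet_of(cover):
            return True
    return False


def reconcile(log: Iterable[Dict], ipset_addresses: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Compare the blocks the log implies with what WAF actually holds.

    Returns (missing, unexpected): expected blocks absent from the IP set, and
    IP-set entries the log does not account for (e.g. an UNBLOCK that failed).
    """
    expected, _ = replay(log)
    addresses = [to_cidr(a) for a in ipset_addresses]
    missing = sorted(c for c in expected if not enforced(c, addresses))
    unexpected = sorted(a for a in addresses if a not in expected)
    return missing, unexpected


def should_block(ip: str, finding_type: str, whitelist: Set[Tuple[str, str]]) -> bool:
    """Policy check for a new finding: the whitelist is per (entity, finding type)."""
    return (to_cidr(ip), finding_type) not in whitelist


if __name__ == "__main__":
    missing, unexpected = reconcile(ACTION_LOG, WAF_IPSET_ADDRESSES)
    print("expected but missing from WAF IP set:", missing)
    print("in WAF IP set but not expected:", unexpected)
    _, wl = replay(ACTION_LOG)
    print(should_block("198.51.100.7", "UnauthorizedAccess:EC2/SSHBruteForce", wl))
    print(should_block("198.51.100.7", "Recon:EC2/PortProbeUnprotectedPort", wl))
```

To run this against a real deployment, feed `reconcile` the entries exported from the Actions page and the Addresses array from `aws wafv2 get-ip-set --scope REGIONAL --name <name> --id <id>` (name and ID are whatever your deployment uses). Anything in `missing` is a block that was logged but is not enforced, which is exactly the permission problem the tip describes; anything in `unexpected` is an entry WAF is enforcing that the log cannot explain.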

ℹ️ Note

The Actions log is append-only in DynamoDB: Threat Reaction never deletes or modifies an entry. That property holds only as long as nothing else can write to the table, so restrict dynamodb:UpdateItem and dynamodb:DeleteItem on it to the Lambda that writes the log (EventsProcessor) and treat any other principal with write access as a gap in the audit trail. With writes locked down this way, the log is suitable as a tamper-evident record for compliance and incident response reporting.