[RedTeam] Rotating Source IPs (Part 1) — AWS API Gateway

4 min readJan 7, 2021


During a security engagement, especially for an evasive/covert type of assessment, you might need to hide your traffic as much as possible. Or if the client has implemented some type of IP based blocking, you might need to rotate your source IPs to bypass it to do something like password spraying, web application enumeration, etc. Also, Microsoft is no longer considering user enumeration as their “feature”. So, if you are trying to do a password guessing/user-enumeration against one of their Office365 APIs like ActiveSync or rst2.srf (SOAP API), Microsoft has implemented a defense that after a number of queries, it will start to throw error code saying the user account is locked out whether it is valid or invalid. To bypass this, rotating your source IPs is required. In this blog post, I will show how to use AWS API Gateway to rotate source IPs to access a target URL.

AWS API Gateway Setup

Login to your AWS account

→ Click Services drop-down menu

→ Select API Gateway under the “Networking & Content Delivery”

Select REST API and click Build

NOTE: This will allow synchronous communication.

Click New API

→ “API name” : Any Name (e.g., bigb0ss_api_test)

→ “Endpoint Type”: Regional

→ Click `Create API`

Click Actions drop-down menu

→ Select Create Method

Select ANY


OSWE | OSCE | OSCP | CREST | Lead Offensive Security Engineer — All about Penetration Test, Red Team, Cloud Security, Web Application Security