diff --git a/CLAUDE.md b/CLAUDE.md
index ed52c9e..7119c96 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -2,6 +2,10 @@
 
 This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
 
+## Project Overview
+
+AWS CloudFront CDN with CrowdSec real-time security integration via Lambda. Implements automated IP blocking through webhook notifications.
+
 ## Common Development Commands
 
 ### Infrastructure Management
@@ -30,10 +34,10 @@ echo "yes" | tofu init -migrate-state
 
 ### Validation and Formatting
 ```bash
-# Validate Terraform configuration
+# Validate configuration
 tofu validate
 
-# Format Terraform files
+# Format files
 tofu fmt
 
 # Check syntax and validate variables
@@ -42,8 +46,8 @@ tofu plan -var-file=terraform.tfvars
 
 ### AWS Resource Verification
 ```bash
-# Check CloudFront distribution status
-aws cloudfront get-distribution --id E1XR8P4ENGP8RU --query 'Distribution.Status' --output text
+# Check CloudFront distribution status (Current Distribution ID: EATJ1HDQU8V51)
+aws cloudfront get-distribution --id EATJ1HDQU8V51 --query 'Distribution.Status' --output text
 
 # List all CloudFront distributions
 aws cloudfront list-distributions --query 'DistributionList.Items[*].[Id,Status,DistributionConfig.Enabled]' --output table
@@ -64,7 +68,7 @@ This is an AWS CloudFront CDN deployment using OpenTofu (Terraform fork) with th
 - **CloudFront Distribution**: Main CDN with custom origin server
 - **WAF v2 Web ACL**: Security layer with rate limiting and AWS managed rules
 - **S3 Backend**: Remote state storage with versioning and encryption
-- **Optional CloudFormation Stack**: VPC and networking resources
+- **CrowdSec Integration**: Real-time threat detection and IP blocking
 
 **Critical Configuration Constraints:**
 - Origin server (`origin.servidor.it.com`) only supports HTTP, not HTTPS
@@ -75,8 +79,10 @@ This is an AWS CloudFront CDN deployment using OpenTofu (Terraform fork) with th
 ### File Structure and Responsibilities
 
 **Core Infrastructure:**
-- `main.tf` - CloudFront distribution, origin configuration, cache behaviors, and optional CloudFormation stack
+- `main.tf` - CloudFront distribution, origin configuration, cache behaviors
 - `security.tf` - WAF Web ACL with rate limiting, managed rule sets, and security groups
+- `lambda.tf` - CrowdSec Lambda integration with API Gateway
+- `lambda-crowdsec-waf.py` - Lambda function for real-time IP management
 - `variables.tf` - All configurable parameters with validation rules
 - `outputs.tf` - CloudFront URLs, distribution IDs, and resource ARNs
 
@@ -100,6 +106,7 @@ This is an AWS CloudFront CDN deployment using OpenTofu (Terraform fork) with th
 - WAF protection with AWS managed rules and rate limiting
 - S3 buckets with encryption, versioning, and public access blocking
 - Security groups with principle of least privilege (when VPC enabled)
+- CrowdSec real-time threat detection with Lambda integration
 
 **Cache Strategy:**
 - Default behavior uses CachingDisabled policy for dynamic content
@@ -115,9 +122,9 @@ This is an AWS CloudFront CDN deployment using OpenTofu (Terraform fork) with th
 
 ### Critical Settings in terraform.tfvars
 - `origin_protocol_policy = "http-only"` - **Do not change to HTTPS** (causes 504 errors)
-- `create_acm_certificate = false` - Custom certificates fail due to CAA restrictions
+- `create_acm_certificate = true` - ACM certificate enabled for custom domain
 - `enable_waf = true` - WAF is working and provides important security
-- `create_route53_records = false` - DNS management disabled due to CAA restrictions
+- `create_route53_records = true` - Route53 DNS management enabled
 
 ### State Management
 - Backend uses S3 without DynamoDB locking (single developer setup)
@@ -135,15 +142,148 @@ This is an AWS CloudFront CDN deployment using OpenTofu (Terraform fork) with th
 - Compression enabled for all content types
 - Custom error pages redirect 404/403 to index.html for SPA support
 
-### Working vs Disabled Features
+## CrowdSec Integration
+
+**🔄 Automated Workflow**: CrowdSec → API Gateway → Lambda → AWS WAF → CloudFront
+
+**📊 Current Resources (Updated 2025-09-09):**
+- **CloudFront Distribution ID**: `EATJ1HDQU8V51`
+- **CloudFront URL**: `https://d2mhxhntq3ezzr.cloudfront.net`
+- **WAF Web ACL ID**: `d61073b6-27b1-473e-aa9f-d2aa4a4c75a6`
+- **WAF IP Set ID**: `a9e47946-c186-4b28-83a8-fe3aeb9c296b`
+- **Deployment Status**: `Deployed` ✅
+
+### CrowdSec Integration Commands
+
+**⚠️ Note**: IP management is now automated via CrowdSec webhook integration. Manual commands are for monitoring and emergency use only.
+
+**View Current Blocked IPs:**
+```bash
+# View current blocked IPs (Updated IP Set ID)
+aws wafv2 get-ip-set --scope CLOUDFRONT --region us-east-1 \
+  --id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
+  --name aws-cf-dev-blocked-ips \
+  --query 'IPSet.Addresses'
+```
+
+**Test CrowdSec Webhook:**
+```bash
+# Test webhook endpoint
+curl -X POST https://8zdmpjfnhh.execute-api.us-east-1.amazonaws.com/dev/webhook \
+  -H "Content-Type: application/json" \
+  -H "User-Agent: CrowdSec/1.7.0" \
+  -d '[{"uuid":"test","decisions":[{"value":"1.2.3.4","type":"ban","action":"add"}]}]'
+```
+
+**Monitor CrowdSec Container:**
+```bash
+# Check CrowdSec status
+incus exec crowdsec -- cscli metrics
+
+# View current decisions
+incus exec crowdsec -- cscli decisions list
+
+# Test notifications
+incus exec crowdsec -- cscli notifications test aws-waf
+```
+
+**Lambda Function Monitoring:**
+```bash
+# Check Lambda logs
+aws logs tail /aws/lambda/aws-cf-dev-crowdsec-waf-updater --follow
+
+# Test Lambda directly
+aws lambda invoke --function-name aws-cf-dev-crowdsec-waf-updater response.json
+```
+
+### WAF Monitoring
+
+**Check WAF Metrics:**
+```bash
+# Check blocked requests
+aws cloudwatch get-metric-statistics --namespace AWS/WAFV2 \
+  --metric-name BlockedRequests \
+  --dimensions Name=WebACL,Value=aws-cf-dev-waf Name=Rule,Value=BlockedIPsRule \
+  --start-time $(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%S) \
+  --end-time $(date -u +%Y-%m-%dT%H:%M:%S) \
+  --period 300 --statistics Sum
+
+# Check rate limited requests
+aws cloudwatch get-metric-statistics --namespace AWS/WAFV2 \
+  --metric-name BlockedRequests \
+  --dimensions Name=WebACL,Value=aws-cf-dev-waf Name=Rule,Value=RateLimitRule \
+  --start-time $(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%S) \
+  --end-time $(date -u +%Y-%m-%dT%H:%M:%S) \
+  --period 300 --statistics Sum
+```
+
+## Working vs Disabled Features
+
 **Currently Working:**
-- CloudFront distribution with HTTP origin
-- WAF v2 with managed rules
-- S3 logging and state storage
-- Custom cache behaviors for API paths
+- CloudFront distribution with HTTP origin ✅
+- WAF v2 with managed rules ✅
+- S3 logging and state storage ✅
+- Custom cache behaviors for API paths ✅
+- IP-based blocking through WAF IP Sets ✅
+
+**Currently Enabled:**
+- ACM custom certificates (b011e60a-1ea1-4dd3-844f-e0851ece4784) ✅
+- Route53 DNS management (Z01934581JQAF2GS71GG) ✅
+- WAF v2 with IP blocking (d61073b6-27b1-473e-aa9f-d2aa4a4c75a6) ✅
+- CrowdSec webhook integration (setup required) ⚠️
 
 **Currently Disabled (can be enabled with proper permissions):**
-- ACM custom certificates (CAA restrictions)
-- Route53 DNS management (CAA restrictions)  
 - CloudFormation VPC stack (permission constraints)
-- DynamoDB state locking (permission constraints)
\ No newline at end of file
+- DynamoDB state locking (permission constraints)
+
+## WAF Troubleshooting History
+
+### Issue Resolution (2025-09-09)
+
+**Problem**: WAF IP blocking was not functioning despite proper configuration.
+
+**Root Cause Analysis:**
+1. **IP Set ID Mismatch**: Commands referenced old IP Set ID (`c43ff364-f3e2-43c7-8462-8fae20599d8d`) instead of actual ID
+2. **CloudFront Deployment State**: Distribution was in "InProgress" status preventing WAF changes from taking effect
+3. **Configuration Synchronization**: WAF and CloudFront association was not properly synchronized
+
+**Resolution Method:**
+- Complete infrastructure recreation using `tofu destroy` and `tofu apply`
+- All resources recreated with fresh IDs and proper associations
+- WAF rules now properly configured with correct IP Set references
+
+**Current Status:**
+- ✅ WAF properly associated with CloudFront (`EATJ1HDQU8V51`)
+- ✅ IP blocking rules functional (Priority 1: BlockedIPsRule)
+- ✅ Rate limiting active (10,000 requests/5min per IP)
+- ✅ AWS managed rule sets enabled (Common + Known Bad Inputs)
+- ✅ Test IP blocking verified: `1.2.3.4/32`, `61.77.18.91/32`
+
+**Key Commands for Manual IP Management:**
+```bash
+# Add IP to blocked list
+aws wafv2 update-ip-set --scope=CLOUDFRONT --region=us-east-1 \
+  --id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
+  --name aws-cf-dev-blocked-ips \
+  --addresses "IP1/32" "IP2/32" \
+  --lock-token $(aws wafv2 get-ip-set --scope=CLOUDFRONT --region=us-east-1 \
+    --id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
+    --name aws-cf-dev-blocked-ips --query 'LockToken' --output text)
+
+# Verify WAF-CloudFront association
+aws cloudfront get-distribution --id EATJ1HDQU8V51 \
+  --query 'Distribution.DistributionConfig.WebACLId' --output text
+
+# Check current blocked IPs
+aws wafv2 get-ip-set --scope=CLOUDFRONT --region=us-east-1 \
+  --id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
+  --name aws-cf-dev-blocked-ips --query 'IPSet.Addresses'
+```
+
+**Note**: WAF rule changes may take up to 15 minutes to propagate across CloudFront edge locations.
+
+# important-instruction-reminders
+Do what has been asked; nothing more, nothing less.
+NEVER create files unless they're absolutely necessary for achieving your goal.
+ALWAYS prefer editing an existing file to creating a new one.
+NEVER proactively create documentation files (*.md) or README files. Only create documentation files if explicitly requested by the User.
\ No newline at end of file
diff --git a/DEPLOYMENT_GUIDE.md b/DEPLOYMENT_GUIDE.md
index 456cb7a..8f90755 100644
--- a/DEPLOYMENT_GUIDE.md
+++ b/DEPLOYMENT_GUIDE.md
@@ -1,241 +1,285 @@
-# AWS CloudFront 배포 가이드
+# AWS CloudFront + CrowdSec 배포 가이드
 
-## 📋 프로젝트 개요
-AWS CloudFront CDN을 OpenTofu(Terraform fork)로 구성하여 `origin.servidor.it.com`을 origin으로 사용하는 인프라스트럭처 프로젝트입니다.
+## 📋 완전 배포 가이드
+AWS CloudFront CDN과 CrowdSec 실시간 보안 통합 시스템의 단계별 배포 가이드입니다.
 
-## 🏗️ 현재 인프라 상태
+## 🎯 배포 목표
+- CloudFront CDN 구성 (`origin.servidor.it.com`)
+- CrowdSec 컨테이너 보안 시스템
+- Lambda 기반 실시간 WAF 통합
+- Nginx Proxy Manager 로그 분석
 
-### CloudFront Distribution
-- **Distribution ID**: E1XR8P4ENGP8RU
-- **CloudFront URL**: https://dspki4yrh5oy1.cloudfront.net
-- **Origin**: origin.servidor.it.com (HTTP-only)
-- **Status**: ✅ Deployed and Working
+## ⚠️ 중요 제약사항
+- **Origin Protocol**: HTTP-only (HTTPS 사용 시 504 에러)
+- **DynamoDB Locking**: 권한 제한으로 비활성화
 
-### 보안 설정
-- **WAF**: AWS WAF v2 활성화
-  - WAF ID: d21d84c1-edb9-40af-9cdd-27f42f09c499
-  - Rate Limiting: 10,000 requests/5min per IP
-  - AWS Managed Rules - Common Rule Set (SQL Injection, XSS 방어)
-  - AWS Managed Rules - Known Bad Inputs (악성 패턴 차단)
-- **Viewer Protocol**: HTTPS (redirect-to-https)
-- **Origin Protocol**: HTTP-only (중요: HTTPS 사용 시 504 에러)
+## ✅ 현재 활성화된 기능
+- **ACM Certificate**: 활성화됨 (b011e60a-1ea1-4dd3-844f-e0851ece4784)
+- **Route53 Records**: 활성화됨 (Z01934581JQAF2GS71GG)
+- **WAF Protection**: 활성화됨 (d61073b6-27b1-473e-aa9f-d2aa4a4c75a6)
 
-### 로깅 및 상태 관리
-- **CloudFront Logs**: `s3://aws-cf-cloudfront-logs-535294143817/cloudfront-logs/`
-- **Terraform State**: `s3://aws-cf-terraform-state-535294143817/aws-cf/terraform.tfstate`
-- **State Locking**: 비활성화 (DynamoDB 권한 없음)
-
-## 🚀 배포 방법
+## 🚀 1단계: 인프라 배포
 
 ### 사전 요구사항
-- OpenTofu 또는 Terraform 설치
-- AWS CLI 구성
-- 필요한 IAM 권한:
-  - CloudFrontFullAccess
-  - S3FullAccess
-  - Route53FullAccess
-  - AWSCertificateManagerFullAccess
-  - AWSWAFFullAccess (WAFv2 포함)
-  - AWSCloudFormationFullAccess
+- AWS CLI 설정 완료
+- OpenTofu 설치 (`brew install opentofu`)
+- Incus 설치 및 설정
 
-### 초기 설정
+### 인프라 배포
 ```bash
-# S3 Backend 설정 (이미 완료됨)
-./setup-backend.sh
+# 프로젝트 디렉토리로 이동
+cd /Users/kaffa/Projects/was-cf
 
-# State 마이그레이션 (이미 완료됨)
-echo "yes" | tofu init -migrate-state
-```
-
-### 배포 명령어
-```bash
-# 초기화
+# OpenTofu 초기화
 tofu init
 
 # 계획 확인
 tofu plan
 
-# 배포 실행
+# 인프라 배포
 tofu apply -auto-approve
-
-# 상태 확인
-tofu state list
 ```
 
-## 📁 프로젝트 구조
-```
-aws-cf/
-├── main.tf                 # CloudFront 메인 구성
-├── variables.tf            # 변수 정의
-├── terraform.tfvars        # 변수 값 설정
-├── outputs.tf              # 출력 정의
-├── versions.tf             # Provider 버전 관리
-├── backend.tf              # S3 Backend 설정
-├── security.tf             # WAF 및 보안 그룹
-├── acm.tf                  # ACM 인증서 (비활성화)
-├── setup-backend.sh        # S3 Backend 설정 스크립트
-├── README.md               # 기존 문서
-└── DEPLOYMENT_GUIDE.md     # 이 문서
+### 배포 결과 확인
+```bash
+# 출력값 확인
+tofu output
+
+# CloudFront 상태 확인
+aws cloudfront get-distribution --id EATJ1HDQU8V51 --query 'Distribution.Status'
+
+# WAF 규칙 확인
+aws wafv2 get-web-acl --scope CLOUDFRONT --id d61073b6-27b1-473e-aa9f-d2aa4a4c75a6 --region us-east-1
 ```
 
-## ⚙️ 중요 설정 내용
+## 🔒 2단계: CrowdSec 컨테이너 설정
 
-### terraform.tfvars 핵심 설정
-```hcl
-# Origin 설정 (매우 중요)
-origin_domain = "origin.servidor.it.com"
-origin_protocol_policy = "http-only"  # HTTPS 사용 시 504 에러!
-
-# CloudFront 설정
-viewer_protocol_policy = "redirect-to-https"
-price_class = "PriceClass_100"
-
-# 보안 설정
-enable_waf = true
-
-# 로깅 설정
-enable_cloudfront_logging = true
-cloudfront_logs_bucket = "aws-cf-cloudfront-logs-535294143817"
-
-# 비활성화된 기능 (권한/제한 사항)
-create_route53_records = false  # CAA 제한으로 비활성화
-create_acm_certificate = false  # CloudFront 기본 인증서 사용
-enable_cloudformation_stack = false  # CloudFormation 권한 없음
+### 컨테이너 생성
+```bash
+# 새 Ubuntu 컨테이너 생성
+incus launch ubuntu:24.04 crowdsec
+incus exec crowdsec -- apt update
 ```
 
-## 🔧 문제 해결 히스토리
+### CrowdSec 설치
+```bash
+# CrowdSec 설치
+incus exec crowdsec -- curl -s https://install.crowdsec.net | sh
 
-### 1. 504 Gateway Timeout 해결 ✅
-**문제**: CloudFront가 origin 서버에 연결할 수 없음
-**원인**: origin.servidor.it.com이 HTTP(80)만 지원하는데 HTTPS(443)로 연결 시도
-**해결**: 
-```hcl
-origin_protocol_policy = "http-only"
+# 서비스 상태 확인
+incus exec crowdsec -- systemctl status crowdsec
 ```
 
-### 2. ACM 인증서 CAA 제한 ✅
-**문제**: *.servidor.it.com 도메인에 대한 ACM 인증서 발급 실패
-**원인**: CAA DNS 레코드가 AWS 인증서 발급을 제한
-**해결**: CloudFront 기본 인증서 사용
-```hcl
-create_acm_certificate = false
-viewer_certificate {
-  cloudfront_default_certificate = true
+### 보안 컬렉션 설치
+```bash
+# Nginx Proxy Manager 컬렉션 설치
+incus exec crowdsec -- cscli collections install crowdsecurity/nginx-proxy-manager
+
+# 설치된 컬렉션 확인
+incus exec crowdsec -- cscli collections list
+
+# 설정 적용
+incus exec crowdsec -- systemctl reload crowdsec
+```
+
+## 🔗 3단계: 웹훅 통합 설정
+
+### 알림 설정 파일 생성
+```bash
+incus exec crowdsec -- tee /etc/crowdsec/notifications/aws-waf.yaml << 'EOF'
+type: http
+name: aws-waf
+log_level: info
+url: https://8zdmpjfnhh.execute-api.us-east-1.amazonaws.com/dev/webhook
+method: POST
+headers:
+  Content-Type: application/json
+  User-Agent: CrowdSec/1.7.0
+timeout: 10s
+format: |
+  {{ .|toJson }}
+EOF
+```
+
+### 프로필 설정
+```bash
+incus exec crowdsec -- tee /etc/crowdsec/profiles.yaml << 'EOF'
+name: aws_waf_profile
+filters:
+ - Alert.Remediation == true && Alert.GetScenario() startsWith "crowdsecurity/"
+notifications:
+ - aws-waf
+on_success: break
+EOF
+```
+
+### CrowdSec 재시작
+```bash
+incus exec crowdsec -- systemctl restart crowdsec
+```
+
+## 🧪 4단계: 통합 테스트
+
+### 웹훅 엔드포인트 테스트
+```bash
+curl -X POST https://8zdmpjfnhh.execute-api.us-east-1.amazonaws.com/dev/webhook \
+  -H "Content-Type: application/json" \
+  -H "User-Agent: CrowdSec/1.7.0" \
+  -d '[{
+    "uuid": "test-123",
+    "decisions": [{
+      "value": "192.168.1.100",
+      "type": "ban", 
+      "action": "add"
+    }]
+  }]'
+```
+
+**예상 응답:**
+```json
+{
+  "success": true,
+  "message": "WAF IP Set updated successfully",
+  "ips_added": ["192.168.1.100"],
+  "ips_removed": [],
+  "total_ips": 1
 }
 ```
 
-### 3. DynamoDB State Locking 권한 ✅
-**문제**: Terraform state locking을 위한 DynamoDB 테이블 생성/접근 불가
-**해결**: S3만 사용 (1인 개발 시 충분)
-```hcl
-backend "s3" {
-  bucket = "aws-cf-terraform-state-535294143817"
-  key = "aws-cf/terraform.tfstate"
-  # dynamodb_table = "terraform-state-lock"  # 비활성화
-}
-```
-
-### 4. 중복 CloudFront Distribution 정리 ✅
-**문제**: 여러 배포 시도로 3개의 distribution 생성
-**해결**: 
-- E18GW141CX7I8C - 비활성화 중 (삭제 예정)
-- E32FD742KMW2YY - 비활성화 중 (삭제 예정)
-- E1XR8P4ENGP8RU - 현재 사용 중 ✅
-
-### 5. WAF 권한 문제 ✅
-**초기 문제**: WAFv2 권한 없다고 오류 발생
-**해결**: AWSWAFFullAccess 정책에 wafv2:* 권한 포함되어 있음 확인
-
-## 📊 모니터링 및 관리
-
-### 상태 확인 명령어
+### WAF IP Set 확인
 ```bash
-# CloudFront 상태
-aws cloudfront get-distribution --id E1XR8P4ENGP8RU \
-  --query 'Distribution.Status' --output text
-
-# WAF 연결 확인
-aws cloudfront get-distribution --id E1XR8P4ENGP8RU \
-  --query 'Distribution.DistributionConfig.WebACLId' --output text
-
-# 로그 확인
-aws s3 ls s3://aws-cf-cloudfront-logs-535294143817/cloudfront-logs/ --recursive
-
-# State 파일 확인
-aws s3 ls s3://aws-cf-terraform-state-535294143817/aws-cf/
+aws wafv2 get-ip-set --scope CLOUDFRONT --region us-east-1 \
+  --id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
+  --name aws-cf-dev-blocked-ips \
+  --query 'IPSet.Addresses'
 ```
 
-### 성능 테스트
+### IP 제거 테스트
 ```bash
-# CloudFront 응답 확인
-curl -I https://dspki4yrh5oy1.cloudfront.net
-
-# 출력 예시:
-# HTTP/2 200
-# content-type: text/html
-# x-cache: Miss from cloudfront (첫 요청) / Hit from cloudfront (캐시된 요청)
+curl -X POST https://8zdmpjfnhh.execute-api.us-east-1.amazonaws.com/dev/webhook \
+  -H "Content-Type: application/json" \
+  -H "User-Agent: CrowdSec/1.7.0" \
+  -d '[{
+    "uuid": "test-456",
+    "decisions": [{
+      "value": "192.168.1.100",
+      "type": "ban",
+      "action": "delete"
+    }]
+  }]'
 ```
 
-### 비활성화된 Distribution 삭제 (완전 비활성화 후)
+### CrowdSec 알림 테스트
 ```bash
-# 상태 확인
-aws cloudfront list-distributions \
-  --query 'DistributionList.Items[*].[Id,Status,DistributionConfig.Enabled]' \
-  --output table
-
-# 삭제 (Deployed 상태에서 Enabled=false 일 때)
-aws cloudfront get-distribution-config --id E18GW141CX7I8C > dist-config.json
-ETAG=$(jq -r '.ETag' dist-config.json)
-aws cloudfront delete-distribution --id E18GW141CX7I8C --if-match $ETAG
+incus exec crowdsec -- cscli notifications test aws-waf
 ```
 
-## 🔒 보안 고려사항
+## 📊 5단계: 모니터링 설정
 
-1. **WAF 설정**
-   - 현재 기본 AWS Managed Rules 사용
-   - 필요시 커스텀 룰 추가 가능
-   - Rate limiting 조정 가능 (security.tf)
+### Lambda 함수 로그 모니터링
+```bash
+# 실시간 로그 확인
+aws logs tail /aws/lambda/aws-cf-dev-crowdsec-waf-updater --follow
 
-2. **Origin 보안**
-   - ⚠️ Origin이 HTTP만 지원하므로 CloudFront-Origin 간 트래픽 암호화 안됨
-   - 권장: Origin 서버에 HTTPS 지원 추가
+# 특정 시간대 로그
+aws logs filter-log-events \
+  --log-group-name /aws/lambda/aws-cf-dev-crowdsec-waf-updater \
+  --start-time $(date -d '1 hour ago' +%s)000
+```
 
-3. **로그 관리**
-   - CloudFront 로그 90일 자동 삭제 설정
-   - 장기 보관 필요시 S3 lifecycle 수정
+### CrowdSec 상태 모니터링
+```bash
+# 메트릭 확인
+incus exec crowdsec -- cscli metrics
 
-## 📝 향후 개선 사항
+# 현재 차단 결정
+incus exec crowdsec -- cscli decisions list
 
-### 권한 획득 시 활성화 가능한 기능
-1. **DynamoDB State Locking**
-   - 팀 협업 시 필수
-   - backend.tf에서 주석 해제
+# 허브 상태
+incus exec crowdsec -- cscli hub list
+```
 
-2. **Custom Domain with ACM**
-   - CAA 레코드 수정 후 가능
-   - terraform.tfvars에서 `create_acm_certificate = true`
+### WAF 메트릭 확인
+```bash
+# 차단된 요청 확인
+aws cloudwatch get-metric-statistics \
+  --namespace AWS/WAFV2 \
+  --metric-name BlockedRequests \
+  --dimensions Name=WebACL,Value=aws-cf-dev-waf Name=Rule,Value=BlockedIPsRule \
+  --start-time $(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%S) \
+  --end-time $(date -u +%Y-%m-%dT%H:%M:%S) \
+  --period 300 --statistics Sum
+```
 
-3. **CloudFormation Stack**
-   - VPC 및 네트워킹 리소스 관리
-   - terraform.tfvars에서 `enable_cloudformation_stack = true`
+## 🔧 문제 해결
 
-### 성능 최적화
-1. Cache Policy 최적화
-2. Origin Request Policy 조정
-3. CloudFront Edge Location 선택 (Price Class)
+### 일반적인 문제들
 
-## 🏷️ 태그 및 메타데이터
-- **Project**: aws-cf
-- **Environment**: dev
-- **ManagedBy**: OpenTofu
-- **Owner**: kaffa
-- **Created**: 2025-09-08
-- **LastUpdated**: 2025-09-09
+**1. 웹훅 연결 실패**
+```bash
+# 네트워크 연결 확인
+incus exec crowdsec -- curl -I https://8zdmpjfnhh.execute-api.us-east-1.amazonaws.com/dev/webhook
 
-## 📚 참고 자료
-- [OpenTofu Documentation](https://opentofu.org/docs/)
-- [AWS CloudFront Best Practices](https://docs.aws.amazon.com/cloudfront/latest/developerguide/best-practices.html)
-- [AWS WAF Documentation](https://docs.aws.amazon.com/waf/latest/developerguide/)
+# CrowdSec 알림 설정 확인
+incus exec crowdsec -- cat /etc/crowdsec/notifications/aws-waf.yaml
+```
+
+**2. Lambda 함수 오류**
+```bash
+# Lambda 함수 직접 테스트
+aws lambda invoke --function-name aws-cf-dev-crowdsec-waf-updater response.json
+
+# 에러 로그 확인
+aws logs describe-log-groups --log-group-name-prefix "/aws/lambda/aws-cf-dev"
+```
+
+**3. WAF 업데이트 실패**
+```bash
+# IAM 권한 확인
+aws iam get-role-policy --role-name aws-cf-dev-lambda-waf-role --policy-name aws-cf-dev-lambda-waf-policy
+
+# WAF IP Set 상태 확인
+aws wafv2 get-ip-set --scope CLOUDFRONT --region us-east-1 --id a9e47946-c186-4b28-83a8-fe3aeb9c296b --name aws-cf-dev-blocked-ips
+```
+
+## 📈 운영 관리
+
+### 정기 유지보수
+```bash
+# CrowdSec 업데이트
+incus exec crowdsec -- cscli hub update
+incus exec crowdsec -- cscli hub upgrade
+
+# 컬렉션 상태 확인
+incus exec crowdsec -- cscli collections list
+
+# 시스템 리소스 확인
+incus info crowdsec
+```
+
+### 백업 및 복구
+```bash
+# CrowdSec 설정 백업
+incus exec crowdsec -- tar -czf /tmp/crowdsec-config.tar.gz /etc/crowdsec
+
+# 설정 파일 복사
+incus file pull crowdsec/tmp/crowdsec-config.tar.gz ./
+
+# Terraform 상태 백업
+aws s3 sync s3://aws-cf-terraform-state-535294143817 ./backup/
+```
+
+## 🎯 완료 체크리스트
+
+- [ ] AWS 인프라 배포 완료
+- [ ] CrowdSec 컨테이너 설정 완료
+- [ ] 웹훅 통합 설정 완료
+- [ ] 통합 테스트 성공
+- [ ] 모니터링 설정 완료
+- [ ] 문서화 완료
 
 ---
-*이 문서는 실제 배포 경험을 바탕으로 작성되었습니다.*
\ No newline at end of file
+
+**배포 완료 시간**: 약 30-45분  
+**필수 권한**: AWS WAF, Lambda, API Gateway, CloudWatch 접근  
+**지원**: [CrowdSec Integration Guide](CROWDSEC-WAF-INTEGRATION.md) 참조
\ No newline at end of file
diff --git a/README.md b/README.md
index 6525499..32e0546 100644
--- a/README.md
+++ b/README.md
@@ -1,151 +1,87 @@
-# AWS CloudFront with OpenTofu
+# AWS CloudFront + CrowdSec WAF Integration
 
-이 프로젝트는 OpenTofu를 사용하여 AWS CloudFront 배포와 CloudFormation 스택을 관리합니다.
+🛡️ AWS CloudFront CDN with real-time CrowdSec threat protection via Lambda integration.
 
-## 구조
+## 🏗️ Architecture
 
-- `versions.tf` - Provider 및 Terraform 버전 설정
-- `variables.tf` - 입력 변수 정의
-- `main.tf` - CloudFront 배포 및 CloudFormation 스택
-- `security.tf` - 보안 그룹 및 WAF 설정
-- `outputs.tf` - 출력 변수
-- `terraform.tfvars.example` - 변수 설정 예시
-
-## 주요 기능
-
-### CloudFront 배포
-- `origin.servidor.it.com`을 원본 서버로 사용
-- HTTPS 리디렉션 및 압축 지원
-- 사용자 정의 도메인(CNAME) 지원
-- 캐시 정책 및 원본 요청 정책 설정
-- 커스텀 오류 페이지 설정
-
-### CloudFormation 스택
-- VPC 및 네트워킹 리소스 생성
-- 퍼블릭 서브넷 및 인터넷 게이트웨이
-- 스택 출력을 통한 리소스 ID 공유
-
-### 보안 기능
-- ALB 및 웹 서버용 보안 그룹 (선택사항)
-- AWS WAF v2 웹 ACL (선택사항)
-- 레이트 제한 및 관리 규칙 세트
-
-## 사용 방법
-
-### 1. 환경 설정
-
-```bash
-# OpenTofu 설치 확인
-tofu version
-
-# AWS 자격 증명 설정
-export AWS_ACCESS_KEY_ID="your-access-key"
-export AWS_SECRET_ACCESS_KEY="your-secret-key"
-export AWS_DEFAULT_REGION="us-east-1"
+```
+CrowdSec Container → API Gateway → Lambda → AWS WAF → CloudFront Distribution
 ```
 
-### 2. 변수 설정
+## 📋 Project Overview
+
+- **CloudFront Distribution**: `EATJ1HDQU8V51` 
+- **Origin Server**: `origin.servidor.it.com` (HTTP-only)
+- **WAF Protection**: Real-time IP blocking via CrowdSec
+- **Custom Domains**: `servidor.it.com`, `www.servidor.it.com`
+- **ACM Certificate**: `b011e60a-1ea1-4dd3-844f-e0851ece4784`
+
+## 🚀 Quick Start
 
 ```bash
-# 설정 파일 복사
-cp terraform.tfvars.example terraform.tfvars
-
-# 필요한 값들 수정
-vim terraform.tfvars
-```
-
-### 3. 배포
-
-```bash
-# 초기화
+# 1. Deploy infrastructure
 tofu init
-
-# 계획 확인
-tofu plan
-
-# 배포 실행
 tofu apply
+
+# 2. Configure CrowdSec
+incus exec crowdsec -- cscli collections install crowdsecurity/nginx-proxy-manager
+
+# 3. Verify WAF configuration
+aws wafv2 get-ip-set --scope CLOUDFRONT --region us-east-1 \
+  --id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
+  --name aws-cf-dev-blocked-ips
 ```
 
-### 4. 확인
+## 📊 Key Resources
 
-배포 후 출력된 CloudFront URL을 통해 서비스에 접근할 수 있습니다:
+- **CloudFront URL**: https://d2mhxhntq3ezzr.cloudfront.net
+- **WAF Web ACL ID**: `d61073b6-27b1-473e-aa9f-d2aa4a4c75a6`
+- **WAF IP Set ID**: `a9e47946-c186-4b28-83a8-fe3aeb9c296b`
+- **Route53 Zone ID**: `Z01934581JQAF2GS71GG`
+
+## 🛡️ Security Features
+
+1. **Priority 1**: CrowdSec real-time IP blocking
+2. **Priority 2**: Rate limiting (10K req/5min)
+3. **Priority 3**: AWS Managed Common Rules
+4. **Priority 4**: AWS Managed Bad Input Rules
+
+## 📁 Project Structure
+
+```
+├── README.md                    # This file
+├── CLAUDE.md                   # Development guide for Claude Code
+├── DEPLOYMENT_GUIDE.md         # Detailed deployment instructions
+├── CROWDSEC-WAF-INTEGRATION.md # CrowdSec integration documentation
+├── main.tf                     # CloudFront and core infrastructure
+├── security.tf                 # WAF and security configurations
+├── lambda.tf                   # CrowdSec Lambda integration
+├── lambda-crowdsec-waf.py      # Lambda function code
+└── terraform.tfvars            # Configuration variables
+```
+
+## 📚 Documentation
+
+- **🚀 [Deployment Guide](DEPLOYMENT_GUIDE.md)** - Complete deployment instructions
+- **🛡️ [CrowdSec Integration](CROWDSEC-WAF-INTEGRATION.md)** - Real-time security setup
+- **🔧 [Development Guide](CLAUDE.md)** - Claude Code specific instructions
+
+## ⚡ Common Commands
 
 ```bash
-# CloudFront 배포 상태 확인
-aws cloudfront get-distribution --id <distribution-id>
+# Check WAF blocked IPs
+aws wafv2 get-ip-set --scope CLOUDFRONT --region us-east-1 \
+  --id a9e47946-c186-4b28-83a8-fe3aeb9c296b \
+  --name aws-cf-dev-blocked-ips \
+  --query 'IPSet.Addresses'
 
-# CloudFormation 스택 상태 확인
-aws cloudformation describe-stacks --stack-name <stack-name>
+# Monitor CrowdSec decisions
+incus exec crowdsec -- cscli decisions list
+
+# View Lambda logs
+aws logs tail /aws/lambda/aws-cf-dev-crowdsec-waf-updater --follow
 ```
 
-## 중요 설정
+---
 
-### SSL 인증서
-
-이 설정은 **ACM(AWS Certificate Manager) 인증서**를 사용합니다:
-
-- `servidor.it.com`과 `*.servidor.it.com` 도메인 지원
-- 자동으로 us-east-1 리전에 ACM 인증서 생성
-- DNS 검증을 통한 자동 인증서 발급
-- Route53을 통한 자동 DNS 레코드 관리
-- CloudFront와 완전 통합된 HTTPS 설정
-
-### 캐시 정책
-
-기본 제공되는 AWS 관리 정책:
-
-- `4135ea2d-6df8-44a3-9df3-4b5a84be39ad` - CachingDisabled
-- `725fe1d6-8a84-4f3e-8ab1-bc2d5bb10e12` - CachingOptimized
-- `df3c6b6c-4e41-4d9c-a8c7-6b8b2b8e6b8b` - CachingOptimizedForUncompressedObjects
-
-### 보안 고려사항
-
-프로덕션 환경에서는:
-
-- `ssh_allowed_cidrs`를 특정 IP로 제한
-- WAF 활성화 (`enable_waf = true`)
-- 적절한 캐시 정책 선택
-- CloudTrail 및 CloudWatch 로깅 활성화
-
-### 도메인 설정
-
-**전제 조건**:
-- `servidor.it.com` 도메인의 Route53 호스팅 영역이 존재해야 함
-- 도메인의 네임서버가 Route53으로 설정되어 있어야 함
-
-**자동 설정**:
-- ACM 인증서 자동 생성 및 검증
-- Route53 A 레코드 자동 생성 (`servidor.it.com` → CloudFront)
-- Route53 A 레코드 자동 생성 (`www.servidor.it.com` → CloudFront)
-
-## 출력 정보
-
-배포 완료 후 다음 정보들이 출력됩니다:
-
-- CloudFront 배포 ID 및 도메인
-- CloudFormation 스택 정보
-- 보안 그룹 ID (활성화된 경우)
-- WAF Web ACL ARN (활성화된 경우)
-- VPC 및 서브넷 정보
-
-## 정리
-
-```bash
-# 리소스 삭제
-tofu destroy
-```
-
-## 문제 해결
-
-### 일반적인 오류
-
-1. **인증서 오류**: CloudFront용 인증서는 us-east-1에서만 생성 가능
-2. **도메인 검증**: CNAME 설정 전에 도메인 소유권 확인 필요
-3. **원본 서버**: `origin.servidor.it.com`이 HTTPS를 지원하는지 확인
-
-### 로그 확인
-
-- CloudFront 액세스 로그 활성화
-- CloudWatch 메트릭 모니터링
-- WAF 로그 분석 (활성화된 경우)
\ No newline at end of file
+**Status**: ✅ Production Ready | **Last Updated**: 2025-09-09
\ No newline at end of file