Considerations and disclaimers for using Amazon managed rule groups in Network Firewall
Before you add Amazon managed rule groups to a firewall policy, consider the following.
Disclaimer
Managed rule groups are designed to protect you from common web threats. When used in accordance with the documentation, Amazon managed rule groups add another layer of security for your applications. However, Amazon managed rule groups aren't intended as a replacement for your security responsibilities, which are determined by the Amazon resources that you select. Refer to the Shared Responsibility Model.
DNS traffic limitations
Network Firewall filters network traffic that is routed through firewall endpoints. However, DNS queries made to Amazon Route 53 Resolver are not inspected because they are routed to a static address in the VPC. Any DNS inspection rules in Amazon managed rule groups, including active threat defense managed rule groups, cannot inspect traffic to Amazon Route 53 Resolver. For more information about Network Firewall limitations, see Limitations and caveats for stateful rules in Amazon Network Firewall.
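An added example (not from this documentation) of a defender-side check for the limitation above: it sorts sample DNS flow records into those bound for the Route 53 Resolver, which Network Firewall DNS rules never see, and those that can reach a firewall endpoint. It assumes the Resolver listens at the VPC CIDR base address plus 2 and at the link-local address 169.254.169.253; the flow records are constructed.

```python
import ipaddress

# Assumption (not stated on this page): the Route 53 Resolver is reachable at
# the VPC CIDR base address + 2 and at the link-local address 169.254.169.253.
ROUTE53_LINK_LOCAL = ipaddress.ip_address("169.254.169.253")


def route53_resolver_addresses(vpc_cidrs):
    """Return the Route 53 Resolver addresses for the given VPC CIDR blocks."""
    addrs = {ROUTE53_LINK_LOCAL}
    for cidr in vpc_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        addrs.add(net.network_address + 2)
    return addrs


def classify_dns_flows(flows, vpc_cidrs):
    """Split DNS flows (dicts with src, dst, dport) into those that can be
    inspected by managed DNS rules when routed through a firewall endpoint,
    and those sent to the Route 53 Resolver, which are never inspected."""
    resolvers = route53_resolver_addresses(vpc_cidrs)
    inspectable, uninspected = [], []
    for flow in flows:
        if flow["dport"] != 53:
            continue  # not DNS; the DNS limitation does not apply
        dst = ipaddress.ip_address(flow["dst"])
        (uninspected if dst in resolvers else inspectable).append(flow)
    return inspectable, uninspected


# Constructed sample flow records for a VPC using 10.0.0.0/16.
SAMPLE_FLOWS = [
    {"src": "10.0.1.25", "dst": "10.0.0.2", "dport": 53},
    {"src": "10.0.1.25", "dst": "8.8.8.8", "dport": 53},
    {"src": "10.0.2.7", "dst": "169.254.169.253", "dport": 53},
    {"src": "10.0.2.7", "dst": "10.0.0.2", "dport": 443},
]

if __name__ == "__main__":
    seen, unseen = classify_dns_flows(SAMPLE_FLOWS, ["10.0.0.0/16"])
    print(f"DNS flows managed rules can inspect: {len(seen)}")
    print(f"DNS flows to Route 53 Resolver (not inspected): {len(unseen)}")
```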
Automatic updates
Amazon automatically updates managed rule groups to protect against new vulnerabilities and threats. These updates can occur daily to weekly, depending on threat severity. Sometimes, Amazon is notified of new vulnerabilities before public disclosure due to its participation in a number of private disclosure communities. In those cases, Network Firewall may update rule groups and deploy them to your environment before a new threat is widely known.
Copying Amazon managed rules
You can copy managed threat signature rules into your own rule group and customize them for your specific needs, but Network Firewall does not support copying active threat defense rules.