

# Managed rule groups in Amazon Network Firewall
<a name="nwfw-managed-rule-groups"></a>

Managed rule groups are collections of predefined, ready-to-use rules that Amazon writes and maintains for you. Most Amazon managed rule groups are available at no additional cost to Network Firewall customers. The managed rule groups offered by Network Firewall combine thorough security coverage with the convenience and expertise of Amazon managed solutions. 

You can select one or more of the following rule groups to use in your Network Firewall policies: 
+ **Active threat defense managed rule groups** – protect against active threats tracked by Amazon threat intelligence.
+ **Domain and IP managed rule groups** – protect against domains known or suspected to be associated with malware or bots.
+ **Threat signature managed rule groups** – inspect for and defend against signatures that represent a variety of known threat categories.

Each set of managed rule groups counts as a single rule group toward the maximum number of stateful rule groups per firewall policy.

The following topics provide more details about the Amazon managed rule groups supported by Network Firewall and how you can configure them to meet your security needs. 

**Topics**
+ [Amazon active threat defense for Amazon Network Firewall](aws-managed-rule-groups-atd.md)
+ [Amazon domain and IP managed rule groups for Amazon Network Firewall](aws-managed-rule-groups-domain-list.md)
+ [Amazon threat signature managed rule groups for Amazon Network Firewall](aws-managed-rule-groups-threat-signature.md)
+ [Using Amazon Marketplace rule groups](aws-marketplace-rule-groups.md)
+ [Working with Amazon managed rule groups in the Network Firewall console](nwfw-using-managed-rule-groups-console.md)
+ [Troubleshooting Amazon managed rule groups in Network Firewall](nwfw-using-managed-rule-groups-mitigating-false-positive.md)
+ [Considerations and disclaimers for using Amazon managed rule groups in Network Firewall](aws-managed-rule-groups-disclaimer.md)

# Amazon active threat defense for Amazon Network Firewall
<a name="aws-managed-rule-groups-atd"></a>

The active threat defense managed rule group provides advanced network threat protection for your Network Firewall firewall policies. Amazon continuously updates these rules based on Amazon threat intelligence to protect against active threats and cloud-specific attack patterns. While complementing existing Amazon managed rule groups, active threat defense specifically uses Amazon threat intelligence from MadPot, an internal Amazon threat intelligence and disruption service. For more information about MadPot, see [Meet MadPot, a threat intelligence tool Amazon uses to protect customers from cybercrime](https://www.aboutamazon.com/news/aws/amazon-madpot-stops-cybersecurity-crime). 

Amazon Network Firewall currently supports the `AttackInfrastructure` active threat defense rule group.

Each rule group name in the table below ends in either `StrictOrder` or `ActionOrder`. A firewall policy's *rule evaluation order* determines whether you can add `StrictOrder` or `ActionOrder` managed rule groups to the policy. For example, you can only add a rule group whose name ends in `StrictOrder` if the policy uses strict order for its rule evaluation order. 

**Note**  
In the console, Network Firewall automatically filters the managed rule groups available for you to add to your policy. For information about rule evaluation order, see [Managing evaluation order for Suricata compatible rules in Amazon Network Firewall](suricata-rule-evaluation-order.md).


| Rule group name | Maximum rule capacity per rule group | Description | 
| --- | --- | --- | 
|  `AttackInfrastructureStrictOrder`, `AttackInfrastructureActionOrder`  |  15,000  |  Protects against threat activity by blocking communication with known harmful infrastructure tracked by Amazon. The rule group implements comprehensive filtering of both inbound and outbound traffic for multiple protocols, including TCP, TLS, HTTP, and outbound UDP, and uses verified threat indicators to ensure high accuracy and minimize false positives. Amazon automatically removes threat indicators when there is no evidence of related threat activity.  | 

**Important**  
Network Firewall active threat defense managed rule groups have rule capacity limits that differ from the rule capacity limits that apply to other rule groups.

## Get started with active threat defense
<a name="atd-next-steps"></a>

To start using the active threat defense, complete the following tasks:

1. Add the `AttackInfrastructure` rule group to your firewall policy. For instructions, see [Working with Amazon managed rule groups in the Network Firewall console](nwfw-using-managed-rule-groups-console.md).
**Tip**  
After you add the rule group to your policy, you don't need to take any action to receive updates. Amazon automatically updates the rules based on the latest threat intelligence.

1. Configure your firewall policy to use either strict order or action order evaluation. This determines which version of the rule group you can add. For more information, see [Managing evaluation order for Suricata compatible rules in Amazon Network Firewall](suricata-rule-evaluation-order.md).

1. Optionally monitor your firewall's activity using CloudWatch Logs. For information about monitoring Network Firewall, see [Amazon Network Firewall metrics in Amazon CloudWatch](monitoring-cloudwatch.md).

To learn more about active threat defense managed rule groups, review the topics in this guide:

**Topics**
+ [Get started with active threat defense](#atd-next-steps)
+ [Understanding active threat defense managed rule group indicators](atd-indicators.md)
+ [Deep threat inspection for active threat defense managed rule groups](atd-deep-threat-inspection.md)

# Understanding active threat defense managed rule group indicators
<a name="atd-indicators"></a>

A threat indicator is a unique identifier of potentially malicious infrastructure or threat activity. Active threat defense managed rule groups match traffic against IP address, domain name, and URL indicators that are associated with known threats.

**Tip**  
If you use Amazon GuardDuty, you can strengthen your security by using the active threat defense managed rule group to automatically block the threats that Amazon GuardDuty detects. For information, see [Working with active threat defense indicators in Amazon GuardDuty](nwfw-atd-guardduty-use-case.md).

Amazon groups threat indicators into categories based on observed attack patterns. The following table describes each indicator group available in the active threat defense managed rule group:


| Indicator group and description | Traffic direction | Indicator types | 
| --- | --- | --- | 
|  **Command and control** Infrastructure that malicious actors use to remotely control compromised systems.  |  Egress  |  IPs, domains  | 
|  **Malware staging** Infrastructure that facilitates the distribution of malware and attack tooling.  |  Ingress/Egress  |  URLs  | 
|  **Sinkholes** Previously abused infrastructure used for malicious purposes.  |  Egress  |  Domains  | 
|  **Out-of-band application security testing** A technique where injected payloads make an outbound connection to external infrastructure that validates the existence of a vulnerability.  |  Egress  |  IPs, domains  | 
|  **Crypto-mining pool** Infrastructure used by crypto-miners.  |  Egress  |  IPs, domains  | 

# Working with active threat defense indicators in Amazon GuardDuty
<a name="nwfw-atd-guardduty-use-case"></a>

If you use Amazon GuardDuty, you can strengthen your security by using the active threat defense managed rule group to automatically block the threats that Amazon GuardDuty detects. Amazon GuardDuty can generate findings with the threat list name `Amazon Active Threat Defense`. You can block these threats by implementing the `AttackInfrastructure` active threat defense rule group in your Network Firewall firewall policy.

**Note**  
The active threat defense managed rule group can block threats regardless of whether you use Amazon GuardDuty. This information is relevant only if you already use Amazon GuardDuty for threat detection.

The following Amazon GuardDuty finding types may indicate threats that the active threat defense managed rule group can block:

Command and control related findings  
+ Backdoor:EC2/C&CActivity.B
+ Backdoor:EC2/C&CActivity.B!DNS
+ Backdoor:Lambda/C&CActivity.B
+ Backdoor:Runtime/C&CActivity.B
+ Backdoor:Runtime/C&CActivity.B!DNS

Cryptocurrency related findings  
+ CryptoCurrency:EC2/BitcoinTool.B
+ CryptoCurrency:EC2/BitcoinTool.B!DNS
+ CryptoCurrency:Lambda/BitcoinTool.B
+ CryptoCurrency:Runtime/BitcoinTool.B
+ CryptoCurrency:Runtime/BitcoinTool.B!DNS
+ Impact:EC2/BitcoinDomainRequest.Reputation

Other threat findings  
+ Trojan:EC2/BlackholeTraffic!DNS
+ Trojan:Runtime/BlackholeTraffic!DNS
+ UnauthorizedAccess:EC2/MaliciousIPCaller.Custom

For more information about Amazon GuardDuty finding types, see [Active findings](https://docs.amazonaws.cn/guardduty/latest/ug/guardduty_finding-types-active.html) in the *Amazon GuardDuty User Guide*.
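As an added example (not from the Network Firewall or GuardDuty documentation), the following Python triages a batch of GuardDuty findings against the finding types and threat list name listed above and pulls out the domain or IP that the `AttackInfrastructure` rule group would match on. The findings are constructed, and the paths used to read the threat list name and the remote indicator out of a finding are assumed from the GuardDuty finding format.

```python
# Constructed GuardDuty findings. The "type" values and the threat list name
# are the ones the guide lists; the field paths used below to read the threat
# list and the remote indicator are assumed from the GuardDuty finding format.
SAMPLE_FINDINGS = [
    {"id": "constructed-1", "type": "Backdoor:EC2/C&CActivity.B!DNS",
     "resource": {"resourceType": "Instance"},
     "service": {
         "action": {"dnsRequestAction": {"domain": "c2.example"}},
         "evidence": {"threatIntelligenceDetails": [
             {"threatListName": "Amazon Active Threat Defense"}]}}},
    {"id": "constructed-2", "type": "CryptoCurrency:Runtime/BitcoinTool.B",
     "resource": {"resourceType": "Instance"},
     "service": {
         "action": {"networkConnectionAction": {
             "remoteIpDetails": {"ipAddressV4": "198.51.100.7"}}},
         "evidence": {"threatIntelligenceDetails": [
             {"threatListName": "ExampleThirdPartyList"}]}}},
    {"id": "constructed-3", "type": "Recon:EC2/PortProbeUnprotectedPort",
     "resource": {"resourceType": "Instance"},
     "service": {"action": {"portProbeAction": {}}}},
]

ATD_THREAT_LIST = "Amazon Active Threat Defense"

# Finding types from the guide, grouped the way the guide groups them.
ATD_FINDING_TYPES = {
    "Command and control": {
        "Backdoor:EC2/C&CActivity.B", "Backdoor:EC2/C&CActivity.B!DNS",
        "Backdoor:Lambda/C&CActivity.B", "Backdoor:Runtime/C&CActivity.B",
        "Backdoor:Runtime/C&CActivity.B!DNS"},
    "Cryptocurrency": {
        "CryptoCurrency:EC2/BitcoinTool.B", "CryptoCurrency:EC2/BitcoinTool.B!DNS",
        "CryptoCurrency:Lambda/BitcoinTool.B", "CryptoCurrency:Runtime/BitcoinTool.B",
        "CryptoCurrency:Runtime/BitcoinTool.B!DNS",
        "Impact:EC2/BitcoinDomainRequest.Reputation"},
    "Other": {
        "Trojan:EC2/BlackholeTraffic!DNS", "Trojan:Runtime/BlackholeTraffic!DNS",
        "UnauthorizedAccess:EC2/MaliciousIPCaller.Custom"},
}


def category_of(finding_type):
    """The guide's grouping for a finding type, or None if it is not listed."""
    for category, types in ATD_FINDING_TYPES.items():
        if finding_type in types:
            return category
    return None


def threat_list_names(finding):
    """Threat list names GuardDuty attached to the finding (assumed field path)."""
    details = (finding.get("service", {}).get("evidence", {})
               .get("threatIntelligenceDetails", []))
    return {d.get("threatListName") for d in details}


def remote_indicator(finding):
    """(kind, value) for the queried domain or remote IP, or (None, None)."""
    action = finding.get("service", {}).get("action", {})
    if "dnsRequestAction" in action:
        return "domain", action["dnsRequestAction"]["domain"]
    if "networkConnectionAction" in action:
        return "ip", action["networkConnectionAction"]["remoteIpDetails"]["ipAddressV4"]
    return None, None


def triage(findings):
    """Findings of a type the guide lists, annotated with the indicator the rule
    group would match on and whether GuardDuty attributed it to the ATD list."""
    result = []
    for finding in findings:
        category = category_of(finding["type"])
        if category is None:
            continue
        kind, value = remote_indicator(finding)
        result.append({
            "id": finding["id"],
            "category": category,
            "indicator_type": kind,
            "indicator": value,
            "from_atd_threat_list": ATD_THREAT_LIST in threat_list_names(finding),
        })
    return result


def summarize(findings):
    """Count of triaged findings per category, e.g. for a dashboard or ticket."""
    counts = {}
    for item in triage(findings):
        counts[item["category"]] = counts.get(item["category"], 0) + 1
    return counts
```

A finding whose type is listed but whose threat list is not `Amazon Active Threat Defense` is still worth checking against firewall logs, which is why `triage` keeps it and only flags the attribution.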

# Deep threat inspection for active threat defense managed rule groups
<a name="atd-deep-threat-inspection"></a>

Amazon Network Firewall plans to augment the active threat defense managed rule group with an additional deep threat inspection capability. When this capability is released, Amazon will analyze service logs of network traffic processed by these rule groups to identify threat indicators across customers. Amazon will use these threat indicators to improve the active threat defense managed rule groups and protect the security of Amazon customers and services.

**Note**  
Customers can opt out of deep threat inspection at any time through the Amazon Network Firewall console or API. When customers opt out, Amazon Network Firewall will not use the network traffic processed by those customers' active threat defense rule groups for rule group improvement.

# Amazon domain and IP managed rule groups for Amazon Network Firewall
<a name="aws-managed-rule-groups-domain-list"></a>

This section describes the Amazon managed rule groups that inspect domain and IP information for Network Firewall. You see these in the console in the list of Amazon managed rule groups, or when you add rule groups to your firewall policy. Through the API, you can retrieve the list of Amazon managed rule groups by calling [ListRuleGroups](https://docs.amazonaws.cn/network-firewall/latest/APIReference/API_ListRuleGroups.html).

Domain and IP rule groups block HTTP/HTTPS traffic to domains identified as low-reputation, or that are known or suspected to be associated with malware or botnets. Choose one or more of these rule groups to establish domain list protection for your resources.

Each rule name in the table below ends in either `StrictOrder` or `ActionOrder`. A firewall policy's *rule evaluation order* determines whether you can add `StrictOrder` or `ActionOrder` managed rule groups to the policy. For example, you can only add a rule group whose name ends in `StrictOrder` if the policy uses strict order for its rule evaluation order. In the console, Network Firewall automatically filters the managed rule groups available for you to add to your policy. For information about rule evaluation order, see [Managing evaluation order for Suricata compatible rules in Amazon Network Firewall](suricata-rule-evaluation-order.md).


| Rule name | Description and label | 
| --- | --- | 
| AbusedLegitMalwareDomainsStrictOrder, AbusedLegitMalwareDomainsActionOrder | Rules that allow you to block requests to a class of domains, which are generally legitimate but are compromised and may host malware. This can help reduce the risk of receiving malware or viruses originating from these sources with poor reputation. | 
| MalwareDomainsStrictOrder, MalwareDomainsActionOrder | Rules that allow you to block requests to domains that are known for hosting malware. This can help reduce the risk of receiving malware or viruses originating from these known sources. | 
| AbusedLegitBotNetCommandAndControlDomainsStrictOrder, AbusedLegitBotNetCommandAndControlDomainsActionOrder | Rules that allow you to block requests to a class of domains, which are generally legitimate but are compromised and may host botnets. This can help reduce the risk of resources accessing botnets originating from these sources with poor reputation. | 
| BotNetCommandAndControlDomainsStrictOrder, BotNetCommandAndControlDomainsActionOrder | Rules that allow you to block requests to domains that are known for hosting botnets. This can help reduce the risk of resources accessing botnets originating from these known sources. | 

# Amazon threat signature managed rule groups for Amazon Network Firewall
<a name="aws-managed-rule-groups-threat-signature"></a>

This section describes the Amazon managed rule groups that inspect for threat signatures for Network Firewall. You see these in the console in the list of Amazon managed rule groups, or when you add rule groups to your firewall policy. Through the API, you can retrieve the list of Amazon managed rule groups by calling [ListRuleGroups](https://docs.amazonaws.cn/network-firewall/latest/APIReference/API_ListRuleGroups.html).

Network Firewall managed threat signature rule groups support several categories of threat signatures to protect against various types of malware and exploits, denial of service attempts, botnets, web attacks, credential phishing, scanning tools, and mail or messaging attacks. There are also signatures for intrusion detection and to enforce fair use policies as well as guard against emerging threats. Currently, Network Firewall supports only Suricata-compatible stateful managed rule groups.

Each rule name in the table below ends in either `StrictOrder` or `ActionOrder`. A firewall policy's *rule evaluation order* determines whether you can add `StrictOrder` or `ActionOrder` managed rule groups to the policy. For example, you can only add a rule group whose name ends in `StrictOrder` if the policy uses strict order for its rule evaluation order. In the console, Network Firewall automatically filters the managed rule groups available for you to add to your policy. For information about rule evaluation order, see [Managing evaluation order for Suricata compatible rules in Amazon Network Firewall](suricata-rule-evaluation-order.md).


| Category | Rule name | Description and label | 
| --- | --- | --- | 
| Botnet | ThreatSignaturesBotnetStrictOrder, ThreatSignaturesBotnetActionOrder | Signatures that are autogenerated from several sources of known and confirmed active botnet and other Command and Control (C2) hosts. | 
| Botnet Web | ThreatSignaturesBotnetWebStrictOrder, ThreatSignaturesBotnetWebActionOrder | Signatures that detect HTTP botnets. | 
| Botnet Windows | ThreatSignaturesBotnetWindowsStrictOrder, ThreatSignaturesBotnetWindowsActionOrder | Detects Windows botnets. | 
| Compromised | ThreatSignaturesIOCStrictOrder, ThreatSignaturesIOCActionOrder | Attack Response - Signatures that identify responses indicative of intrusion. Examples include, but are not limited to, LMHost file download, the presence of certain web banners, and detection of the Metasploit Meterpreter kill command. These are designed to catch the results of a successful attack: things like "id=root", or error messages that indicate a compromise may have happened. Exploit Kit - Signatures to detect activity related to Exploit Kits, their infrastructure, and delivery.  | 
| DoS | ThreatSignaturesDoSStrictOrder, ThreatSignaturesDoSActionOrder | Signatures that detect Denial of Service (DoS) attempts. These rules are intended to catch inbound DoS activity, and provide indication of outbound DoS activity.  | 
| Emerging Threats | ThreatSignaturesEmergingEventsStrictOrder, ThreatSignaturesEmergingEventsActionOrder | Current Events - Signatures with rules developed in response to active and short-lived campaigns and high-profile items that are expected to be temporary. The rules in this category are ones that are not intended to be kept in the ruleset for long, or that need to be further tested before they are considered for inclusion. Most often these will be simple sigs for the Storm binary URL of the day, sigs to catch CLSID’s of newly found vulnerable apps where we don’t have any detail on the exploit.  | 
| Exploits | ThreatSignaturesExploitsStrictOrder, ThreatSignaturesExploitsActionOrder |  Exploits - Signatures that protect against direct exploits not otherwise covered in a specific service category. This is the category where you'll find specific attacks against vulnerabilities such as those in Microsoft Windows. Attacks that have their own category, such as SQL injection, are covered there. ActiveX - Signatures that protect against attacks on Microsoft ActiveX controls and exploits targeting vulnerabilities in ActiveX controls. FTP - Signatures that protect against attacks, exploits, and vulnerabilities regarding File Transfer Protocol (FTP). This category also includes rules that detect non-malicious FTP activity such as logins for logging purposes. ICMP - Signatures that protect against attacks and vulnerabilities regarding Internet Control Message Protocol (ICMP). NetBIOS - Signatures that protect against attacks, exploits, and vulnerabilities regarding NetBIOS. This category also includes rules that detect non-malicious NetBIOS activity for logging purposes. RPC - Signatures that protect against attacks, exploits, and vulnerabilities regarding Remote Procedure Call (RPC). This category also includes rules that detect non-malicious RPC activity for logging purposes. ShellCode - For remote shellcode detection. Remote shellcode is used when an attacker wants to target a vulnerable process running on another machine on a local network or intranet. If successfully executed, the shellcode can provide the attacker access to the target machine across the network. Remote shellcodes normally use standard TCP/IP socket connections to allow the attacker access to the shell on the target machine. SNMP - Signatures that protect against attacks, exploits, and vulnerabilities regarding Simple Network Management Protocol (SNMP). This category also includes rules that detect non-malicious SNMP activity for logging purposes. Telnet - Signatures that protect against attacks, exploits, and vulnerabilities regarding TELNET. This category also includes rules that detect non-malicious TELNET activity for logging purposes. TFTP - Signatures that protect against attacks, exploits, and vulnerabilities regarding Trivial File Transfer Protocol (TFTP). This category also includes rules that detect non-malicious TFTP activity for logging purposes. VOIP - Signatures that protect against attacks and vulnerabilities regarding Voice over IP (VOIP) including SIP, H.323 and RTP among others. SQL - Signatures that protect against attacks, exploits, and vulnerabilities regarding Structured Query Language (SQL). This category also includes rules that detect non-malicious SQL activity for logging purposes.  | 
| FUP | ThreatSignaturesFUPStrictOrder, ThreatSignaturesFUPActionOrder | Signatures to detect gaming traffic, potentially inappropriate websites, and P2P traffic as well as signatures that may indicate violations to an organization's policy.  | 
| Malware | ThreatSignaturesMalwareStrictOrder, ThreatSignaturesMalwareActionOrder | Signatures that detect malware (TCP, UDP, SMTP, ICMP, SMB, IP) and WORM. Malware - Detects malicious software. Rules in this category detect activity related to malicious software that is detected on the network including malware in transit, active malware, malware infections, malware attacks, and updating of malware.  Worm - Detects malicious activity that automatically attempts to spread across the internet or within a network by exploiting a vulnerability. While the exploit itself is typically identified in the exploit or given protocol category, an additional entry in this category might be made if the actual malware engaging in worm-like propagation can be identified.  | 
| Malware Coin Mining | ThreatSignaturesMalwareCoinminingStrictOrder, ThreatSignaturesMalwareCoinminingActionOrder | Signatures with rules that detect malware that performs coin mining. These signatures can also detect some legitimate (though often undesirable) coin mining software. | 
| Malware Mobile | ThreatSignaturesMalwareMobileStrictOrder, ThreatSignaturesMalwareMobileActionOrder |  Signatures that indicate malware that's associated with mobile and tablet operating systems such as Google Android, Apple iOS, and others. Malware that's detected and is associated with mobile operating systems is generally placed in this category rather than the standard categories such as Malware. | 
| Malware Web | ThreatSignaturesMalwareWebStrictOrder, ThreatSignaturesMalwareWebActionOrder | Signatures that detect malicious code in HTTP and TLS protocols. | 
| Phishing | ThreatSignaturesPhishingStrictOrder, ThreatSignaturesPhishingActionOrder | Signatures that detect credential phishing activity. This includes landing pages exhibiting credential phishing as well as successful submission of credentials into credential phishing sites. | 
| Scanners | ThreatSignaturesScannersStrictOrder, ThreatSignaturesScannersActionOrder | Signatures that detect reconnaissance and probing from tools such as Nessus, Nikto, and other port scanning tools. This category can be useful for detecting early breach activity and post-infection lateral movement within an organization. | 
| Suspect | ThreatSignaturesSuspectStrictOrder, ThreatSignaturesSuspectActionOrder | JA3 - Fingerprints malicious SSL certificates using JA3 hashes. These rules are based on parameters that are in the SSL handshake negotiation by both clients and servers. These rules can have a high false positive rate but can be very useful for threat hunting or malware detonation environments. Chat - Signatures that identify traffic related to numerous chat clients such as Internet Relay Chat (IRC). Chat traffic can be indicative of possible check-in activity by threat actors. User Agents - Signatures that detect suspicious and anomalous user agents. Known malicious user agents are generally placed in the Malware category.  | 
| Web Attacks | ThreatSignaturesWebAttacksStrictOrder, ThreatSignaturesWebAttacksActionOrder | Web Client - Signatures that detect attacks and vulnerabilities regarding web clients such as web browsers as well as client-side applications like CURL, WGET and others. Web Server - Signatures that detect attacks against web server infrastructure such as APACHE, TOMCAT, NGINX, Microsoft Internet Information Services (IIS) and other web server software. Web Specific Apps - Signatures that detect attacks and vulnerabilities in specific web applications.  | 

# Copying threat signature rules into your own Amazon Network Firewall rule group
<a name="copying-managed-threat-signature-rules"></a>

Network Firewall provides full visibility into the threat signature rule content of its Amazon managed rules. This enables you to choose between using the rule group as-is in your firewall policy or copying the rule group's rules into your own rule group and customizing them for your specific needs. 

**Important**  
Copied rules don't automatically inherit rule updates that Amazon makes to managed rule group rules. We recommend that you subscribe to Amazon SNS topics for updates made to the originating rule group. For more information, see [Notifications for threat signature rule group updates](using-managed-rule-groups-sns.md). You're responsible for validating rule changes and making sure that your own rules are up-to-date.

To copy a managed threat signature rule group's rules, create a local copy of the rule group rules, make your modifications, then create your own rule group. The following procedure explains how to copy a threat signature rule group's rules, and then create your own rule group.

------
#### [ Console ]

**To copy a managed threat signature rule group's rules using the console**

1. Sign in to the Amazon Web Services Management Console and open the Amazon VPC console at [https://console.amazonaws.cn/vpc/](https://console.amazonaws.cn/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Network Firewall rule groups**.

1. In the **Amazon managed rule groups** tab, under **Threat signature rule groups**, select a rule group to view its details.

1. Choose **Duplicate rule group** to copy the rules into your own rule group. You can modify the rule group details, and then choose **Create rule group**.

   Alternatively, you can choose **Copy** to copy the rules to your clipboard. You can then modify them in a text editor, or create a new rule group and paste the rules into your own stateful rule group. For information about how to create your own stateful rule group, see [Creating a stateful rule group](rule-group-stateful-creating.md).

------
#### [ CLI ]

**To copy a managed threat signature rule group's rules using the Amazon CLI**

1. Run `aws network-firewall list-rule-groups --scope MANAGED --managed-type AWS_MANAGED_THREAT_SIGNATURES` to filter the Amazon managed threat signature rule groups.

1. In the following command, replace *rulegroup-arn* with the Amazon Resource Name (ARN) of the threat signature managed rule group that you'd like to copy:

   `aws network-firewall describe-rule-group --rule-group-arn rulegroup-arn`.

   Network Firewall returns the rule group details in the response, which you can parse and modify in your text editor. Then, you can use the modified rule group details to create your own rule group using the command [create-rule-group](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/create-rule-group.html).

------

# Getting notified of updates to a threat signature rule group in Amazon Network Firewall
<a name="using-managed-rule-groups-sns"></a>

You can subscribe to Amazon Simple Notification Service (Amazon SNS) notifications for updates to a managed threat signature rule group, such as urgent security updates. Amazon updates managed threat signature rule groups for Network Firewall between once a week and once a day.

The Amazon threat signature managed rule groups use a single SNS subscription topic ARN, so you subscribe once for all the rule groups. 

**How to subscribe**  
To subscribe to notifications for a rule group, create an Amazon SNS subscription for the rule group's Amazon SNS topic ARN.

For information about how to subscribe to an Amazon SNS topic, see [Configuring Amazon Simple Notification Service](https://docs.amazonaws.cn/sns/latest/dg/sns-configuring.html) in the *[Amazon Simple Notification Service Developer Guide](https://docs.amazonaws.cn/sns/latest/dg/)*.

**Where to find the Amazon SNS topic ARN for a threat signature managed rule group**

The Amazon managed rule groups use a single SNS topic ARN, so you can retrieve the topic ARN from one of the rule groups and subscribe to it to get notifications for all of the managed rule groups.
+ **Console** 
  + On the Network Firewall rule groups page, in the **Amazon managed rule group** tab, in the **Threat signature rule groups** section, select a rule group to view the rule group's details. The details include the rule group's Amazon SNS topic ARN. 
  + (Optional) After you've added the managed rule group to your firewall policy, choose **Edit** on the firewall policy, and then select and edit the rule group rule to view the rule group's Amazon SNS topic ARN.
+ **API** – The [DescribeRuleGroup](https://docs.amazonaws.cn/network-firewall/latest/APIReference/API_DescribeRuleGroup.html) response includes `SnsTopic`. The value for `SnsTopic` is the Amazon SNS topic ARN.
+ **CLI** – The [describe-rule-group](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/network-firewall/describe-rule-group.html) response includes `SnsTopic`. The value for `SnsTopic` is the Amazon SNS topic ARN.

**The notification format for Amazon managed rule groups**  
The Amazon SNS notifications for Amazon managed rule groups always contain the fields `Subject`, `Message`, and `MessageAttributes`. Other fields are included according to the type of message and which managed rule group the notification is for. 

The following shows an example notification for the `AWS-Managed-Threat-Signatures` topic.

```
{
  "Type" : "Notification",
  "MessageId" : "82a03348-5419-5945-9a82-699adada25e3",
  "TopicArn" : "arn:aws:sns:us-west-2:696851677263:AWS-Managed-Threat-Signatures",
  "Subject" : "New version available for: StatefulRG2",
  "Message" : "The following Network Firewall managed resource has a new version: arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup/StatefulRG2. To view the new version, either call DescribeRuleGroup or view the resource in the Network Firewall console.",
  "Timestamp" : "2022-04-14T21:05:07.002Z",
  "SignatureVersion" : "1",
  "Signature" : "ZoDQM5iIhp6E7u84qnip14RTQo/5Vi+fpQ7/tYuqwk28o+7uXuHz9TygI6otycw6Dz5Pw+VOLu0PDuIK4xrGwFYrJypbsaZ1cbNRnM9upkzwGH8w/VORCDZ1QwKYKNP4Ep/mSKVyigh9qe+CHSW/jD2HNE9LY96li5D0h7a2594A12MH5koAXucnYUcHkclBAzwwxbbca2fCkI4PaT24SYyHem1COw86hLt1mDZYE8o7crIX7OUN19+/3vAtsJ2NJ4pLbbR7xufWQmQJks90irG9xRk9K5ky+/1xEv33RYPushZIYjf+H3EW7jX6fAc7+Dz/KLCX5Jeft2pheVMomQ==",
  "SigningCertURL" : "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-7ff5318490ec183fbaddaa2a969abfda.pem",
  "UnsubscribeURL" : "https://sns.us-west-2.amazonaws.com/?Action=Unsubscribe&SubscriptionArn=arn:aws:sns:us-west-2:123456789012:AWS-Managed-Threat-Signatures:f2b28278-6d26-4d05-8332-1a96687c850f",
  "MessageAttributes" : {
    "source_revision_token" : {"Type":"String","Value":"14a7e0f5-e050-40d0-a0b1-001f690d44b9"},
    "managed_arn" : {"Type":"String","Value":"arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup/StatefulRG2"}
  }
}
```

The notification contains `source_revision_token`. The value for `source_revision_token` is the `UpdateToken` that you can view when you call [DescribeRuleGroup](https://docs.amazonaws.cn/network-firewall/latest/APIReference/API_DescribeRuleGroup.html) in the *Amazon Network Firewall API Reference*.

For general information about Amazon SNS notification formats and how to filter the notifications that you receive, see [Parsing message formats](https://docs.amazonaws.cn/sns/latest/dg/sns-message-and-json-formats.html) and [Amazon SNS subscription filter policies](https://docs.amazonaws.cn/sns/latest/dg/sns-subscription-filter-policies.html) in the Amazon Simple Notification Service Developer Guide. 
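As an added example (not the guide's or the service's own code) that covers both the CLI copy procedure in the previous section and the notification format above: the Python below turns a `describe-rule-group` response into `create-rule-group` parameters, dropping selected sids and keeping the source's rule order, records the source ARN and `UpdateToken` alongside the copy, and then checks an SNS notification's `source_revision_token` against that record so you learn when the copy has fallen behind. The response, the Suricata rules and the notification are constructed in the documented shapes; the rules and tokens are made up.

```python
import re

# Constructed DescribeRuleGroup response for a managed threat signature rule
# group (documented shape: UpdateToken, RuleGroup, RuleGroupResponse). The
# Suricata rules in RulesString are made up for this example.
DESCRIBE_RESPONSE = {
    "UpdateToken": "14a7e0f5-e050-40d0-a0b1-001f690d44b9",
    "RuleGroup": {
        "RulesSource": {"RulesString": (
            'alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE C2 SNI"; '
            'tls.sni; content:"c2.example"; sid:900001; rev:2;)\n'
            'drop http $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE bot UA"; '
            'http.user_agent; content:"ExampleBot"; sid:900002; rev:1;)\n'
            '# comment lines are copied verbatim\n'
            'alert dns $HOME_NET any -> any any (msg:"EXAMPLE C2 domain"; '
            'dns.query; content:"c2.example"; sid:900003; rev:3;)\n')},
        "StatefulRuleOptions": {"RuleOrder": "STRICT_ORDER"},
    },
    "RuleGroupResponse": {
        "RuleGroupArn": ("arn:aws:network-firewall:us-west-2:aws-managed:"
                         "stateful-rulegroup/ThreatSignaturesBotnetStrictOrder"),
        "RuleGroupName": "ThreatSignaturesBotnetStrictOrder",
        "Type": "STATEFUL",
        "Capacity": 100,
        "SnsTopic": "arn:aws:sns:us-west-2:696851677263:AWS-Managed-Threat-Signatures",
    },
}
SNS_TOPIC = DESCRIBE_RESPONSE["RuleGroupResponse"]["SnsTopic"]
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")


def rule_order_for(managed_name):
    """A copy must keep its source's rule order: a StrictOrder group only fits a
    STRICT_ORDER policy, an ActionOrder group only a DEFAULT_ACTION_ORDER one."""
    if managed_name.endswith("StrictOrder"):
        return "STRICT_ORDER"
    if managed_name.endswith("ActionOrder"):
        return "DEFAULT_ACTION_ORDER"
    raise ValueError(f"not a StrictOrder/ActionOrder managed rule group: {managed_name}")


def sid_of(rule_line):
    """Suricata sid of a rule line, or None for comments and blank lines."""
    m = SID_RE.search(rule_line)
    return int(m.group(1)) if m else None


def copy_record(describe):
    """Store this with the copy: which managed group it came from, at which revision."""
    return {"source_arn": describe["RuleGroupResponse"]["RuleGroupArn"],
            "source_update_token": describe["UpdateToken"]}


def build_create_rule_group_input(describe, new_name, exclude_sids=()):
    """Turn a DescribeRuleGroup response into CreateRuleGroup parameters, leaving
    out rules whose sid is in exclude_sids (e.g. a confirmed false positive) and
    copying every other line, comments included, verbatim."""
    meta = describe["RuleGroupResponse"]
    excluded = set(exclude_sids)
    lines = describe["RuleGroup"]["RulesSource"]["RulesString"].splitlines()
    kept = [line for line in lines if sid_of(line) not in excluded]
    record = copy_record(describe)
    return {
        "RuleGroupName": new_name,
        "Type": meta["Type"],
        "Capacity": meta["Capacity"],
        "Description": (f"Copied from {record['source_arn']} "
                        f"at UpdateToken {record['source_update_token']}"),
        "RuleGroup": {
            "RulesSource": {"RulesString": "\n".join(kept) + "\n"},
            "StatefulRuleOptions": {"RuleOrder": rule_order_for(meta["RuleGroupName"])},
        },
    }


def make_notification(managed_arn, revision_token):
    """A constructed SNS notification in the documented shape for the topic."""
    name = managed_arn.rsplit("/", 1)[1]
    return {
        "Type": "Notification",
        "TopicArn": SNS_TOPIC,
        "Subject": f"New version available for: {name}",
        "Message": ("The following Network Firewall managed resource has a new "
                    f"version: {managed_arn}. To view the new version, either call "
                    "DescribeRuleGroup or view the resource in the Network Firewall console."),
        "MessageAttributes": {
            "source_revision_token": {"Type": "String", "Value": revision_token},
            "managed_arn": {"Type": "String", "Value": managed_arn},
        },
    }


def source_has_new_version(notification, record):
    """True when the notification is about this copy's source and the managed
    group's revision no longer matches the UpdateToken captured at copy time."""
    attrs = notification["MessageAttributes"]
    if attrs["managed_arn"]["Value"] != record["source_arn"]:
        return False
    return attrs["source_revision_token"]["Value"] != record["source_update_token"]
```

Against a real rule group, feed `build_create_rule_group_input` the JSON that `aws network-firewall describe-rule-group` returns and pass its result to `create-rule-group`; the `Description` keeps the source ARN and `UpdateToken` visible in the console for the next person who asks where the rules came from.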

# Using Amazon Marketplace rule groups
<a name="aws-marketplace-rule-groups"></a>

Amazon Marketplace rule groups provide managed security rules from Amazon Partners that you can integrate with Amazon Network Firewall.

Amazon Marketplace rule groups are available by subscription through the Amazon Marketplace console at [Amazon Marketplace](https://www.amazonaws.cn/marketplace/) or through the Amazon Management Console. After you subscribe to an Amazon Marketplace rule group, add it to a firewall policy and associate that policy with a firewall for the rules to take effect in Amazon Network Firewall.

**Note**  
Some Amazon Marketplace managed rule groups use a `stateful-domain-rulegroup` resource type that is available only with managed rules. You will see this resource type identified in the Amazon Resource Name (ARN) for the rule group. This resource type consumes capacity from your firewall policy's total available domain capacity. Only Amazon Marketplace managed rule groups can use this capacity. For more information about domain capacity, see [Firewall policy settings](https://docs.amazonaws.cn/network-firewall/latest/developerguide/firewall-policy-settings.html).

## Pricing
<a name="aws-marketplace-rule-group-pricing"></a>

Amazon Marketplace rule groups are available with no long-term contracts or minimum commitments. When you subscribe to a managed rule group provided by an Amazon Marketplace seller, you are charged additional fees at the price set by the seller, which is based on the volume of traffic (per GB) inspected by the firewall. For more information, see [Amazon Network Firewall Pricing](https://www.amazonaws.cn/network-firewall/pricing/) and the description for each Amazon Marketplace rule group at Amazon Marketplace.

## Information and support
<a name="aws-marketplace-rule-group-information-support"></a>

To find additional information about an Amazon Marketplace managed rule group or to contact the seller's support team, visit the individual seller's marketplace listing on Amazon Marketplace. You can navigate directly to the seller's product listing from the rule group details page in Amazon Network Firewall.

## Subscribe to Amazon Marketplace rule groups
<a name="subscribing-aws-marketplace-rule-groups"></a>

You can subscribe to and unsubscribe from Amazon Marketplace rule groups on the Amazon Network Firewall console or the Amazon Marketplace.

**To subscribe to an Amazon Marketplace rule group**

1. Sign in to the Amazon Management Console and open the [Amazon VPC console](https://console.amazonaws.cn/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Network Firewall rule groups**.

1. In the **Amazon Marketplace** section, choose the name of a rule group to view the details and pricing information.

1. To subscribe to an Amazon Marketplace rule group, navigate to a rule group, then choose **View Subscription Options**. From there you can subscribe.

**Note**  
If you decide not to subscribe to the rule group, simply close the pop-up.

After you're subscribed to an Amazon Marketplace rule group, you can associate it with your Amazon Network Firewall policy as you do other managed rule groups. For information, see [Adding Amazon managed rule groups to your firewall policy using the console](https://docs.amazonaws.cn/network-firewall/latest/developerguide/nwfw-using-managed-rule-groups-add-to-policy.html).

## Unsubscribe from Amazon Marketplace rule groups
<a name="unsubscribing-aws-marketplace-rule-groups"></a>

You can unsubscribe from Amazon Marketplace rule groups on the Amazon Network Firewall console and the Amazon Marketplace.

**Important**  
To stop the subscription charges for an Amazon Marketplace rule group, you must remove it from all Amazon Network Firewall policies in Amazon Network Firewall, in addition to unsubscribing from it. If you unsubscribe from an Amazon Marketplace rule group but don't remove it from your Amazon Network Firewall policy, you will continue to be charged for the subscription until the rule group is removed from the policy.

**To unsubscribe from an Amazon Marketplace rule group**

1. Open the [Amazon Marketplace console](https://console.amazonaws.cn/marketplace).

1. Navigate to the **Manage subscriptions** page.

1. Open the **Delivery method** list and choose **SaaS**.

1. Under **Agreement**, open the **Actions list** and choose **Cancel subscription** next to the name of the Amazon Marketplace product that you want to unsubscribe from.

1. In the **Cancel subscription** dialog box, enter `confirm`, then choose **Yes, cancel subscription**.

## Add Amazon Marketplace managed rule groups
<a name="adding-aws-marketplace-managed-rule-groups"></a>

After you subscribe to an Amazon Marketplace managed rule group, add it to one or more Network Firewall policies. The policy automatically implements the built-in protection across your firewall when you associate the rule group with the firewall policy. You can add Amazon Marketplace managed rule groups either through the Network Firewall rule groups page or from your firewall policy's detail page.

**To add one or more Amazon Marketplace managed rule groups to your firewall policy from the details page**

1. Open the [Amazon VPC console](https://console.amazonaws.cn/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewall policies**.

1. Select the policy that you'd like to add one or more Amazon Marketplace managed rule groups to.

1. In the **Stateful rule groups** section, in the **Actions** drop-down menu, select **Add Partner managed stateful rule groups**.

1. Select the Amazon Marketplace managed rule groups to add to your policy.

1. Choose **Add to policy**.

## View managed rule groups
<a name="viewing-managed-rules-groups"></a>

You can view available Amazon Marketplace rule groups for your firewall policy.

**To view the list of Amazon Marketplace managed rule groups**  
You can view the list of managed rule groups using the following methods:
+ **Amazon console** – You can view the list of managed rule groups either in the **Network Firewall rule groups** page in the **Amazon Marketplace** tab, or in the policy details page. When you add Amazon Marketplace managed rule groups to a policy, you'll see only the managed rule groups that fit your policy type. For example, if your policy type is strict ordered, you'll see only the managed rule groups that have a type of strict ordered.
+ **Network Firewall API** – [ListRuleGroups](https://docs.amazonaws.cn/network-firewall/latest/APIReference/API_ListRuleGroups.html) with the parameter `Scope`.
+ **Amazon CLI** – [aws network-firewall list-rule-groups](https://docs.amazonaws.cn/cli/latest/reference/network-firewall/list-rule-groups.html) `--scope MANAGED` and `--managed-type PARTNER_MANAGED`.

## Amazon Marketplace rule group sync states
<a name="aws-marketplace-rule-group-sync-states"></a>

Amazon Marketplace rule groups can have different sync states that indicate their current status and availability:

DEPRECATED  
The rule group has been deprecated by the seller. The rule group is still sent to the firewall, but Amazon Network Firewall has no control over whether the seller continues to update the rules or removes them. We recommend that you remove this rule group from your firewall policy and follow the approach recommended by the owner of the product.

NOT_SUBSCRIBED  
You have a rule group configured in your firewall policy that does not have an active subscription to the product in Amazon Marketplace. When this occurs, the rule group will not be sent to the firewall and will be effectively inactive. To resolve this, you need to either:  
+ Subscribe to the product in Amazon Marketplace, or
+ Remove the rule group from your firewall policy
You can check your subscription status in the Amazon Marketplace console under **Manage subscriptions**.

## Troubleshoot Amazon Marketplace managed rule groups in Network Firewall
<a name="troubleshooting-aws-marketplace-managed-rule-groups"></a>

As a best practice, before using a rule group in production, with logging enabled, run the Amazon Marketplace managed rule group in a mode that matches the firewall's intended role. Use **alert mode** if you're using the firewall as an intrusion detection system (IDS), or use **drop mode** if you use the firewall as an intrusion prevention system (IPS) in a non-production environment. Either mode sends alert messages to the logs for traffic that doesn't pass inspection. For more information, see [Logging network traffic from Amazon Network Firewall](https://docs.amazonaws.cn/network-firewall/latest/developerguide/firewall-logging.html).

Running a managed rule group in either alert mode or drop mode allows you to do a dry run with alert logs that show you what the resulting behavior would be before you commit to making changes to your traffic. Evaluate the rule group using Network Firewall logs. When you're satisfied that the rule group does what you want it to do, disable test mode on the group.

For more information about a rule in an Amazon Marketplace managed rule group, see the provider's listing at Amazon Marketplace or contact the [Amazon Support Center](https://console.amazonaws.cn/support/home#/).

## Considerations while using Amazon Marketplace managed rule groups in Amazon Network Firewall
<a name="considerations-aws-marketplace-managed-rule-groups"></a>

You can subscribe to Amazon Marketplace managed rule groups either by visiting the product page in the Marketplace console or through the Network Firewall console. The experience is similar, but when you subscribe from the Marketplace console you are automatically redirected to the seller's home page, whereas subscribing through the Network Firewall console does not redirect you to that page. If you prefer to subscribe to an Amazon Marketplace managed rule group through the Network Firewall console, we recommend visiting the seller's home page separately and entering your details there.

# Working with Amazon managed rule groups in the Network Firewall console
<a name="nwfw-using-managed-rule-groups-console"></a>

Through the console, you access managed rule group information when you add and edit rules in your firewall policies. Through the APIs and the command line interface (CLI), you can directly request managed rule group information.

When you use a managed rule group in your firewall policy, you can edit the following setting: 
+ **Set rule actions to alert** – Managed rule groups are designed to block traffic with `drop` rules. This setting in the API matches the **Run in alert mode** setting in the console. This overrides all rule actions in the rule group to `alert` instead. This is useful for testing a rule group before using it to control traffic.

To edit the managed rule group alert settings in your firewall policy:

------
#### [ Console ]

After you add the managed rule group to your firewall policy, from the **Policies** page, choose the firewall policy you just created. This takes you to the policy detail page where you can edit aspects of the policy, and view details about the policy.

In the **Network Firewall rule groups** tab, in the **Stateful rule groups** section, choose the rule group that you'd like to run in alert mode, then from the **Actions** drop-down menu, choose **Rule group details**. For the **Run in alert mode** setting, toggle to **Enabled** to run the rule group in alert mode.

------
#### [ CLI ]

Use the [StatefulRuleGroupOverride](https://docs.amazonaws.cn/network-firewall/latest/APIReference/API_StatefulRuleGroupOverride.html) setting in a `StatefulRuleGroupReference`.

------
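One way to set this override through the API, as an added example that is not code from the Network Firewall documentation. It assumes the read-modify-write cycle of `DescribeFirewallPolicy` followed by `UpdateFirewallPolicy` with boto3 and the `DROP_TO_ALERT` override action; the sample policy and its ARNs are constructed placeholders.

```python
"""Toggle a managed rule group's "Run in alert mode" setting through the API.

Added example, not code from the Network Firewall documentation. It assumes
the FirewallPolicy shape returned by DescribeFirewallPolicy and the
StatefulRuleGroupOverride action DROP_TO_ALERT; the policy below is a
constructed sample whose ARNs are placeholders."""
import copy

MANAGED_RG_ARN = "arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup/StatefulRG2"
OWN_RG_ARN = "arn:aws:network-firewall:us-west-2:123456789012:stateful-rulegroup/my-own-rg"

# Constructed sample policy: one managed rule group and one of your own.
SAMPLE_POLICY = {
    "StatelessDefaultActions": ["aws:forward_to_sfe"],
    "StatelessFragmentDefaultActions": ["aws:forward_to_sfe"],
    "StatefulEngineOptions": {"RuleOrder": "STRICT_ORDER"},
    "StatefulRuleGroupReferences": [
        {"ResourceArn": MANAGED_RG_ARN, "Priority": 1},
        {"ResourceArn": OWN_RG_ARN, "Priority": 2},
    ],
}


def set_alert_mode(policy, rule_group_arn, enabled):
    """Return a copy of policy with the override set (enabled=True) or removed
    (enabled=False) on the reference to rule_group_arn. Other references are
    left untouched, so one group can stay in alert mode while the rest keep
    dropping. Raises KeyError if the policy does not reference the group."""
    updated = copy.deepcopy(policy)
    for ref in updated.get("StatefulRuleGroupReferences", []):
        if ref["ResourceArn"] == rule_group_arn:
            if enabled:
                ref["Override"] = {"Action": "DROP_TO_ALERT"}
            else:
                ref.pop("Override", None)
            return updated
    raise KeyError(f"policy does not reference {rule_group_arn}")


def rule_groups_in_alert_mode(policy):
    """ARNs of referenced rule groups whose drop rules are overridden to alert."""
    return [
        ref["ResourceArn"]
        for ref in policy.get("StatefulRuleGroupReferences", [])
        if ref.get("Override", {}).get("Action") == "DROP_TO_ALERT"
    ]


def apply_alert_mode(policy_arn, rule_group_arn, enabled, region="us-west-2"):
    """Read-modify-write the live policy with boto3 (needs credentials; not run
    here). UpdateFirewallPolicy requires the UpdateToken from the describe
    call, which rejects the write if the policy changed in between."""
    import boto3  # imported here so the pure helpers above run without it
    nfw = boto3.client("network-firewall", region_name=region)
    current = nfw.describe_firewall_policy(FirewallPolicyArn=policy_arn)
    new_policy = set_alert_mode(current["FirewallPolicy"], rule_group_arn, enabled)
    return nfw.update_firewall_policy(
        UpdateToken=current["UpdateToken"],
        FirewallPolicyArn=policy_arn,
        FirewallPolicy=new_policy,
    )
```

Because the override lives on the policy's reference to the rule group rather than on the rule group itself, the same managed rule group can drop in one policy and alert in another.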

# Adding Amazon managed rule groups to your firewall policy using the console
<a name="nwfw-using-managed-rule-groups-add-to-policy"></a>

Learn how to add one or more managed rule groups to your Network Firewall firewall policy. Adding managed rule groups to your firewall policy automatically implements their built-in protections across your firewall. You can add managed rule groups either through the Network Firewall rule groups page or from your firewall policy's detail page.

------
#### [ Rule groups page ]

**To add one or more managed rule groups to your firewall policy from the rule groups page**

1. Sign in to the Amazon Web Services Management Console and open the Amazon VPC console at [https://console.amazonaws.cn/vpc/](https://console.amazonaws.cn/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Network Firewall rule groups**.

1. In the **Amazon managed rule groups** tab, choose **Add rule groups to policy**.

1. In the **Choose a firewall policy** section, select the firewall policy to add your Amazon managed rule groups to.

1. Choose **Next**.

1. In the **Choose rule groups** section, choose one or more rule groups to add to your policy. You can add your own rule groups, or Amazon managed rule groups.

1. Choose **Next**.

1. (Optional) On the **Add tags** page, enter a key and optional value for any tag that you want to add to this firewall policy. Tags help you organize and manage your Amazon resources. For more information about tagging your resources, see [Tagging Amazon Network Firewall resources](tagging.md).

1. Choose **Next**.

1. On the **Review and confirm** page, check the rule group settings for your policy. If you want to change any section, choose **Edit** for the section. This returns you to the corresponding step in the add rule group to policy wizard. Make your changes, then choose **Next** on each page until you come back to the review and confirm page.

1. Choose **Add rule groups to policy**.

------
#### [ Firewall policy detail page ]

**To add one or more managed rule groups to your firewall policy from the details page**

1. Sign in to the Amazon Web Services Management Console and open the Amazon VPC console at [https://console.amazonaws.cn/vpc/](https://console.amazonaws.cn/vpc/).

1. In the navigation pane, under **Network Firewall**, choose **Firewall policies**.

1. Select the policy that you'd like to add one or more Amazon managed rule groups to.

1. In the **Stateful rule groups** section, in the **Actions** drop-down menu, select **Add managed stateful rule groups**.

1. Select the Amazon managed rule groups to add to your policy.

1. Choose **Add to policy**.

------

# Viewing Amazon managed rule groups in Network Firewall using the console
<a name="nwfw-using-managed-rule-groups-list"></a>

You can view the managed rule groups that are available for your use in your Network Firewall policy. 

**To view the list of managed rule groups**
+ **Console** – You can view the list of managed rule groups either in the **Network Firewall rule groups** page in the **Amazon managed rule groups** tab, or in the policy details page. When you add managed rule groups to a policy, you’ll see only the managed rule groups that fit your policy type. For example, if your policy type is default ordered, you’ll see only the managed rule groups that have a type of default ordered.
+ **API** – [ListRuleGroups](https://docs.amazonaws.cn/network-firewall/latest/APIReference/API_ListRuleGroups.html) with the parameter `Scope`. 
+ **CLI** – `aws network-firewall list-rule-groups --scope MANAGED`. To filter by managed rule group type, you can include the parameter `managed-type` and filter by `AWS_MANAGED_THREAT_SIGNATURES` and `AWS_MANAGED_DOMAIN_LISTS`.

# Troubleshooting Amazon managed rule groups in Network Firewall
<a name="nwfw-using-managed-rule-groups-mitigating-false-positive"></a>

As a best practice, before using a rule group in production, with logging enabled, run the managed rule group in **alert mode** if you're using the firewall as an intrusion detection system (IDS), or in **drop mode** if you use the firewall as an intrusion prevention system (IPS) in a non-production environment. Either mode sends alert messages to the logs for traffic that doesn't pass inspection. For more information, see [Logging network traffic from Amazon Network Firewall](firewall-logging.md).

Running a managed rule group in either alert mode or drop mode allows you to do a dry run with alert logs that show you what the resulting behavior would be before you commit to making changes to your traffic. Evaluate the rule group using Network Firewall logs. When you're satisfied that the rule group does what you want it to do, disable test mode on the group.

**Mitigating false-positive scenarios**  
If you are encountering false-positive scenarios with Amazon managed rule groups, perform the following steps: 

1. In the firewall policy's Amazon managed rule group settings in the Network Firewall console, override the actions in the rules of the rule groups by enabling **Run in alert mode**. This stops them from blocking legitimate traffic.

1. Use [Network Firewall logs](logging-monitoring.md) to identify which Amazon managed rule group is triggering the false positive.

1. In the Amazon Network Firewall console, edit the firewall policy, and locate the Amazon managed rule group that you've identified. Then, disable **Run in alert mode** for the rules that aren't causing the false positive, and leave the rule group that is causing the false positive in alert mode. 

For more information about a rule in an Amazon managed rule group, contact the [Amazon Web Services Support Center](https://console.amazonaws.cn/support/home#/).

# Considerations and disclaimers for using Amazon managed rule groups in Network Firewall
<a name="aws-managed-rule-groups-disclaimer"></a>

Before you add Amazon managed rule groups to a firewall policy, consider the following.

**Disclaimer**  
Managed rule groups are designed to protect you from common web threats. When used in accordance with the documentation, Amazon managed rule groups add another layer of security for your applications. However, Amazon managed rule groups aren't intended as a replacement for your security responsibilities, which are determined by the Amazon resources that you select. Refer to the [Shared Responsibility Model](http://www.amazonaws.cn/compliance/shared-responsibility-model/) to ensure that your resources in Amazon are properly protected. 

**DNS traffic limitations**  
Network Firewall filters network traffic that is routed through firewall endpoints. However, DNS queries made to Amazon Route 53 Resolver are not inspected because they are routed to a static address in the VPC. Any DNS inspection rules in Amazon managed rule groups, including active threat defense managed rule groups, cannot inspect traffic to Amazon Route 53 Resolver. For more information about Network Firewall limitations, see [Limitations and caveats for stateful rules in Amazon Network Firewall](suricata-limitations-caveats.md).

**Automatic updates**  
Amazon automatically updates managed rule groups to protect against new vulnerabilities and threats. These updates can occur daily to weekly, depending on threat severity. Sometimes, Amazon is notified of new vulnerabilities before public disclosure due to its participation in a number of private disclosure communities. In those cases, Network Firewall may update rule groups and deploy them to your environment before a new threat is widely known.

**Copying Amazon managed rules**  
You can copy managed threat signature rules into your own rule group and customize them for your specific needs, but Network Firewall does not support copying active threat defense rules.