Amazon Web Services Marketplace rule groups - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced

Amazon Web Services Marketplace rule groups

Note

This is Amazon WAF Classic documentation. You should only use this version if you created Amazon WAF resources, like rules and web ACLs, in Amazon WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your resources, see Migrating your Amazon WAF Classic resources to Amazon WAF.

For the latest version of Amazon WAF, see Amazon WAF.

Amazon WAF Classic provides Amazon Web Services Marketplace rule groups to help you protect your resources. Amazon Web Services Marketplace rule groups are collections of predefined, ready-to-use rules that are written and updated by Amazon and Amazon partner companies.

Some Amazon Web Services Marketplace rule groups are designed to help protect specific types of web applications like WordPress, Joomla, or PHP. Other Amazon Web Services Marketplace rule groups offer broad protection against known threats or common web application vulnerabilities, such as those listed in the OWASP Top 10.

You can install a single Amazon Web Services Marketplace rule group from your preferred Amazon partner, and you can also add your own customized Amazon WAF Classic rules for increased protection. If you are subject to regulatory compliance like PCI or HIPAA, you might be able to use Amazon Web Services Marketplace rule groups to satisfy web application firewall requirements.

Amazon Web Services Marketplace rule groups are available with no long-term contracts, and no minimum commitments. When you subscribe to a rule group, you are charged a monthly fee (prorated hourly) and ongoing request fees based on volume. For more information, see Amazon WAF Classic Pricing and the description for each Amazon Web Services Marketplace rule group on Amazon Web Services Marketplace.

Automatic updates

Keeping up to date on the constantly changing threat landscape can be time consuming and expensive. Amazon Web Services Marketplace rule groups can save you time when you implement and use Amazon WAF Classic. Another benefit is that Amazon and our Amazon partners automatically update Amazon Web Services Marketplace rule groups when new vulnerabilities and threats emerge.

Many of our partners are notified of new vulnerabilities before public disclosure. They can update their rule groups and deploy them to you even before a new threat is widely known. Many also have threat research teams to investigate and analyze the most recent threats in order to write the most relevant rules.

Access to the rules in an Amazon Web Services Marketplace rule group

Each Amazon Web Services Marketplace rule group provides a comprehensive description of the types of attacks and vulnerabilities that it's designed to protect against. To protect the intellectual property of the rule group providers, you can't view the individual rules within a rule group. This restriction also helps to keep malicious users from designing threats that specifically circumvent published rules.

Because you can’t view individual rules in an Amazon Web Services Marketplace rule group, you also can't edit any rules in an Amazon Web Services Marketplace rule group. However, you can exclude specific rules from a rule group. This is called a "rule group exception." Excluding rules does not remove those rules. Rather, it changes the action for the rules to COUNT. Therefore, requests that match an excluded rule are counted but not blocked. You will receive COUNT metrics for each excluded rule.

Excluding rules can be helpful when troubleshooting rule groups that are blocking traffic unexpectedly (false positives). One troubleshooting technique is to identify the specific rule within the rule group that is blocking the desired traffic and then disable (exclude) that particular rule.

In addition to excluding specific rules, you can refine your protection by enabling or disabling entire rule groups, as well as choosing the rule group action to perform. For more information, see Using Amazon Web Services Marketplace rule groups.

Quotas

You can enable only one Amazon Web Services Marketplace rule group. You can also enable one custom rule group that you create using Amazon Firewall Manager. These rule groups count towards the 10-rule maximum quota per web ACL. Therefore, you can have one Amazon Web Services Marketplace rule group, one custom rule group, and up to eight custom rules in a single web ACL.

Pricing

For Amazon Web Services Marketplace rule group pricing, see Amazon WAF Classic Pricing and the description for each Amazon Web Services Marketplace rule group on Amazon Web Services Marketplace.

Using Amazon Web Services Marketplace rule groups

You can subscribe to and unsubscribe from Amazon Web Services Marketplace rule groups on the Amazon WAF Classic console. You can also exclude specific rules from a rule group.

To subscribe to and use an Amazon Web Services Marketplace rule group
  1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at https://console.amazonaws.cn/wafv2/.

    If you see Switch to Amazon WAF Classic in the navigation pane, select it.

  2. In the navigation pane, choose Marketplace.

  3. In the Available marketplace products section, choose the name of a rule group to view the details and pricing information.

  4. If you want to subscribe to the rule group, choose Continue.

    Note

    If you don't want to subscribe to this rule group, simply close this page in your browser.

  5. Choose Set up your account.

  6. Add the rule group to a web ACL, just as you would add an individual rule. For more information, see Creating a Web ACL or Editing a Web ACL.

    Note

    When adding a rule group to a web ACL, the action that you set for the rule group (either No override or Override to count) is called the rule group override action. For more information, see Rule group override.

To unsubscribe from an Amazon Web Services Marketplace rule group
  1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at https://console.amazonaws.cn/wafv2/.

    If you see Switch to Amazon WAF Classic in the navigation pane, select it.

  2. Remove the rule group from all web ACLs. For more information, see Editing a Web ACL.

  3. In the navigation pane, choose Marketplace.

  4. Choose Manage your subscriptions.

  5. Choose Cancel subscription next to the name of the rule group that you want to unsubscribe from.

  6. Choose Yes, cancel subscription.

To exclude a rule from a rule group (rule group exception)
  1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at https://console.amazonaws.cn/wafv2/.

    If you see Switch to Amazon WAF Classic in the navigation pane, select it.

  2. If not already enabled, enable Amazon WAF Classic logging. For more information, see Logging Web ACL traffic information. Use the Amazon WAF Classic logs to identify the IDs of the rules that you want to exclude. These are typically rules that are blocking legitimate requests.

  3. In the navigation pane, choose Web ACLs.

  4. Choose the name of the web ACL that you want to edit. This opens a page with the web ACL's details in the right pane.

    Note

    The rule group that you want to edit must be associated with a web ACL before you can exclude a rule from that rule group.

  5. On the Rules tab in the right pane, choose Edit web ACL.

  6. In the Rule group exceptions section, expand the rule group that you want to edit.

  7. Choose the X next to the rule that you want to exclude. You can identify the correct rule ID by using the Amazon WAF Classic logs.

  8. Choose Update.

    Excluding rules does not remove those rules from the rule group. Rather, it changes the action for the rules to COUNT. Therefore, requests that match an excluded rule are counted but not blocked. You will receive COUNT metrics for each excluded rule.

    Note

    You can use this same procedure to exclude rules from custom rule groups that you have created in Amazon Firewall Manager. However, rather than excluding a rule from a custom rule group using these steps, you can also simply edit a custom rule group using the steps described in Adding and deleting rules from an Amazon WAF Classic rule group.

Rule group override

Amazon Web Services Marketplace rule groups have two possible actions: No override and Override to count. If you want to test the rule group, set the action to Override to count. This rule group action overrides any block action that is specified by individual rules contained within the group. That is, if the rule group's action is set to Override to count, instead of potentially blocking matching requests based on the action of individual rules within the group, those requests will be counted. Conversely, if you set the rule group's action to No override, actions of the individual rules within the group will be used.

Troubleshooting Amazon Web Services Marketplace rule groups

If you find that an Amazon Web Services Marketplace rule group is blocking legitimate traffic, perform the following steps.

To troubleshoot an Amazon Web Services Marketplace rule group
  1. Exclude the specific rules that are blocking legitimate traffic. You can identify which rules are blocking which requests using the Amazon WAF Classic logs. For more information about excluding rules, see To exclude a rule from a rule group (rule group exception).

  2. If excluding specific rules does not solve the problem, you can change the action for the Amazon Web Services Marketplace rule group from No override to Override to count. This allows the web request to pass through, regardless of the individual rule actions within the rule group. This also provides you with Amazon CloudWatch metrics for the rule group.

  3. After setting the Amazon Web Services Marketplace rule group action to Override to count, contact the rule group provider's customer support team to further troubleshoot the issue. For contact information, see the rule group listing on the product listing pages on Amazon Web Services Marketplace.
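As an added example (not code from the Amazon documentation), the following Python reads Amazon WAF log records and tallies which rule inside a rule group terminated requests with BLOCK, which is the rule ID that step 2 of the exclusion procedure and step 1 of the troubleshooting procedure ask you to find in the logs; it also counts matches on already-excluded rules so you can confirm an exclusion is counting rather than blocking. The log records are constructed, and the field names (action, terminatingRuleType, ruleGroupList, terminatingRule, excludedRules) are assumed to follow the Amazon WAF log schema; the IDs are placeholders.

```python
import json
from collections import Counter

# Constructed sample Amazon WAF log records (not real traffic). Field names are assumed
# to follow the Amazon WAF log schema; rule group and rule IDs are placeholders.
SAMPLE_LOG_LINES = [
    # Request blocked by rule EXAMPLE-RULE-A inside the Marketplace rule group
    '{"action":"BLOCK","terminatingRuleType":"GROUP","terminatingRuleId":"EXAMPLE-RULEGROUP-ID",'
    '"ruleGroupList":[{"ruleGroupId":"EXAMPLE-RULEGROUP-ID","excludedRules":null,'
    '"terminatingRule":{"ruleId":"EXAMPLE-RULE-A","action":"BLOCK"}}],"httpRequest":{"uri":"/wp-admin/admin-ajax.php"}}',
    # Request blocked by a different rule in the same group
    '{"action":"BLOCK","terminatingRuleType":"GROUP","terminatingRuleId":"EXAMPLE-RULEGROUP-ID",'
    '"ruleGroupList":[{"ruleGroupId":"EXAMPLE-RULEGROUP-ID","excludedRules":null,'
    '"terminatingRule":{"ruleId":"EXAMPLE-RULE-B","action":"BLOCK"}}],"httpRequest":{"uri":"/login"}}',
    # After EXAMPLE-RULE-A is excluded: the request is allowed and the match is only counted
    '{"action":"ALLOW","terminatingRuleType":"DEFAULT","terminatingRuleId":"Default_Action",'
    '"ruleGroupList":[{"ruleGroupId":"EXAMPLE-RULEGROUP-ID","terminatingRule":null,'
    '"excludedRules":[{"exclusionType":"EXCLUDED_AS_COUNT","ruleId":"EXAMPLE-RULE-A"}]}],"httpRequest":{"uri":"/wp-admin/admin-ajax.php"}}',
]

def blocks_by_rule(lines):
    """Count BLOCK terminations per (rule group ID, rule ID); the top entries are
    the candidates to exclude when a rule group blocks legitimate traffic."""
    counts = Counter()
    for line in lines:
        rec = json.loads(line)
        if rec.get("action") != "BLOCK" or rec.get("terminatingRuleType") != "GROUP":
            continue
        for group in rec.get("ruleGroupList") or []:
            rule = group.get("terminatingRule")
            if rule and rule.get("action") == "BLOCK":
                counts[(group["ruleGroupId"], rule["ruleId"])] += 1
    return counts

def excluded_matches(lines):
    """Count matches on excluded rules; an exclusion changes the rule to COUNT,
    so these records should not show a BLOCK coming from the rule group."""
    counts = Counter()
    for line in lines:
        for group in json.loads(line).get("ruleGroupList") or []:
            for ex in group.get("excludedRules") or []:
                counts[(group["ruleGroupId"], ex["ruleId"])] += 1
    return counts

if __name__ == "__main__":
    for (gid, rid), n in blocks_by_rule(SAMPLE_LOG_LINES).most_common():
        print(f"rule group {gid}: rule {rid} blocked {n} request(s)")
    for (gid, rid), n in excluded_matches(SAMPLE_LOG_LINES).items():
        print(f"rule group {gid}: excluded rule {rid} counted {n} match(es)")
```

Point `SAMPLE_LOG_LINES` at the newline-delimited records delivered by your Amazon WAF Classic logging destination to run this over real data.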

Contacting customer support

For problems with Amazon WAF Classic or a rule group that is managed by Amazon, contact Amazon Web Services Support. For problems with a rule group that is managed by an Amazon partner, contact that partner's customer support team. To find partner contact information, see the partner’s listing on Amazon Web Services Marketplace.

Creating and selling Amazon Web Services Marketplace rule groups

If you want to sell Amazon Web Services Marketplace rule groups on Amazon Web Services Marketplace, see How to Sell Your Software on Amazon Web Services Marketplace.