Step 2: Create and apply an Amazon WAF policy - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced

Step 2: Create and apply an Amazon WAF policy

A Firewall Manager Amazon WAF policy contains the rule groups that you want to apply to your resources. Firewall Manager creates a Firewall Manager web ACL in each account where you apply the policy. The individual account managers can add rules and rule groups to the resulting web ACL, in addition to the rule groups that you define here. For information about Firewall Manager Amazon WAF policies, see Amazon WAF policies.

To create a Firewall Manager Amazon WAF policy (console)

Sign in to the Amazon Web Services Management Console using your Firewall Manager administrator account, and then open the Firewall Manager console. For information about setting up a Firewall Manager administrator account, see Amazon Firewall Manager prerequisites.

  1. In the navigation pane, choose Security policies.

  2. Choose Create policy.

  3. For Policy type, choose Amazon WAF.

  4. For Region, choose an Amazon Web Services Region. To protect Amazon CloudFront distributions, choose Global.

    To protect resources in multiple Regions (other than CloudFront distributions), you must create separate Firewall Manager policies for each Region.

  5. Choose Next.

  6. For Policy name, enter a descriptive name. Firewall Manager includes the policy name in the names of the web ACLs that it manages. The web ACL names have FMManagedWebACLV2- followed by the policy name that you enter here, -, and the web ACL creation timestamp, in UTC milliseconds. For example, FMManagedWebACLV2-MyWAFPolicyName-1621880374078.


    Web ACL names can't change after creation. If you update your policy's name, Firewall Manager won't update the associated web ACL name. To have Firewall Manager create a web ACL with a different name, you must create a new policy.

  7. Under Policy rules, for First rule groups, choose Add rule groups. Expand the Amazon managed rule groups. For Core rule set, toggle Add to web ACL. For Amazon known bad inputs, toggle Add to web ACL. Choose Add rules.

    For Last rule groups, choose Add rule groups. Expand the Amazon managed rule groups and for the Amazon IP reputation list, toggle Add to web ACL. Choose Add rules.

    Under First rule groups, select Core rule set and choose Move down. Amazon WAF evaluates web requests against the Amazon known bad inputs rule group before it evaluates against the Core rule set.

    You can also create your own Amazon WAF rule groups if you want, using the Amazon WAF console. Any rule groups that you create show up under Your rule groups in the Describe policy: Add rule groups page.

    The first and last Amazon WAF rule groups that you manage through Firewall Manager have names that begin with PREFMManaged- or POSTFMManaged-, respectively, followed by the Firewall Manager policy name, and the rule group creation timestamp, in UTC milliseconds. For example, PREFMManaged-MyWAFPolicyName-1621880555123.

  8. Leave the default action for the web ACL at Allow.

  9. Leave the Policy action at the default, to not automatically remediate noncompliant resources. You can change the option later.

  10. Choose Next.

  11. For Policy scope, you provide the settings for the accounts, resource types, and tagging that identify the resources you want to apply the policy to. For this tutorial, leave the Amazon Web Services accounts and Resources settings as they are, and choose one or more resource types.

  12. For Resources, you can narrow the scope of the policy using tagging, by either including or excluding resources with the tags that you specify. You can use inclusion or exclusion, and not both. For more information about tags, see Working with Tag Editor.

    If you enter more than one tag, a resource must have all of the tags to be included or excluded.

    Resource tags can only have non-null values. If you omit the value for a tag, Firewall Manager saves the tag with an empty string value: "". Resource tags only match with tags that have the same key and the same value.

  13. Choose Next.

  14. For Policy tags, add any identifying tags that you want to add to the Firewall Manager policy resource. For more information about tags, see Working with Tag Editor.

  15. Choose Next.

  16. Review the new policy settings and return to any pages where you need to make any adjustments.

    Check to be sure that Policy actions is set to Identify resources that don’t comply with the policy rules, but don’t auto remediate. This allows you to review the changes that your policy would make before you enable them.

  17. When you are satisfied with the policy, choose Create policy.

    In the Amazon Firewall Manager policies pane, your policy should be listed. It will probably indicate Pending under the accounts headings and it will indicate the status of the Automatic remediation setting. The creation of a policy can take several minutes. After the Pending status is replaced with account counts, you can choose the policy name to explore the compliance status of the accounts and resources. For information, see Viewing compliance information for an Amazon Firewall Manager policy.
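
The naming rules from steps 6 and 7 and the tag-matching rules from step 12, as an added Python example that is not part of the original documentation. It is meant for auditing a web ACL inventory and for checking a policy's tag scope before remediation is enabled; the function names and the sample inputs used with them are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Prefixes the page gives for names that Firewall Manager generates.
_KINDS = {
    "FMManagedWebACLV2-": "web_acl",
    "PREFMManaged-": "first_rule_group",
    "POSTFMManaged-": "last_rule_group",
}
_NAME_RE = re.compile(r"^(FMManagedWebACLV2-|PREFMManaged-|POSTFMManaged-)(.+)-(\d+)$")
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def parse_managed_name(name):
    """Split a Firewall Manager generated name into kind, policy name, creation time.

    Returns None for names that do not follow the documented pattern, for
    example rule groups that an account manager added to the web ACL.
    """
    m = _NAME_RE.match(name)
    if m is None:
        return None
    prefix, policy, millis = m.groups()
    # The greedy (.+) keeps hyphens that are part of the policy name; the
    # timestamp is always the last hyphen-separated field, in UTC milliseconds.
    created = _EPOCH + timedelta(milliseconds=int(millis))
    return {"kind": _KINDS[prefix], "policy": policy, "created": created}


def in_tag_scope(resource_tags, policy_tags, exclude=False):
    """Predict whether the policy's tag scope selects a resource.

    policy_tags maps key -> value; None means the value was omitted, which
    Firewall Manager stores as "". A resource matches only if it carries
    every policy tag with the same key and the same value. With
    exclude=True a match takes the resource out of scope instead.
    """
    if not policy_tags:
        return True  # no tag filter: accounts and resource types decide scope
    wanted = {k: ("" if v is None else v) for k, v in policy_tags.items()}
    matches = all(resource_tags.get(k) == v for k, v in wanted.items())
    return not matches if exclude else matches
```
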