Amazon Web Services Marketplace managed rule groups - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Amazon Web Services Marketplace managed rule groups

This section explains how to use Amazon Web Services Marketplace managed rule groups.

Amazon Web Services Marketplace managed rule groups are available by subscription through the Amazon Web Services Marketplace console at Amazon Web Services Marketplace. After you subscribe to a Amazon Web Services Marketplace managed rule group, you can use it in Amazon WAF. To use an Amazon Web Services Marketplace rule group in an Amazon Firewall Manager Amazon WAF policy, each account in your organization must subscribe to it.

Test and tune any changes to your Amazon WAF protections before you use them for production traffic. For information, see Testing and tuning your Amazon WAF protections.

Amazon Web Services Marketplace Rule Group Pricing

Amazon Web Services Marketplace rule groups are available with no long-term contracts, and no minimum commitments. When you subscribe to a rule group, you are charged a monthly fee (prorated hourly) and ongoing request fees based on volume. For more information, see Amazon WAF Pricing and the description for each Amazon Web Services Marketplace rule group at Amazon Web Services Marketplace.

Have questions about an Amazon Web Services Marketplace rule group?

For questions about a rule group that's managed by an Amazon Web Services Marketplace seller and to request changes in functionality, contact the provider's customer support team. To find contact information, see the provider's listing at Amazon Web Services Marketplace.

The Amazon Web Services Marketplace rule group provider determines how to manage the rule group, for example how to update the rule group and whether the rule group is versioned. The provider also determines the details of the rule group, including the rules, rule actions, and any labels that the rules add to matching web requests.

Subscribing to Amazon Web Services Marketplace managed rule groups

You can subscribe to and unsubscribe from Amazon Web Services Marketplace rule groups on the Amazon WAF console.

Important

To use an Amazon Web Services Marketplace rule group in an Amazon Firewall Manager policy, each account in your organization must first subscribe to that rule group.

To subscribe to an Amazon Web Services Marketplace managed rule group
  1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at https://console.amazonaws.cn/wafv2/.

  2. In the navigation pane, choose Amazon Web Services Marketplace.

  3. In the Available marketplace products section, choose the name of a rule group to view the details and pricing information.

  4. If you want to subscribe to the rule group, choose Continue.

    Note

    If you don't want to subscribe to this rule group, simply close this page in your browser.

  5. Choose Set up your account.

  6. Add the rule group to a web ACL, similar to how you add an individual rule. For more information, see Creating a web ACL in Amazon WAF or Editing a web ACL in Amazon WAF.

    Note

    When adding a rule group to a web ACL, you can override the actions of rules in the rule group and of the rule group result. For more information, see Overriding rule group actions in Amazon WAF.

After you're subscribed to an Amazon Web Services Marketplace rule group, you use it in your web ACLs as you do other managed rule groups. For information, see Creating a web ACL in Amazon WAF.

Unsubscribing from Amazon Web Services Marketplace managed rule groups

You can unsubscribe from Amazon Web Services Marketplace rule groups on the Amazon WAF console.

Important

To stop the subscription charges for an Amazon Web Services Marketplace managed rule group, you must remove it from all web ACLs in Amazon WAF and in any Firewall Manager Amazon WAF policies, in addition to unsubscribing from it. If you unsubscribe from an Amazon Web Services Marketplace managed rule group but don't remove it from your web ACLs, you will continue to be charged for the subscription.

To unsubscribe from an Amazon Web Services Marketplace managed rule group
  1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at https://console.amazonaws.cn/wafv2/.

  2. Remove the rule group from all web ACLs. For more information, see Editing a web ACL in Amazon WAF.

  3. In the navigation pane, choose Amazon Web Services Marketplace.

  4. Choose Manage your subscriptions.

  5. Choose Cancel subscription next to the name of the rule group that you want to unsubscribe from.

  6. Choose Yes, cancel subscription.

Troubleshooting Amazon Web Services Marketplace rule groups

If you find that an Amazon Web Services Marketplace rule group is blocking legitimate traffic, you can troubleshoot the problem by performing the following steps.

To troubleshoot an Amazon Web Services Marketplace rule group
  1. Override the actions to count for the rules that are blocking legitimate traffic. You can identify which rules are blocking specific requests using either the Amazon WAF sampled requests or Amazon WAF logs. You can identify the rules by looking at the ruleGroupId field in the log or the RuleWithinRuleGroup in the sampled request. You can identify the rule in the pattern <Seller Name>#<RuleGroup Name>#<Rule Name>.

  2. If setting specific rules to only count requests doesn't solve the problem, you can override all of the rule actions or change the action for the Amazon Web Services Marketplace rule group itself from No override to Override to count. This allows the web request to pass through, regardless of the individual rule actions within the rule group.

  3. After overriding either the individual rule action or the entire Amazon Web Services Marketplace rule group action, contact the rule group provider‘s customer support team to further troubleshoot the issue. For contact information, see the rule group listing on the product listing pages on Amazon Web Services Marketplace.

Contacting Amazon support

For problems with Amazon WAF or a rule group that is managed by Amazon, contact Amazon Web Services Support. For problems with a rule group that is managed by an Amazon Web Services Marketplace seller, contact the provider's customer support team. To find contact information, see the provider's listing on Amazon Web Services Marketplace.