Version expiration for managed rule groups
This section explains how version expiration works for a versioned managed rule group.
If you use a specific version of a rule group, make sure that you don't keep using a version past its expiration date. You can monitor version expiration through the rule group's SNS notifications and through Amazon CloudWatch metrics.
If a version that you're using in a web ACL is expired, Amazon WAF blocks any updates to the web ACL that don't include moving the rule group to an unexpired version. You can update the rule group to an available version or remove it from your web ACL.
Expiration handling for a managed rule group depends on the rule group provider. For Amazon Managed Rules rule groups, an expired version is automatically changed to the rule group's default version. For Amazon Web Services Marketplace rule groups, ask the provider how they handle expiration.
When the provider creates a new version of the rule group, it sets the version's forecasted lifetime. While the version isn't scheduled to expire, the Amazon CloudWatch metric value is set to the forecasted lifetime setting, and in CloudWatch, you'll see a flat value for the metric. After the provider schedules the metric to expire, the metric value diminishes each day until it reaches zero on the day of expiration. For information about monitoring expiration, see Tracking version expiration.