Version life cycle for managed rule groups - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced

Version life cycle for managed rule groups

Providers handle the following life cycle stages of a managed rule group static version:

  • Release and updates – A managed rule group provider announces upcoming and new static versions of their managed rule groups through notifications to an Amazon Simple Notification Service (Amazon SNS) topic. Providers might also use the topic to communicate other important information about their rule groups, such as urgent required updates.

    You can subscribe to the rule group's topic and configure how you want to receive notifications. For more information, see Getting notified of new versions and updates.

  • Expiration scheduling – A managed rule group provider schedules older versions of a rule group for expiration. A version that's scheduled to expire cannot be added to your web ACL rules. After expiration is scheduled for a version, Amazon WAF tracks the expiration with a countdown metric in Amazon CloudWatch.

  • Version expiration – If you have a web ACL configured to use an expired version of a managed rule group, then during web ACL evaluation, Amazon WAF uses the rule group's default version. Additionally, Amazon WAF blocks any updates to the web ACL that don't either remove the rule group or change its version to an unexpired one.

If you use Amazon Web Services Marketplace managed rule groups, ask the provider for any additional information about version life cycles.
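The life cycle stages above can be checked against your own web ACLs. The following is an added example, not code from this documentation: it walks the `Rules` of a web ACL definition, reads the version pinned in each `ManagedRuleGroupStatement`, and classifies it. The `expiry_by_version` inventory, the status labels, the version names, and the dates are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def audit_pinned_versions(web_acl, expiry_by_version, now, warn_days=30):
    """Return (rule name, pinned version, status) per managed rule group rule.

    expiry_by_version is a hypothetical inventory you maintain from provider
    notifications: {(vendor, group, version): expiry datetime, or None}.
    """
    findings = []
    for rule in web_acl.get("Rules", []):
        stmt = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if stmt is None:
            continue  # custom rule or other statement type
        version = stmt.get("Version")
        key = (stmt["VendorName"], stmt["Name"], version)
        if version is None:
            status = "default"    # unpinned: evaluated with the default version
        elif key not in expiry_by_version:
            status = "unknown"    # pinned to a version the inventory doesn't track
        elif expiry_by_version[key] is None:
            status = "ok"         # no expiration scheduled
        elif expiry_by_version[key] <= now:
            status = "expired"    # default version is used; fix on next ACL update
        elif expiry_by_version[key] - now <= timedelta(days=warn_days):
            status = "expiring"   # inside the warning window: plan the change
        else:
            status = "scheduled"  # expiration scheduled, outside the window
        findings.append((rule["Name"], version, status))
    return findings

# Constructed sample data: version names and dates are made up.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)

def _mrg(rule_name, group, version=None):
    stmt = {"VendorName": "AWS", "Name": group}
    if version:
        stmt["Version"] = version
    return {"Name": rule_name, "Statement": {"ManagedRuleGroupStatement": stmt}}

SAMPLE_ACL = {"Rules": [
    _mrg("common", "AWSManagedRulesCommonRuleSet", "Version_1.0"),
    _mrg("sqli", "AWSManagedRulesSQLiRuleSet", "Version_1.1"),
    _mrg("linux", "AWSManagedRulesLinuxRuleSet"),
    {"Name": "rate-limit", "Statement": {"RateBasedStatement": {"Limit": 1000}}},
]}
SAMPLE_EXPIRY = {
    ("AWS", "AWSManagedRulesCommonRuleSet", "Version_1.0"): NOW - timedelta(days=31),
    ("AWS", "AWSManagedRulesSQLiRuleSet", "Version_1.1"): NOW + timedelta(days=19),
}
```

A rule reported as `expired` is the case described under version expiration: the web ACL still names the old version, but evaluation uses the default version until you remove the rule group or change its version.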