Using managed rule groups in Amazon WAF - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced

Using managed rule groups in Amazon WAF

This section explains what managed rule groups are and how they work.

Managed rule groups are collections of predefined, ready-to-use rules that Amazon and Amazon Web Services Marketplace sellers write and maintain for you. Basic Amazon WAF pricing applies to your use of any managed rule group. For Amazon WAF pricing information, see Amazon WAF Pricing.

  • The Amazon Managed Rules rule groups for Amazon WAF Bot Control, Amazon WAF Fraud Control account takeover prevention (ATP), and Amazon WAF Fraud Control account creation fraud prevention (ACFP) are available for additional fees, beyond the basic Amazon WAF charges. For pricing details, see Amazon WAF Pricing.

  • All other Amazon Managed Rules rule groups are available to Amazon WAF customers at no additional cost.

  • Amazon Web Services Marketplace managed rule groups are available by subscription through Amazon Web Services Marketplace. Each of these rule groups is owned and managed by the Amazon Web Services Marketplace seller. For pricing information to use an Amazon Web Services Marketplace managed rule group, contact the Amazon Web Services Marketplace seller.

Some managed rule groups are designed to help protect specific types of web applications like WordPress, Joomla, or PHP. Others offer broad protection against known threats or common web application vulnerabilities, including some of the ones listed in the OWASP Top 10. If you're subject to regulatory compliance like PCI or HIPAA, you might be able to use managed rule groups to satisfy web application firewall requirements.

Automatic updates

Keeping up to date on the constantly changing threat landscape can be time-consuming and expensive. Managed rule groups can save you time when you implement and use Amazon WAF. Many Amazon and Amazon Web Services Marketplace sellers automatically update managed rule groups and provide new versions of rule groups when new vulnerabilities and threats emerge.

In some cases, Amazon is notified of new vulnerabilities before public disclosure, due to its participation in a number of private disclosure communities. In those cases, Amazon can update the Amazon Managed Rules rule groups and deploy them for you even before a new threat is widely known.

Restricted access to rules in a managed rule group

Each managed rule group provides a comprehensive description of the types of attacks and vulnerabilities that it's designed to protect against. To protect the intellectual property of the rule group providers, you can't view all of the details for the individual rules within a rule group. This restriction also helps to keep malicious users from designing threats that specifically circumvent published rules.