Migrating a web ACL: additional considerations
Review your new web ACL and consider the options available to you in the new Amazon WAF to be sure that the configuration is as efficient as possible and that it's using the latest available security options.
Additional Amazon Managed Rules
Consider implementing additional Amazon Managed Rules in your web ACL to increase the security posture for your application. These are included with Amazon WAF at no additional cost. Amazon Managed Rules feature the following types of rule groups:
-
Baseline rule groups provide general protection against a variety of common threats, such as stopping known bad inputs from making it into your application and preventing admin page access.
-
Use-case specific rule groups provide incremental protection for many diverse use cases and environments.
-
IP reputation lists provide threat intelligence based on the client’s source IP.
For more information, see Amazon Managed Rules for Amazon WAF.
Rule optimization and cleanup
Revisit your old rules and consider optimizing them by rewriting them or removing outdated
ones. For example, if in the past, you deployed an Amazon CloudFormation template from the
technical paper for OWASP Top 10 Web Application Vulnerabilities, Prepare for the OWASP Top 10 Web Application Vulnerabilities Using Amazon WAF
and Our New White Paper
Amazon CloudWatch metrics and alarms
Revisit your Amazon CloudWatch metrics and set up alarms as needed. The migration doesn't carry over CloudWatch alarms and it's possible that your metric names aren't what you want.
Review with your application team
Work with your application team and check your security posture. Find out what fields are parsed frequently by the application and add rules to sanitize the input accordingly. Check for any edge cases and add rules to catch these cases if the application’s business logic fails to process them.
Plan the switchover
Plan the timing of the switch with your application team. The switch from the old web ACL association to the new one can take a small amount of time to propagate to all areas where your resources are stored. The propagation time can be from a few seconds to a number of minutes. During this time, some requests will be processed by the old web ACL and others will be processed by the new web ACL. Your resources will be protected throughout the switch, but you might notice inconsistencies in request handling while the switch is underway.
When you are ready to switch over, follow the procedure at Migrating a web ACL: switchover.