Migrating a web ACL: additional considerations - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Migrating a web ACL: additional considerations

Review your new web ACL and consider the options available to you in the new Amazon WAF to be sure that the configuration is as efficient as possible and that it's using the latest available security options.

Additional Amazon Managed Rules

Consider adding Amazon Managed Rules rule groups to your web ACL to strengthen the security posture of your application. These rule groups are included with Amazon WAF at no additional cost. Amazon Managed Rules offers the following types of rule groups:

  • Baseline rule groups provide general protection against a variety of common threats, such as stopping known bad inputs from making it into your application and preventing admin page access.

  • Use-case specific rule groups provide incremental protection for many diverse use cases and environments.

  • IP reputation lists provide threat intelligence based on the client’s source IP.

For more information, see Amazon Managed Rules for Amazon WAF.

Rule optimization and cleanup

Revisit your old rules and consider rewriting them or removing the ones that are outdated. For example, if you previously deployed the Amazon CloudFormation template that accompanied the technical paper Prepare for the OWASP Top 10 Web Application Vulnerabilities Using Amazon WAF and Our New White Paper, consider replacing the rules that template created with Amazon Managed Rules. The concepts in that paper still apply and can help you write your own rules, but the rules created by the template have been largely superseded by Amazon Managed Rules.
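The following is an added example, not part of the original page, of a migrated web ACL that replaces hand-written OWASP-template rules with one rule group of each type described above: two baseline groups, one use-case specific group, and the Amazon IP reputation list. It is in the JSON shape accepted by aws wafv2 create-web-acl --cli-input-json file://web-acl.json. The web ACL name, metric names, priorities and the REGIONAL scope are assumed for illustration; the VendorName "AWS" and the four rule group names are the identifiers that Amazon Managed Rules publishes. The SQLi group is placed in count mode so that its matches show up in CloudWatch and in sampled requests before it blocks anything, and the Common rule set's SizeRestrictions_BODY rule is overridden to count on the assumption (ours, for this example) that the application legitimately accepts large request bodies.

```json
{
  "Name": "example-migrated-web-acl",
  "Scope": "REGIONAL",
  "Description": "Migrated web ACL using Amazon Managed Rules in place of OWASP template rules",
  "DefaultAction": { "Allow": {} },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "example-migrated-web-acl"
  },
  "Rules": [
    {
      "Name": "ip-reputation-amazon",
      "Priority": 0,
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesAmazonIpReputationList"
        }
      },
      "OverrideAction": { "None": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "ip-reputation-amazon"
      }
    },
    {
      "Name": "baseline-common-rule-set",
      "Priority": 1,
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesCommonRuleSet",
          "RuleActionOverrides": [
            { "Name": "SizeRestrictions_BODY", "ActionToUse": { "Count": {} } }
          ]
        }
      },
      "OverrideAction": { "None": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "baseline-common-rule-set"
      }
    },
    {
      "Name": "baseline-known-bad-inputs",
      "Priority": 2,
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesKnownBadInputsRuleSet"
        }
      },
      "OverrideAction": { "None": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "baseline-known-bad-inputs"
      }
    },
    {
      "Name": "use-case-sqli",
      "Priority": 3,
      "Statement": {
        "ManagedRuleGroupStatement": {
          "VendorName": "AWS",
          "Name": "AWSManagedRulesSQLiRuleSet"
        }
      },
      "OverrideAction": { "Count": {} },
      "VisibilityConfig": {
        "SampledRequestsEnabled": true,
        "CloudWatchMetricsEnabled": true,
        "MetricName": "use-case-sqli"
      }
    }
  ]
}
```

Rules are evaluated in ascending priority order, so the cheap IP reputation check runs first. A managed rule group must be referenced with OverrideAction rather than Action, because the actions are defined inside the group; Count here turns the whole group into an observation-only rule, while RuleActionOverrides changes one rule at a time. Every rule group consumes web ACL capacity units (WCUs) and the total must stay within the web ACL's limit; check a group's capacity with aws wafv2 describe-managed-rule-group before adding it. Once the SQLi group's CountedRequests metric shows no false positives on your traffic, change its OverrideAction to None.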

Amazon CloudWatch metrics and alarms

Revisit your Amazon CloudWatch metrics and set up alarms as needed. The migration doesn't carry over your CloudWatch alarms, and the metric names that the migration generates for the new web ACL and its rules might not be the names you want. The new web ACL also publishes its metrics in the AWS/WAFV2 namespace rather than the namespace used by the old web ACL, so existing alarms and dashboards don't pick up the new metrics on their own.
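As an added example, not taken from the original page, the following alarm definition, in the shape accepted by aws cloudwatch put-metric-alarm --cli-input-json file://alarm.json, raises an alert when the migrated web ACL blocks more requests than expected in a five-minute window. The web ACL metric name, Region, threshold, account ID and SNS topic are assumed for illustration. The namespace, metric name and dimension names are the ones Amazon WAF publishes for web ACLs created in the new Amazon WAF.

```json
{
  "AlarmName": "example-migrated-web-acl-blocked-requests",
  "AlarmDescription": "Blocked request volume on the migrated web ACL exceeded the expected baseline",
  "Namespace": "AWS/WAFV2",
  "MetricName": "BlockedRequests",
  "Dimensions": [
    { "Name": "WebACL", "Value": "example-migrated-web-acl" },
    { "Name": "Region", "Value": "cn-north-1" },
    { "Name": "Rule", "Value": "ALL" }
  ],
  "Statistic": "Sum",
  "Period": 300,
  "EvaluationPeriods": 3,
  "DatapointsToAlarm": 2,
  "Threshold": 1000,
  "ComparisonOperator": "GreaterThanThreshold",
  "TreatMissingData": "notBreaching",
  "AlarmActions": [
    "arn:aws-cn:sns:cn-north-1:123456789012:waf-alerts"
  ]
}
```

Two details trip people up after a migration. The WebACL dimension value is the MetricName from the web ACL's VisibilityConfig, not the web ACL's name, so if the migration generated a metric name you didn't expect, the alarm must use that generated value (or you rename the metric first). The Rule dimension value ALL aggregates across every rule in the web ACL; to alarm on a single rule, use that rule's MetricName instead. For resources fronted by CloudFront, the Region dimension value is Global. A matching alarm on CountedRequests is useful while new rule groups run in count mode, because it shows you what they would have blocked.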

Review with your application team

Work with your application team and review your security posture together. Find out which request fields the application parses most often and add rules that constrain what those fields can carry, such as size limits or allowed character patterns. Check for edge cases that the application's business logic doesn't handle correctly, and add rules that catch those requests before they reach the application.
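The following is an added example, not part of the original page, of two application-specific rules of the kind this review produces, in the shape of the Rules list that aws wafv2 update-web-acl --rules file://rules.json accepts. The first rule constrains a frequently parsed field: it blocks JSON bodies whose /username value exceeds 64 bytes, and also blocks bodies that are not valid JSON or that exceed the body inspection limit, on the assumption that the endpoint only ever receives well-formed JSON of modest size. The second rule handles an edge case: the application expects the account_id query argument on /api/account to be numeric, so any request where that argument contains a non-digit is blocked before the application sees it. The paths, argument name, size limit, priorities and metric names are assumptions made for this example.

```json
[
  {
    "Name": "login-username-length",
    "Priority": 10,
    "Statement": {
      "SizeConstraintStatement": {
        "FieldToMatch": {
          "JsonBody": {
            "MatchPattern": { "IncludedPaths": ["/username"] },
            "MatchScope": "VALUE",
            "InvalidFallbackBehavior": "MATCH",
            "OversizeHandling": "MATCH"
          }
        },
        "ComparisonOperator": "GT",
        "Size": 64,
        "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
      }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "login-username-length"
    }
  },
  {
    "Name": "account-id-must-be-numeric",
    "Priority": 11,
    "Statement": {
      "AndStatement": {
        "Statements": [
          {
            "RegexMatchStatement": {
              "RegexString": "^/api/account(/|$)",
              "FieldToMatch": { "UriPath": {} },
              "TextTransformations": [ { "Priority": 0, "Type": "NORMALIZE_PATH" } ]
            }
          },
          {
            "RegexMatchStatement": {
              "RegexString": "[^0-9]",
              "FieldToMatch": { "SingleQueryArgument": { "Name": "account_id" } },
              "TextTransformations": [ { "Priority": 0, "Type": "URL_DECODE" } ]
            }
          }
        ]
      }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "account-id-must-be-numeric"
    }
  }
]
```

A few points worth checking before you deploy something like this. The second rule is written as a positive match on a non-digit rather than a negated match on an all-digit pattern, so a request that omits account_id entirely is not blocked; if the application also fails on a missing argument, add a separate rule for that case rather than inverting this one. URL_DECODE is applied before the regex so that an encoded letter such as %41 is still caught, and NORMALIZE_PATH keeps /api/./account from slipping past the path check. The path is matched with a RegexMatchStatement rather than a ByteMatchStatement so the fragment contains no binary SearchString field, whose encoding differs between the console's JSON editor and the CLI. Finally, update-web-acl replaces the entire rule list and requires the current LockToken, so merge these rules into the web ACL's existing rules rather than submitting them on their own, and run them with Action Count first to confirm they only match the traffic you intend.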

Plan the switchover

Plan the timing of the switch with your application team. The switch from the old web ACL association to the new one takes time to propagate to every location where your protected resources are served, from a few seconds to a number of minutes. During this time, some requests are processed by the old web ACL and others by the new one. Your resources remain protected throughout the switch, but you might notice inconsistent request handling until the propagation completes.

When you are ready to switch over, follow the procedure at Migrating a web ACL: switchover.