Rule group management for Amazon WAF policies
The web ACLs that are managed by Firewall Manager Amazon WAF policies contain three sets of rules. These sets provide a higher level of prioritization for the rules and rule groups in the web ACL:
First rule groups, defined by you in the Firewall Manager Amazon WAF policy. Amazon WAF evaluates these rule groups first.
Rules and rule groups that are defined by the account managers in the web ACLs. Amazon WAF evaluates any account-managed rules or rule groups next.
Last rule groups, defined by you in the Firewall Manager Amazon WAF policy. Amazon WAF evaluates these rule groups last.
Within each of these sets of rules, Amazon WAF evaluates rules and rule groups as usual, according to their priority settings within the set.
In the policy's first and last rule groups sets, you can only add rule groups and not individual rules. You can use managed rule groups, which Amazon Managed Rules and Amazon Web Services Marketplace sellers create and maintain for you. You can also manage and use your own rule groups. For more information about all of these options, see Amazon WAF rule groups.
If you want to use your own rule groups, you create those before you create your Firewall Manager Amazon WAF policy. For guidance, see Managing your own rule groups. To use an individual custom rule, you must define your own rule group, define your rule within that, and then use the rule group in your policy.
The first and last Amazon WAF rule groups that you manage through Firewall Manager have names that begin with PREFMManaged- or POSTFMManaged-, respectively, followed by the Firewall Manager policy name and the rule group creation timestamp, in UTC milliseconds. For example, PREFMManaged-MyWAFPolicyName-1621880555123.
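As an added example (not code from the Amazon documentation), the following Python parses rule group names in the PREFMManaged-/POSTFMManaged- format described above and orders a web ACL's rules into the three evaluation sets (first rule groups, account-managed rules, last rule groups). It assumes that the web ACL rules referencing Firewall Manager rule groups carry the same prefixed names; the sample rules are constructed.

```python
import re
from datetime import datetime, timezone

# Name format from the text: prefix, policy name, creation timestamp in UTC ms.
FM_NAME_RE = re.compile(r"^(PREFMManaged|POSTFMManaged)-(.+)-(\d{13})$")

# The three sets, in the order Amazon WAF evaluates them.
SET_ORDER = {"first": 0, "account": 1, "last": 2}


def parse_fm_rule_group_name(name):
    """Return (set_name, policy_name, created_utc) for a Firewall Manager
    managed rule group name, or None if the name is not FM-managed."""
    m = FM_NAME_RE.match(name)
    if not m:
        return None
    prefix, policy, ts_ms = m.groups()
    set_name = "first" if prefix == "PREFMManaged" else "last"
    created = datetime.fromtimestamp(int(ts_ms) / 1000, tz=timezone.utc)
    return set_name, policy, created


def classify(rule_name):
    """Map a web ACL rule name to its set: 'first', 'account' or 'last'.
    Assumption: non-prefixed names are account-managed rules."""
    parsed = parse_fm_rule_group_name(rule_name)
    return parsed[0] if parsed else "account"


def evaluation_order(rules):
    """Sort web ACL rules as Amazon WAF evaluates them: by set
    (first -> account-managed -> last), then by priority within the set."""
    return sorted(rules, key=lambda r: (SET_ORDER[classify(r["Name"])], r["Priority"]))


# Constructed sample shaped like a GetWebACL 'Rules' list; names and
# priorities are illustrative, not taken from a real account.
SAMPLE_RULES = [
    {"Name": "POSTFMManaged-MyWAFPolicyName-1621880555123", "Priority": 0},
    {"Name": "AccountRateLimit", "Priority": 5},
    {"Name": "PREFMManaged-MyWAFPolicyName-1621880555123", "Priority": 0},
    {"Name": "AccountGeoBlock", "Priority": 1},
]

if __name__ == "__main__":
    for r in evaluation_order(SAMPLE_RULES):
        print(classify(r["Name"]), r["Priority"], r["Name"])
```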
For information about how Amazon WAF evaluates web requests, see Using web ACLs with rules and rule groups in Amazon WAF.
Firewall Manager enables sampling and Amazon CloudWatch metrics for the rule groups that you define for the Amazon WAF policy.
Individual account owners have complete control over the metrics and sampling configuration for any rule or rule group that they add to the policy's managed web ACLs.