Amazon WAF rule groups - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Amazon WAF rule groups

A rule group is a reusable set of rules that you can add to a web ACL. For more information about web ACLs, see Amazon WAF web access control lists (web ACLs).

Rule groups fall into the following main categories:

  • Your own rule groups, which you create and maintain.

  • Managed rule groups that Amazon Managed Rules teams create and maintain for you.

  • Managed rule groups that Amazon Web Services Marketplace sellers create and maintain for you.

  • Rule groups that are owned and managed by other services like Amazon Firewall Manager and Shield Advanced.

Differences between rule groups and web ACLs

Rule groups and web ACLs both contain rules, which are defined in the same manner in both places. Rule groups differ from web ACLs in the following ways:

  • Rule groups can't contain rule group reference statements.

  • You can reuse a single rule group in multiple web ACLs by adding a rule group reference statement to each web ACL. You can't reuse a web ACL.

  • Rule groups don't have default actions. In a web ACL, you set a default action for each rule or rule group that you include. Each individual rule inside a rule group or web ACL has an action defined.

  • You don't directly associate a rule group with an Amazon resource. To protect resources using a rule group, you use the rule group in a web ACL.

  • Web ACLs have a system-defined maximum capacity of 5,000 web ACL capacity units (WCUs). Each rule group has a WCU setting that must be set at creation. You can use this setting to calculate the additional capacity requirements that using a rule group would add to your web ACL. For more information about WCUs, see Amazon WAF web ACL capacity units (WCUs).
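The differences listed above can be checked offline against rule group and web ACL definitions before deployment. The following Python sketch is an added example, not code from the Amazon WAF documentation. It assumes definitions in the JSON shape used by the WAFv2 API (`Rules`, `Statement`, `Capacity`, `DefaultAction`, `RuleGroupReferenceStatement`). The sample data, the placeholder ARNs, the function names, and the WCU cost supplied for the web ACL's own rule are all constructed for illustration.

```python
MAX_WEB_ACL_WCU = 5000  # system-defined web ACL maximum stated on this page

def find_statements(node, key):
    """Yield every value stored under `key` at any nesting depth."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key:
                yield v
            yield from find_statements(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from find_statements(item, key)

def lint_rule_group(group):
    """Return a list of violations of the rule group constraints listed above."""
    problems = []
    if "Capacity" not in group:
        problems.append("WCU capacity must be set at creation")
    if "DefaultAction" in group:
        problems.append("rule groups don't have default actions")
    for rule in group.get("Rules", []):
        nested = find_statements(rule.get("Statement", {}), "RuleGroupReferenceStatement")
        if any(True for _ in nested):
            problems.append(f"rule {rule['Name']!r} contains a rule group reference statement")
        if "Action" not in rule:
            problems.append(f"rule {rule['Name']!r} has no action defined")
    return problems

def web_acl_wcu(web_acl, groups_by_arn, own_rule_wcu):
    """Sum each referenced rule group's Capacity plus the caller-supplied WCU
    cost of the web ACL's own rules (own_rule_wcu: rule name -> WCUs, assumed)."""
    total = 0
    for rule in web_acl["Rules"]:
        ref = rule["Statement"].get("RuleGroupReferenceStatement")
        total += groups_by_arn[ref["ARN"]]["Capacity"] if ref else own_rule_wcu[rule["Name"]]
    return total

# Constructed sample definitions; the ARNs are placeholders.
GOOD = {"Name": "shared-blocklist", "Capacity": 50, "Rules": [
    {"Name": "block-bad-ips", "Action": {"Block": {}},
     "Statement": {"IPSetReferenceStatement": {"ARN": "arn:placeholder:ipset"}}}]}
BAD = {"Name": "nested", "Capacity": 10, "DefaultAction": {"Allow": {}}, "Rules": [
    {"Name": "wrap", "Action": {"Block": {}}, "Statement": {"NotStatement": {"Statement":
        {"RuleGroupReferenceStatement": {"ARN": "arn:placeholder:rg/shared"}}}}}]}
WEB_ACL = {"Name": "site", "DefaultAction": {"Allow": {}}, "Rules": [
    {"Name": "use-shared", "OverrideAction": {"None": {}},
     "Statement": {"RuleGroupReferenceStatement": {"ARN": "arn:placeholder:rg/shared"}}},
    {"Name": "geo", "Action": {"Block": {}},
     "Statement": {"GeoMatchStatement": {"CountryCodes": ["ZZ"]}}}]}
```

Comparing the result of `web_acl_wcu` with `MAX_WEB_ACL_WCU` shows how much capacity remains before another rule group is added to the web ACL.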

For information about rules, see Amazon WAF rules.

This section provides guidance for creating and managing your own rule groups, describes the managed rule groups that are available to you, and provides guidance for using managed rule groups.