Amazon WAF rule groups - Amazon WAF, Amazon Firewall Manager, Amazon Shield Advanced, and Amazon Shield network security director


Amazon WAF rule groups

This section explains what a rule group is and how it works.

A rule group is a reusable set of rules that you can add to a protection pack or web ACL. For more information about protection packs or web ACLs, see Configuring protection in Amazon WAF.

Rule groups fall into the following main categories:

  • Your own rule groups, which you create and maintain.

  • Managed rule groups that Amazon Managed Rules teams create and maintain for you.

  • Managed rule groups that Amazon Web Services Marketplace sellers create and maintain for you.

  • Rule groups that are owned and managed by other services like Amazon Firewall Manager and Shield Advanced.

Differences between rule groups and protection packs or web ACLs

Rule groups and protection packs or web ACLs both contain rules, which are defined in the same manner in both places. Rule groups differ from protection packs or web ACLs in the following ways:

  • Rule groups can't contain rule group reference statements.

  • You can reuse a single rule group in multiple protection packs or web ACLs by adding a rule group reference statement to each protection pack or web ACL. You can't reuse a protection pack or web ACL.

  • Rule groups don't have default actions. In a protection pack or web ACL, you set a default action for each rule or rule group that you include. Each individual rule inside a rule group or protection pack or web ACL has an action defined.

  • You don't directly associate a rule group with an Amazon resource. To protect resources using a rule group, you use the rule group in a protection pack or web ACL.

  • The system defines a maximum capacity of 5,000 web ACL capacity units (WCUs) for each protection pack or web ACL. Each rule group has a WCU setting that must be set at creation. You can use this setting to calculate the additional capacity that using a rule group would add to your protection pack or web ACL. For more information about WCUs, see Web ACL capacity units (WCUs) in Amazon WAF.
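
The constraints in the list above can be checked offline before a definition is deployed. The following is an added example, not code from the Amazon WAF documentation: it lints WAFv2-style JSON definitions for rule group references inside a rule group, missing actions, and misplaced default actions, and it sums the capacity that referenced rule groups add to a web ACL. The names, the `arn:EXAMPLE:...` ARNs, and the `own_rules_wcu` input are constructed placeholders and assumptions.

```python
MAX_WCU = 5000  # per protection pack or web ACL (limit stated on this page)

def statement_kinds(stmt):
    """Yield each statement type in a WAFv2-style statement, including nested ones."""
    for kind, body in stmt.items():
        yield kind
        nested = list(body.get("Statements", []))  # AndStatement / OrStatement children
        nested += [body[k] for k in ("Statement", "ScopeDownStatement") if k in body]
        for child in nested:
            yield from statement_kinds(child)

def lint_rule_group(group):
    """Return findings where a rule group breaks the constraints listed above."""
    findings = []
    if "DefaultAction" in group:
        findings.append(f"{group['Name']}: rule groups don't have default actions")
    if "Capacity" not in group:
        findings.append(f"{group['Name']}: WCU capacity must be set at creation")
    for rule in group["Rules"]:
        if "RuleGroupReferenceStatement" in statement_kinds(rule["Statement"]):
            findings.append(f"{group['Name']}/{rule['Name']}: rule group reference inside a rule group")
        if "Action" not in rule:
            findings.append(f"{group['Name']}/{rule['Name']}: no action defined")
    return findings

def added_wcu(acl, groups_by_arn):
    """Sum the Capacity of every rule group that the web ACL references."""
    total = 0
    for rule in acl["Rules"]:
        ref = rule["Statement"].get("RuleGroupReferenceStatement")
        if ref:
            total += groups_by_arn[ref["ARN"]]["Capacity"]
    return total

def fits(acl, groups_by_arn, own_rules_wcu):
    """own_rules_wcu: WCUs of the ACL's inline rules, supplied by the caller (assumption)."""
    return own_rules_wcu + added_wcu(acl, groups_by_arn) <= MAX_WCU

# Constructed sample definitions; names and ARNs are placeholders.
GEO = {"GeoMatchStatement": {"CountryCodes": ["CN"]}}
SHARED = {"Name": "shared-a", "ARN": "arn:EXAMPLE:rulegroup/shared-a", "Capacity": 1500,
          "Rules": [{"Name": "geo", "Statement": GEO, "Action": {"Block": {}}}]}
BAD = {"Name": "bad-b", "ARN": "arn:EXAMPLE:rulegroup/bad-b", "Capacity": 4000,
       "DefaultAction": {"Allow": {}},
       "Rules": [{"Name": "nested", "Action": {"Count": {}}, "Statement": {"OrStatement": {
           "Statements": [GEO, {"RuleGroupReferenceStatement": {"ARN": SHARED["ARN"]}}]}}}]}
GROUPS = {g["ARN"]: g for g in (SHARED, BAD)}
ACL = {"Name": "acl-1", "DefaultAction": {"Allow": {}}, "Rules": [
    {"Name": f"use-{g['Name']}", "OverrideAction": {"None": {}},
     "Statement": {"RuleGroupReferenceStatement": {"ARN": g["ARN"]}}} for g in (SHARED, BAD)]}
```

With the sample data, the web ACL that references both rule groups needs 5,500 WCUs and fails the capacity check, and `bad-b` is flagged for its default action and its nested rule group reference.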

For information about rules, see Amazon WAF rules.

This section provides guidance for creating and managing your own rule groups, describes the managed rule groups that are available to you, and provides guidance for using managed rule groups.