Statements that reference a set or a rule group - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Statements that reference a set or a rule group

Some rules use entities that are reusable and that are managed outside of your web ACLs, either by you, Amazon, or an Amazon Web Services Marketplace seller. When the reusable entity is updated, Amazon WAF propagates the update to your rule. For example, if you use an Amazon Managed Rules rule group in a web ACL, when Amazon updates the rule group, Amazon propagates the change to your web ACL, to update its behavior. If you use an IP set statement in a rule, when you update the set, Amazon WAF propagates the change to all rules that reference it, so any web ACLs that use those rules are kept up-to-date with your changes.

The following are the reusable entities that you can use in a rule statement.

  • IP sets – You create and manage your own IP sets. On the console, you can access these from the navigation pane. For information about managing IP sets, see IP sets and regex pattern sets in Amazon WAF.

  • Regex match sets – You create and manage your own regex match sets. On the console, you can access these from the navigation pane. For information about managing regex pattern sets, see IP sets and regex pattern sets in Amazon WAF.

  • Amazon Managed Rules rule groups – Amazon manages these rule groups. On the console, these are available for your use when you add a managed rule group to your web ACL. For more information about these, see Amazon Managed Rules rule groups list.

  • Amazon Web Services Marketplace managed rule groups – Amazon Web Services Marketplace sellers manage these rule groups and you can subscribe to them to use them. To manage your subscriptions, on the navigation pane of the console, choose Amazon Web Services Marketplace. The Amazon Web Services Marketplace managed rule groups are listed when you add a managed rule group to your web ACL. For rule groups that you haven't yet subscribed to, you can find a link to Amazon Web Services Marketplace on that page as well. For more information about Amazon Web Services Marketplace seller managed rule groups, see Amazon Web Services Marketplace managed rule groups.

  • Your own rule groups – You manage your own rule groups, usually when you need some behavior that isn't available through the managed rule groups. On the console, you can access these from the navigation pane. For more information, see Managing your own rule groups.

Deleting a referenced set or rule group

When you delete a referenced entity, Amazon WAF checks to see if it's currently being used in a web ACL. If Amazon WAF finds that it's in use, it warns you. Amazon WAF is almost always able to determine if an entity is being referenced by a web ACL. However, in rare cases, it might not be able to do so. If you need to be sure that the entity that you want to delete isn't in use, check for it in your web ACLs before deleting it.