Recognizing rule groups provided by other services - Amazon WAF, Amazon Firewall Manager, Amazon Shield Advanced, and Amazon Shield network security director



If you or an administrator in your organization uses Amazon Firewall Manager or Amazon Shield Advanced to manage resource protections using Amazon WAF, you might see rule group reference statements added to protection pack or web ACLs in your account.

The names of these rule groups begin with the following strings:

  • ShieldMitigationRuleGroup – These rule groups are managed by Amazon Shield Advanced and used to provide automatic application layer DDoS mitigation to protected application layer (layer 7) resources.

    When you enable automatic application layer DDoS mitigation for a protected resource, Shield Advanced adds one of these rule groups to the protection pack or web ACL that you have associated with the resource. Shield Advanced assigns the rule group reference statement a priority setting of 10,000,000, so that it runs after the rules that you have configured in the protection pack or web ACL. For more information about these rule groups, see Automating application layer DDoS mitigation with Shield Advanced.

    Warning

    Don't try to manually manage this rule group in your protection pack or web ACL. In particular, don't manually delete the ShieldMitigationRuleGroup rule group reference statement from your protection pack or web ACL. Doing this could have unintended consequences for all resources that are associated with the protection pack or web ACL. Instead, use Shield Advanced to disable automatic mitigation for the resources that are associated with the protection pack or web ACL. Shield Advanced will remove the rule group for you when it's not needed for automatic mitigation.

  • PREFMManaged and POSTFMManaged – These rule groups are managed by Amazon Firewall Manager based on Firewall Manager Amazon WAF policy configurations. Firewall Manager provides these rule groups inside protection pack or web ACLs that Firewall Manager manages.

    Firewall Manager creates protection pack or web ACLs for you with names that begin with FMManagedWebACLV2. You can configure Firewall Manager to retrofit your existing protection pack or web ACLs as well. For these, the protection pack or web ACL name is the one that you specified when you created it. In either case, Firewall Manager will add these rule groups to the protection pack or web ACL. For more information, see Using Amazon WAF policies with Firewall Manager.
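The following script is an added example, not code from the Amazon WAF documentation or from any Amazon service. It shows how an operator can inventory a web ACL and tell which rule group reference statements belong to Shield Advanced or Firewall Manager (by the name prefixes listed above) versus the rules the account configured itself, so that the service-managed ones are left alone. It assumes the JSON shape returned by `aws wafv2 get-web-acl` (a `WebACL` object with `Rules[]`, each having `Name`, `Priority` and `Statement`); the sample web ACL embedded below is constructed, its rule names follow the documented prefixes, and the ARNs and account ID are placeholders.

```python
"""Inventory a WAFv2 web ACL and flag rules owned by other Amazon services.

Added example, not part of the Amazon WAF documentation. Matching is done on
the rule-name prefixes the documentation lists; the web ACL JSON below is a
constructed sample shaped like `aws wafv2 get-web-acl` output, trimmed to the
fields this script reads. ARNs and the account ID are placeholders.
"""
import json

# Rule-name prefixes used by other services for the rule group reference
# statements they add to a protection pack or web ACL (from the documentation).
MANAGED_PREFIXES = {
    "ShieldMitigationRuleGroup": "Shield Advanced",
    "PREFMManaged": "Firewall Manager",
    "POSTFMManaged": "Firewall Manager",
}
OWN_RULE = "your account"

# Priority Shield Advanced assigns so its rule group runs after your rules.
SHIELD_PRIORITY = 10_000_000

# Web ACLs created by Firewall Manager have names starting with this prefix.
FM_WEB_ACL_PREFIX = "FMManagedWebACLV2"

# Constructed sample (not real get-web-acl output); ARNs are placeholders.
_PLACEHOLDER_ARN = "arn:aws-cn:wafv2:cn-north-1:111122223333:regional/rulegroup/PLACEHOLDER/PLACEHOLDER"
SAMPLE_WEB_ACL_JSON = json.dumps({
    "WebACL": {
        "Name": "FMManagedWebACLV2-example-policy-1700000000000",
        "Rules": [
            {"Name": "PREFMManaged-example-policy-1700000000000", "Priority": 0,
             "Statement": {"RuleGroupReferenceStatement": {"ARN": _PLACEHOLDER_ARN}},
             "OverrideAction": {"None": {}}},
            {"Name": "RateLimitPerIp", "Priority": 1,
             "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
             "Action": {"Block": {}}},
            {"Name": "POSTFMManaged-example-policy-1700000000000", "Priority": 2,
             "Statement": {"RuleGroupReferenceStatement": {"ARN": _PLACEHOLDER_ARN}},
             "OverrideAction": {"None": {}}},
            {"Name": "ShieldMitigationRuleGroup_111122223333_PLACEHOLDER", "Priority": 10000000,
             "Statement": {"RuleGroupReferenceStatement": {"ARN": _PLACEHOLDER_ARN}},
             "OverrideAction": {"None": {}}},
        ],
    }
})


def load_sample():
    """Return a fresh copy of the constructed sample web ACL as a dict."""
    return json.loads(SAMPLE_WEB_ACL_JSON)


def managing_service(rule_name):
    """Return the service that owns a rule by its name prefix, or None."""
    for prefix, service in MANAGED_PREFIXES.items():
        if rule_name.startswith(prefix):
            return service
    return None


def created_by_firewall_manager(web_acl):
    """True if the web ACL itself was created by Firewall Manager."""
    return web_acl["WebACL"]["Name"].startswith(FM_WEB_ACL_PREFIX)


def classify_rules(web_acl):
    """List every rule in evaluation (priority) order with its owner."""
    report = []
    for rule in sorted(web_acl["WebACL"]["Rules"], key=lambda r: r["Priority"]):
        report.append({
            "name": rule["Name"],
            "priority": rule["Priority"],
            "owner": managing_service(rule["Name"]) or OWN_RULE,
            "is_rule_group_reference": "RuleGroupReferenceStatement" in rule["Statement"],
        })
    return report


def do_not_touch(web_acl):
    """Names of rules that must be left to the owning service, not edited by hand."""
    return sorted(r["name"] for r in classify_rules(web_acl) if r["owner"] != OWN_RULE)


def ordering_warnings(web_acl):
    """Sanity checks on the documented placement of the Shield Advanced rule group."""
    rules = classify_rules(web_acl)
    shield = [r for r in rules if r["owner"] == "Shield Advanced"]
    warnings = []
    for r in shield:
        if r["priority"] != SHIELD_PRIORITY:
            warnings.append(f"{r['name']}: priority {r['priority']} differs from {SHIELD_PRIORITY}")
    if shield:
        for r in rules:
            if r["owner"] == OWN_RULE and r["priority"] >= SHIELD_PRIORITY:
                warnings.append(f"{r['name']}: runs after the Shield Advanced rule group")
    return warnings


if __name__ == "__main__":
    acl = load_sample()
    print("created by Firewall Manager:", created_by_firewall_manager(acl))
    for r in classify_rules(acl):
        print(f"{r['priority']:>9}  {r['owner']:<16} {r['name']}")
    print("leave alone:", do_not_touch(acl))
    print("warnings:", ordering_warnings(acl))
```

To run it against a real protection pack or web ACL, replace `load_sample()` with the parsed output of `aws wafv2 get-web-acl`; the functions only read `WebACL.Name` and `WebACL.Rules[]`. The ordering check is a local sanity check derived from the priority the documentation describes, not a service-provided validation.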