Introducing a new console experience for Amazon WAF
You can now use the updated experience to access Amazon WAF functionality anywhere in the console. For more details, see Working with the updated console experience.
Preparing for testing your Amazon WAF protections
This section describes how to get set up to test and tune your Amazon WAF protections.
Note
To follow the guidance in this section, you need to understand generally how to create and manage Amazon WAF protections like protection pack or web ACLs, rules, and rule groups. That information is covered in earlier sections of this guide.
To prepare for testing

- Enable protection pack or web ACL logging, Amazon CloudWatch metrics, and web request sampling for the protection pack or web ACL

  Use logging, metrics, and sampling to monitor the interaction of the protection pack or web ACL rules with your web traffic.

  - Logging – You can configure Amazon WAF to log the web requests that a protection pack or web ACL evaluates. You can send logs to CloudWatch Logs, an Amazon S3 bucket, or an Amazon Data Firehose delivery stream. You can redact fields and apply filtering. For more information, see Logging Amazon WAF protection pack or web ACL traffic.
  - Amazon Security Lake – You can configure Security Lake to collect protection pack or web ACL data. Security Lake collects log and event data from various sources for normalization, analysis, and management. For information about this option, see What is Amazon Security Lake? and Collecting data from Amazon services in the Amazon Security Lake user guide.
  - Amazon CloudWatch metrics – In your protection pack or web ACL configuration, provide metric specifications for everything that you want to monitor. You can view metrics through the Amazon WAF and CloudWatch consoles. For more information, see Monitoring with Amazon CloudWatch.
  - Web request sampling – You can view a sample of all web requests that your protection pack or web ACL evaluates. For information about web request sampling, see Viewing a sample of web requests.
- Set your protections to Count mode

  In your protection pack or web ACL configuration, switch anything that you want to test to Count mode. This causes the test protections to record matches against web requests without altering how the requests are handled. You'll be able to see the matches in your metrics, logs, and sampled requests, to verify the match criteria and to understand what the effects might be on your web traffic. Rules that add labels to matching requests will add labels regardless of the rule action.

  - Rule defined in the protection pack or web ACL – Edit the rules in the protection pack or web ACL and set their actions to Count.
  - Rule group – In your protection pack or web ACL configuration, edit the rule statement for the rule group and, in the Rules pane, open the Override all rule actions dropdown and choose Count. If you manage the protection pack or web ACL in JSON, add the rules to the RuleActionOverrides settings in the rule group reference statement, with ActionToUse set to Count. The following example listing shows overrides for two rules in the AWSManagedRulesAnonymousIpList Amazon Managed Rules rule group.

```json
"ManagedRuleGroupStatement": {
    "VendorName": "AWS",
    "Name": "AWSManagedRulesAnonymousIpList",
    "RuleActionOverrides": [
      {
        "ActionToUse": {
          "Count": {}
        },
        "Name": "AnonymousIPList"
      },
      {
        "ActionToUse": {
          "Count": {}
        },
        "Name": "HostingProviderIPList"
      }
    ],
    "ExcludedRules": []
  }
},
```

    For more information about rule action overrides, see Overriding rule actions in a rule group.

    For your own rule group, don't modify the rule actions in the rule group itself. Rule group rules with Count action don't generate the metrics or other artifacts that you need for your testing. In addition, changing a rule group affects all protection packs or web ACLs that use it, while the changes inside the protection pack or web ACL configuration only affect the single protection pack or web ACL.
  - Protection pack or web ACL – If you're testing a new protection pack or web ACL, set the default action for the protection pack or web ACL to allow requests. This lets you try out the web ACL without affecting traffic in any way.
In general, count mode generates more matches than production. This is because a rule that counts requests doesn't stop the evaluation of the request by the protection pack or web ACL, so rules that run later in the protection pack or web ACL might also match the request. When you change your rule actions to their production settings, rules that allow or block requests will terminate the evaluation of requests that they match. As a result, matching requests will generally be inspected by fewer rules in the protection pack or web ACL. For more information about the effects of rule actions on the overall evaluation of a web request, see Using rule actions in Amazon WAF.
With these settings, your new protections won't alter web traffic, but will generate match information in metrics, protection pack or web ACL logs, and request samples.
- Associate the protection pack or web ACL with a resource

  If the protection pack or web ACL isn't already associated with the resource, associate it. See Associating or disassociating protection with an Amazon resource.
You're now ready to monitor and tune your protection pack or web ACL.
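The following added example (not part of this guide) shows the Count-mode preparation above applied to a web ACL definition in the JSON shape the Amazon WAF API uses: it sets the default action to Allow, switches the web ACL's own rules to Count, adds RuleActionOverrides inside the rule group reference rather than touching the rule group, enables metrics and sampling, and then checks that nothing left in the configuration can still alter traffic. The sample web ACL and the function names are constructed for illustration.

```python
import copy

# Constructed sample web ACL (an assumption for illustration, not a real config):
# one rule of its own plus a reference to a managed rule group.
SAMPLE_WEB_ACL = {
    "Name": "shop-acl", "DefaultAction": {"Block": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": False,
                         "CloudWatchMetricsEnabled": False, "MetricName": "shopAcl"},
    "Rules": [
        {"Name": "block-admin-path", "Priority": 0, "Action": {"Block": {}},
         "Statement": {"ByteMatchStatement": {
             "FieldToMatch": {"UriPath": {}}, "PositionalConstraint": "STARTS_WITH",
             "SearchString": "/admin",
             "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}},
         "VisibilityConfig": {"SampledRequestsEnabled": False,
                              "CloudWatchMetricsEnabled": False, "MetricName": "blockAdmin"}},
        {"Name": "anon-ip-list", "Priority": 1, "OverrideAction": {"None": {}},
         "Statement": {"ManagedRuleGroupStatement": {
             "VendorName": "AWS", "Name": "AWSManagedRulesAnonymousIpList",
             "ExcludedRules": []}},
         "VisibilityConfig": {"SampledRequestsEnabled": False,
                              "CloudWatchMetricsEnabled": False, "MetricName": "anonIp"}},
    ],
}

def to_count_mode(web_acl, rule_group_rules):
    """Return a test-ready copy: default action Allow, own rules set to Count,
    rule group references given RuleActionOverrides (Count) for the rule names in
    rule_group_rules (keyed by web ACL rule name), metrics and sampling enabled."""
    acl = copy.deepcopy(web_acl)           # never mutate the caller's configuration
    acl["DefaultAction"] = {"Allow": {}}
    acl["VisibilityConfig"].update(SampledRequestsEnabled=True, CloudWatchMetricsEnabled=True)
    for rule in acl["Rules"]:
        rule["VisibilityConfig"].update(SampledRequestsEnabled=True, CloudWatchMetricsEnabled=True)
        stmt = rule["Statement"]
        ref = stmt.get("ManagedRuleGroupStatement") or stmt.get("RuleGroupReferenceStatement")
        if ref is None:
            rule["Action"] = {"Count": {}}  # rule defined in the web ACL itself
        else:                               # override inside the web ACL, not in the group
            ref["RuleActionOverrides"] = [{"Name": n, "ActionToUse": {"Count": {}}}
                                          for n in rule_group_rules.get(rule["Name"], [])]
    return acl

def alters_traffic(acl):
    """True if any setting could still allow or block requests during the test.
    Assumes any RuleActionOverrides present cover every rule in the group."""
    if "Allow" not in acl["DefaultAction"]:
        return True
    for rule in acl["Rules"]:
        if "Action" in rule and "Count" not in rule["Action"]:
            return True
        for key in ("ManagedRuleGroupStatement", "RuleGroupReferenceStatement"):
            ref = rule["Statement"].get(key)
            if ref is not None and "Count" not in rule.get("OverrideAction", {}) \
                    and not ref.get("RuleActionOverrides"):
                return True                 # group rules still run with their own actions
    return False
```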