Introduction to AWS WAF Managed Rules

[Contents]

  1. Introduction
  2. What is Managed Rules?
  3. Pros
  4. Cons
  5. Misunderstandings about Managed Rules
  6. Conclusion

1. Introduction

Users of “WafCharm” often send us questions and comments such as the following:
“What’s the difference between WafCharm and Managed Rules?”
“It’s really hard to effectively use Managed Rules.”
“Can we use both WafCharm and Managed Rules?”
etc...

In this blog post, we introduce the pros and cons of Managed Rules and clear up the doubts users commonly have about WafCharm and Managed Rules.
 

2. What is Managed Rules?

Managed rules for AWS Web Application Firewall (WAF) are a set of rules written, curated and managed by AWS Marketplace Sellers that can be easily deployed in front of your web applications running on AWS Application Load Balancers or Amazon CloudFront. Currently (as of Aug. 2019), only trusted security vendors such as F5, Imperva, TrendMicro, Fortinet and Trustwave, along with Cyber Security Cloud, sell Managed Rules on AWS Marketplace.
With these managed rules, you can quickly and inexpensively get started and protect your web application or APIs against common threats like the OWASP Top 10 security risks, threats specific to Content Management Systems (CMS) like WordPress or Joomla, or even emerging Common Vulnerabilities and Exposures (CVE) without having to manage infrastructure.

AWS WAF is self-service, so you not only have to write your own rules to defend your system from attacks, you also have to update and maintain them on a regular basis. For these reasons, most users consider AWS WAF on its own hard to use.
However, with the introduction of Managed Rules, AWS WAF has become much easier to use.
For more details, visit the Managed Rules page on our website.
 

3. Pros

✔︎ Low cost
With pay-as-you-go pricing, AWS WAF Managed Rules are very cheap to use. The usage cost consists of:

  • Cost of the rule itself: Ranges from hundreds to several thousand yen
  • Cost per million web requests: Ranges from tens to hundreds of yen

The sum of the "Cost of the rule itself" and the "Cost per million web requests" is the total cost of Managed Rules.

The least expensive rules can be used from a few hundred yen!
This price range is overwhelmingly cheap compared to appliance-type WAF and SaaS-type WAF!!

✔︎ No need to write rules yourself. Just choose them.
・You can start using them immediately by choosing the Managed Rules you want.
・You can learn more about how quickly you can start using Managed Rules in a future article on our blog page.

 

4. Cons

✖︎ The rules inside Managed Rules are a black box, so users are unable to see or change them.
・The rules are predefined (a black box). If you create AWS WAF rules yourself, the contents of the rules are known (a white box) and the reason behind a detection can be confirmed. With Managed Rules, however, the rules are predefined and their contents are unknown.

✖︎ Cannot change individual rules.
・When a false positive occurs, it is necessary to change the action of the entire Managed Rules from “BLOCK” to “COUNT”. You can’t change the action of only the single rule in Managed Rules that caused the false positive.

✖︎ It is unclear how much help customer support can provide with a problem.
・It is unclear how far support will go when a false positive occurs.
・Support is available only in English. No Japanese language support for local users in Japan.
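
The switch from “BLOCK” to “COUNT” described above, as an added example that is not part of the original article or WafCharm's own code. It assumes the AWS WAF Classic API that was current when the article was written (Aug. 2019), where a Managed Rules entry in a web ACL is a rule of type GROUP with an OverrideAction; the rule IDs and the sample web ACL are constructed placeholders.

```python
import copy

# Constructed sample: the "Rules" list of a web ACL in the shape the
# AWS WAF Classic GetWebACL call returns it. All IDs are placeholders.
SAMPLE_RULES = [
    {"Priority": 1, "RuleId": "example-custom-rule",
     "Type": "REGULAR", "Action": {"Type": "BLOCK"}},
    {"Priority": 2, "RuleId": "example-managed-rule-group",
     "Type": "GROUP", "OverrideAction": {"Type": "NONE"}},
]


def count_override_updates(rules, rule_group_id):
    """Build the Updates list that switches one rule group to COUNT.

    A rule group entry carries OverrideAction instead of Action:
    NONE applies the actions the seller set inside the group,
    COUNT only counts matching requests. The entry is replaced by
    deleting it and inserting the modified copy.
    """
    for rule in rules:
        if rule["RuleId"] != rule_group_id:
            continue
        if rule.get("Type") != "GROUP":
            raise ValueError(f"{rule_group_id} is not a rule group")
        if rule["OverrideAction"]["Type"] == "COUNT":
            return []  # already in count mode, nothing to change
        counted = copy.deepcopy(rule)
        counted["OverrideAction"] = {"Type": "COUNT"}
        return [
            {"Action": "DELETE", "ActivatedRule": rule},
            {"Action": "INSERT", "ActivatedRule": counted},
        ]
    raise KeyError(f"{rule_group_id} is not attached to this web ACL")


if __name__ == "__main__":
    updates = count_override_updates(SAMPLE_RULES, "example-managed-rule-group")
    # With boto3 the list would be sent as:
    #   waf.update_web_acl(WebACLId=..., ChangeToken=..., Updates=updates)
    for u in updates:
        print(u["Action"], u["ActivatedRule"]["OverrideAction"])
```

While the group is in COUNT it no longer blocks anything, so the rest of the web ACL has to carry the protection until the override is set back to NONE.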

 

5. Misunderstandings about Managed Rules

▼No need to manage all the rules since they are automatically updated
・Managed Rules Sellers automatically update their Managed Rules from time to time, so there is no need to manage those rules. However, if you have created rules of your own within AWS WAF, you will need to update them yourself.

▼New vulnerabilities will automatically be taken care of
・Each set of Managed Rules has a concept, such as "Managed Rules for OWASP Top 10" or "Managed Rules for WordPress". If a new vulnerability falls outside that concept, the Managed Rules won't be updated for it, and users will have to create their own rules to keep their web applications secure.

In other words, you have to handle by yourself everything that the Managed Rules vendors do not cover.
 

6. Conclusion

AWS WAF Managed Rules is cheap and easy to implement and you can start protecting your web applications immediately.