Waf Charm

How to choose AWS Managed Rules

This post was originally written in Japanese.

On March 6th, 2020, the Anonymous IP List was added to AWS Managed Rules. It is not included in the tables below; please refer to the post below for more information.
Configure the Anonymous IP List settings in the AWS Management Console

Table of Contents

  1. Introduction
  2. What are Managed Rules?
  3. Types of AWS Managed Rules
  4. Explanations of AWS Managed Rules
  5. Combinations of AWS Managed Rules
  6. Conclusion

1. Introduction

On November 25th, 2019, AWS WAF was updated, and AWS Managed Rules were released at the same time. AWS Managed Rules consist of several rule groups, so you have to choose which ones to use.
In this post, we explain how to choose which AWS Managed Rules to apply.

*Some details differ depending on the AWS WAF version you use. In this post, "AWS WAF Classic" refers to the previous version of AWS WAF and "AWS WAF" refers to the new version.

2. What are Managed Rules?

Managed rules are ready-made rulesets you can use on both AWS WAF Classic and AWS WAF.
Several security vendors, including us, sell managed rules, and AWS has now released managed rules of its own. With managed rules you attach a ruleset and your environment is protected immediately, without writing rules yourself. Vendor rulesets have been sold for AWS WAF Classic for some time; with the newly released AWS Managed Rules, rulesets are available for AWS WAF as well.
*Rulesets are attached separately for each AWS WAF version. A ruleset you purchased from a security vendor for AWS WAF Classic may be specific to AWS WAF Classic and not available for AWS WAF.

3. Types of AWS Managed Rules

AWS Managed Rules are provided as the following rule groups.

Name                       Capacity (WCU)
Core Rule Set              700
Admin Protection           100
Known Bad Inputs           200
SQL Database               200
Linux Operating System     200
POSIX Operating System     100
Windows Operating System   200
PHP Application            100
WordPress Application      100
Amazon IP Reputation        25

The new AWS WAF measures the cost of rules in web ACL capacity units (WCU), and the limit AWS WAF Classic had (a maximum of 10 rules per web ACL) no longer applies.
Please refer to the post below for more information.
Part 1: [New AWS WAF] Summary of Changes

The default capacity of a web ACL is 1,500 WCU. The rule groups above add up to 1,925 WCU, so you cannot apply all of them at once. The rest of this post explains how to choose which rule groups to apply.

4. Explanations of AWS Managed Rules

The individual rules inside the managed rule groups are not published, so we cannot know exactly what each rule does.
In the list below, we describe each rule group based on the official information AWS has provided.
AWS Managed Rules rule groups list

  • Core Rule Set
    Contains general rules applicable to most web applications. It protects against a wide range of vulnerabilities, including those described in OWASP publications and in Common Vulnerabilities and Exposures (CVE) entries.
  • Admin Protection
    Contains rules that block external access to exposed administrative pages.
    Useful if you run third-party software or want to reduce the risk of an attacker gaining administrative access to an application.
  • Known Bad Inputs
    Contains rules that block request patterns known to be invalid and associated with exploitation or discovery of vulnerabilities. It reduces the risk of a malicious actor finding a vulnerable application.
  • SQL Database
    Contains rules that block request patterns associated with the exploitation of SQL databases, such as SQL injection attacks. It helps prevent remote injection of unauthorized queries.
  • Linux Operating System
    Contains rules that block request patterns associated with the exploitation of vulnerabilities specific to Linux, including Local File Inclusion (LFI) attacks. It helps prevent attacks that expose file contents or execute code the attacker should not be able to run.
  • POSIX Operating System
    Contains rules that block request patterns associated with the exploitation of vulnerabilities specific to POSIX and POSIX-like operating systems, including Local File Inclusion (LFI) attacks. It helps prevent attacks that expose file contents or execute code the attacker should not be able to run.
  • Windows Operating System
    Contains rules that block request patterns associated with the exploitation of vulnerabilities specific to Windows (e.g. remote execution of PowerShell commands). It helps prevent attackers from running unauthorized or malicious code.
  • PHP Application
    Contains rules that block request patterns associated with the exploitation of vulnerabilities specific to PHP, such as injection of unsafe PHP functions. It helps prevent attackers from remotely running code or commands.
  • WordPress Application
    Contains rules that block request patterns associated with the exploitation of vulnerabilities specific to WordPress sites.
  • Amazon IP Reputation
    Contains rules based on Amazon's internal threat intelligence. Useful for blocking source IP addresses that are associated with other threats.

5. Combinations of AWS Managed Rules

Based on the summary of AWS Managed Rules above, we have categorized the rule groups into a common set that should always be applied and sets to choose from according to your environment, and built the table below to illustrate the combinations.

Name                       Required  OS  App  Capacity (WCU)
Core Rule Set              ◎                  700
Admin Protection                         ▲    100
Known Bad Inputs           ◎                  200
SQL Database               ◎                  200
Linux Operating System               △        200
POSIX Operating System               △        100
Windows Operating System             △        200
PHP Application                          ▲    100
WordPress Application                    ▲    100
Amazon IP Reputation       ◎                   25

Set                                        Required WCU  OS WCU  App WCU  Total
Linux Full Set (◎ + △ + ▲*3)               1,125         200     300      1,625
Recommended Set with Linux (◎ + △)         1,125         200       0      1,325
Admin, Linux, WordPress Set (◎ + △ + ▲)    1,125         200     100      1,425

  • ◎: Recommended; always apply
  • △: Select one of the rule groups with this symbol (the OS you run on)
  • ▲: Select depending on your environment

The recommended set (the rule groups marked ◎: Core Rule Set, Known Bad Inputs, SQL Database and Amazon IP Reputation, 1,125 WCU in total) is enough for basic protection.
Add one OS rule group (△) for your platform and application rule groups (▲) according to your environment. Note that the Linux Full Set (1,625 WCU) already exceeds the default web ACL capacity of 1,500 WCU.

Managed rules alone are not enough to operate a WAF; you will also need rules of your own. Reserve capacity for at least the following:

  • Whitelist: an allow list of trusted source IP addresses (IP set match rule, WCU: 1)
  • Blacklist: a block list of source IP addresses (IP set match rule, WCU: 1)
  • Other custom rules

*If you need more capacity, you can request a WCU limit increase from AWS Support.

*In a session at re:Invent 2019, AWS recommended multi-layer protection: for example, apply the recommended managed rule groups described above to the web ACL attached to CloudFront, and attach another web ACL with the OS- and application-specific rule groups to the ALB or API Gateway behind it.

Many managed rulesets from security vendors are not split into small groups, so applying a single vendor ruleset is also an option. Consider adding them to your list of candidate rulesets.

6. Conclusion

Managed rules are easy to deploy without in-depth security knowledge. However, because the individual rules are not published, it can be difficult to tune them when false positives occur.
In that case, we recommend using COUNT mode: the action of individual rules inside a managed rule group can be overridden to COUNT, so a rule that causes false positives is only logged while the rest of the group keeps blocking.
Managed rules from security vendors usually come with vendor support, which is worth considering for operational reasons as well.