Waf Charm

Version control feature is now offered for managed rules

This post was originally written in Japanese.

Table of Contents

  1. Introduction
  2. What are managed rules?
  3. How to switch versions
  4. How to receive update notifications
  5. Expiration date for versions
  6. Conclusion

1. Introduction

The versioning feature for managed rules was released on August 9th, 2021 (PDT).
Before this feature, managed rules were updated without users being notified. Now AWS or the vendor notifies users of each update and what it changes, so users can choose which version to apply based on that information.

AWS WAF now offers managed rule group versioning

2. What are managed rules?

Let's go over the basics of managed rules before we get to the main topic.
Managed rules are pre-defined rulesets you can apply to a web ACL without writing your own rules.

There are many rulesets provided by AWS and by other security vendors, including Cyber Security Cloud (CSC). Most of the managed rules created by AWS are free to use; rules from other vendors are subscribed to through AWS Marketplace for a fee.

The benefit of managed rules is their ease of use: you can start using them simply by applying them to your web ACL.
The disadvantage is that you have little room to adjust individual rules when false positives occur.

Please also refer to the blog posts about the managed rules listed below.

3. How to switch versions

Open the managed rule group applied to your web ACL and click [Edit].

Select the version you want to use in the [Version] field.

If you choose the "Default" option, the version recommended by the vendor is applied automatically. If you want to avoid false positives caused by unintended rule updates, select a specific version instead of Default so that the version you use stays fixed.
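Pinning can also be checked and applied outside the console. The following script is an added example, not WafCharm's or AWS's code: it walks the rule list in the shape that the wafv2 `get_web_acl()` API returns, reports which managed rule groups are on Default and which pinned versions have fallen behind the vendor's current default (the value `list_available_managed_rule_group_versions()` returns as `CurrentDefaultVersion`), and builds a pinned statement for `update_web_acl()`. The web ACL and version data are constructed samples so it runs offline.

```python
"""Audit managed rule groups in an AWS WAF web ACL for version pinning. Added
example (not WafCharm's or AWS's code); sample data is constructed, runs offline."""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample web ACL. A ManagedRuleGroupStatement with no "Version"
# key means the vendor's Default version is applied automatically.
SAMPLE_WEB_ACL = {"Name": "example-acl", "Rules": [
    {"Name": "aws-common", "Priority": 0, "Statement": {"ManagedRuleGroupStatement": {
        "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet",
        "Version": "Version_1.1"}}},
    {"Name": "aws-sqli", "Priority": 1, "Statement": {"ManagedRuleGroupStatement": {
        "VendorName": "AWS", "Name": "AWSManagedRulesSQLiRuleSet"}}},
]}
# Constructed stand-in for list_available_managed_rule_group_versions():
# (vendor, rule group name) -> CurrentDefaultVersion the vendor recommends.
SAMPLE_DEFAULTS = {
    ("AWS", "AWSManagedRulesCommonRuleSet"): "Version_1.2",
    ("AWS", "AWSManagedRulesSQLiRuleSet"): "Version_1.0",
}

@dataclass
class RuleGroupStatus:
    rule: str
    vendor: str
    name: str
    pinned: Optional[str]  # None: Default, so vendor updates land without any change here
    current_default: str

    def behind_default(self) -> bool:
        """True when the pin differs from the vendor default: an update awaits testing."""
        return self.pinned is not None and self.pinned != self.current_default

def managed_rule_groups(web_acl: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (rule name, ManagedRuleGroupStatement) for each top-level rule."""
    for rule in web_acl.get("Rules", []):
        stmt = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
        if stmt:
            yield rule["Name"], stmt

def audit(web_acl: dict, defaults: Dict[Tuple[str, str], str]) -> List[RuleGroupStatus]:
    """Compare each managed rule group's pinned version with the vendor default."""
    return [RuleGroupStatus(rule, s["VendorName"], s["Name"], s.get("Version"),
                            defaults[(s["VendorName"], s["Name"])])
            for rule, s in managed_rule_groups(web_acl)]

def pin_version(stmt: dict, version: str) -> dict:
    """Copy of the statement fixed to `version`, ready to pass to update_web_acl()."""
    return {**stmt, "Version": version}
```

Against a live account, replace the two samples with the output of `get_web_acl()` and one `list_available_managed_rule_group_versions()` call per rule group; a `behind_default()` result of True is the cue to test the newer version before moving the pin.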

4. How to receive update notifications

Notifications are delivered via Amazon SNS.
You can receive them in many ways: besides email notifications, you could forward them to Slack or trigger Lambda to run follow-up processing.

When you click [Edit] for a managed rule group on the web ACL editing page, there is a link to the Amazon SNS subscription page.

You complete the configuration by entering the topic ARN and the recipient of the notifications in Amazon SNS, but you need to be in the correct region to subscribe to the SNS topic successfully.
After opening the subscription page, switch your management console to the region where the topic ARN is located (in this case, us-east-1) before creating the subscription.

If the regions differ, you will see an error message and will not be able to complete the process.

5. Expiration date for versions

In many cases, a version has an expiration date, although depending on the ruleset there may be none at all.
Check the ruleset description or contact the vendor to find out what happens when the version you are using expires.

6. Conclusion

This new feature is helpful for users who want to stay aware of possible false positives caused by rule changes. You can fix the version you use while testing the updates in parallel, and move to the latest version only once it has been verified.

Because version expiration dates are controlled by the vendors, if you would rather avoid the cycle of updating and testing rules, you can choose the Default option. This lets you use managed rules just as you did before this feature was introduced.

Managed rules provided by CSC will also be updated to support this new feature.