AWS Managed Rules for AWS WAF
AWS Managed Rules for AWS WAF is a managed service that provides protection against common application vulnerabilities or other unwanted traffic, without having to write your own rules. You have the option of selecting one or more rule groups from AWS Managed Rules for each web ACL, up to the allowed maximum web ACL capacity unit (WCU) limit. You can choose whether to count (monitor) or block requests that are matched by the managed rules.
As a best practice, before using a rule group in production, test it in a non-production environment, with the action override set to count. Evaluate the rule group using Amazon CloudWatch metrics combined with AWS WAF sampled requests or AWS WAF logs. When you're satisfied that the rule group does what you want, remove the override on the group.
Mitigating False Positive Scenarios
If you are encountering false-positive scenarios with AWS Managed Rules rule groups, perform the following steps:
1. In the web ACL configuration, override the actions in the rules of the rule groups, putting them into count (alert) mode. This stops them from blocking legitimate traffic.
2. Use either AWS WAF sampled requests or AWS WAF logs to identify which AWS Managed Rules rule group is triggering the false positive. You can identify the AWS Managed Rules rule group by looking at the ruleGroupId field in the log or the RuleWithinRuleGroup in the sampled request. The rule name follows this pattern: AWS#<AMR RuleGroup Name>#<AMR Rule Name>.
3. On the AWS WAF console, edit the web ACL, locate the AWS Managed Rules rule group that you've identified, remove your count override for the rules that aren't causing the false positive, and leave the rule that is causing the false positive in count mode.
For more information about a rule in an AWS Managed Rules rule group, contact the AWS Support Center.
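The following is an added example for this page, not code from the AWS documentation. It shows step 2 of the procedure above in working form: parsing AWS WAF log records, collecting every managed-rule match (both the terminating block and the non-terminating count matches you get after a count override) per ruleGroupId and ruleId, and flagging the rules that fired on paths you know to be legitimate. The log records are constructed for the example: they follow the field layout of AWS WAF web ACL logs (ruleGroupList, terminatingRule, nonTerminatingMatchingRules, httpRequest, labels), but every value in them is made up.

```python
"""Triage AWS WAF logs to see which AWS Managed Rules rule matched, and where.

Added example, not code from the AWS documentation. The log lines in
SAMPLE_LOG_LINES are constructed; their field layout follows the AWS WAF
web ACL log format, their values do not come from any real web ACL.
"""
import json
from collections import Counter, defaultdict

WEBACL = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example/0f1e2d3c"  # constructed
CRS = "AWS#AWSManagedRulesCommonRuleSet"
KBI = "AWS#AWSManagedRulesKnownBadInputsRuleSet"
SIZE_LABEL = "awswaf:managed:aws:core-rule-set:SizeRestrictions_Body"
LOG4J_LABEL = "awswaf:managed:aws:known-bad-inputs:Log4JRCE_QUERYSTRING"


def _rec(action, group, term, nonterm, uri, method, ip, args, labels):
    """Build one constructed log record in the AWS WAF log layout."""
    group_list = []
    if group is not None:
        group_list.append({
            "ruleGroupId": group,
            "terminatingRule": {"ruleId": term, "action": "BLOCK"} if term else None,
            "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in nonterm],
        })
    return json.dumps({
        "timestamp": 1700000000000,
        "formatVersion": 1,
        "webaclId": WEBACL,
        "terminatingRuleId": ("AWS-" + group.split("#")[1]) if term else "Default_Action",
        "terminatingRuleType": "MANAGED_RULE_GROUP" if term else "REGULAR",
        "action": action,
        "ruleGroupList": group_list,
        "httpRequest": {"clientIp": ip, "uri": uri, "httpMethod": method, "args": args},
        "labels": [{"name": name} for name in labels],
    })


# Constructed sample: a large legitimate upload blocked by the CRS body-size rule,
# the same rule after a count override (request allowed, match still recorded),
# a real Log4j probe blocked by Known bad inputs, and one clean request.
SAMPLE_LOG_LINES = [
    _rec("BLOCK", CRS, "SizeRestrictions_BODY", [], "/api/upload", "POST", "203.0.113.10", "", [SIZE_LABEL]),
    _rec("ALLOW", CRS, None, ["SizeRestrictions_BODY"], "/api/upload", "POST", "203.0.113.11", "", [SIZE_LABEL]),
    _rec("BLOCK", KBI, "Log4JRCE_QUERYSTRING", [], "/login", "GET", "198.51.100.7",
         "q=%24%7Bjndi%3Aldap%3A%2F%2Fexample.com%2F%7D", [LOG4J_LABEL]),
    _rec("ALLOW", None, None, [], "/", "GET", "192.0.2.5", "", []),
]


def parse_waf_log(lines):
    """Parse newline-delimited JSON log records, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def managed_rule_matches(records):
    """Group matches by (ruleGroupId, ruleId) -> {action: count, uris, clients}.

    Terminating (block) and non-terminating (count) matches are both collected,
    which is what you need to judge a rule group that you have put in count mode.
    """
    summary = defaultdict(lambda: {"BLOCK": 0, "COUNT": 0, "uris": set(), "clients": set()})
    for rec in records:
        req = rec.get("httpRequest", {})
        for group in rec.get("ruleGroupList") or []:
            matched = [group["terminatingRule"]] if group.get("terminatingRule") else []
            matched += group.get("nonTerminatingMatchingRules") or []
            for rule in matched:
                entry = summary[(group["ruleGroupId"], rule["ruleId"])]
                entry[rule["action"]] = entry.get(rule["action"], 0) + 1
                entry["uris"].add(req.get("uri"))
                entry["clients"].add(req.get("clientIp"))
    return dict(summary)


def rules_hitting_paths(summary, legitimate_paths):
    """Rules that matched requests to paths you know are legitimate: false-positive candidates."""
    legit = set(legitimate_paths)
    return sorted(key for key, entry in summary.items() if entry["uris"] & legit)


def labels_seen(records):
    """Count the labels the managed rule groups added, for use in label match rules."""
    return Counter(label["name"] for rec in records for label in rec.get("labels") or [])


if __name__ == "__main__":
    summary = managed_rule_matches(parse_waf_log(SAMPLE_LOG_LINES))
    for (group_id, rule_id), entry in sorted(summary.items()):
        print(group_id, rule_id, "BLOCK", entry["BLOCK"], "COUNT", entry["COUNT"], sorted(entry["uris"]))
    print("candidates:", rules_hitting_paths(summary, ["/api/upload"]))
```

Run against your own log export instead of SAMPLE_LOG_LINES (for example, one JSON record per line from the Amazon S3 or CloudWatch Logs destination). The candidate list is only a starting point: a rule matching on a legitimate path still has to be checked against the request details before you decide it is a false positive rather than an attack against that path.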
AWS Managed Rules rule groups list
This section describes the most recent versions of the AWS Managed Rules rule groups. You see these on the console when you add a managed rule group to your web ACL. Through the API, you can retrieve this list along with the AWS Marketplace managed rule groups that you're subscribed to by calling ListAvailableManagedRuleGroups.
Note: For information about retrieving an AWS Managed Rules rule group's versions, see Retrieving the available versions for a managed rule group (p. 29).
All AWS Managed Rules rule groups support labeling, and the rule listings in this section include label specifications. You can retrieve the labels for a managed rule group through the API by calling DescribeManagedRuleGroup. The labels are listed in the AvailableLabels property in the response. For information about labeling, see Labels on web requests (p. 95).
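The following is an added example for this page, not code from the AWS documentation. It ties the false-positive procedure above to the labels described here: it builds the Rules entries of a wafv2 web ACL (the JSON shape accepted by CreateWebACL and UpdateWebACL; no AWS call is made) in which a managed rule group keeps its own actions except for one rule switched to count, and a label match rule placed after the group blocks on that rule's label everywhere except an exempted path prefix. It also sums the WCU figures listed for the rule groups in this section against a web ACL limit. The 1,500 WCU limit is an assumption about the default quota and is not stated on this page; the rule names, metric names and exempt paths are invented for the example.

```python
"""Scope a managed-rule false positive with a count override plus a label match rule.

Added example, not code from the AWS documentation. WCU values are the ones
listed per rule group in this section; WEB_ACL_WCU_LIMIT is an assumed default
quota (not stated on this page), so check the quota for your own account.
"""

# WCU per AWS Managed Rules rule group, as listed in this section.
MANAGED_RULE_GROUP_WCU = {
    "AWSManagedRulesCommonRuleSet": 700,
    "AWSManagedRulesAdminProtectionRuleSet": 100,
    "AWSManagedRulesKnownBadInputsRuleSet": 200,
    "AWSManagedRulesSQLiRuleSet": 200,
    "AWSManagedRulesLinuxRuleSet": 200,
    "AWSManagedRulesUnixRuleSet": 100,
    "AWSManagedRulesWindowsRuleSet": 200,
}
WEB_ACL_WCU_LIMIT = 1500  # assumed default web ACL quota; verify for your account


def _visibility(metric_name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": metric_name}


def managed_rule_group_rule(group_name, priority, count_overrides=()):
    """Web ACL rule referencing an AWS managed rule group.

    OverrideAction None keeps the group's own rule actions; RuleActionOverrides
    switches only the named rules to count (step 3 of the procedure: count just
    the rule that misfires, leave the rest blocking).
    """
    stmt = {"VendorName": "AWS", "Name": group_name}
    if count_overrides:
        stmt["RuleActionOverrides"] = [{"Name": r, "ActionToUse": {"Count": {}}} for r in count_overrides]
    return {
        "Name": f"AWS-{group_name}",
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": stmt},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": _visibility(f"AWS-{group_name}"),
    }


def label_block_except_paths(label, priority, exempt_path_prefixes):
    """Block requests carrying a managed-rule label unless the URI path is exempt.

    A counted rule still adds its label, so this rule restores blocking for every
    path except the ones you exempt. It needs a higher priority number than the
    managed rule group rule so that the label exists when it is evaluated.
    """
    path_stmts = [
        {"ByteMatchStatement": {
            "FieldToMatch": {"UriPath": {}},
            "PositionalConstraint": "STARTS_WITH",
            # boto3 takes bytes here; AWS CLI v2 JSON treats it as a blob and
            # needs --cli-binary-format raw-in-base64-out for a plain string.
            "SearchString": prefix,
            "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}],
        }} for prefix in exempt_path_prefixes
    ]
    exempt = path_stmts[0] if len(path_stmts) == 1 else {"OrStatement": {"Statements": path_stmts}}
    rule_name = "Reblock-" + label.rsplit(":", 1)[-1]  # invented naming scheme
    return {
        "Name": rule_name,
        "Priority": priority,
        "Statement": {"AndStatement": {"Statements": [
            {"LabelMatchStatement": {"Scope": "LABEL", "Key": label}},
            {"NotStatement": {"Statement": exempt}},
        ]}},
        "Action": {"Block": {}},
        "VisibilityConfig": _visibility(rule_name),
    }


def total_wcu(group_names):
    """WCU consumed by the managed rule groups alone (custom rules add their own)."""
    return sum(MANAGED_RULE_GROUP_WCU[g] for g in group_names)


def fits_web_acl_limit(group_names, limit=WEB_ACL_WCU_LIMIT):
    return total_wcu(group_names) <= limit


def build_rules(group_names, count_overrides, reblock):
    """Managed rule groups first (lowest priority numbers), then the label re-block rules.

    count_overrides: {group_name: [rule names to switch to count]}
    reblock: [(label, [exempt URI path prefixes])]
    """
    rules = [managed_rule_group_rule(g, i, count_overrides.get(g, ())) for i, g in enumerate(group_names)]
    base = len(rules)
    rules += [label_block_except_paths(label, base + i, paths) for i, (label, paths) in enumerate(reblock)]
    return rules


if __name__ == "__main__":
    import json
    groups = ["AWSManagedRulesCommonRuleSet", "AWSManagedRulesKnownBadInputsRuleSet"]
    print(json.dumps(build_rules(
        groups,
        {"AWSManagedRulesCommonRuleSet": ["SizeRestrictions_BODY"]},
        [("awswaf:managed:aws:core-rule-set:SizeRestrictions_Body", ["/api/upload"])],
    ), indent=2))
    print("WCU:", total_wcu(groups), "fits:", fits_web_acl_limit(groups))
```

The point of the label rule is that you keep the managed rule's detection on every path; only the one endpoint that legitimately trips it (here an upload path that exceeds the 8 KB body limit) is exempted, instead of the whole rule being silenced. Before relying on it, confirm in the sampled requests or logs that the label name matches exactly what the rule group emits, and remember that the body-inspecting rules in the other groups only see the first 8 KB of a body you allow through.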
AWS Managed Rules rule groups
• Baseline rule groups (p. 34)
• Core rule set (CRS) managed rule group (p. 34)
• Admin protection managed rule group (p. 38)
• Known bad inputs managed rule group (p. 38)
• Use-case specific rule groups (p. 40)
• SQL database managed rule group (p. 40)
• Linux operating system managed rule group (p. 41)
• POSIX operating system managed rule group (p. 42)
• Windows operating system managed rule group (p. 42)
• PHP application managed rule group (p. 44)
• WordPress application managed rule group (p. 44)
• IP reputation rule groups (p. 45)
• Amazon IP reputation list managed rule group (p. 45)
• Anonymous IP list managed rule group (p. 45)
• AWS WAF Bot Control rule group (p. 46)
• AWS WAF Fraud Control account takeover prevention (ATP) rule group (p. 47)
Baseline rule groups
Baseline managed rule groups provide general protection against a wide variety of common threats.
Choose one or more of these rule groups to establish baseline protection for your resources.
Core rule set (CRS) managed rule group
VendorName: AWS, Name: AWSManagedRulesCommonRuleSet, WCU: 700
The Core rule set (CRS) rule group contains rules that are generally applicable to web applications. This provides protection against exploitation of a wide range of vulnerabilities, including many high risk and commonly occurring vulnerabilities described in OWASP publications such as OWASP Top 10. Consider using this rule group for any AWS WAF use case.
Rule name Description and label
NoUserAgent_HEADER Blocks requests with no HTTP User-Agent header.
Label: awswaf:managed:aws:core-rule-set:NoUserAgent_Header
UserAgent_BadBots_HEADER Inspects for the presence of common User-Agent header values indicating that the request is from a bad bot. Example patterns include nessus and nmap. For bot management, see also AWS WAF Bot Control rule group (p. 46).
Label: awswaf:managed:aws:core-rule-set:UserAgent_BadBots_Header
SizeRestrictions_QUERYSTRING Verifies that the URI query string length is at most 2,048 bytes.
Label: awswaf:managed:aws:core-rule-set:SizeRestrictions_QueryString
SizeRestrictions_Cookie_HEADER Verifies that the cookie header length is at most 10,240 bytes.
Label: awswaf:managed:aws:core-rule-set:SizeRestrictions_Cookie_Header
SizeRestrictions_BODY Verifies that the request body size is at most 8 KB (8,192 bytes). Because the body-inspecting rules in this and the other AWS Managed Rules rule groups only inspect the first 8 KB of the body, this rule is what keeps larger bodies from passing through uninspected. If you override it to count, for example for an upload endpoint, body content beyond 8 KB is not inspected by those rules.
Label: awswaf:managed:aws:core-rule-set:SizeRestrictions_Body
SizeRestrictions_URIPATH Verifies that the URI path length is at most 1,024 bytes.
Label: awswaf:managed:aws:core-rule-set:SizeRestrictions_URIPath
EC2MetaDataSSRF_BODY Inspects for attempts to exfiltrate Amazon EC2 metadata from the request body.
Warning
This rule only inspects the first 8 KB of the request body. For information, see Web request body inspection (p. 84).
Label: awswaf:managed:aws:core-rule-set:EC2MetaDataSSRF_Body
EC2MetaDataSSRF_COOKIE Inspects for attempts to exfiltrate Amazon EC2 metadata from the request cookie.
Label: awswaf:managed:aws:core-rule-set:EC2MetaDataSSRF_Cookie
EC2MetaDataSSRF_URIPATH Inspects for attempts to exfiltrate Amazon EC2 metadata from the request URI path.
Label: awswaf:managed:aws:core-rule-set:EC2MetaDataSSRF_URIPath
EC2MetaDataSSRF_QUERYARGUMENTS Inspects for attempts to exfiltrate Amazon EC2 metadata from the request query arguments.
Label: awswaf:managed:aws:core-rule-set:EC2MetaDataSSRF_QueryArguments
GenericLFI_QUERYARGUMENTS Inspects for the presence of Local File Inclusion (LFI) exploits in the query arguments. Examples include path traversal attempts using techniques like ../../.
Label: awswaf:managed:aws:core-rule-set:GenericLFI_QueryArguments
GenericLFI_URIPATH Inspects for the presence of Local File Inclusion (LFI) exploits in the URI path. Examples include path traversal attempts using techniques like ../../.
Label: awswaf:managed:aws:core-rule-set:GenericLFI_URIPath
GenericLFI_BODY Inspects for the presence of Local File Inclusion (LFI) exploits in the request body. Examples include path traversal attempts using techniques like ../../.
Warning
This rule only inspects the first 8 KB of the request body. For information, see Web request body inspection (p. 84).
Label: awswaf:managed:aws:core-rule-set:GenericLFI_Body
RestrictedExtensions_URIPATH Inspects requests whose URI path includes system file extensions that the clients shouldn't read or run. Example patterns include extensions like .log and .ini.
Label: awswaf:managed:aws:core-rule-set:RestrictedExtensions_URIPath
RestrictedExtensions_QUERYARGUMENTS Inspects requests whose query arguments contain system file extensions that the clients shouldn't read or run. Example patterns include extensions like .log and .ini.
Label: awswaf:managed:aws:core-rule-set:RestrictedExtensions_QueryArguments
GenericRFI_QUERYARGUMENTS Inspects the values of all query parameters and blocks requests that attempt to exploit RFI (Remote File Inclusion) in web applications by embedding URLs that contain IPv4 addresses. Examples include patterns like http://, https://, ftp://, ftps://, and file://, where the host in the embedded URL is an IPv4 address.
Label: awswaf:managed:aws:core-rule-set:GenericRFI_QueryArguments
GenericRFI_BODY Inspects the request body and blocks requests that attempt to exploit RFI (Remote File Inclusion) in web applications by embedding URLs that contain IPv4 addresses. Examples include patterns like http://, https://, ftp://, ftps://, and file://, where the host in the embedded URL is an IPv4 address.
Warning
This rule only inspects the first 8 KB of the request body. For information, see Web request body inspection (p. 84).
Label: awswaf:managed:aws:core-rule-set:GenericRFI_Body
GenericRFI_URIPATH Inspects the URI path and blocks requests that attempt to exploit RFI (Remote File Inclusion) in web applications by embedding URLs that contain IPv4 addresses. Examples include patterns like http://, https://, ftp://, ftps://, and file://, where the host in the embedded URL is an IPv4 address.
Label: awswaf:managed:aws:core-rule-set:GenericRFI_URIPath
CrossSiteScripting_COOKIE Inspects the value of cookie headers and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like <script>alert("hello")</script>.
Note: The rule match details in the AWS WAF logs are not populated for version 2.0 of this rule group.
Label: awswaf:managed:aws:core-rule-set:CrossSiteScripting_Cookie
CrossSiteScripting_QUERYARGUMENTS Inspects the value of query arguments and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like <script>alert("hello")</script>.
Note: The rule match details in the AWS WAF logs are not populated for version 2.0 of this rule group.
Label: awswaf:managed:aws:core-rule-set:CrossSiteScripting_QueryArguments
CrossSiteScripting_BODY Inspects the value of the request body and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like <script>alert("hello")</script>.
Note: The rule match details in the AWS WAF logs are not populated for version 2.0 of this rule group.
Warning
This rule only inspects the first 8 KB of the request body. For information, see Web request body inspection (p. 84).
Label: awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body
CrossSiteScripting_URIPATH Inspects the value of the URI path and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like <script>alert("hello")</script>.
Note: The rule match details in the AWS WAF logs are not populated for version 2.0 of this rule group.
Label: awswaf:managed:aws:core-rule-set:CrossSiteScripting_URIPath
Admin protection managed rule group
VendorName: AWS, Name: AWSManagedRulesAdminProtectionRuleSet, WCU: 100
The Admin protection rule group contains rules that allow you to block external access to exposed administrative pages. This might be useful if you run third-party software or want to reduce the risk of a malicious actor gaining administrative access to your application.
Rule name Description and label
AdminProtection_URIPATH Inspects requests for URI paths that are generally reserved for administration of a webserver or application. Example patterns include sqlmanager.
Label: awswaf:managed:aws:admin-protection:AdminProtection_URIPath
Known bad inputs managed rule group
VendorName: AWS, Name: AWSManagedRulesKnownBadInputsRuleSet, WCU: 200
The Known bad inputs rule group contains rules to block request patterns that are known to be invalid and are associated with exploitation or discovery of vulnerabilities. This can help reduce the risk of a malicious actor discovering a vulnerable application.
Rule name Description and label
Host_localhost_HEADER Inspects the host header in the request for patterns indicating localhost. Example patterns include localhost.
Label: awswaf:managed:aws:known-bad-inputs:Host_localhost_Header
PROPFIND_METHOD Inspects the HTTP method in the request for PROPFIND, a WebDAV method that, like HEAD, does not return the resource body, but instead returns resource properties as an XML document. Attackers use it to enumerate files and directories on servers that don't intend to expose WebDAV.
Label: awswaf:managed:aws:known-bad-inputs:Propfind_Method
ExploitablePaths_URIPATH Inspects the URI path for attempts to access exploitable web application paths. Example patterns include paths like web-inf.
Label: awswaf:managed:aws:known-bad-inputs:ExploitablePaths_URIPath
Log4JRCE_HEADER Inspects the values of common HTTP request headers for the presence of the Log4j vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) and protects against Remote Code Execution (RCE) attempts. Example patterns include ${jndi:ldap://example.com/}.
Label: awswaf:managed:aws:known-bad-inputs:Log4JRCE_HEADER
Log4JRCE_QUERYSTRING Inspects the value of the query string for the presence of the Log4j vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) and protects against Remote Code Execution (RCE) attempts. Example patterns include ${jndi:ldap://example.com/}.
Label: awswaf:managed:aws:known-bad-inputs:Log4JRCE_QUERYSTRING
Log4JRCE_URI Inspects the value of the URI path for the presence of the Log4j vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) and protects against Remote Code Execution (RCE) attempts. Example patterns include ${jndi:ldap://example.com/}.
Label: awswaf:managed:aws:known-bad-inputs:Log4JRCE_URI
Log4JRCE_BODY Inspects the value of the request body for the presence of the Log4j vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) and protects against Remote Code Execution (RCE) attempts. Example patterns include ${jndi:ldap://example.com/}.
Warning
This rule only inspects the first 8 KB of the request body. For information, see Web request body inspection (p. 84).
Label: awswaf:managed:aws:known-bad-inputs:Log4JRCE_BODY
Use-case specific rule groups
Use-case specific rule groups provide incremental protection for many diverse AWS WAF use cases.
Choose the rule groups that apply to your application.
SQL database managed rule group
VendorName: AWS, Name: AWSManagedRulesSQLiRuleSet, WCU: 200
The SQL database rule group contains rules to block request patterns associated with exploitation of SQL databases, like SQL injection attacks. This can help prevent remote injection of unauthorized queries. Evaluate this rule group for use if your application interfaces with an SQL database.
Rule name Description and label
SQLi_QUERYARGUMENTS Uses the built-in AWS WAF SQL injection match statement to inspect the values of all query parameters for patterns that match malicious SQL code.
Label: awswaf:managed:aws:sql-database:SQLi_QueryArguments
SQLiExtendedPatterns_QUERYARGUMENTS Inspects the values of all query parameters for patterns that match malicious SQL code. The patterns this rule inspects for aren't covered by the built-in AWS WAF SQL injection match statement used in the rule SQLi_QUERYARGUMENTS.
Label: awswaf:managed:aws:sql-database:SQLiExtendedPatterns_QueryArguments
SQLi_BODY Uses the built-in AWS WAF SQL injection match statement to inspect the request body for patterns that match malicious SQL code.
Warning
This rule only inspects the first 8 KB of the request body. For information, see Web request body inspection (p. 84).
Label: awswaf:managed:aws:sql-database:SQLi_Body
SQLiExtendedPatterns_BODY Inspects the request body for patterns that match malicious SQL code. The patterns this rule inspects for aren't covered by the built-in AWS WAF SQL injection match statement used in the rule SQLi_BODY.
Warning
This rule only inspects the first 8 KB of the request body. For information, see Web request body inspection (p. 84).
Label: awswaf:managed:aws:sql-database:SQLiExtendedPatterns_Body
SQLi_COOKIE Uses the built-in AWS WAF SQL injection match statement to inspect the request cookie header for patterns that match malicious SQL code.
Label: awswaf:managed:aws:sql-database:SQLi_Cookie
Label: awswaf:managed:aws:sql-database:SQLi_Cookie
Linux operating system managed rule group
VendorName: AWS, Name: AWSManagedRulesLinuxRuleSet, WCU: 200
The Linux operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to Linux, including Linux-specific Local File Inclusion (LFI) attacks.
This can help prevent attacks that expose file contents or run code for which the attacker should not have had access. You should evaluate this rule group if any part of your application runs on Linux. You should use this rule group in conjunction with the POSIX operating system (p. 42) rule group.
Rule name Description and label
LFI_URIPATH Inspects the request path for attempts to exploit Local File Inclusion (LFI) vulnerabilities in web applications. Example patterns include files like /proc/version, which could provide operating system information to attackers.
Label: awswaf:managed:aws:linux-os:LFI_URIPath
LFI_QUERYSTRING Inspects the values of the query string for attempts to exploit Local File Inclusion (LFI) vulnerabilities in web applications. Example patterns include files like /proc/version, which could provide operating system information to attackers.
Label: awswaf:managed:aws:linux-os:LFI_QueryString
LFI_COOKIE Inspects the request cookie header for attempts to exploit Local File Inclusion (LFI) vulnerabilities in web applications. Example patterns include files like /proc/version, which could provide operating system information to attackers.
Label: awswaf:managed:aws:linux-os:LFI_Cookie
POSIX operating system managed rule group
VendorName: AWS, Name: AWSManagedRulesUnixRuleSet, WCU: 100
The POSIX operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to POSIX and POSIX-like operating systems, including Local File Inclusion (LFI) attacks. This can help prevent attacks that expose file contents or run code for which the attacker should not have had access. You should evaluate this rule group if any part of your application runs on a POSIX or POSIX-like operating system, including Linux, AIX, HP-UX, macOS, Solaris, FreeBSD, and OpenBSD.
Rule name Description and label
UNIXShellCommandsVariables_QUERYARGUMENTS Inspects the values of all query parameters for attempts to exploit command injection, LFI, and path traversal vulnerabilities in web applications that run on Unix systems. Examples include patterns like echo $HOME and echo $PATH.
Label: awswaf:managed:aws:posix-os:UNIXShellCommandsVariables_QueryArguments
UNIXShellCommandsVariables_BODY Inspects the request body for attempts to exploit command injection, LFI, and path traversal vulnerabilities in web applications that run on Unix systems. Examples include patterns like echo $HOME and echo $PATH.
Warning
This rule only inspects the first 8 KB of the request body. For information, see Web request body inspection (p. 84).
Label: awswaf:managed:aws:posix-os:UNIXShellCommandsVariables_Body
Windows operating system managed rule group
VendorName: AWS, Name: AWSManagedRulesWindowsRuleSet, WCU: 200
The Windows operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to Windows, like remote execution of PowerShell commands. This can help prevent exploitation of vulnerabilities that allow an attacker to run unauthorized commands or run malicious code. Evaluate this rule group if any part of your application runs on a Windows operating system.
Rule name Description and label
WindowsShellCommands_COOKIE Inspects the request cookie header and blocks WindowsShell command injection attempts in web applications. The match patterns represent WindowsShell commands. For example, patterns such as ||nslookup or ;cmd are blocked.
Label: awswaf:managed:aws:windows-os:WindowsShellCommands_Cookie
WindowsShellCommands_QUERYARGUMENTS Inspects the values of all query parameters and blocks WindowsShell command injection attempts in web applications. The match patterns represent WindowsShell commands. For example, patterns such as ||nslookup or ;cmd are blocked.
Label: awswaf:managed:aws:windows-os:WindowsShellCommands_QueryArguments
WindowsShellCommands_BODY Inspects the values of the request body and blocks WindowsShell command injection attempts in web applications. The match patterns represent WindowsShell commands. For example, patterns such as ||nslookup or ;cmd are blocked.
Warning
This rule only inspects the first 8 KB of the request body. For information, see Web request body inspection (p. 84).
Label: awswaf:managed:aws:windows-os:WindowsShellCommands_Body
PowerShellCommands_COOKIE Inspects the request cookie header and blocks PowerShell command injection attempts in web applications. The match patterns represent PowerShell commands. For example,