Best practices for using automatic mitigation - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Best practices for using automatic mitigation

Adhere to the guidance provided in this section when you use automatic mitigation.

General protections management

Follow these guidelines for planning and implementing your automatic mitigation protections.

  • Manage all of your automatic mitigation protections either through Shield Advanced or, if you're using AWS Firewall Manager to manage your Shield Advanced automatic mitigation settings, through Firewall Manager. Don't mix your use of Shield Advanced and Firewall Manager to manage these protections.

  • Manage similar resources using the same web ACLs and protection settings, and manage dissimilar resources using different web ACLs. When Shield Advanced mitigates a DDoS attack on a protected resource, it defines rules for the web ACL that's associated with the resource and then tests the rules against traffic of all resources that are associated with the web ACL. Shield Advanced will only apply the rules if they don't negatively impact any of the associated resources. For more information, see How Shield Advanced manages automatic mitigation.

  • For Application Load Balancers that have all their internet traffic proxied through an Amazon CloudFront distribution, enable automatic mitigation only on the CloudFront distribution. The CloudFront distribution always sees the most original traffic attributes, which Shield Advanced uses to mitigate attacks; the load balancer behind it sees only the proxied traffic.

Detection and mitigation optimization

Follow these guidelines to optimize the protections that automatic mitigation provides to protected resources. For an overview of application layer detection and mitigation, see Detection and mitigation.

  • Configure health checks for your protected resources and use them to enable health-based detection in your Shield Advanced protections. For guidance, see Health-based detection using health checks.

  • Enable automatic mitigation in Count mode until Shield Advanced has established a baseline for normal, historic traffic. Shield Advanced needs from 24 hours to 30 days to establish a baseline.

    Establishing a baseline of normal traffic patterns requires the following:

    • The association of a web ACL with the protected resource. You can use AWS WAF directly to associate your web ACL or you can have Shield Advanced associate it when you enable the Shield Advanced application layer protection and specify a web ACL to use.

    • Normal traffic flow to your protected application. If your application isn't experiencing normal traffic, such as before the application is launched or if it lacks production traffic for extended periods of time, the historical data can't be gathered.

Web ACL management

Follow these guidelines for managing the web ACLs that you use with automatic mitigation.

  • If you need to replace the web ACL that's associated with the protected resource, make the following changes in order:

    1. In Shield Advanced, disable automatic mitigation.

    2. In AWS WAF, disassociate the old web ACL and associate the new web ACL.

    3. In Shield Advanced, enable automatic mitigation.

    Shield Advanced doesn't automatically transfer automatic mitigation from the old web ACL to the new one.

  • Don't delete from your web ACLs any rule group rule whose name starts with ShieldMitigationRuleGroup. If you delete this rule group rule, you disable the protections provided by Shield Advanced automatic mitigation for every resource that's associated with the web ACL. Additionally, it can take Shield Advanced some time to receive notice of the change and to update its settings. During this time, the Shield Advanced console pages will show incorrect information.

    For more information about the rule group, see The Shield Advanced rule group.

  • Don't modify the name of a rule group rule whose name starts with ShieldMitigationRuleGroup. Doing so can interfere with the protections provided by Shield Advanced automatic mitigation through the web ACL.

  • When you create rules and rule groups, don't use names that start with ShieldMitigationRuleGroup. This string is used by Shield Advanced to manage your automatic mitigations.

  • When you manage your web ACL rules, don't assign the priority setting 10,000,000 to any rule of your own. Shield Advanced assigns this priority to its automatic mitigation rule group rule when it adds the rule to the web ACL.

  • Keep the ShieldMitigationRuleGroup rule prioritized so that it runs when you want it to in relation to the other rules in your web ACL. Shield Advanced adds the rule group rule to the web ACL with priority 10,000,000, to run after your other rules. If you use the AWS WAF console wizard to manage your web ACL, adjust the priority settings as needed after you add rules to the web ACL.

  • If you use AWS CloudFormation to manage your web ACLs, you don't need to manage the ShieldMitigationRuleGroup rule group rule. Follow the guidance at Using AWS CloudFormation with automatic application layer DDoS mitigation.
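The web ACL replacement procedure in the first item of this section (disable, swap the association, re-enable), written out as an added example that is not part of the AWS documentation. It assumes a boto3-style `shield` and `wafv2` client pair (the method names match the boto3 operations `disable_application_layer_automatic_response`, `disassociate_web_acl`, `associate_web_acl`, `get_web_acl_for_resource` and `enable_application_layer_automatic_response`); the in-memory fake clients and all ARNs below are constructed placeholders so the script runs offline. Before automatic mitigation is re-enabled, the script confirms that the resource is actually associated with the intended web ACL, which the page's three steps do not check explicitly.

```python
# Added example, not AWS documentation code. Replaces the web ACL behind a Shield
# Advanced protected resource in the documented order, with a state check before
# automatic mitigation is re-enabled. Pass real boto3 clients, e.g.
#   replace_web_acl(boto3.client("shield", region_name="us-east-1"),
#                   boto3.client("wafv2", region_name="us-east-1"), RESOURCE_ARN, NEW_ACL)
# or the fake clients below for an offline dry run.


class WebAclMismatch(RuntimeError):
    """Raised when the resource is not associated with the intended web ACL."""


def replace_web_acl(shield, wafv2, resource_arn, new_web_acl_arn, action=None):
    """Swap the web ACL on resource_arn and return the steps performed, in order.

    `action` is the automatic mitigation action to restore ({"Block": {}} or
    {"Count": {}}). Count is used when none is given, matching the guidance to
    run in Count mode until Shield Advanced has a traffic baseline for the new ACL.
    """
    action = action or {"Count": {}}
    steps = []

    # Step 1: disable automatic mitigation before touching the association;
    # Shield Advanced does not carry it over to the new web ACL by itself.
    shield.disable_application_layer_automatic_response(ResourceArn=resource_arn)
    steps.append("disable")

    # Step 2: swap the association in AWS WAF.
    wafv2.disassociate_web_acl(ResourceArn=resource_arn)
    steps.append("disassociate")
    wafv2.associate_web_acl(WebACLArn=new_web_acl_arn, ResourceArn=resource_arn)
    steps.append("associate")

    # Guard: confirm the resource now points at the intended web ACL, so that
    # mitigation is never re-enabled against the wrong (or no) ACL.
    current = wafv2.get_web_acl_for_resource(ResourceArn=resource_arn).get("WebACL", {})
    if current.get("ARN") != new_web_acl_arn:
        raise WebAclMismatch(f"expected {new_web_acl_arn}, found {current.get('ARN')}")

    # Step 3: re-enable automatic mitigation, now backed by the new web ACL.
    shield.enable_application_layer_automatic_response(ResourceArn=resource_arn, Action=action)
    steps.append("enable")
    return steps


class FakeShield:
    """Constructed stand-in for a boto3 Shield client; records the calls it receives."""

    def __init__(self):
        self.calls = []

    def disable_application_layer_automatic_response(self, ResourceArn):
        self.calls.append(("disable", ResourceArn))
        return {}

    def enable_application_layer_automatic_response(self, ResourceArn, Action):
        self.calls.append(("enable", ResourceArn, Action))
        return {}


class FakeWafv2:
    """Constructed stand-in for a boto3 WAFV2 client; keeps one association per resource."""

    def __init__(self, associations=None, fail_associate=False):
        self.associations = dict(associations or {})
        self.fail_associate = fail_associate  # simulates an association that did not take

    def disassociate_web_acl(self, ResourceArn):
        self.associations.pop(ResourceArn, None)
        return {}

    def associate_web_acl(self, WebACLArn, ResourceArn):
        if not self.fail_associate:
            self.associations[ResourceArn] = WebACLArn
        return {}

    def get_web_acl_for_resource(self, ResourceArn):
        arn = self.associations.get(ResourceArn)
        return {"WebACL": {"ARN": arn}} if arn else {}


# Placeholder ARNs (constructed, not real resources).
RESOURCE_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/placeholder/0123456789abcdef"
OLD_ACL = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/old-acl/placeholder-id"
NEW_ACL = "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/new-acl/placeholder-id"


def demo():
    """Offline dry run against the fake clients; returns (steps, shield calls, associations)."""
    shield, wafv2 = FakeShield(), FakeWafv2({RESOURCE_ARN: OLD_ACL})
    steps = replace_web_acl(shield, wafv2, RESOURCE_ARN, NEW_ACL)
    return steps, shield.calls, wafv2.associations


if __name__ == "__main__":
    for line in demo():
        print(line)
```

If the association check fails, the function stops with automatic mitigation still disabled; that is the safe state to leave the resource in while you investigate, but it also means the resource has no Shield Advanced application layer mitigation until the script is re-run successfully.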
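The rule-naming, priority and rule-group items above translate into a small configuration check that a defender can run over the output of `GetWebACL`. The following is an added example, not AWS documentation code; it assumes the `WebACL` structure that WAFV2 `GetWebACL` returns (`Rules` with `Name`, `Priority` and `Statement`), and the two sample web ACLs are constructed with placeholder account ids and ARNs.

```python
# Added example, not AWS documentation code. Lints a web ACL (the "WebACL" object
# from WAFV2 GetWebACL) against the Shield Advanced automatic mitigation guidance:
# reserved name prefix, reserved priority, and presence of the Shield rule group rule.

SHIELD_PREFIX = "ShieldMitigationRuleGroup"  # name prefix reserved by Shield Advanced
SHIELD_PRIORITY = 10_000_000                 # priority Shield Advanced assigns its rule


def lint_web_acl(web_acl, expect_shield_rule=True):
    """Return a list of findings (strings); an empty list means the web ACL conforms."""
    findings = []
    rules = web_acl.get("Rules", [])
    shield_rules = [r for r in rules if r["Name"].startswith(SHIELD_PREFIX)]
    other_rules = [r for r in rules if not r["Name"].startswith(SHIELD_PREFIX)]

    # Anything carrying the reserved prefix must be the Shield-managed rule group
    # reference, and it must sit at the priority Shield Advanced gave it.
    for rule in shield_rules:
        if "RuleGroupReferenceStatement" not in rule.get("Statement", {}):
            findings.append(f"rule {rule['Name']!r} uses the reserved prefix but is not a "
                            "rule group reference; rename it, the prefix is reserved")
        elif rule["Priority"] != SHIELD_PRIORITY:
            findings.append(f"Shield rule group rule {rule['Name']!r} has priority "
                            f"{rule['Priority']}, expected {SHIELD_PRIORITY}")

    # No rule of your own may occupy the priority reserved for the Shield rule.
    for rule in other_rules:
        if rule["Priority"] == SHIELD_PRIORITY:
            findings.append(f"rule {rule['Name']!r} uses reserved priority {SHIELD_PRIORITY}")

    # A missing Shield rule group rule means automatic mitigation is not active
    # through this web ACL (for example, after the rule was deleted by hand).
    if expect_shield_rule and not any(
            "RuleGroupReferenceStatement" in r.get("Statement", {}) for r in shield_rules):
        findings.append("no ShieldMitigationRuleGroup rule group rule present; automatic "
                        "mitigation is off for every resource associated with this web ACL")

    # AWS WAF requires unique priorities within a web ACL; report collisions too.
    seen = {}
    for rule in rules:
        if rule["Priority"] in seen:
            findings.append(f"rules {seen[rule['Priority']]!r} and {rule['Name']!r} "
                            f"share priority {rule['Priority']}")
        seen.setdefault(rule["Priority"], rule["Name"])
    return findings


# Constructed sample that follows the guidance: one custom rule, then the Shield rule
# group rule at priority 10,000,000 (placeholder account id and rule group ARN).
GOOD_WEB_ACL = {
    "Name": "prod-web-acl",
    "Rules": [
        {"Name": "block-bad-bots", "Priority": 0, "Action": {"Block": {}},
         "Statement": {"ByteMatchStatement": {
             "SearchString": "badbot", "PositionalConstraint": "CONTAINS",
             "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
             "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}}},
        {"Name": "ShieldMitigationRuleGroup_123456789012_placeholder", "Priority": SHIELD_PRIORITY,
         "OverrideAction": {"None": {}},
         "Statement": {"RuleGroupReferenceStatement": {
             "ARN": "arn:aws:wafv2:us-east-1:123456789012:global/rulegroup/"
                    "ShieldMitigationRuleGroup_123456789012_placeholder/placeholder-id"}}},
    ],
}

# Constructed sample that breaks three of the rules above: a custom rule named with
# the reserved prefix, a rule at the reserved priority, and no Shield rule group rule.
BAD_WEB_ACL = {
    "Name": "misconfigured-web-acl",
    "Rules": [
        {"Name": "ShieldMitigationRuleGroup-custom", "Priority": 5, "Action": {"Count": {}},
         "Statement": {"GeoMatchStatement": {"CountryCodes": ["XX"]}}},
        {"Name": "rate-limit", "Priority": SHIELD_PRIORITY, "Action": {"Block": {}},
         "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}}},
    ],
}


if __name__ == "__main__":
    for acl in (GOOD_WEB_ACL, BAD_WEB_ACL):
        print(acl["Name"], lint_web_acl(acl) or "OK")
```

Run it against `aws wafv2 get-web-acl ... | jq .WebACL` output as part of a change check: a non-empty result on a web ACL that Shield Advanced is supposed to manage points at one of the misconfigurations this section warns about. Web ACLs that are intentionally not protected by Shield Advanced can be linted with `expect_shield_rule=False`.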