Release candidate deployments for AWS Managed Rules - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

When AWS has a candidate set of rule changes for a managed rule group, it tests them in a temporary release candidate deployment. AWS evaluates the candidate rules in count mode against production traffic, and performs final tuning activities, including mitigating false positives. AWS tests release candidate rules in this way for all customers who use the default version of the rule group. Release candidate deployments don't apply to customers who use a static version of the rule group.

If you use the default version, a release candidate deployment won't alter how your web traffic is managed by the rule group. You might notice the following while the candidate rules are being tested:

  • The default version name changes from Default (using Version_X.Y) to Default (using Version_X.Y_PLUS_RC_COUNT).

  • Additional count metrics in Amazon CloudWatch with RC_COUNT in their names. These are generated by the release candidate rules.

AWS tests a release candidate for about a week, then removes it and resets the default version to the current recommended static version.

AWS performs the following steps for a release candidate deployment:

  1. Create the release candidate – AWS adds a release candidate based on the current recommended static version, which is the version that the default is pointing to.

    The name of the release candidate is the static version name appended with _PLUS_RC_COUNT. For example, if the current recommended static version is Version_2.1, then the release candidate would be named Version_2.1_PLUS_RC_COUNT.

    The release candidate contains the following rules:

    • Rules copied exactly from the current recommended static version, with no changes to rule configurations.

    • Candidate new rules with rule action set to Count and with names that end with _RC_COUNT.

      Most candidate rules provide proposed improvements to rules that exist already in the rule group. The name for each of these rules is the existing rule's name appended with _RC_COUNT.

  2. Set the default version to the release candidate and test – AWS sets the default version to point to the new release candidate, to perform testing against your production traffic. Testing usually takes about a week.

    You'll see the default version's name change from the one that indicates only the static version, such as Default (using Version_1.4), to one that indicates the static version plus the release candidate rules, such as Default (using Version_1.4_PLUS_RC_COUNT). This naming scheme lets you identify which static version you're using to manage your web traffic.

    The following diagram shows the state of the example rule group versions at this point.

    [Figure: At the top of the figure are three stacked static versions, with Version_1.4 on the top. Separate from the static versions stack is the version Version_1.4_PLUS_RC_COUNT, which contains the rules from Version_1.4 plus two release candidate rules, RuleB_RC_COUNT and RuleZ_RC_COUNT, both with Count action. The default version indicator points to Version_1.4_PLUS_RC_COUNT.]

    The release candidate rules are always configured with Count action, so they don't alter how the rule group manages web traffic.

    The release candidate rules generate Amazon CloudWatch count metrics that AWS uses to verify behavior and to identify false positives. AWS makes adjustments as needed, to tune the behavior of the release candidate count rules.

    The release candidate version isn't a static version, and it's not available for you to choose from the list of static rule group versions. You can only see the name of the release candidate version in the default version specification.

  3. Return the default version to the recommended static version – After testing the release candidate rules, AWS sets the default version back to the current recommended static version. The default version name setting drops the _PLUS_RC_COUNT ending, and the rule group stops generating CloudWatch count metrics for the release candidate rules. This is a silent change, and is not the same as a deployment of a default version rollback.

    The following diagram shows the state of the example rule group versions after the testing of the release candidate is complete.

    [Figure: This is the typical version states figure again. Three static versions, Version_1.2, Version_1.3, and Version_1.4, are stacked with Version_1.4 on the top. Version_1.4 has two rules, RuleA and RuleB, both with production action. The default version indicator points to Version_1.4.]

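To make the naming scheme in the steps above concrete, here is an added Python example (not AWS code and not part of this guide) that parses a default version name, tells a silent release candidate start or end apart from a real change of the static version, and sorts _RC_COUNT rule names seen in CloudWatch metrics into proposed improvements of existing rules versus brand-new candidate rules. The SAMPLE_METRICS list is constructed to resemble CloudWatch ListMetrics output for the AWS/WAFV2 namespace; the Rule, WebACL, and Region dimension names and the example-acl web ACL name are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Suffix conventions described on the page: the default version name gains
# "_PLUS_RC_COUNT" while a release candidate is under test, and each candidate
# rule's name ends with "_RC_COUNT".
RC_VERSION_SUFFIX = "_PLUS_RC_COUNT"
RC_RULE_SUFFIX = "_RC_COUNT"


@dataclass(frozen=True)
class DefaultVersion:
    static_version: str            # e.g. "Version_1.4"
    release_candidate_active: bool


def parse_default_version(name: str) -> DefaultVersion:
    """Parse a default version name as shown in the console
    ("Default (using Version_1.4_PLUS_RC_COUNT)") or as a bare version string
    ("Version_1.4_PLUS_RC_COUNT") into its static version and an RC-active flag."""
    m = re.fullmatch(r"Default \(using (.+)\)", name.strip())
    core = m.group(1) if m else name.strip()
    if core.endswith(RC_VERSION_SUFFIX):
        return DefaultVersion(core[: -len(RC_VERSION_SUFFIX)], True)
    return DefaultVersion(core, False)


def classify_version_change(previous: str, current: str) -> str:
    """Distinguish the silent RC start/end from a real default version move,
    so an alert fires only when the static version you rely on changes."""
    prev, cur = parse_default_version(previous), parse_default_version(current)
    if prev.static_version != cur.static_version:
        return "static-version-change"
    if cur.release_candidate_active and not prev.release_candidate_active:
        return "release-candidate-started"
    if prev.release_candidate_active and not cur.release_candidate_active:
        return "release-candidate-ended"
    return "no-change"


def is_release_candidate_rule(rule_name: str) -> bool:
    return rule_name.endswith(RC_RULE_SUFFIX)


def base_rule_name(rule_name: str) -> str:
    """Strip the _RC_COUNT suffix to find the production rule a candidate refines."""
    if is_release_candidate_rule(rule_name):
        return rule_name[: -len(RC_RULE_SUFFIX)]
    return rule_name


def classify_rc_rules(rule_names):
    """Split RC rules into proposed improvements of existing rules (keyed by the
    existing rule's name) and new candidate rules that have no counterpart."""
    names = set(rule_names)
    production = {n for n in names if not is_release_candidate_rule(n)}
    improvements, new_rules = {}, []
    for n in sorted(names):
        if not is_release_candidate_rule(n):
            continue
        base = base_rule_name(n)
        if base in production:
            improvements[base] = n
        else:
            new_rules.append(n)
    return improvements, new_rules


# Constructed sample shaped like CloudWatch ListMetrics output. The dimension
# names (Rule, WebACL, Region) are an assumption; check them against the
# metrics in your own account.
SAMPLE_METRICS = [
    {"Namespace": "AWS/WAFV2", "MetricName": "CountedRequests",
     "Dimensions": [{"Name": "Rule", "Value": "RuleB_RC_COUNT"},
                    {"Name": "WebACL", "Value": "example-acl"},
                    {"Name": "Region", "Value": "us-east-1"}]},
    {"Namespace": "AWS/WAFV2", "MetricName": "CountedRequests",
     "Dimensions": [{"Name": "Rule", "Value": "RuleZ_RC_COUNT"},
                    {"Name": "WebACL", "Value": "example-acl"},
                    {"Name": "Region", "Value": "us-east-1"}]},
    {"Namespace": "AWS/WAFV2", "MetricName": "BlockedRequests",
     "Dimensions": [{"Name": "Rule", "Value": "RuleB"},
                    {"Name": "WebACL", "Value": "example-acl"},
                    {"Name": "Region", "Value": "us-east-1"}]},
    {"Namespace": "AWS/WAFV2", "MetricName": "AllowedRequests",
     "Dimensions": [{"Name": "Rule", "Value": "RuleA"},
                    {"Name": "WebACL", "Value": "example-acl"},
                    {"Name": "Region", "Value": "us-east-1"}]},
]


def rule_names_from_metrics(metrics):
    """Collect the distinct Rule dimension values from ListMetrics-style entries."""
    names = set()
    for metric in metrics:
        for dim in metric.get("Dimensions", []):
            if dim["Name"] == "Rule":
                names.add(dim["Value"])
    return sorted(names)


if __name__ == "__main__":
    print(parse_default_version("Default (using Version_1.4_PLUS_RC_COUNT)"))
    print(classify_version_change("Version_1.4", "Version_1.4_PLUS_RC_COUNT"))
    print(classify_rc_rules(rule_names_from_metrics(SAMPLE_METRICS)))
```

Run against the constructed sample, the classification reports RuleB_RC_COUNT as a proposed improvement to the existing RuleB and RuleZ_RC_COUNT as a new candidate rule, which matches the figure for step 2. Because RC rules only ever run in Count mode, the practical use of the version-change classifier is to keep a drift monitor quiet during the roughly one-week test and to page only when the underlying static version actually moves.
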
Timing and notifications

AWS deploys release candidate versions on an as-needed basis, to test improvements to a rule group.

  • SNS – AWS sends an SNS notification at the start of the deployment. The notification indicates the estimated time that the release candidate will be tested. When testing is complete, AWS silently returns the default to the static version setting, without a second notification.

  • Change log – AWS doesn't update the change log or other parts of this guide for this type of deployment.