How Firewall Manager manages web ACLs Rule groups in AWS WAF policies

Using AWS WAF policies with Firewall Manager

This page explains how to use AWS WAF policies with Firewall Manager. In a Firewall Manager AWS WAF policy, you specify the AWS WAF rule groups that you want to use across your resources. When you apply the policy, Firewall Manager creates web ACLs in accounts within policy scope depending on how you configure management of web ACLs in your policy. In the web ACLs created by the policy, individual account managers can add rules and rule groups, in addition to the rule groups that you defined through Firewall Manager.

How Firewall Manager manages web ACLs

Firewall Manager creates web ACLs based on how you configure the Manage unassociated web ACLs setting in your policy, or the optimizeUnassociatedWebACL setting in the SecurityServicePolicyData data type in the API.

If you enable management of unassociated web ACLs, Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource. If at any time an account comes into policy scope, Firewall Manager automatically creates a web ACL in the account if at least one resource will use the web ACL. When you enable management of unassociated web ACLs, Firewall Manager performs a one-time cleanup of unassociated web ACLs in your account. During the cleanup, Firewall Manager skips any web ACLs that you've modified after their creation, for example, if you added a rule group to the web ACL or modified it's settings. The cleanup process can take several hours. If a resource leaves policy scope after Firewall Manager creates a web ACL, Firewall Manager disassociates the resource from the web ACL, but won't clean up the unassociated web ACL. Firewall Manager only cleans up unassociated web ACLs when you first enable management of unassociated web ACLs in a policy.

If you don't enable this option, Firewall Manager doesn't manage unassociated web ACLs, and Firewall Manager automatically creates a web ACL in each account that's within policy scope.

Sampling and CloudWatch metrics

AWS Firewall Manager enables sampling and Amazon CloudWatch metrics for the web ACLs and rule groups that it creates for an AWS WAF policy.

Web ACL naming structure

When Firewall Manager creates a web ACL for the policy, it names the web ACL FMManagedWebACLV2-policy name-timestamp. The timestamp is in UTC milliseconds. For example, FMManagedWebACLV2-MyWAFPolicyName-1621880374078.

Note

If a resource configured with advanced automatic application layer DDoS mitigation comes into scope of a AWS WAF policy, Firewall Manager will be unable to associate the web ACL created by the AWS WAF policy to the resource.

Rule groups in AWS WAF policies

The web ACLs that are managed by Firewall Manager AWS WAF policies contain three sets of rules. These sets provide a higher level of prioritization for the rules and rule groups in the web ACL:

First rule groups, defined by you in the Firewall Manager AWS WAF policy. AWS WAF evaluates these rule groups first.
Rules and rule groups that are defined by the account managers in the web ACLs. AWS WAF evaluates any account-managed rules or rule groups next.
Last rule groups, defined by you in the Firewall Manager AWS WAF policy. AWS WAF evaluates these rule groups last.

Within each of these sets of rules, AWS WAF evaluates rules and rule groups as usual, according to their priority settings within the set.

In the policy's first and last rule groups sets, you can only add rule groups. You can use managed rule groups, which AWS Managed Rules and AWS Marketplace sellers create and maintain for you. You can also manage and use your own rule groups. For more information about all of these options, see Using AWS WAF rule groups.

If you want to use your own rule groups, you create those before you create your Firewall Manager AWS WAF policy. For guidance, see Managing your own rule groups. To use an individual custom rule, you must define your own rule group, define your rule within that, and then use the rule group in your policy.

The first and last AWS WAF rule groups that you manage through Firewall Manager have names that begin with PREFMManaged- or POSTFMManaged-, respectively, followed by the Firewall Manager policy name, and the rule group creation timestamp, in UTC milliseconds. For example, PREFMManaged-MyWAFPolicyName-1621880555123.

For information about how AWS WAF evaluates web requests, see Using web ACLs with rules and rule groups in AWS WAF.

For the procedure to create a Firewall Manager AWS WAF policy, see Creating an AWS Firewall Manager policy for AWS WAF.

Firewall Manager enables sampling and Amazon CloudWatch metrics for the rule groups that you define for the AWS WAF policy.

Individual account owners have complete control over the metrics and sampling configuration for any rule or rule group that they add to the policy's managed web ACLs.

Topics

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Using the policy scope

Logging destinations