Baseline rule groups - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Baseline rule groups

Baseline managed rule groups provide general protection against a wide variety of common threats. Choose one or more of these rule groups to establish baseline protection for your resources.

Core rule set (CRS) managed rule group

VendorName: AWS, Name: AWSManagedRulesCommonRuleSet, WCU: 700

The Core rule set (CRS) rule group contains rules that are generally applicable to web applications. This provides protection against exploitation of a wide range of vulnerabilities, including some of the high risk and commonly occurring vulnerabilities described in OWASP publications such as OWASP Top 10. Consider using this rule group for any AWS WAF use case.

Rule name Description and label
NoUserAgent_HEADER Blocks requests with no HTTP User-Agent header.

Label: awswaf:managed:aws:core-rule-set:NoUserAgent_Header

UserAgent_BadBots_HEADER Inspects for the presence of common User-Agent header values indicating the request to be a bad bot. Example patterns include nessus and nmap. For bot management, see also AWS WAF Bot Control rule group.

Label: awswaf:managed:aws:core-rule-set:BadBots_Header

SizeRestrictions_QUERYSTRING Verifies that the URI query string length is at most 2,048 bytes.

Label: awswaf:managed:aws:core-rule-set:SizeRestrictions_QueryString

SizeRestrictions_Cookie_HEADER Verifies that the cookie header length is at most 10,240 bytes.

Label: awswaf:managed:aws:core-rule-set:SizeRestrictions_Cookie_Header

SizeRestrictions_BODY Verifies that the request body size is at most 8 KB (8,192 bytes).

Label: awswaf:managed:aws:core-rule-set:SizeRestrictions_Body

SizeRestrictions_URIPATH Verifies that the URI path length is at most 1,024 bytes.

Label: awswaf:managed:aws:core-rule-set:SizeRestrictions_URIPath

EC2MetaDataSSRF_BODY Inspects for attempts to exfiltrate Amazon EC2 metadata from the request body.
Warning: This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies.

Label: awswaf:managed:aws:core-rule-set:EC2MetaDataSSRF_Body

EC2MetaDataSSRF_COOKIE Inspects for attempts to exfiltrate Amazon EC2 metadata from the request cookie.

Label: awswaf:managed:aws:core-rule-set:EC2MetaDataSSRF_Cookie

EC2MetaDataSSRF_URIPATH Inspects for attempts to exfiltrate Amazon EC2 metadata from the request URI path.

Label: awswaf:managed:aws:core-rule-set:EC2MetaDataSSRF_URIPath

EC2MetaDataSSRF_QUERYARGUMENTS Inspects for attempts to exfiltrate Amazon EC2 metadata from the request query arguments.

Label: awswaf:managed:aws:core-rule-set:EC2MetaDataSSRF_QueryArguments

GenericLFI_QUERYARGUMENTS Inspects for the presence of Local File Inclusion (LFI) exploits in the query arguments. Examples include path traversal attempts using techniques like ../../.

Label: awswaf:managed:aws:core-rule-set:GenericLFI_QueryArguments

GenericLFI_URIPATH Inspects for the presence of Local File Inclusion (LFI) exploits in the URI path. Examples include path traversal attempts using techniques like ../../.

Label: awswaf:managed:aws:core-rule-set:GenericLFI_URIPath

GenericLFI_BODY Inspects for the presence of Local File Inclusion (LFI) exploits in the request body. Examples include path traversal attempts using techniques like ../../.
Warning: This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies.

Label: awswaf:managed:aws:core-rule-set:GenericLFI_Body

RestrictedExtensions_URIPATH Inspects requests whose URI path includes system file extensions that the clients shouldn't read or run. Example patterns include extensions like .log and .ini.

Label: awswaf:managed:aws:core-rule-set:RestrictedExtensions_URIPath

RestrictedExtensions_QUERYARGUMENTS Inspects requests whose query arguments include system file extensions that the clients shouldn't read or run. Example patterns include extensions like .log and .ini.

Label: awswaf:managed:aws:core-rule-set:RestrictedExtensions_QueryArguments

GenericRFI_QUERYARGUMENTS Inspects the values of all query parameters and blocks requests that attempt to exploit RFI (Remote File Inclusion) in web applications by embedding URLs that contain IPv4 addresses. Examples include patterns like http://, https://, ftp://, ftps://, and file://, with an IPv4 host header in the exploit attempt.

Label: awswaf:managed:aws:core-rule-set:GenericRFI_QueryArguments

GenericRFI_BODY Inspects the request body and blocks requests that attempt to exploit RFI (Remote File Inclusion) in web applications by embedding URLs that contain IPv4 addresses. Examples include patterns like http://, https://, ftp://, ftps://, and file://, with an IPv4 host header in the exploit attempt.
Warning: This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies.

Label: awswaf:managed:aws:core-rule-set:GenericRFI_Body

GenericRFI_URIPATH Inspects the URI path and blocks requests that attempt to exploit RFI (Remote File Inclusion) in web applications by embedding URLs that contain IPv4 addresses. Examples include patterns like http://, https://, ftp://, ftps://, and file://, with an IPv4 host header in the exploit attempt.

Label: awswaf:managed:aws:core-rule-set:GenericRFI_URIPath

CrossSiteScripting_COOKIE Inspects the value of cookie headers and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like <script>alert("hello")</script>.
Note: The rule match details in the AWS WAF logs are not populated for version 2.0 of this rule group.

Label: awswaf:managed:aws:core-rule-set:CrossSiteScripting_Cookie

CrossSiteScripting_QUERYARGUMENTS Inspects the value of query arguments and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like <script>alert("hello")</script>.
Note: The rule match details in the AWS WAF logs are not populated for version 2.0 of this rule group.

Label: awswaf:managed:aws:core-rule-set:CrossSiteScripting_QueryArguments

CrossSiteScripting_BODY Inspects the value of the request body and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like <script>alert("hello")</script>.
Note: The rule match details in the AWS WAF logs are not populated for version 2.0 of this rule group.

Warning: This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies.

Label: awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body

CrossSiteScripting_URIPATH Inspects the value of the URI path and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like <script>alert("hello")</script>.
Note: The rule match details in the AWS WAF logs are not populated for version 2.0 of this rule group.

Label: awswaf:managed:aws:core-rule-set:CrossSiteScripting_URIPath

Admin protection managed rule group

VendorName: AWS, Name: AWSManagedRulesAdminProtectionRuleSet, WCU: 100

The Admin protection rule group contains rules that allow you to block external access to exposed administrative pages. This might be useful if you run third-party software or want to reduce the risk of a malicious actor gaining administrative access to your application.

Rule name Description and label
AdminProtection_URIPATH Inspects requests for URI paths that are generally reserved for administration of a webserver or application. Example patterns include sqlmanager.

Label: awswaf:managed:aws:admin-protection:AdminProtection_URIPath

Known bad inputs managed rule group

VendorName: AWS, Name: AWSManagedRulesKnownBadInputsRuleSet, WCU: 200

The Known bad inputs rule group contains rules to block request patterns that are known to be invalid and are associated with exploitation or discovery of vulnerabilities. This can help reduce the risk of a malicious actor discovering a vulnerable application.

Rule name Description and label
JavaDeserializationRCE_HEADER Inspects the values of common HTTP request headers for patterns indicating Java deserialization Remote Command Execution (RCE) attempts, such as the Spring Core and Cloud Function RCE vulnerabilities (CVE-2022-22963, CVE-2022-22965). Example patterns include (java.lang.Runtime).getRuntime().exec("whoami").

Label: awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_HEADER

JavaDeserializationRCE_BODY Inspects the request body for patterns indicating Java deserialization Remote Command Execution (RCE) attempts, such as the Spring Core and Cloud Function RCE vulnerabilities (CVE-2022-22963, CVE-2022-22965). Example patterns include (java.lang.Runtime).getRuntime().exec("whoami").
Warning: This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies.

Label: awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_BODY

JavaDeserializationRCE_URI Inspects the request URI for patterns indicating Java deserialization Remote Command Execution (RCE) attempts, such as the Spring Core and Cloud Function RCE vulnerabilities (CVE-2022-22963, CVE-2022-22965). Example patterns include (java.lang.Runtime).getRuntime().exec("whoami").

Label: awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_URI

JavaDeserializationRCE_QUERYSTRING Inspects the request query string for patterns indicating Java deserialization Remote Command Execution (RCE) attempts, such as the Spring Core and Cloud Function RCE vulnerabilities (CVE-2022-22963, CVE-2022-22965). Example patterns include (java.lang.Runtime).getRuntime().exec("whoami").

Label: awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_QUERYSTRING

Host_localhost_HEADER Inspects the host header in the request for patterns indicating localhost. Example patterns include localhost.

Label: awswaf:managed:aws:known-bad-inputs:Host_localhost_Header

PROPFIND_METHOD Inspects the HTTP method in the request for PROPFIND, which is a method similar to HEAD, but with the extra intention to exfiltrate XML objects.

Label: awswaf:managed:aws:known-bad-inputs:Propfind_Method

ExploitablePaths_URIPATH Inspects the URI path for attempts to access exploitable web application paths. Example patterns include paths like web-inf.

Label: awswaf:managed:aws:known-bad-inputs:ExploitablePaths_URIPath

Log4JRCE Inspects the query string, body, URI, and values of common HTTP request headers for the presence of the Log4j vulnerability (CVE-2021-44228, CVE-2021-45046, CVE-2021-45105) and protects against Remote Code Execution (RCE) attempts. Example patterns include ${jndi:ldap://example.com/}.
Warning: This rule only inspects the first 8 KB of the request body. For information, see Inspection of the request body, headers, and cookies.

Label: awswaf:managed:aws:known-bad-inputs:Log4JRCE
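The following is an added example, not code from this documentation or from AWS: it builds the web ACL rule entries for the three baseline groups above (using the wafv2 ManagedRuleGroupStatement shape with a RuleActionOverrides entry that puts a noisy rule such as SizeRestrictions_BODY into Count mode), checks their combined WCU against the web ACL capacity, and counts which of the labels listed on this page fired in WAF log records. The 1,500 WCU capacity and the log records are assumptions constructed for the example.

```python
import json
from collections import Counter

# WCU per group as listed on this page; the 1,500 WCU web ACL capacity is an assumption.
BASELINE_GROUPS = {"AWSManagedRulesCommonRuleSet": 700,
                   "AWSManagedRulesAdminProtectionRuleSet": 100,
                   "AWSManagedRulesKnownBadInputsRuleSet": 200}
WEB_ACL_WCU_CAPACITY = 1500


def managed_rule(name, priority, count_overrides=()):
    # Web ACL rule referencing one AWS managed rule group. Rules in count_overrides
    # are switched from Block to Count so their labels can be reviewed in the logs
    # before they are allowed to block traffic.
    return {"Name": name, "Priority": priority,
            "OverrideAction": {"None": {}},  # keep the group's own rule actions
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS", "Name": name,
                "RuleActionOverrides": [{"Name": r, "ActionToUse": {"Count": {}}}
                                        for r in count_overrides]}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True, "MetricName": name}}

def baseline_rules(crs_count_overrides=("SizeRestrictions_BODY",)):
    # All three baseline groups in priority order; refuse a set whose combined
    # WCU would not fit in the web ACL.
    total = sum(BASELINE_GROUPS.values())
    if total > WEB_ACL_WCU_CAPACITY:
        raise ValueError(f"{total} WCU exceeds capacity {WEB_ACL_WCU_CAPACITY}")
    return [managed_rule(n, p, crs_count_overrides if "CommonRuleSet" in n else ())
            for p, n in enumerate(BASELINE_GROUPS)]

def label_counts(log_lines):
    # Count AWS managed-rule labels in WAF JSON log records, keyed by
    # (rule group, rule), the label's last two ':'-separated fields.
    counts = Counter()
    for line in log_lines:
        for label in json.loads(line).get("labels", []):
            parts = label["name"].split(":")
            if parts[:3] == ["awswaf", "managed", "aws"] and len(parts) == 5:
                counts[(parts[3], parts[4])] += 1
    return counts

# Constructed log records carrying only the fields this example reads.
SAMPLE_LOGS = [
    '{"action":"BLOCK","labels":[{"name":"awswaf:managed:aws:core-rule-set:NoUserAgent_Header"}]}',
    '{"action":"COUNT","labels":[{"name":"awswaf:managed:aws:core-rule-set:SizeRestrictions_Body"}]}',
    '{"action":"BLOCK","labels":[{"name":"awswaf:managed:aws:known-bad-inputs:Log4JRCE"},'
    '{"name":"awswaf:managed:aws:core-rule-set:NoUserAgent_Header"}]}',
]
```

Because the body rules above inspect only the first 8 KB, leaving SizeRestrictions_BODY in Block mode (its 8,192-byte limit matches that inspection window) is what keeps larger bodies from passing uninspected; the Count override here is for evaluating its impact on your traffic first.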