AWS Managed Rules changelog
This section lists changes to the AWS Managed Rules for AWS WAF since their release in November, 2019.
This changelog reports changes to the rules and rule groups in AWS Managed Rules for AWS WAF.
For the IP reputation rule groups, this changelog reports changes to the rules and rule group, but it doesn't report changes to the IP address lists that are used by the rules, due to the dynamic nature of those lists.
Rule group and rules | Description | Date |
---|---|---|
PHP application managed rule group
|
Released static version 2.0 of this rule group. Added signatures to improve detection in all rules. Replaced the rule Added the rule Updated the following labels to align with standard AWS Managed Rules labeling:
|
2023-02-27 |
AWS WAF Fraud Control account takeover prevention (ATP) rule group
|
Added login response inspection rules for use with protected Amazon CloudFront distributions. These rules can block new login attempts from IP addresses and client sessions that have recently been the source of too many failed login attempts. |
2023-02-15 |
Core rule set (CRS) managed rule group
|
Released static version 1.5 of this rule group. Updated Cross Site Scripting (XSS) filters to improve detection. |
2023-01-25 |
Linux operating system managed rule group
|
Released static version 2.1 of this rule group. Removed the rule Added text transformations and signatures to all rules to improve detection. |
2022-12-15 |
Core rule set (CRS) managed rule group
|
Released static version 1.4 of this rule group. Added a text transformation to |
2022-12-05 |
Known bad inputs managed rule group
|
Released static version 1.17 of this rule group. Updated the Java deserialization rules to add detection for requests matching Apache CVE-2022-42889,
a remote code execution (RCE) vulnerability in Apache Commons Text versions prior to 1.10.0.
For more information, see NIST: National Vulnerability Database: CVE-2022-42889 Detail Improved detection in |
2022-10-20 |
Known bad inputs managed rule group
|
Released static version 1.16 of this rule group. Removed false positives that AWS identified in version 1.15. |
2022-10-05 |
POSIX operating system managed rule group |
Corrected the documented label names. |
2022-09-19 |
IP reputation rule
groups
|
This change doesn't alter how the rule group handles your web traffic. Added a new rule with Count action to inspect for IP addresses that are actively engaging in DDoS activities, according to Amazon threat intelligence. |
2022-08-30 |
Known bad inputs managed rule group
|
Released static version 1.15 of this rule group. Removed Added signatures for improved detection and blocking to Updated labels to correct capitalization in Corrected the description of |
2022-08-22 |
AWS WAF Fraud Control account takeover prevention (ATP) rule group
|
Added a rule to prevent the use of the account takeover prevention managed rule group for Amazon Cognito user pool web traffic. |
2022-08-11 |
Core rule set (CRS) managed rule group | AWS has scheduled expiration for versions |
2022-06-09 |
Core rule set (CRS) managed rule group
|
Released version 1.3 of this rule group. This release updates the match signatures in the rules |
2022-05-24 |
AWS WAF Bot Control rule group
|
Added the rule |
2022-04-06 |
Known bad inputs managed rule group
|
Released version 1.14 of this rule group. The four |
2022-03-31 |
Known bad inputs managed rule group
|
Released version 1.13 of this rule group. Updated the text transformation for Spring Core and Cloud Function RCE vulnerabilities. These rules are in count mode to gather metrics and evaluate matched patterns. The label can be used to block requests in a custom rule. A subsequent version will be deployed with these rules in block mode. |
2022-03-31 |
Known bad inputs managed rule group
|
Released version 1.12 of this rule group. Added signatures for Spring Core and Cloud Function RCE vulnerabilities. These rules are in count mode to gather metrics and evaluate matched patterns. The label can be used to block requests in a custom rule. A subsequent version will be deployed with these rules in block mode. Removed the rules |
2022-03-30 |
IP reputation rule
groups
|
Updated the AWSManagedReconnaissanceList rule to change the action from count to block. |
2022-02-15 |
AWS WAF Fraud Control account takeover prevention (ATP) rule group
All rules in new rule group |
Added the rule group AWSManagedRulesATPRuleSet . |
2022-02-11 |
Known bad inputs managed rule group
|
Released version 1.9 of this rule group. Removed the rule |
2022-01-28 |
Core rule set (CRS)
|
Released version 2.0 of this rule group. For these rules,
tuned detection signatures to reduce false positives.
Replaced the |
2022-01-10 |
Core rule set (CRS)
|
As part of the release of version 2.0 of this rule group,
added the |
2022-01-10 |
SQL database
|
Released version 2.0 of this rule group.
Replaced the Added more detection signatures to
Added JSON inspection to Added the rule
Removed the rule |
2022-01-10 |
Known bad inputs
|
Released version 1.8 of the rule |
2021-12-17 |
Known bad inputs
|
Released version 1.4 of the rule |
2021-12-11 |
Known bad inputs
|
Added the rule Removed the rule |
2021-12-10 |
The following table lists changes prior to December, 2021.
Rule group and rules | Description | Date | |
---|---|---|---|
Amazon IP reputation list |
|
Added the AWSManagedReconnaissanceList rule in
monitoring/count mode. This rule contains IP addresses that are
performing reconnaissance against AWS resources. |
2021-11-23 |
Windows operating system |
|
Added three new rules for WindowsShell commands: Added a new PowerShell rule: Restructured the Added more comprehensive detection signatures to Added |
2021-11-23 |
Linux operating system |
|
Replaced double Added Replaced the Added more comprehensive detection signatures for all |
2021-11-23 |
Core rule set (CRS) |
|
Reduced the size limit to block web requests with body payloads larger than 8 KB. Previously, the limit was 10 KB. | 2021-10-27 |
Core rule set (CRS) |
|
Added more detection signatures. Added double unicode URL decode to improve blocking. | 2021-10-27 |
Core rule set (CRS) |
|
Added double unicode URL decode to improve blocking. | 2021-10-27 |
Core rule set (CRS) |
|
Updated the rule signatures to reduce false positives, based on customer feedback. Added double unicode URL decode to improve blocking. | 2021-10-27 |
All | All rules |
Added support for AWS WAF labels to all rules that didn't already support labeling. | 2021-10-25 |
Amazon IP reputation list |
|
Restructured the IP reputation list, removed suffixes from rule name, and added support for AWS WAF labels. | 2021-05-04 |
Anonymous IP list |
|
Added support for AWS WAF labels. | 2021-05-04 |
Bot Control | All | Added the Bot Control rule set. | 2021-04-01 |
Core rule set (CRS) |
|
Added double URL decode. | 2021-03-03 |
Core rule set (CRS) |
|
Improved the configuration of the rules and added an extra URL decode. | 2021-03-03 |
Admin protection |
|
Added double URL decode. | 2021-03-03 |
Known bad inputs |
|
Improved the configuration of the rules and added an extra URL decode. | 2021-03-03 |
Linux operating system |
|
Improved the configuration of the rules and added an extra URL decode. | 2021-03-03 |
Windows operating system | All | Improved the configuration of the rules. | 2020-09-23 |
PHP application |
|
Changed the text transformation from HTML decode to URL decode, to improve blocking. | 2020-09-16 |
POSIX operating system |
|
Changed the text transformation from HTML decode to URL decode, to improve blocking. | 2020-09-16 |
Core rule set |
GenericLFI_BODY |
Changed the text transformation from HTML decode to URL decode, to improve blocking. | 2020-08-07 |
Linux operating system |
|
Changed the text transformation from HTML entity decode to URL decode, to improve detection and blocking. | 2020-05-19 |
Anonymous IP List | All | New rule group in IP reputation rule groups to block requests from services that permit the obfuscation of viewer identity, to help mitigate bots and evasion of geographic restrictions. | 2020-03-06 |
WordPress application |
|
New rule that checks for exploitable commands in the query string. | 2020-03-03 |
Core rule set (CRS) |
|
Adjusted the size value constraints for improved accuracy. | 2020-03-03 |
SQL database |
|
The rules now check the message URI. | 2020-01-23 |
SQL database |
|
Updated text transformations. | 2019-12-20 |
Core rule set (CRS) |
|
Updated text transformations. | 2019-12-20 |