AWS Managed Rules rule groups list - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

AWS Managed Rules rule groups list

This section describes the AWS Managed Rules rule groups that are currently available. You see these on the console when you add a managed rule group to your web ACL. Through the API, you can retrieve this list along with the AWS Marketplace managed rule groups that you're subscribed to by calling ListAvailableManagedRuleGroups.

Baseline rule groups

Baseline managed rule groups provide general protection against a wide variety of common threats. Choose one or more of these rule groups to establish baseline protection for your resources.

Core rule set (CRS)

VendorName: AWS, Name: AWSManagedRulesCommonRuleSet, WCU: 700

The Core rule set (CRS) rule group contains rules that are generally applicable to web applications. This provides protection against exploitation of a wide range of vulnerabilities, including high risk and commonly occurring vulnerabilities described in OWASP publications. Consider using this rule group for any AWS WAF use case.

Rule name Description
NoUserAgent_HEADER Blocks requests with no HTTP User-Agent header.
UserAgent_BadBots_HEADER Inspects for the presence of common User-Agent header values indicating the request to be a bad bot. Example patterns include nessus, and nmap.
SizeRestrictions_QUERYSTRING Verifies that the URI query string length is within the standard boundary for applications.
SizeRestrictions_Cookie_HEADER Verifies that the cookie header length is within the bounds common for many applications.
SizeRestrictions_BODY Verifies that the request body size is within the bounds common for many applications.
SizeRestrictions_URIPATH Verifies that the URI path length is within specification.
EC2MetaDataSSRF_BODY Inspects for attempts to exfiltrate Amazon EC2 metadata from the request body.
EC2MetaDataSSRF_COOKIE Inspects for attempts to exfiltrate Amazon EC2 metadata from the request cookie.
EC2MetaDataSSRF_URIPATH Inspects for attempts to exfiltrate Amazon EC2 metadata from the request URI path.
EC2MetaDataSSRF_QUERYARGUMENTS Inspects for attempts to exfiltrate Amazon EC2 metadata from the request query arguments.
GenericLFI_QUERYARGUMENTS Inspects for the presence of Local File Inclusion (LFI) exploits in the query arguments. Examples include path traversal attempts using techniques like ../../.
GenericLFI_URIPATH Inspects for the presence of Local File Inclusion (LFI) exploits in the URI path. Examples include path traversal attempts using techniques like ../../.
GenericLFI_BODY Inspects for the presence of Local File Inclusion (LFI) exploits in the request body. Examples include path traversal attempts using techniques like ../../.
RestrictedExtensions_URIPATH Inspects requests whose URI path includes system file extensions that the clients shouldn't read or run. Example patterns include extensions like .log and .ini.
RestrictedExtensions_QUERYARGUMENTS Inspects requests whose query arguments are system file extensions that the clients shouldn't read or run. Example patterns include extensions like .log and .ini.
GenericRFI_QUERYARGUMENTS Inspects the values of all query parameters and blocks requests attempting to exploit RFI (Remote File Inclusion) in web applications. Examples include patterns like ://.
GenericRFI_BODY Inspects the values of the request body and blocks requests attempting to exploit RFI (Remote File Inclusion) in web applications. Examples include patterns like ://.
GenericRFI_URIPATH Inspects the values of the URI path and blocks requests attempting to exploit RFI (Remote File Inclusion) in web applications. Examples include patterns like ://.
CrossSiteScripting_COOKIE Inspects the value of cookie headers and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like <script>alert("hello")</script>.
CrossSiteScripting_QUERYARGUMENTS Inspects the value of query arguments and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like <script>alert("hello")</script>.
CrossSiteScripting_BODY Inspects the value of the request body and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like <script>alert("hello")</script>.
CrossSiteScripting_URIPATH Inspects the value of the URI path and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like <script>alert("hello")</script>.

Admin protection

VendorName: AWS, Name: AWSManagedRulesAdminProtectionRuleSet, WCU: 100

The Admin protection rule group contains rules that allow you to block external access to exposed administrative pages. This might be useful if you run third-party software or want to reduce the risk of a malicious actor gaining administrative access to your application.

Rule name Description
AdminProtection_URIPATH Inspects requests for URI paths that are generally reserved for administration of a webserver or application. Example patterns include sqlmanager.

Known bad inputs

VendorName: AWS, Name: AWSManagedRulesKnownBadInputsRuleSet, WCU: 200

The Known bad inputs rule group contains rules to block request patterns that are known to be invalid and are associated with exploitation or discovery of vulnerabilities. This can help reduce the risk of a malicious actor discovering a vulnerable application.

Rule name Description
Host_localhost_HEADER Inspects the host header in the request for patterns indicating localhost. Example patterns include localhost.
PROPFIND_METHOD Inspects the HTTP method in the request for PROPFIND, which is a method similar to HEAD, but with the extra intention to exfiltrate XML objects.
ExploitablePaths_URIPATH Inspects the URI path for attempts to access exploitable web application paths. Example patterns include paths like web-inf.
BadAuthToken_COOKIE_AUTHORIZATION Inspects the request for the presence of an unsolicited JSON Web Token (JWT). This protects against a malicious actor attempting to guess the secret key.

Use-case specific rule groups

Use-case specific rule groups provide incremental protection for many diverse AWS WAF use cases. Choose the rule groups that apply to your application.

SQL database

VendorName: AWS, Name: AWSManagedRulesSQLiRuleSet, WCU: 200

The SQL database rule group contains rules to block request patterns associated with exploitation of SQL databases, like SQL injection attacks. This can help prevent remote injection of unauthorized queries. Evaluate this rule group for use if your application interfaces with an SQL database.

Rule name Description
SQLiExtendedPatterns_QUERYARGUMENTS Inspects the values of all query parameters for patterns that match malicious SQL code. The patterns this rule inspects for aren't covered by the built-in AWS WAF SQL injection match statement.
SQLi_QUERYARGUMENTS Uses the built-in AWS WAF SQL injection match statement to inspect the values of all query parameters for patterns that match malicious SQL code.
SQLi_BODY Uses the built-in AWS WAF SQL injection match statement to inspect the request body for patterns that match malicious SQL code.
SQLi_COOKIE Uses the built-in AWS WAF SQL injection match statement to inspect the request cookie header for patterns that match malicious SQL code.
SQLi_URIPATH Uses the built-in AWS WAF injection match statement to inspect the request URI path for patterns that match malicious SQL code.

Linux operating system

VendorName: AWS, Name: AWSManagedRulesLinuxRuleSet, WCU: 200

The Linux operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to Linux, including Linux-specific Local File Inclusion (LFI) attacks. This can help prevent attacks that expose file contents or run code for which the attacker should not have had access. You should evaluate this rule group if any part of your application runs on Linux. You should use this rule group in conjunction with the POSIX operating system rule group.

Rule name Description
LFI_URIPATH Inspects the request path for attempts to exploit Local File Inclusion (LFI) vulnerabilities in web applications. Example patterns include files like /proc/version, which could provide operating system information to attackers.
LFI_QUERYARGUMENTS Inspects the values of all query parameters for attempts to exploit Local File Inclusion (LFI) vulnerabilities in web applications. Example patterns include files like /proc/version, which could provide operating system information to attackers.
LFI_BODY Inspects the request body for attempts to exploit Local File Inclusion (LFI) vulnerabilities in web applications. Example patterns include files like /proc/version, which could provide operating system information to attackers.

POSIX operating system

VendorName: AWS, Name: AWSManagedRulesUnixRuleSet, WCU: 100

The POSIX operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to POSIX and POSIX-like operating systems, including Local File Inclusion (LFI) attacks. This can help prevent attacks that expose file contents or run code for which the attacker should not have had access. You should evaluate this rule group if any part of your application runs on a POSIX or POSIX-like operating system, including Linux, AIX, HP-UX, macOS, Solaris, FreeBSD, and OpenBSD.

Rule name Description
UNIXShellCommandsVariables_QUERYARGUMENTS Inspects the values of all query parameters for attempts to exploit command injection, LFI, and path traversal vulnerabilities in web applications that run on Unix systems. Examples include patterns like echo $HOME and echo $PATH.
UNIXShellCommandsVariables_BODY Inspects the request body for attempts to exploit command injection, LFI, and path traversal vulnerabilities in web applications that run on Unix systems. Examples include patterns like echo $HOME and echo $PATH.

Windows operating system

VendorName: AWS, Name: AWSManagedRulesWindowsRuleSet, WCU: 200

The Windows operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to Windows, like remote execution of PowerShell commands. This can help prevent exploitation of vulnerabilities that allow an attacker to run unauthorized commands or run malicious code. Evaluate this rule group if any part of your application runs on a Windows operating system.

Rule name Description
PowerShellCommands_Set1_QUERYARGUMENTS Inspects the values of all query parameters and blocks PowerShell command injection attempts in web applications. Example patterns include functions like Invoke-Expression.
PowerShellCommands_Set2_QUERYARGUMENTS Inspects the values of all query parameters and blocks PowerShell command injection attempts in web applications. Example patterns include functions like Invoke-Expression.
PowerShellCommands_Set1_BODY Inspects the request body and blocks PowerShell command injection attempts in web applications. Example patterns include functions like Invoke-Expression.
PowerShellCommands_Set2_BODY Inspects the request body and blocks PowerShell command injection attempts in web applications. Example patterns include functions like Invoke-Expression.

PHP application

VendorName: AWS, Name: AWSManagedRulesPHPRuleSet, WCU: 100

The PHP application rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to the use of the PHP programming language, including injection of unsafe PHP functions. This can help prevent exploitation of vulnerabilities that allow an attacker to remotely run code or commands for which they are not authorized. Evaluate this rule group if PHP is installed on any server with which your application interfaces.

Rule name Description
PHPHighRiskMethodsVariables_QUERYARGUMENTS Inspects the values of all query parameters for PHP script code injection attempts. Example patterns include functions like fsockopen and the $_GET superglobal variable.
PHPHighRiskMethodsVariables_BODY Inspects the values of the request body for PHP script code injection attempts. Example patterns include functions like fsockopen and the $_GET superglobal variable.

WordPress application

VendorName: AWS, Name: AWSManagedRulesWordPressRuleSet, WCU: 100

The WordPress application rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to WordPress sites. You should evaluate this rule group if you are running WordPress. This rule group should be used in conjunction with the SQL database and PHP application rule groups.

Rule name Description
WordPressExploitableCommands_QUERYSTRING Inspects the request query string for high risk WordPress commands that can be exploited in vulnerable installations or plugins. Examples patterns include commands like do-reset-wordpress.
WordPressExploitablePaths_URIPATH Inspects the request URI path for WordPress files like xmlrpc.php, which are known to have easily exploitable vulnerabilities.

IP reputation rule groups

IP reputation rule groups allow you to block requests based on their source. Choose one or more of these rule groups if you want to reduce your exposure to bot traffic or exploitation attempts, or if you are enforcing geographic restrictions on your content.

Amazon IP reputation list

VendorName: AWS, Name: AWSManagedRulesAmazonIpReputationList, WCU: 25

The Amazon IP reputation list rule group contains rules that are based on Amazon internal threat intelligence. This is useful if you would like to block IP addresses typically associated with bots or other threats. Blocking these IP addresses can help mitigate bots and reduce the risk of a malicious actor discovering a vulnerable application.

Rule name Description
AWSManagedIPReputationList_xxxx Inspects for a list of IP addresses that have been identified as malicious actors and bots by Amazon threat intelligence.

Anonymous IP list

VendorName: AWS, Name: AWSManagedRulesAnonymousIpList, WCU: 50

The Anonymous IP list rule group contains rules to block requests from services that allow the obfuscation of viewer identity. These include requests from VPNs, proxies, Tor nodes, and hosting providers (including AWS). This rule group is useful if you want to filter out viewers that might be trying to hide their identity from your application. Blocking the IP addresses of these services can help mitigate bots and evasion of geographic restrictions.

Rule name Description
AnonymousIPList Inspects for a list of IP addresses of sources known to anonymize client information, like TOR nodes, temporary proxies, and other masking services.
HostingProviderIPList Inspects for a list of IP addresses from hosting and cloud providers, which are less likely to source end-user traffic. Examples include cloud providers like AWS.