Baseline rule groups Use-case specific rule groups IP reputation rule groups AWS WAF Bot Control rule group

AWS Managed Rules rule groups list

This section describes the AWS Managed Rules rule groups that are currently available. You see these on the console when you add a managed rule group to your web ACL. Through the API, you can retrieve this list along with the AWS Marketplace managed rule groups that you're subscribed to by calling ListAvailableManagedRuleGroups.

Baseline rule groups

Baseline managed rule groups provide general protection against a wide variety of common threats. Choose one or more of these rule groups to establish baseline protection for your resources.

Core rule set (CRS)

VendorName: AWS, Name: AWSManagedRulesCommonRuleSet, WCU: 700

The Core rule set (CRS) rule group contains rules that are generally applicable to web applications. This provides protection against exploitation of a wide range of vulnerabilities, including high risk and commonly occurring vulnerabilities described in OWASP publications such as OWASP Top 10. Consider using this rule group for any AWS WAF use case.

Rule name	Description
`NoUserAgent_HEADER`	Blocks requests with no HTTP `User-Agent` header.
`UserAgent_BadBots_HEADER`	Inspects for the presence of common `User-Agent` header values indicating the request to be a bad bot. Example patterns include `nessus`, and `nmap`. For bot management, see also AWS WAF Bot Control rule group.
`SizeRestrictions_QUERYSTRING`	Verifies that the URI query string length is at most 2,048 bytes.
`SizeRestrictions_Cookie_HEADER`	Verifies that the cookie header length is at most 10,240 bytes.
`SizeRestrictions_BODY`	Verifies that the request body size is at most 10,240 bytes.
`SizeRestrictions_URIPATH`	Verifies that the URI path length is at most 1,024 bytes.
`EC2MetaDataSSRF_BODY`	Inspects for attempts to exfiltrate Amazon EC2 metadata from the request body. Warning This rule only inspects the first 8 KB of the request body. For information, see Web request body inspection.
`EC2MetaDataSSRF_COOKIE`	Inspects for attempts to exfiltrate Amazon EC2 metadata from the request cookie.
`EC2MetaDataSSRF_URIPATH`	Inspects for attempts to exfiltrate Amazon EC2 metadata from the request URI path.
`EC2MetaDataSSRF_QUERYARGUMENTS`	Inspects for attempts to exfiltrate Amazon EC2 metadata from the request query arguments.
`GenericLFI_QUERYARGUMENTS`	Inspects for the presence of Local File Inclusion (LFI) exploits in the query arguments. Examples include path traversal attempts using techniques like `../../`.
`GenericLFI_URIPATH`	Inspects for the presence of Local File Inclusion (LFI) exploits in the URI path. Examples include path traversal attempts using techniques like `../../`.
`GenericLFI_BODY`	Inspects for the presence of Local File Inclusion (LFI) exploits in the request body. Examples include path traversal attempts using techniques like `../../`. Warning This rule only inspects the first 8 KB of the request body. For information, see Web request body inspection.
`RestrictedExtensions_URIPATH`	Inspects requests whose URI path includes system file extensions that the clients shouldn't read or run. Example patterns include extensions like `.log` and `.ini`.
`RestrictedExtensions_QUERYARGUMENTS`	Inspects requests whose query arguments are system file extensions that the clients shouldn't read or run. Example patterns include extensions like `.log` and `.ini`.
`GenericRFI_QUERYARGUMENTS`	Inspects the values of all query parameters and blocks requests attempting to exploit RFI (Remote File Inclusion) in web applications. Examples include patterns like `://`.
`GenericRFI_BODY`	Inspects the values of the request body and blocks requests attempting to exploit RFI (Remote File Inclusion) in web applications. Examples include patterns like `://`. Warning This rule only inspects the first 8 KB of the request body. For information, see Web request body inspection.
`GenericRFI_URIPATH`	Inspects the values of the URI path and blocks requests attempting to exploit RFI (Remote File Inclusion) in web applications. Examples include patterns like `://`.
`CrossSiteScripting_COOKIE`	Inspects the value of cookie headers and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like `<script>alert("hello")</script>`.
`CrossSiteScripting_QUERYARGUMENTS`	Inspects the value of query arguments and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like `<script>alert("hello")</script>`.
`CrossSiteScripting_BODY`	Inspects the value of the request body and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like `<script>alert("hello")</script>`. Warning This rule only inspects the first 8 KB of the request body. For information, see Web request body inspection.
`CrossSiteScripting_URIPATH`	Inspects the value of the URI path and blocks common cross-site scripting (XSS) patterns using the built-in XSS detection rule in AWS WAF. Example patterns include scripts like `<script>alert("hello")</script>`.

Admin protection

VendorName: AWS, Name: AWSManagedRulesAdminProtectionRuleSet, WCU: 100

The Admin protection rule group contains rules that allow you to block external access to exposed administrative pages. This might be useful if you run third-party software or want to reduce the risk of a malicious actor gaining administrative access to your application.

Rule name	Description
`AdminProtection_URIPATH`	Inspects requests for URI paths that are generally reserved for administration of a webserver or application. Example patterns include `sqlmanager`.

Known bad inputs

VendorName: AWS, Name: AWSManagedRulesKnownBadInputsRuleSet, WCU: 200

The Known bad inputs rule group contains rules to block request patterns that are known to be invalid and are associated with exploitation or discovery of vulnerabilities. This can help reduce the risk of a malicious actor discovering a vulnerable application.

Rule name	Description
`Host_localhost_HEADER`	Inspects the host header in the request for patterns indicating localhost. Example patterns include `localhost`.
`PROPFIND_METHOD`	Inspects the HTTP method in the request for `PROPFIND`, which is a method similar to `HEAD`, but with the extra intention to exfiltrate XML objects.
`ExploitablePaths_URIPATH`	Inspects the URI path for attempts to access exploitable web application paths. Example patterns include paths like `web-inf`.
`BadAuthToken_COOKIE_AUTHORIZATION`	Inspects the request for the presence of an unsolicited JSON Web Token (JWT). This protects against a malicious actor attempting to guess the secret key.

Use-case specific rule groups

Use-case specific rule groups provide incremental protection for many diverse AWS WAF use cases. Choose the rule groups that apply to your application.

SQL database

VendorName: AWS, Name: AWSManagedRulesSQLiRuleSet, WCU: 200

The SQL database rule group contains rules to block request patterns associated with exploitation of SQL databases, like SQL injection attacks. This can help prevent remote injection of unauthorized queries. Evaluate this rule group for use if your application interfaces with an SQL database.

Rule name	Description
`SQLiExtendedPatterns_QUERYARGUMENTS`	Inspects the values of all query parameters for patterns that match malicious SQL code. The patterns this rule inspects for aren't covered by the built-in AWS WAF SQL injection match statement.
`SQLi_QUERYARGUMENTS`	Uses the built-in AWS WAF SQL injection match statement to inspect the values of all query parameters for patterns that match malicious SQL code.
`SQLi_BODY`	Uses the built-in AWS WAF SQL injection match statement to inspect the request body for patterns that match malicious SQL code. Warning This rule only inspects the first 8 KB of the request body. For information, see Web request body inspection.
`SQLi_COOKIE`	Uses the built-in AWS WAF SQL injection match statement to inspect the request cookie header for patterns that match malicious SQL code.
`SQLi_URIPATH`	Uses the built-in AWS WAF injection match statement to inspect the request URI path for patterns that match malicious SQL code.

Linux operating system

VendorName: AWS, Name: AWSManagedRulesLinuxRuleSet, WCU: 200

The Linux operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to Linux, including Linux-specific Local File Inclusion (LFI) attacks. This can help prevent attacks that expose file contents or run code for which the attacker should not have had access. You should evaluate this rule group if any part of your application runs on Linux. You should use this rule group in conjunction with the POSIX operating system rule group.

Rule name	Description
`LFI_URIPATH`	Inspects the request path for attempts to exploit Local File Inclusion (LFI) vulnerabilities in web applications. Example patterns include files like `/proc/version`, which could provide operating system information to attackers.
`LFI_QUERYARGUMENTS`	Inspects the values of all query parameters for attempts to exploit Local File Inclusion (LFI) vulnerabilities in web applications. Example patterns include files like `/proc/version`, which could provide operating system information to attackers.
`LFI_BODY`	Inspects the request body for attempts to exploit Local File Inclusion (LFI) vulnerabilities in web applications. Example patterns include files like `/proc/version`, which could provide operating system information to attackers. Warning This rule only inspects the first 8 KB of the request body. For information, see Web request body inspection.

POSIX operating system

VendorName: AWS, Name: AWSManagedRulesUnixRuleSet, WCU: 100

The POSIX operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to POSIX and POSIX-like operating systems, including Local File Inclusion (LFI) attacks. This can help prevent attacks that expose file contents or run code for which the attacker should not have had access. You should evaluate this rule group if any part of your application runs on a POSIX or POSIX-like operating system, including Linux, AIX, HP-UX, macOS, Solaris, FreeBSD, and OpenBSD.

Rule name	Description
`UNIXShellCommandsVariables_QUERYARGUMENTS`	Inspects the values of all query parameters for attempts to exploit command injection, LFI, and path traversal vulnerabilities in web applications that run on Unix systems. Examples include patterns like `echo $HOME` and `echo $PATH`.
`UNIXShellCommandsVariables_BODY`	Inspects the request body for attempts to exploit command injection, LFI, and path traversal vulnerabilities in web applications that run on Unix systems. Examples include patterns like `echo $HOME` and `echo $PATH`. Warning This rule only inspects the first 8 KB of the request body. For information, see Web request body inspection.

Windows operating system

VendorName: AWS, Name: AWSManagedRulesWindowsRuleSet, WCU: 200

The Windows operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to Windows, like remote execution of PowerShell commands. This can help prevent exploitation of vulnerabilities that allow an attacker to run unauthorized commands or run malicious code. Evaluate this rule group if any part of your application runs on a Windows operating system.

Rule name	Description
`PowerShellCommands_Set1_QUERYARGUMENTS`	Inspects the values of all query parameters and blocks PowerShell command injection attempts in web applications. This inspection requires two rules, to accommodate the size of the pattern matching set. The match patterns represent PowerShell commands, for example, `Invoke-Expression`.
`PowerShellCommands_Set2_QUERYARGUMENTS`	Inspects the values of all query parameters and blocks PowerShell command injection attempts in web applications. This inspection requires two rules, to accommodate the size of the pattern matching set. The match patterns represent PowerShell commands, for example, `Invoke-Expression`.
`PowerShellCommands_Set1_BODY`	Inspects the values of the request body and blocks PowerShell command injection attempts in web applications. This inspection requires two rules, to accommodate the size of the pattern matching set. The match patterns represent PowerShell commands, for example, `Invoke-Expression`. Warning This rule only inspects the first 8 KB of the request body. For information, see Web request body inspection.
`PowerShellCommands_Set2_BODY`	Inspects the values of the request body and blocks PowerShell command injection attempts in web applications. This inspection requires two rules, to accommodate the size of the pattern matching set. The match patterns represent PowerShell commands, for example, `Invoke-Expression`. Warning This rule only inspects the first 8 KB of the request body. For information, see Web request body inspection.

PHP application

VendorName: AWS, Name: AWSManagedRulesPHPRuleSet, WCU: 100

The PHP application rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to the use of the PHP programming language, including injection of unsafe PHP functions. This can help prevent exploitation of vulnerabilities that allow an attacker to remotely run code or commands for which they are not authorized. Evaluate this rule group if PHP is installed on any server with which your application interfaces.

Rule name	Description
`PHPHighRiskMethodsVariables_QUERYARGUMENTS`	Inspects the values of all query parameters for PHP script code injection attempts. Example patterns include functions like `fsockopen` and the `$_GET` superglobal variable.
`PHPHighRiskMethodsVariables_BODY`	Inspects the values of the request body for PHP script code injection attempts. Example patterns include functions like `fsockopen` and the `$_GET` superglobal variable. Warning This rule only inspects the first 8 KB of the request body. For information, see Web request body inspection.

WordPress application

VendorName: AWS, Name: AWSManagedRulesWordPressRuleSet, WCU: 100

The WordPress application rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to WordPress sites. You should evaluate this rule group if you are running WordPress. This rule group should be used in conjunction with the SQL database and PHP application rule groups.

Rule name	Description
`WordPressExploitableCommands_QUERYSTRING`	Inspects the request query string for high risk WordPress commands that can be exploited in vulnerable installations or plugins. Examples patterns include commands like `do-reset-wordpress`.
`WordPressExploitablePaths_URIPATH`	Inspects the request URI path for WordPress files like `xmlrpc.php`, which are known to have easily exploitable vulnerabilities.

IP reputation rule groups

IP reputation rule groups allow you to block requests based on their source. Choose one or more of these rule groups if you want to reduce your exposure to bot traffic or exploitation attempts, or if you are enforcing geographic restrictions on your content. For bot management, see also AWS WAF Bot Control rule group.

Amazon IP reputation list

VendorName: AWS, Name: AWSManagedRulesAmazonIpReputationList, WCU: 25

The Amazon IP reputation list rule group contains rules that are based on Amazon internal threat intelligence. This is useful if you would like to block IP addresses typically associated with bots or other threats. Blocking these IP addresses can help mitigate bots and reduce the risk of a malicious actor discovering a vulnerable application.

The rules in this rule group add labels to matching requests. For information about labeling, see AWS WAF labels on web requests.

Rule name	Description
`AWSManagedIPReputationList`	Inspects for a list of IP addresses that have been identified as bots by Amazon threat intelligence. Label: `awswaf:managed:aws:amazon-ip-list:AWSManagedIPReputationList`.

Anonymous IP list

VendorName: AWS, Name: AWSManagedRulesAnonymousIpList, WCU: 50

The Anonymous IP list rule group contains rules to block requests from services that allow the obfuscation of viewer identity. These include requests from VPNs, proxies, Tor nodes, and hosting providers (including AWS). This rule group is useful if you want to filter out viewers that might be trying to hide their identity from your application. Blocking the IP addresses of these services can help mitigate bots and evasion of geographic restrictions.

The rules in this rule group add labels to matching requests. For information about labeling, see AWS WAF labels on web requests.

Rule name	Description
`AnonymousIPList`	Inspects for a list of IP addresses of sources known to anonymize client information, like TOR nodes, temporary proxies, and other masking services. Label: `awswaf:managed:aws:anonymous-ip-list:AnonymousIPList`.
`HostingProviderIPList`	Inspects for a list of IP addresses from hosting and cloud providers, which are less likely to source end-user traffic. Examples include cloud providers like AWS. Label: `awswaf:managed:aws:anonymous-ip-list:HostingProviderIPList`.

AWS WAF Bot Control rule group

The Bot Control managed rule group available from AWS Managed Rules.

AWS WAF Bot Control

VendorName: AWS, Name: AWSManagedRulesBotControlRuleSet, WCU: 50

The Bot Control managed rule group contains rules to block and manage requests from bots. You are charged additional fees when you use this rule group. For more information, see AWS WAF Pricing.

In order to keep your costs down and to be sure you're managing your bot traffic as you want, use this rule group in accordance with the guidance at AWS WAF Bot Control.

The Bot Control managed rule group generates labels for each rule. You can retrieve the labels through the API by calling DescribeManagedRuleGroup. The labels are listed in the AvailableLabels property in the response.

The Bot Control labels are generated in the following namespaces, depending on the rule:

bot:category: – The category of bot, as defined by AWS WAF, for example bot:category:search_engine: and bot:category:content_fetcher:.
bot:name: – The bot name, if one is available, for example bot:name:slurp, bot:name:googlebot, and bot:name:pocket_parser.
bot: – Used to indicate a verified bot with the label bot:verified. This is used for common desirable bots, like googlebot and bingbot.

Bot Control uses the IP addresses from AWS WAF to verify bots. If you have verified bots that route through a proxy or load balancer, you might need to explicitly allow them. For information, see Forwarded IP address.
signal: – Used for attributes of the request that are indicative of bots that are not more commonly used or verified.

The Bot Control managed rule group applies labels to a set of verifiable bots that are commonly allowed. The rule group doesn't block this category of bots and doesn't apply any signal: labels. If you want, you can block them, or a subset of them, by writing a custom rule that uses the labels applied by the Bot Control managed rule group. For more information about this and examples, see AWS WAF Bot Control.

Rule name	Description
`CategoryAdvertising`	Inspects for bots that are used for advertising purposes.
`CategoryArchiver`	Inspects for bots that are used for archiving purposes.
`CategoryContentFetcher`	Inspects for bots that are fetching content on behalf of an end user.
`CategoryHttpLibrary`	Inspects for HTTP libraries that are often used by bots.
`CategoryLinkChecker`	Inspects for bots that check for broken links.
`CategoryMiscellaneous`	Inspects for miscellaneous bots.
`CategoryMonitoring`	Inspects for bots that are used for monitoring purposes.
`CategoryScrapingFramework`	Inspects for web scraping frameworks.
`CategorySecurity`	Inspects for security-related bots.
`CategorySeo`	Inspects for bots that are used for search engine optimization.
`CategorySocialMedia`	Inspects for bots that are used by social media platforms to provide content summaries. Verified social media bots are not blocked.
`CategorySearchEngine`	Inspects for search engine bots. Verified search engines are not blocked.
`SignalAutomatedBrowser`	Inspects for indications of an automated web browser.
`SignalKnownBotDataCenter`	Inspects for data centers that are typically used by bots.
`SignalNonBrowserUserAgent`	Inspects for user agent strings that don't seem to be from a web browser.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS Managed Rules for AWS WAF

AWS Managed Rules disclaimer