Use-case specific rule groups
Use-case specific rule groups provide incremental protection for many diverse AWS WAF use cases. Choose the rule groups that apply to your application.
SQL database managed rule group
VendorName: AWS, Name: AWSManagedRulesSQLiRuleSet, WCU: 200
Note
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog at AWS Managed Rules changelog. For information about other versions, use the API command DescribeManagedRuleGroup.
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the AWS Support Center.
The SQL database rule group contains rules to block request patterns associated with exploitation of SQL databases, like SQL injection attacks. This can help prevent remote injection of unauthorized queries. Evaluate this rule group for use if your application interfaces with an SQL database.
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your web ACL. AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see Web request labeling and Label metrics and dimensions.
Rule name | Description and label |
---|---|
SQLi_QUERYARGUMENTS | Uses the built-in AWS WAF SQL injection attack rule statement, with sensitivity level set to Low, to inspect the values of all query parameters for patterns that match malicious SQL code. Rule action: Block. Label: |
SQLiExtendedPatterns_QUERYARGUMENTS | Inspects the values of all query parameters for patterns that match malicious SQL code. The patterns this rule inspects for aren't covered by the rule. Rule action: Block. Label: |
SQLi_BODY | Uses the built-in AWS WAF SQL injection attack rule statement, with sensitivity level set to Low, to inspect the request body for patterns that match malicious SQL code. Warning: This rule only inspects the request body up to the body size limit for the web ACL and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your web ACL configuration. This rule uses the Rule action: Block. Label: |
SQLiExtendedPatterns_BODY | Inspects the request body for patterns that match malicious SQL code. The patterns this rule inspects for aren't covered by the rule. Warning: This rule only inspects the request body up to the body size limit for the web ACL and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your web ACL configuration. This rule uses the Rule action: Block. Label: |
SQLi_COOKIE | Uses the built-in AWS WAF SQL injection attack rule statement, with sensitivity level set to Low, to inspect the request cookie headers for patterns that match malicious SQL code. Rule action: Block. Label: |
Linux operating system managed rule group
VendorName: AWS, Name: AWSManagedRulesLinuxRuleSet, WCU: 200
Note
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog at AWS Managed Rules changelog. For information about other versions, use the API command DescribeManagedRuleGroup.
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the AWS Support Center.
The Linux operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to Linux, including Linux-specific Local File Inclusion (LFI) attacks. This can help prevent attacks that expose file contents or run code to which the attacker should not have access. You should evaluate this rule group if any part of your application runs on Linux. You should use this rule group in conjunction with the POSIX operating system rule group.
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your web ACL. AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see Web request labeling and Label metrics and dimensions.
Rule name | Description and label |
---|---|
LFI_URIPATH | Inspects the request path for attempts to exploit Local File Inclusion (LFI) vulnerabilities in web applications. Example patterns include files like Rule action: Block. Label: |
LFI_QUERYSTRING | Inspects the values of the query string for attempts to exploit Local File Inclusion (LFI) vulnerabilities in web applications. Example patterns include files like Rule action: Block. Label: |
LFI_HEADER | Inspects request headers for attempts to exploit Local File Inclusion (LFI) vulnerabilities in web applications. Example patterns include files like Warning: This rule only inspects the first 8 KB of the request headers or the first 200 headers, whichever limit is reached first, and it uses the Rule action: Block. Label: |
POSIX operating system managed rule group
VendorName: AWS, Name: AWSManagedRulesUnixRuleSet, WCU: 100
Note
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog at AWS Managed Rules changelog. For information about other versions, use the API command DescribeManagedRuleGroup.
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the AWS Support Center.
The POSIX operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to POSIX and POSIX-like operating systems, including Local File Inclusion (LFI) attacks. This can help prevent attacks that expose file contents or run code to which the attacker should not have access. You should evaluate this rule group if any part of your application runs on a POSIX or POSIX-like operating system, including Linux, AIX, HP-UX, macOS, Solaris, FreeBSD, and OpenBSD.
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your web ACL. AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see Web request labeling and Label metrics and dimensions.
Rule name | Description and label |
---|---|
UNIXShellCommandsVariables_QUERYSTRING | Inspects the values of the query string for attempts to exploit command injection, LFI, and path traversal vulnerabilities in web applications that run on Unix systems. Examples include patterns like Rule action: Block. Label: |
UNIXShellCommandsVariables_BODY | Inspects the request body for attempts to exploit command injection, LFI, and path traversal vulnerabilities in web applications that run on Unix systems. Examples include patterns like Warning: This rule only inspects the request body up to the body size limit for the web ACL and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your web ACL configuration. This rule uses the Rule action: Block. Label: |
UNIXShellCommandsVariables_HEADER | Inspects all request headers for attempts to exploit command injection, LFI, and path traversal vulnerabilities in web applications that run on Unix systems. Examples include patterns like Warning: This rule only inspects the first 8 KB of the request headers or the first 200 headers, whichever limit is reached first, and it uses the Rule action: Block. Label: |
Windows operating system managed rule group
VendorName: AWS, Name: AWSManagedRulesWindowsRuleSet, WCU: 200
Note
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog at AWS Managed Rules changelog. For information about other versions, use the API command DescribeManagedRuleGroup.
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the AWS Support Center.
The Windows operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to Windows, like remote execution of PowerShell commands. This can help prevent exploitation of vulnerabilities that permit an attacker to run unauthorized commands or run malicious code. Evaluate this rule group if any part of your application runs on a Windows operating system.
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your web ACL. AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see Web request labeling and Label metrics and dimensions.
Rule name | Description and label |
---|---|
WindowsShellCommands_COOKIE | Inspects the request cookie headers for WindowsShell command injection attempts in web applications. The match patterns represent WindowsShell commands. Example patterns include Rule action: Block. Label: |
WindowsShellCommands_QUERYARGUMENTS | Inspects the values of all query parameters for WindowsShell command injection attempts in web applications. The match patterns represent WindowsShell commands. Example patterns include Rule action: Block. Label: |
WindowsShellCommands_BODY | Inspects the request body for WindowsShell command injection attempts in web applications. The match patterns represent WindowsShell commands. Example patterns include Warning: This rule only inspects the request body up to the body size limit for the web ACL and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your web ACL configuration. This rule uses the Rule action: Block. Label: |
PowerShellCommands_COOKIE | Inspects the request cookie headers for PowerShell command injection attempts in web applications. The match patterns represent PowerShell commands. For example, Rule action: Block. Label: |
PowerShellCommands_QUERYARGUMENTS | Inspects the values of all query parameters for PowerShell command injection attempts in web applications. The match patterns represent PowerShell commands. For example, Rule action: Block. Label: |
PowerShellCommands_BODY | Inspects the request body for PowerShell command injection attempts in web applications. The match patterns represent PowerShell commands. For example, Warning: This rule only inspects the request body up to the body size limit for the web ACL and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your web ACL configuration. This rule uses the Rule action: Block. Label: |
PHP application managed rule group
VendorName: AWS, Name: AWSManagedRulesPHPRuleSet, WCU: 100
Note
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog at AWS Managed Rules changelog. For information about other versions, use the API command DescribeManagedRuleGroup.
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the AWS Support Center.
The PHP application rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to the use of the PHP programming language, including injection of unsafe PHP functions. This can help prevent exploitation of vulnerabilities that permit an attacker to remotely run code or commands for which they are not authorized. Evaluate this rule group if PHP is installed on any server with which your application interfaces.
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your web ACL. AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see Web request labeling and Label metrics and dimensions.
Rule name | Description and label |
---|---|
PHPHighRiskMethodsVariables_HEADER | Inspects all headers for PHP script code injection attempts. Example patterns include functions like Warning: This rule only inspects the first 8 KB of the request headers or the first 200 headers, whichever limit is reached first, and it uses the Rule action: Block. Label: |
PHPHighRiskMethodsVariables_QUERYSTRING | Inspects everything after the first Rule action: Block. Label: |
PHPHighRiskMethodsVariables_BODY | Inspects the values of the request body for PHP script code injection attempts. Example patterns include functions like Warning: This rule only inspects the request body up to the body size limit for the web ACL and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your web ACL configuration. This rule uses the Rule action: Block. Label: |
WordPress application managed rule group
VendorName: AWS, Name: AWSManagedRulesWordPressRuleSet, WCU: 100
Note
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog at AWS Managed Rules changelog. For information about other versions, use the API command DescribeManagedRuleGroup.
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the AWS Support Center.
The WordPress application rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to WordPress sites. You should evaluate this rule group if you are running WordPress. This rule group should be used in conjunction with the SQL database and PHP application rule groups.
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your web ACL. AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see Web request labeling and Label metrics and dimensions.
Rule name | Description and label |
---|---|
WordPressExploitableCommands_QUERYSTRING | Inspects the request query string for high-risk WordPress commands that can be exploited in vulnerable installations or plugins. Example patterns include commands like Rule action: Block. Label: |
WordPressExploitablePaths_URIPATH | Inspects the request URI path for WordPress files like Rule action: Block. Label: |
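Putting the groups above into a web ACL, as an added example that is not part of the AWS documentation: the code assembles the `ManagedRuleGroupStatement` references in the JSON shape the wafv2 API accepts, lets you set individual rules (for instance `SQLi_BODY`) to Count while you evaluate a group, and sums the WCU values published on this page against the web ACL capacity. The 1500 WCU default capacity is an assumption to verify against your account's limits; the WCU figures are the ones stated above.

```python
# Added example (not AWS's code): build the managed-rule-group references
# for a web ACL from the groups and WCU values on this page, optionally set
# named rules to Count for tuning, and check the published WCU total
# against the web ACL capacity (1500 WCU is assumed as the default limit).
USE_CASE_GROUPS = {  # WCU per group, as stated on this page
    "AWSManagedRulesSQLiRuleSet": 200,
    "AWSManagedRulesLinuxRuleSet": 200,
    "AWSManagedRulesUnixRuleSet": 100,
    "AWSManagedRulesWindowsRuleSet": 200,
    "AWSManagedRulesPHPRuleSet": 100,
    "AWSManagedRulesWordPressRuleSet": 100,
}
DEFAULT_WEB_ACL_CAPACITY = 1500  # assumption: default WCU limit per web ACL


def managed_group_rule(name, priority, count_rules=()):
    """One web ACL rule referencing an AWS managed rule group; rules named
    in count_rules are overridden to Count so they log and label without
    blocking while you evaluate the group."""
    if name not in USE_CASE_GROUPS:
        raise ValueError(f"unknown rule group {name}")
    group = {"VendorName": "AWS", "Name": name}
    if count_rules:
        group["RuleActionOverrides"] = [
            {"Name": r, "ActionToUse": {"Count": {}}} for r in count_rules
        ]
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": group},
        "OverrideAction": {"None": {}},  # keep the group's own Block actions
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def build_rules(selection, capacity=DEFAULT_WEB_ACL_CAPACITY):
    """selection: list of (group name, rules to set to Count), in priority
    order. Raises ValueError if the published WCU total exceeds capacity."""
    total = sum(USE_CASE_GROUPS[n] for n, _ in selection)
    if total > capacity:
        raise ValueError(f"{total} WCU exceeds web ACL capacity {capacity}")
    return [managed_group_rule(n, i, c) for i, (n, c) in enumerate(selection)]
```

The returned list is the `Rules` value for `CreateWebACL` or `UpdateWebACL`; the labels each group emits stay available to any rule you place at a later priority.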