Rule groups provided by other services

If you or an administrator in your organization uses AWS Firewall Manager or AWS Shield Advanced to manage resource protections using AWS WAF, you might see rule group reference statements added to web ACLs in your account.

The names of these rule groups begin with the following strings:

  • ShieldMitigationRuleGroup – These rule groups are managed by AWS Shield Advanced and used to provide automatic application layer DDoS mitigation to protected application layer (layer 7) resources.

    When you enable automatic application layer DDoS mitigation for a protected resource, Shield Advanced adds one of these rule groups to the web ACL that you have associated with the resource. Shield Advanced assigns the rule group reference statement a priority setting of 10,000,000, so that it runs after the rules that you have configured in the web ACL. For more information about these rule groups, see Shield Advanced automatic application layer DDoS mitigation.

    Warning

    Don't try to manually manage this rule group in your web ACL. In particular, don't manually delete the ShieldMitigationRuleGroup rule group reference statement from your web ACL. Doing this could have unintended consequences for all resources that are associated with the web ACL. Instead, use Shield Advanced to disable automatic mitigation for the resources that are associated with the web ACL. Shield Advanced will remove the rule group for you when it's not needed for automatic mitigation.

  • PREFMManaged and POSTFMManaged – These rule groups are managed by AWS Firewall Manager. Firewall Manager provides them inside web ACLs that Firewall Manager creates and manages. The names of the web ACLs begin with FMManagedWebACLV2. For information about these web ACLs and rule groups, see AWS WAF policies.
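The following script is an added example for this page; it is not code from the AWS WAF, Shield Advanced or Firewall Manager documentation. It reads a web ACL in the JSON shape that the WAFv2 GetWebACL API returns (Rules[].Name, Priority, Statement), reports every rule group reference statement whose name starts with one of the prefixes listed above, checks that the Shield Advanced rule still sits at priority 10,000,000 behind all operator rules, and diffs two copies of a web ACL so that a manual deletion of a service-managed rule shows up as drift rather than going unnoticed. The sample web ACLs, account id, rule names and ARNs in the block are constructed for illustration.

```python
"""Spot service-managed rule group references in an AWS WAF web ACL.

Added example, not code from the AWS documentation. Works on the JSON a
WAFv2 GetWebACL call returns. All sample data below is constructed.
"""
import copy
import json

# Name prefixes from the page, mapped to the service that manages them.
MANAGED_PREFIXES = {
    "ShieldMitigationRuleGroup": "AWS Shield Advanced",
    "PREFMManaged": "AWS Firewall Manager",
    "POSTFMManaged": "AWS Firewall Manager",
}

# Priority Shield Advanced assigns to its rule group reference statement.
SHIELD_PRIORITY = 10_000_000

ACCOUNT = "123456789012"  # constructed account id
SHIELD_GROUP = f"ShieldMitigationRuleGroup_{ACCOUNT}_example"  # constructed name


def rule_group_name_from_arn(arn):
    """Return the rule group name embedded in a WAFv2 rule group ARN.

    Shape: arn:aws:wafv2:<region>:<account>:<scope>/rulegroup/<name>/<id>
    """
    parts = arn.split("/")
    if len(parts) >= 3 and parts[-3] == "rulegroup":
        return parts[-2]
    return ""


def managing_service(name):
    """Map a rule or rule group name to the managing service, or None."""
    for prefix, service in MANAGED_PREFIXES.items():
        if name.startswith(prefix):
            return service
    return None


def service_managed_rules(web_acl):
    """List rule group references owned by Shield Advanced or Firewall Manager."""
    findings = []
    for rule in web_acl.get("Rules", []):
        ref = rule.get("Statement", {}).get("RuleGroupReferenceStatement")
        if not ref:
            continue  # IP set, managed rule group and custom rules are the operator's
        group_name = rule_group_name_from_arn(ref.get("ARN", ""))
        service = managing_service(rule["Name"]) or managing_service(group_name)
        if service:
            findings.append({"rule": rule["Name"], "priority": rule["Priority"],
                             "rule_group": group_name, "managed_by": service})
    return findings


def shield_rule_runs_last(web_acl):
    """True if each Shield rule has priority 10,000,000 and every other rule runs first.

    WAF evaluates rules from the lowest priority number upward, so "runs after
    the rules you configured" means every operator rule carries a lower number.
    """
    shield = [f for f in service_managed_rules(web_acl) if f["managed_by"] == "AWS Shield Advanced"]
    if not shield:
        return False
    shield_names = {f["rule"] for f in shield}
    others = [r["Priority"] for r in web_acl.get("Rules", []) if r["Name"] not in shield_names]
    return (all(f["priority"] == SHIELD_PRIORITY for f in shield)
            and all(p < SHIELD_PRIORITY for p in others))


def removed_service_managed_rules(before, after):
    """Names of service-managed rules present in `before` but missing from `after`.

    A non-empty result after a hand edit is exactly the situation the warning
    on this page describes; the fix is to disable mitigation in Shield Advanced,
    not to edit the web ACL.
    """
    after_names = {f["rule"] for f in service_managed_rules(after)}
    return [f["rule"] for f in service_managed_rules(before) if f["rule"] not in after_names]


def without_rule(web_acl, rule_name):
    """Copy of the web ACL with one rule removed (simulates a manual deletion)."""
    edited = copy.deepcopy(web_acl)
    edited["Rules"] = [r for r in edited["Rules"] if r["Name"] != rule_name]
    return edited


def _rule_group_rule(name, priority, group_name):
    """Build a constructed rule group reference rule in GetWebACL shape."""
    arn = (f"arn:aws:wafv2:us-east-1:{ACCOUNT}:regional/rulegroup/{group_name}"
           "/00000000-0000-0000-0000-000000000000")
    return {"Name": name, "Priority": priority,
            "Statement": {"RuleGroupReferenceStatement": {"ARN": arn}}}


# Constructed web ACL with two operator rules and the Shield-added rule group.
SAMPLE_WEB_ACL = {
    "Name": "example-web-acl",
    "Rules": [
        {"Name": "block-bad-ips", "Priority": 0, "Statement": {"IPSetReferenceStatement": {
            "ARN": f"arn:aws:wafv2:us-east-1:{ACCOUNT}:regional/ipset/bad-ips/00000000-0000-0000-0000-000000000000"}}},
        {"Name": "AWS-AWSManagedRulesCommonRuleSet", "Priority": 1, "Statement": {
            "ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}}},
        _rule_group_rule(SHIELD_GROUP, SHIELD_PRIORITY, SHIELD_GROUP),
    ],
}

# Constructed shape of a web ACL that Firewall Manager creates and manages.
SAMPLE_FM_WEB_ACL = {
    "Name": "FMManagedWebACLV2-example-policy",
    "Rules": [
        _rule_group_rule("PREFMManaged-example-policy", 0, "PREFMManaged-example-policy"),
        {"Name": "account-rule", "Priority": 1, "Statement": {
            "ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesKnownBadInputsRuleSet"}}},
        _rule_group_rule("POSTFMManaged-example-policy", 2, "POSTFMManaged-example-policy"),
    ],
}

if __name__ == "__main__":
    for acl in (SAMPLE_WEB_ACL, SAMPLE_FM_WEB_ACL):
        print(acl["Name"], json.dumps(service_managed_rules(acl), indent=2))
    print("Shield rule runs last:", shield_rule_runs_last(SAMPLE_WEB_ACL))
    edited = without_rule(SAMPLE_WEB_ACL, SHIELD_GROUP)
    print("Removed by manual edit:", removed_service_managed_rules(SAMPLE_WEB_ACL, edited))
```

To run it against a real web ACL, feed the `Rules` list from a GetWebACL response into `service_managed_rules` and `shield_rule_runs_last`; keeping the previous response on disk and calling `removed_service_managed_rules` on each new one turns the page's warning into a concrete drift check.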