**Introducing a new console experience for AWS WAF**
You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html).
# Using managed rule groups in AWS WAF
This section explains what managed rule groups are and how they work.
Managed rule groups are collections of predefined, ready-to-use rules that AWS and AWS Marketplace sellers write and maintain for you. Basic AWS WAF pricing applies to your use of any managed rule group. For AWS WAF pricing information, see [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).
+ *The AWS Managed Rules rule groups for AWS WAF Bot Control, AWS WAF Fraud Control account takeover prevention (ATP), and AWS WAF Fraud Control account creation fraud prevention (ACFP)* are available for additional fees, beyond the basic AWS WAF charges. For pricing details, see [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).
+ *All other AWS Managed Rules rule groups* are available to AWS WAF customers at no additional cost.
+ *AWS Marketplace rule groups* are available by subscription through AWS Marketplace. Each of these rule groups is owned and managed by the AWS Marketplace seller. For pricing information to use an AWS Marketplace rule group, contact the AWS Marketplace seller.
Some managed rule groups are designed to help protect specific types of web applications like WordPress, Joomla, or PHP. Others offer broad protection against known threats or common web application vulnerabilities, including some of the ones listed in the [OWASP Top 10](https://owasp.org/www-project-top-ten/). If you're subject to regulatory compliance like PCI or HIPAA, you might be able to use managed rule groups to satisfy web application firewall requirements.
**Automatic updates**
Keeping up to date on the constantly changing threat landscape can be time consuming and expensive. Managed rule groups can save you time when you implement and use AWS WAF. Many AWS and AWS Marketplace sellers automatically update managed rule groups and provide new versions of rule groups when new vulnerabilities and threats emerge.
In some cases, AWS is notified of new vulnerabilities before public disclosure, due to its participation in a number of private disclosure communities. In those cases, AWS can update the AWS Managed Rules rule groups and deploy them for you even before a new threat is widely known.
**Restricted access to rules in a managed rule group**
Each managed rule group provides a comprehensive description of the types of attacks and vulnerabilities that it's designed to protect against. To protect the intellectual property of the rule group providers, you can't view all of the details for the individual rules within a rule group. This restriction also helps to keep malicious users from designing threats that specifically circumvent published rules.
**Topics**
+ [
# Using versioned managed rule groups in AWS WAF
](waf-managed-rule-groups-versioning.md)
+ [
# Working with managed rule groups
](waf-using-managed-rule-groups.md)
+ [
# AWS Managed Rules for AWS WAF
](aws-managed-rule-groups.md)
# Using versioned managed rule groups in AWS WAF
This section explains how versioning is handled for managed rule groups.
Many managed rule group providers use versioning to update a rule group's options and capabilities. Usually, a specific version of a managed rule group is static. Occasionally, a provider might need to update some or all of the static versions of a managed rule group, for example, to respond to an emerging security threat.
When you use a versioned managed rule group in your protection pack (web ACL), you can select the default version and let the provider manage which static version you use, or you can select a specific static version.
**Can't find the version you want?**
If you don't see a version in a rule group's version listing, the version is probably scheduled for expiration or already expired. After a version is scheduled for expiration, AWS WAF no longer lets you to choose it for the rule group.
**SNS notifications for AWS Managed Rules rule groups**
The AWS Managed Rules rule groups all provide versioning and SNS update notifications except for the IP reputation rule groups. The AWS Managed Rules rule groups that provide notifications all use the same SNS topic Amazon Resource Name (ARN). To sign up for SNS notifications, see [Getting notified of new versions and updates](waf-using-managed-rule-groups-sns-topic.md).
**Topics**
+ [
# Version life cycle for managed rule groups
](waf-managed-rule-groups-versioning-lifecycle.md)
+ [
# Version expiration for managed rule groups
](waf-managed-rule-groups-versioning-expiration.md)
+ [
# Best practices for handling managed rule group versions
](waf-managed-rule-groups-best-practice.md)
# Version life cycle for managed rule groups
Providers handle the following life cycle stages of a managed rule group static version:
+ **Release and updates** – A managed rule group provider announces upcoming and new static versions of their managed rule groups through notifications to an Amazon Simple Notification Service (Amazon SNS) topic. Providers might also use the topic to communicate other important information about their rule groups, such as urgent required updates.
You can subscribe to the rule group's topic and configure how you want to receive notifications. For more information see [Getting notified of new versions and updates](waf-using-managed-rule-groups-sns-topic.md).
+ **Expiration scheduling** – A managed rule group provider schedules older versions of a rule group for expiration. A version that's scheduled to expire cannot be added to your protection pack (web ACL) rules. After expiration is scheduled for a version, AWS WAF tracks the expiration with a countdown metric in Amazon CloudWatch.
+ **Version expiration** – If you have a protection pack (web ACL) configured to use an expired version of a managed rule group, then during protection pack (web ACL) evaluation, AWS WAF uses the rule group's default version. Additionally, AWS WAF blocks any updates to the protection pack (web ACL) that don't either remove the rule group or change its version to an unexpired one.
If you use AWS Marketplace managed rule groups, ask the provider for any additional information about version life cycles.
# Version expiration for managed rule groups
This section explains how version expiration works for a versioned managed rule group.
If you use a specific version of a rule group, make sure that you don't keep using a version past its expiration date. You can monitor version expiration through the rule group's SNS notifications and through Amazon CloudWatch metrics.
If a version that you're using in a protection pack (web ACL) is expired, AWS WAF blocks any updates to the protection pack (web ACL) that don't include moving the rule group to an unexpired version. You can update the rule group to an available version or remove it from your protection pack (web ACL).
Expiration handling for a managed rule group depends on the rule group provider. For AWS Managed Rules rule groups, an expired version is automatically changed to the rule group's default version. For AWS Marketplace rule groups, ask the provider how they handle expiration.
When the provider creates a new version of the rule group, it sets the version's forecasted lifetime. While the version isn't scheduled to expire, the Amazon CloudWatch metric value is set to the forecasted lifetime setting, and in CloudWatch, you'll see a flat value for the metric. After the provider schedules the metric to expire, the metric value diminishes each day until it reaches zero on the day of expiration. For information about monitoring expiration, see [Tracking version expiration](waf-using-managed-rule-groups-expiration.md).
# Best practices for handling managed rule group versions
Follow this best practice guidance for handling versioning when you use a versioned managed rule group.
When you use a managed rule group in your protection pack (web ACL), you can choose to use a specific, static version of the rule group, or you can choose to use the default version:
+ **Default version** – AWS WAF always sets the default version to the static version that's currently recommended by the provider. When the provider updates their recommended static version, AWS WAF automatically updates the default version setting for the rule group in your protection pack (web ACL).
When you use the default version of a managed rule group, do the following as best practice:
+ **Subscribe to notifications** – Subscribe to notifications for changes to the rule group and keep an eye on those. Most providers send advanced notification of new static versions and of default version changes. These let you check the effects of a new static version before AWS switches the default version to it. For more information see [Getting notified of new versions and updates](waf-using-managed-rule-groups-sns-topic.md).
+ **Review the effects of static version settings and make adjustments as needed before your default is set to it** – Before your default is set to a new static version, review the effects of the static version on the monitoring and management of your web requests. The new static version might have new rules to review. Look for false positives or other unexpected behavior, in case you need to modify how you use the rule group. You can set rules to count, for example, to stop them from blocking traffic while you figure out how you want to handle the new behavior. For more information, see [Testing and tuning your AWS WAF protections](web-acl-testing.md).
+ **Static version** – If you choose to use a static version, you must manually update the version setting when you're ready to adopt a new version of the rule group.
When you use a static version of a managed rule group, do the following as best practice:
+ **Keep your version up to date** – Keep your managed rule group as close as you can to the latest version. When a new version is released, test it, adjust settings as needed, and implement it in a timely manner. For information about testing, see [Testing and tuning your AWS WAF protections](web-acl-testing.md).
+ **Subscribe to notifications** – Subscribe to notifications for changes to the rule group, so you know when your provider releases new static versions. Most providers give advanced notification of version changes. Additionally, your provider might need to update the static version that you're using to close a security loophole or for other urgent reasons. You'll know what's happening if you're subscribed to the provider's notifications. For more information, see [Getting notified of new versions and updates](waf-using-managed-rule-groups-sns-topic.md).
+ **Avoid version expiration** – Don't allow a static version to expire while you're using it. Provider handling of expired versions can vary and might include forcing an upgrade to an available version or other changes that can have unexpected consequences. Track the AWS WAF expiry metric and set an alarm that gives you a sufficient number of days to successfully upgrade to a supported version. For more information, see [Tracking version expiration](waf-using-managed-rule-groups-expiration.md).
# Working with managed rule groups
This section provides guidance for accessing and managing your managed rule groups.
When you add a managed rule group to your protection pack (web ACL), you can choose the same configuration options as you can your own rule groups, plus additional settings.
Through the console, you access managed rule group information during the process of adding and editing the rules in your protection packs (web ACLs). Through the APIs and the command line interface (CLI), you can directly request managed rule group information.
When you use a managed rule group in your protection pack (web ACL), you can edit the following settings:
+ **Version** – This is available only if the rule group is versioned. For more information, see [Using versioned managed rule groups in AWS WAF](waf-managed-rule-groups-versioning.md).
+ **Override rule actions** – You can override the actions for rules in the rule group to any action. Setting them to Count is useful for testing a rule group before using it to manage your web requests. For more information, see [Rule group rule action overrides](web-acl-rule-group-override-options.md#web-acl-rule-group-override-options-rules).
+ **Scope-down statement** – You can add a scope-down statement, to filter out web requests that you don't want to evaluate with the rule group. For more information, see [Using scope-down statements in AWS WAF](waf-rule-scope-down-statements.md).
+ **Override rule group action** – You can override the action that results from the rule group evaluation, and set it to Count only. This option isn't commonly used. It doesn't alter how AWS WAF evaluates the rules in the rule group. For more information, see [Rule group return action override to Count](web-acl-rule-group-override-options.md#web-acl-rule-group-override-options-rule-group).
**To edit the managed rule group settings in your protection pack (web ACL)**
+ **Console**
+ (Option) When you add the managed rules group to your protection pack (web ACL), you can choose **Edit** to view and edit the settings.
+ (Option) After you've added the managed rule group into your protection pack (web ACL), from the **protection packs (web ACLs)** page, choose the protection pack (web ACL) you just created. This takes you to the protection pack (web ACL) edit page.
+ Choose **Rules**.
+ Select the rule group, then choose **Edit** to view and edit the settings.
+ **APIs and CLI** – Outside of the console, you can manage the managed rule group settings when you create and update the protection pack (web ACL).
# Retrieving the list of managed rule groups
You can retrieve the list of managed rule groups that are available for you to use in your protection packs (web ACLs). The list includes the following:
+ All AWS Managed Rules rule groups.
+ The AWS Marketplace rule groups that you have subscribed to.
**Note**
For information about subscribing to AWS Marketplace rule groups, see [AWS Marketplace rule groups](marketplace-rule-groups.md).
When you retrieve the list of managed rule groups, the list you get back depends on the interface that you're using:
+ **Console** – Through the console, you can see all managed rule groups, including the AWS Marketplace rule groups that you haven't subscribed to yet. For the ones that you haven't subscribed to yet, the interface provides links that you can follow to subscribe.
+ **APIs and CLI** – Outside of the console, your request returns only the rule groups that are available for you to use.
**To retrieve the list of managed rule groups**
+ **Console** – During the process of creating a web ACL, on the **Add rules and rule groups** page, choose **Add managed rule groups**. At the top level, the provider names are listed. Expand each provider listing to see the list of managed rule groups. For versioned rule groups, the information shown at this level is for the default version. When you add a managed rule group to your protection pack (web ACL), the console lists it based on the naming scheme `-`.
+ **API** –
+ `ListAvailableManagedRuleGroups`
+ **CLI** –
+ `aws wafv2 list-available-managed-rule-groups --scope=`
# Retrieving the rules in a managed rule group
You can retrieve a list of the rules in a managed rule group. The API and CLI calls return the rules specifications that you can reference in the JSON model or through AWS CloudFormation.
**To retrieve the list of rules in a managed rule group**
+ **Console**
+ (Option) When you add the managed rules group to your protection pack (web ACL), you can choose **Edit** to view the rules.
+ (Option) After you've added the managed rule group into your protection pack (web ACL), from the **protection packs (web ACLs)** page, choose the protection pack (web ACL) you just created. This takes you to the protection pack (web ACL) edit page.
+ Choose **Rules**.
+ Select the rule group you want to see a rules list for, then choose **Edit**. AWS WAF shows the list of rules in the rule group.
+ **API** – `DescribeManagedRuleGroup`
+ **CLI** – `aws wafv2 describe-managed-rule-group --scope= --vendor-name --name `
# Retrieving the available versions for a managed rule group
The available versions of a managed rule group are versions that haven't yet been scheduled to expire. The list indicates which version is the current default version for the rule group.
**To retrieve a list of the available versions of a managed rule group**
+ **Console**
+ (Option) When you add the managed rule group to your protection pack (web ACL), choose **Edit** to see the rule group's information. Expand the **Version** dropdown to see the list of available versions.
+ (Option) After you've added the managed rule group into your protection pack (web ACL), choose **Edit** on the protection pack (web ACL), and then select and edit the rule group rule. Expand the **Version** dropdown to see the list of available versions.
+ **API** –
+ `ListAvailableManagedRuleGroupVersions`
+ **CLI** –
+ `aws wafv2 list-available-managed-rule-group-versions --scope= --vendor-name --name `
# Adding a managed rule group to a protection pack (web ACL) through the console
This section explains how to add a managed rule group to a protection pack (web ACL) through the console. This guidance applies to all AWS Managed Rules rule groups and to the AWS Marketplace rule groups that you're subscribed to.
**Production traffic risk**
Before you deploy changes in your protection pack (web ACL) for production traffic, test and tune them in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your updated rules in count mode with your production traffic before enabling them. For guidance, see [Testing and tuning your AWS WAF protections](web-acl-testing.md).
**Note**
Using more than 1,500 WCUs in a protection pack (web ACL) incurs costs beyond the basic protection pack (web ACL) price. For more information, see [Web ACL capacity units (WCUs) in AWS WAF](aws-waf-capacity-units.md) and [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).
**To add a managed rule group to a protection pack (web ACL) through the console**
**To add a managed rule group to a web ACL through the console**
1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2).
1. Choose **protection packs (web ACLs)** in the navigation pane.
1. In the **protection packs (web ACLs)** page, from the list of protection packs (web ACLs), select the one that you want to add the rule group to. This takes you to the page for the single protection pack (web ACL).
1. In your protection pack (web ACL)'s page, choose the **Rules** tab.
1. In the **Rules** pane, choose **Add rules**, then choose **Add managed rule groups**.
1. In the **Add managed rule groups** page, expand the selection for your rule group vendor, to see the list of available rule groups.
1. For each rule group that you want to add, choose **Add to protection pack (web ACL)**. If you want to change the protection pack (web ACL)'s configuration for the rule group, choose **Edit**, make your changes, and then choose **Save rule**. For information about the options, see the versioning guidance at [Using versioned managed rule groups in AWS WAF](waf-managed-rule-groups-versioning.md) and the guidance for using a managed rule group in a protection pack (web ACL) at [Using managed rule group statements in AWS WAF](waf-rule-statement-type-managed-rule-group.md).
1. At the bottom of the **Add managed rule groups** page, choose **Add rules**.
1. In the **Set rule priority** page, adjust the order that the rules run as needed, then choose **Save**. For more information, see [Setting rule priority](web-acl-processing-order.md).
In your protection pack (web ACL)'s page, the managed rule groups that you've added are listed under the **Rules** tab.
Test and tune any changes to your AWS WAF protections before you use them for production traffic. For information, see [Testing and tuning your AWS WAF protections](web-acl-testing.md).
**Temporary inconsistencies during updates**
When you create or change a protection pack (web ACL) or other AWS WAF resources, the changes take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes.
The following are examples of the temporary inconsistencies that you might notice during change propagation:
+ After you create a protection pack (web ACL), if you try to associate it with a resource, you might get an exception indicating that the protection pack (web ACL) is unavailable.
+ After you add a rule group to a protection pack (web ACL), the new rule group rules might be in effect in one area where the protection pack (web ACL) is used and not in another.
+ After you change a rule action setting, you might see the old action in some places and the new action in others.
+ After you add an IP address to an IP set that is in use in a blocking rule, the new address might be blocked in one area while still allowed in another.
# Getting notified of new versions and updates to a managed rule group
This section explains how to receive Amazon SNS notifications of new versions and updates.
A managed rule group provider uses SNS notifications to announce rule group changes, like upcoming new versions and urgent security updates.
**How to subscribe to SNS notifications**
To subscribe to notifications for a rule group, you create an Amazon SNS subscription for the rule group's Amazon SNS topic ARN in the US East (N. Virginia) Region us-east-1.
For information about how to subscribe, see the [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/).
**Note**
Create your subscription for the SNS topic only in the us-east-1 Region.
The versioned AWS Managed Rules rule groups all use the same SNS topic Amazon Resource Name (ARN). For more information about AWS Managed Rules rule group notifications, see [Deployment notifications](waf-managed-rule-groups-deployments-notifications.md).
**Where to find the Amazon SNS topic ARN for a managed rule group**
AWS Managed Rules rule groups use a single SNS topic ARN, so you can retrieve the topic ARN from one of the rule groups and subscribe to it to get notifications for all of the AWS Managed Rules rule groups that provide SNS notifications.
+ **Console**
+ (Option) When you add the managed rule group to your protection pack (web ACL), choose **Edit** to see the rule group's information, which includes the rule group's Amazon SNS topic ARN.
+ (Option) After you've added the managed rule group into your protection pack (web ACL), choose **Edit** on the protection pack (web ACL), and then select and edit the rule group rule to see the rule group's Amazon SNS topic ARN.
+ **API** – `DescribeManagedRuleGroup`
+ **CLI** – `aws wafv2 describe-managed-rule-group --scope= --vendor-name --name `
For general information about Amazon SNS notification formats and how to filter the notifications that you receive, see [Parsing message formats](https://docs.aws.amazon.com/sns/latest/dg/sns-message-and-json-formats.html) and [Amazon SNS subscription filter policies](https://docs.aws.amazon.com/sns/latest/dg/sns-subscription-filter-policies.html) in the Amazon Simple Notification Service Developer Guide.
# Tracking a rule group's version expiration
This section explains how to monitor expiration scheduling for a managed rule group through Amazon CloudWatch.
If you use a specific version of a rule group, make sure that you don't keep using a version past its expiration date.
**Tip**
Sign up for Amazon SNS notifications for managed rule groups, and keep current with managed rule group versions. You'll benefit from the most up-to-date protections from the rule group and stay ahead of expiration. For information, see [Getting notified of new versions and updates](waf-using-managed-rule-groups-sns-topic.md).
**To monitor expiration scheduling for a managed rule group through Amazon CloudWatch**
1. In CloudWatch, locate the expiry metrics from AWS WAF for your managed rule group. The metrics have the following metric names and dimensions:
+ Metric name: DaysToExpiry
+ Metric dimensions: Region, ManagedRuleGroup, Vendor, and Version
If you have a managed rule group in your protection pack (web ACL) that's evaluating traffic, you will get a metric for it. The metric isn't available for rule groups that you don't use.
1. Set an alarm on the metrics that you're interested in, so that you're notified in time to switch to a newer version of the rule group.
For information about using Amazon CloudWatch metrics and configuring alarms, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/).
# Example managed rule group configurations in JSON and YAML
This section provides example managed rule group configurations.
The API and CLI calls return a list of all rules in the managed rule group that you can reference in the JSON model or through AWS CloudFormation.
**JSON**
You can reference and modify managed rule groups within a rule statement using JSON. The following listing shows the AWS Managed Rules rule group, `AWSManagedRulesCommonRuleSet`, in JSON format. The RuleActionOverrides specification lists a rule whose action has been overridden to Count.
```
{
"Name": "AWS-AWSManagedRulesCommonRuleSet",
"Priority": 0,
"Statement": {
"ManagedRuleGroupStatement": {
"VendorName": "AWS",
"Name": "AWSManagedRulesCommonRuleSet",
"RuleActionOverrides": [
{
"ActionToUse": {
"Count": {}
},
"Name": "NoUserAgent_HEADER"
}
],
"ExcludedRules": []
}
},
"OverrideAction": {
"None": {}
},
"VisibilityConfig": {
"SampledRequestsEnabled": true,
"CloudWatchMetricsEnabled": true,
"MetricName": "AWS-AWSManagedRulesCommonRuleSet"
}
}
```
**YAML**
You can reference and modify managed rule groups within a rule statement using the CloudFormation YAML template. The following listing shows the AWS Managed Rules rule group, `AWSManagedRulesCommonRuleSet`, in CloudFormation template. The RuleActionOverrides specification lists a rule whose action has been overridden to Count.
```
Name: AWS-AWSManagedRulesCommonRuleSet
Priority: 0
Statement:
ManagedRuleGroupStatement:
VendorName: AWS
Name: AWSManagedRulesCommonRuleSet
RuleActionOverrides:
- ActionToUse:
Count: {}
Name: NoUserAgent_HEADER
ExcludedRules: []
OverrideAction:
None: {}
VisibilityConfig:
SampledRequestsEnabled: true
CloudWatchMetricsEnabled: true
MetricName: AWS-AWSManagedRulesCommonRuleSet
```
# AWS Managed Rules for AWS WAF
This section explains what AWS Managed Rules for AWS WAF is.
AWS Managed Rules for AWS WAF is a managed service that provides protection against application vulnerabilities or other unwanted traffic. You have the option of selecting one or more rule groups from AWS Managed Rules for each web ACL, up to the maximum protection pack (web ACL) capacity unit (WCU) limit.
**Mitigating false positives and testing rule group changes**
Before using any managed rule group in production, test it in a non-production environment according to the guidance at [Testing and tuning your AWS WAF protections](web-acl-testing.md). Follow the testing and tuning guidance when you add a rule group to your protection pack (web ACL), to test a new version of a rule group, and whenever a rule group isn't handling your web traffic as you need it to.
**Shared security responsibilities**
AWS Managed Rules are designed to protect you from common web threats. When used in accordance with the documentation, AWS Managed Rules rule groups add another layer of security for your applications. However, AWS Managed Rules rule groups aren't intended as a replacement for your security responsibilities, which are determined by the AWS resources that you select. Refer to the [Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/) to ensure that your resources in AWS are properly protected.
**Important**
AWS Managed Rules are designed to protect you from common web threats. When used in accordance with the documentation, AWS Managed Rules rule groups add another layer of security for your applications. However, AWS Managed Rules rule groups aren't intended as a replacement for your security responsibilities, which are determined by the AWS resources that you select. Refer to the [Shared Responsibility Model](https://aws.amazon.com/compliance/shared-responsibility-model/) to ensure that your resources in AWS are properly protected.
# AWS Managed Rules rule groups list
This section provides a list of available AWS Managed Rules rule groups.
This section describes the most recent versions of the AWS Managed Rules rule groups. You see these on the console when you add a managed rule group to your protection pack (web ACL). Through the API, you can retrieve this list along with the AWS Marketplace rule groups that you're subscribed to by calling `ListAvailableManagedRuleGroups`.
**Note**
For information about retrieving an AWS Managed Rules rule group's versions, see [Retrieving the available versions for a managed rule group](waf-using-managed-rule-groups-versions.md).
All AWS Managed Rules rule groups support labeling, and the rule listings in this section include label specifications. You can retrieve the labels for a managed rule group through the API by calling `DescribeManagedRuleGroup`. The labels are listed in the AvailableLabels property in the response. For information about labeling, see [Web request labeling in AWS WAF](waf-labels.md).
Test and tune any changes to your AWS WAF protections before you use them for production traffic. For information, see [Testing and tuning your AWS WAF protections](web-acl-testing.md).
**Contents**
+ [
# Baseline rule groups
](aws-managed-rule-groups-baseline.md)
+ [
## Core rule set (CRS) managed rule group
](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs)
+ [
## Admin protection managed rule group
](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-admin)
+ [
## Known bad inputs managed rule group
](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-known-bad-inputs)
+ [
# Use-case specific rule groups
](aws-managed-rule-groups-use-case.md)
+ [
## SQL database managed rule group
](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-sql-db)
+ [
## Linux operating system managed rule group
](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-linux-os)
+ [
## POSIX operating system managed rule group
](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-posix-os)
+ [
## Windows operating system managed rule group
](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-windows-os)
+ [
## PHP application managed rule group
](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-php-app)
+ [
## WordPress application managed rule group
](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-wordpress-app)
+ [
# IP reputation rule groups
](aws-managed-rule-groups-ip-rep.md)
+ [
## Amazon IP reputation list managed rule group
](aws-managed-rule-groups-ip-rep.md#aws-managed-rule-groups-ip-rep-amazon)
+ [
## Anonymous IP list managed rule group
](aws-managed-rule-groups-ip-rep.md#aws-managed-rule-groups-ip-rep-anonymous)
+ [
# AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group
](aws-managed-rule-groups-acfp.md)
+ [
## Considerations for using this rule group
](aws-managed-rule-groups-acfp.md#aws-managed-rule-groups-acfp-using)
+ [
## Labels added by this rule group
](aws-managed-rule-groups-acfp.md#aws-managed-rule-groups-acfp-labels)
+ [
### Token labels
](aws-managed-rule-groups-acfp.md#aws-managed-rule-groups-acfp-labels-token)
+ [
### ACFP labels
](aws-managed-rule-groups-acfp.md#aws-managed-rule-groups-acfp-labels-rg)
+ [
## Account creation fraud prevention rules listing
](aws-managed-rule-groups-acfp.md#aws-managed-rule-groups-acfp-rules)
+ [
# AWS WAF Fraud Control account takeover prevention (ATP) rule group
](aws-managed-rule-groups-atp.md)
+ [
## Considerations for using this rule group
](aws-managed-rule-groups-atp.md#aws-managed-rule-groups-atp-using)
+ [
## Labels added by this rule group
](aws-managed-rule-groups-atp.md#aws-managed-rule-groups-atp-labels)
+ [
### Token labels
](aws-managed-rule-groups-atp.md#aws-managed-rule-groups-atp-labels-token)
+ [
### ATP labels
](aws-managed-rule-groups-atp.md#aws-managed-rule-groups-atp-labels-rg)
+ [
## Account takeover prevention rules listing
](aws-managed-rule-groups-atp.md#aws-managed-rule-groups-atp-rules)
+ [
# AWS WAF Bot Control rule group
](aws-managed-rule-groups-bot.md)
+ [
## Protection levels
](aws-managed-rule-groups-bot.md#aws-managed-rule-groups-bot-prot-levels)
+ [
## Considerations for using this rule group
](aws-managed-rule-groups-bot.md#aws-managed-rule-groups-bot-using)
+ [
## Labels added by this rule group
](aws-managed-rule-groups-bot.md#aws-managed-rule-groups-bot-labels)
+ [
### Token labels
](aws-managed-rule-groups-bot.md#aws-managed-rule-groups-bot-labels-token)
+ [
### Bot Control labels
](aws-managed-rule-groups-bot.md#aws-managed-rule-groups-bot-labels-rg)
+ [
## Bot Control rules listing
](aws-managed-rule-groups-bot.md#aws-managed-rule-groups-bot-rules)
+ [
# AWS WAF Distributed Denial of Service (DDoS) prevention rule group
](aws-managed-rule-groups-anti-ddos.md)
+ [
## Considerations for using this rule group
](aws-managed-rule-groups-anti-ddos.md#aws-managed-rule-groups-anti-ddos-using)
+ [
## Labels added by this rule group
](aws-managed-rule-groups-anti-ddos.md#aws-managed-rule-groups-anti-ddos-labels)
+ [
### Token labels
](aws-managed-rule-groups-anti-ddos.md#aws-managed-rule-groups-anti-ddos-labels-token)
+ [
### Anti-DDoS labels
](aws-managed-rule-groups-anti-ddos.md#aws-managed-rule-groups-anti-ddos-labels-rg)
+ [
## Anti-DDoS rules listing
](aws-managed-rule-groups-anti-ddos.md#aws-managed-rule-groups-anti-ddos-rules)
# Baseline rule groups
Baseline managed rule groups provide general protection against a wide variety of common threats. Choose one or more of these rule groups to establish baseline protection for your resources.
## Core rule set (CRS) managed rule group
VendorName: `AWS`, Name: `AWSManagedRulesCommonRuleSet`, WCU: 700
**Note**
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog log at [AWS Managed Rules changelog](aws-managed-rule-groups-changelog.md). For information about other versions, use the API command [DescribeManagedRuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_DescribeManagedRuleGroup.html).
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
The core rule set (CRS) rule group contains rules that are generally applicable to web applications. This provides protection against exploitation of a wide range of vulnerabilities, including some of the high risk and commonly occurring vulnerabilities described in OWASP publications such as [OWASP Top 10](https://owasp.org/www-project-top-ten/). Consider using this rule group for any AWS WAF use case.
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack (web ACL). AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](waf-labels.md) and [Label metrics and dimensions](waf-metrics.md#waf-metrics-label).
| Rule name | Description and label |
| --- | --- |
| NoUserAgent\$1HEADER | Inspects for requests that are missing the HTTP `User-Agent` header. Rule action: Block Label: `awswaf:managed:aws:core-rule-set:NoUserAgent_Header` |
| UserAgent\$1BadBots\$1HEADER | Inspects for common `User-Agent` header values that indicate that the request is a bad bot. Example patterns include `nessus`, and `nmap`. For bot management, see also [AWS WAF Bot Control rule group](aws-managed-rule-groups-bot.md). Rule action: Block Label: `awswaf:managed:aws:core-rule-set:BadBots_Header` |
| SizeRestrictions\$1QUERYSTRING | Inspects for URI query strings that are over 2,048 bytes. Rule action: Block Label: `awswaf:managed:aws:core-rule-set:SizeRestrictions_QueryString` |
| SizeRestrictions\$1Cookie\$1HEADER | Inspects for cookie headers that are over 10,240 bytes. Rule action: Block Label: `awswaf:managed:aws:core-rule-set:SizeRestrictions_Cookie_Header` |
| SizeRestrictions\$1BODY | Inspects for request bodies that are over 8 KB (8,192 bytes). Rule action: Block Label: `awswaf:managed:aws:core-rule-set:SizeRestrictions_Body` |
| SizeRestrictions\$1URIPATH | Inspects for URI paths that are over 1,024 bytes. Rule action: Block Label: `awswaf:managed:aws:core-rule-set:SizeRestrictions_URIPath` |
| EC2MetaDataSSRF\$1BODY | Inspects for attempts to exfiltrate Amazon EC2 metadata from the request body. This rule only inspects the request body up to the body size limit for the protection pack (web ACL) and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your protection pack (web ACL) configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md). Rule action: Block Label: `awswaf:managed:aws:core-rule-set:EC2MetaDataSSRF_Body` |
| EC2MetaDataSSRF\$1COOKIE | Inspects for attempts to exfiltrate Amazon EC2 metadata from the request cookie. Rule action: Block Label: `awswaf:managed:aws:core-rule-set:EC2MetaDataSSRF_Cookie` |
| EC2MetaDataSSRF\$1URIPATH | Inspects for attempts to exfiltrate Amazon EC2 metadata from the request URI path. Rule action: Block Label: `awswaf:managed:aws:core-rule-set:EC2MetaDataSSRF_URIPath` |
| EC2MetaDataSSRF\$1QUERYARGUMENTS | Inspects for attempts to exfiltrate Amazon EC2 metadata from the request query arguments. Rule action: Block Label: `awswaf:managed:aws:core-rule-set:EC2MetaDataSSRF_QueryArguments` |
| GenericLFI\$1QUERYARGUMENTS | Inspects for the presence of Local File Inclusion (LFI) exploits in the query arguments. Examples include path traversal attempts using techniques like `../../`. Rule action: Block Label: `awswaf:managed:aws:core-rule-set:GenericLFI_QueryArguments` |
| GenericLFI\$1URIPATH | Inspects for the presence of Local File Inclusion (LFI) exploits in the URI path. Examples include path traversal attempts using techniques like `../../`. Rule action: Block Label: `awswaf:managed:aws:core-rule-set:GenericLFI_URIPath` |
| GenericLFI\$1BODY | Inspects for the presence of Local File Inclusion (LFI) exploits in the request body. Examples include path traversal attempts using techniques like `../../`. This rule only inspects the request body up to the body size limit for the protection pack (web ACL) and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your protection pack (web ACL) configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md). Rule action: Block Label: `awswaf:managed:aws:core-rule-set:GenericLFI_Body` |
| RestrictedExtensions\$1URIPATH | Inspects for requests whose URI paths contain system file extensions that are unsafe to read or run. Example patterns include extensions like `.log` and `.ini`. Rule action: Block Label: `awswaf:managed:aws:core-rule-set:RestrictedExtensions_URIPath` |
| RestrictedExtensions\$1QUERYARGUMENTS | Inspects for requests whose query arguments contain system file extensions that are unsafe to read or run. Example patterns include extensions like `.log` and `.ini`. Rule action: Block Label: `awswaf:managed:aws:core-rule-set:RestrictedExtensions_QueryArguments` |
| GenericRFI\$1QUERYARGUMENTS | Inspects the values of all query parameters for attempts to exploit RFI (Remote File Inclusion) in web applications by embedding URLs that contain IPv4 addresses. Examples include patterns like `http://`, `https://`, `ftp://`, `ftps://`, and `file://`, with an IPv4 host header in the exploit attempt. Rule action: Block Label: `awswaf:managed:aws:core-rule-set:GenericRFI_QueryArguments` |
| GenericRFI\$1BODY | Inspects the request body for attempts to exploit RFI (Remote File Inclusion) in web applications by embedding URLs that contain IPv4 addresses. Examples include patterns like `http://`, `https://`, `ftp://`, `ftps://`, and `file://`, with an IPv4 host header in the exploit attempt. This rule only inspects the request body up to the body size limit for the protection pack (web ACL) and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your protection pack (web ACL) configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md). Rule action: Block Label: `awswaf:managed:aws:core-rule-set:GenericRFI_Body` |
| GenericRFI\$1URIPATH | Inspects the URI path for attempts to exploit RFI (Remote File Inclusion) in web applications by embedding URLs that contain IPv4 addresses. Examples include patterns like `http://`, `https://`, `ftp://`, `ftps://`, and `file://`, with an IPv4 host header in the exploit attempt. Rule action: Block Label: `awswaf:managed:aws:core-rule-set:GenericRFI_URIPath` |
| CrossSiteScripting\$1COOKIE | Inspects the values of cookie headers for common cross-site scripting (XSS) patterns using the built-in AWS WAF [Cross-site scripting attack rule statement](waf-rule-statement-type-xss-match.md). Example patterns include scripts like ``. The rule match details in the AWS WAF logs is not populated for version 2.0 of this rule group. Rule action: Block Label: `awswaf:managed:aws:core-rule-set:CrossSiteScripting_Cookie` |
| CrossSiteScripting\$1QUERYARGUMENTS | Inspects the values of query arguments for common cross-site scripting (XSS) patterns using the built-in AWS WAF [Cross-site scripting attack rule statement](waf-rule-statement-type-xss-match.md). Example patterns include scripts like ``. The rule match details in the AWS WAF logs is not populated for version 2.0 of this rule group. Rule action: Block Label: `awswaf:managed:aws:core-rule-set:CrossSiteScripting_QueryArguments` |
| CrossSiteScripting\$1BODY | Inspects the request body for common cross-site scripting (XSS) patterns using the built-in AWS WAF [Cross-site scripting attack rule statement](waf-rule-statement-type-xss-match.md). Example patterns include scripts like ``. The rule match details in the AWS WAF logs is not populated for version 2.0 of this rule group. This rule only inspects the request body up to the body size limit for the protection pack (web ACL) and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your protection pack (web ACL) configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md). Rule action: Block Label: `awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body` |
| CrossSiteScripting\$1URIPATH | Inspects the value of the URI path for common cross-site scripting (XSS) patterns using the built-in AWS WAF [Cross-site scripting attack rule statement](waf-rule-statement-type-xss-match.md). Example patterns include scripts like ``. The rule match details in the AWS WAF logs is not populated for version 2.0 of this rule group. Rule action: Block Label: `awswaf:managed:aws:core-rule-set:CrossSiteScripting_URIPath` |
## Admin protection managed rule group
VendorName: `AWS`, Name: `AWSManagedRulesAdminProtectionRuleSet`, WCU: 100
**Note**
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog log at [AWS Managed Rules changelog](aws-managed-rule-groups-changelog.md). For information about other versions, use the API command [DescribeManagedRuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_DescribeManagedRuleGroup.html).
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
The Admin protection rule group contains rules that allow you to block external access to exposed administrative pages. This might be useful if you run third-party software or want to reduce the risk of a malicious actor gaining administrative access to your application.
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack (web ACL). AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](waf-labels.md) and [Label metrics and dimensions](waf-metrics.md#waf-metrics-label).
| Rule name | Description and label |
| --- | --- |
| AdminProtection\$1URIPATH | Inspects for URI paths that are generally reserved for administration of a web server or application. Example patterns include `sqlmanager`. Rule action: Block Label: `awswaf:managed:aws:admin-protection:AdminProtection_URIPath` |
## Known bad inputs managed rule group
VendorName: `AWS`, Name: `AWSManagedRulesKnownBadInputsRuleSet`, WCU: 200
**Note**
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog log at [AWS Managed Rules changelog](aws-managed-rule-groups-changelog.md). For information about other versions, use the API command [DescribeManagedRuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_DescribeManagedRuleGroup.html).
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
The Known bad inputs rule group contains rules to block request patterns that are known to be invalid and are associated with exploitation or discovery of vulnerabilities. This can help reduce the risk of a malicious actor discovering a vulnerable application.
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack (web ACL). AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](waf-labels.md) and [Label metrics and dimensions](waf-metrics.md#waf-metrics-label).
| Rule name | Description and label |
| --- | --- |
| JavaDeserializationRCE\$1HEADER | Inspects the keys and values of HTTP request headers for patterns indicating Java deserialization Remote Command Execution (RCE) attempts, such as the Spring Core and Cloud Function RCE vulnerabilities (CVE-2022-22963, CVE-2022-22965). Example patterns include `(java.lang.Runtime).getRuntime().exec("whoami")`. This rule only inspects the first 8 KB of the request headers or the first 200 headers, whichever limit is reached first, and it uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md). Rule action: Block Label: `awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_Header` |
| JavaDeserializationRCE\$1BODY | Inspects the request body for patterns indicating Java deserialization Remote Command Execution (RCE) attempts, such as the Spring Core and Cloud Function RCE vulnerabilities (CVE-2022-22963, CVE-2022-22965). Example patterns include `(java.lang.Runtime).getRuntime().exec("whoami")`. This rule only inspects the request body up to the body size limit for the protection pack (web ACL) and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your protection pack (web ACL) configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md). Rule action: Block Label: `awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_Body` |
| JavaDeserializationRCE\$1URIPATH | Inspects the request URI for patterns indicating Java deserialization Remote Command Execution (RCE) attempts, such as the Spring Core and Cloud Function RCE vulnerabilities (CVE-2022-22963, CVE-2022-22965). Example patterns include `(java.lang.Runtime).getRuntime().exec("whoami")`. Rule action: Block Label: `awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_URIPath` |
| JavaDeserializationRCE\$1QUERYSTRING | Inspects the request query string for patterns indicating Java deserialization Remote Command Execution (RCE) attempts, such as the Spring Core and Cloud Function RCE vulnerabilities (CVE-2022-22963, CVE-2022-22965). Example patterns include `(java.lang.Runtime).getRuntime().exec("whoami")`. Rule action: Block Label: `awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_QueryString` |
| Host\$1localhost\$1HEADER | Inspects the host header in the request for patterns indicating localhost. Example patterns include `localhost`. Rule action: Block Label: `awswaf:managed:aws:known-bad-inputs:Host_Localhost_Header` |
| PROPFIND\$1METHOD | Inspects the HTTP method in the request for `PROPFIND`, which is a method similar to `HEAD`, but with the extra intention to exfiltrate XML objects. Rule action: Block Label: `awswaf:managed:aws:known-bad-inputs:Propfind_Method` |
| ExploitablePaths\$1URIPATH | Inspects the URI path for attempts to access exploitable web application paths. Example patterns include paths like `web-inf`. Rule action: Block Label: `awswaf:managed:aws:known-bad-inputs:ExploitablePaths_URIPath` |
| Log4JRCE\$1HEADER | Inspects the keys and values of request headers for the presence of the Log4j vulnerability ([CVE-2021-44228](https://www.cve.org/CVERecord?id=CVE-2021-44228), [CVE-2021-45046](https://www.cve.org/CVERecord?id=CVE-2021-45046), [CVE-2021-45105](https://www.cve.org/CVERecord?id=CVE-2021-45105)) and protects against Remote Code Execution (RCE) attempts. Example patterns include `${jndi:ldap://example.com/}`. This rule only inspects the first 8 KB of the request headers or the first 200 headers, whichever limit is reached first, and it uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md). Rule action: Block Label: `awswaf:managed:aws:known-bad-inputs:Log4JRCE_Header` |
| Log4JRCE\$1QUERYSTRING | Inspects the query string for the presence of the Log4j vulnerability ([CVE-2021-44228](https://www.cve.org/CVERecord?id=CVE-2021-44228), [CVE-2021-45046](https://www.cve.org/CVERecord?id=CVE-2021-45046), [CVE-2021-45105](https://www.cve.org/CVERecord?id=CVE-2021-45105)) and protects against Remote Code Execution (RCE) attempts. Example patterns include `${jndi:ldap://example.com/}`. Rule action: Block Label: `awswaf:managed:aws:known-bad-inputs:Log4JRCE_QueryString` |
| Log4JRCE\$1BODY | Inspects the body for the presence of the Log4j vulnerability ([CVE-2021-44228](https://www.cve.org/CVERecord?id=CVE-2021-44228), [CVE-2021-45046](https://www.cve.org/CVERecord?id=CVE-2021-45046), [CVE-2021-45105](https://www.cve.org/CVERecord?id=CVE-2021-45105)) and protects against Remote Code Execution (RCE) attempts. Example patterns include `${jndi:ldap://example.com/}`. This rule only inspects the request body up to the body size limit for the protection pack (web ACL) and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your protection pack (web ACL) configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md). Rule action: Block Label: `awswaf:managed:aws:known-bad-inputs:Log4JRCE_Body` |
| Log4JRCE\$1URIPATH | Inspects the URI path for the presence of the Log4j vulnerability ([CVE-2021-44228](https://www.cve.org/CVERecord?id=CVE-2021-44228), [CVE-2021-45046](https://www.cve.org/CVERecord?id=CVE-2021-45046), [CVE-2021-45105](https://www.cve.org/CVERecord?id=CVE-2021-45105)) and protects against Remote Code Execution (RCE) attempts. Example patterns include `${jndi:ldap://example.com/}`. Rule action: Block Label: `awswaf:managed:aws:known-bad-inputs:Log4JRCE_URIPath` |
| ReactJSRCE\$1BODY | Inspects the request body for patterns indicating presence of CVE-2025-55182. This rule only inspects the request body up to the body size limit for the protection pack (web ACL) and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and AWS Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your protection pack (web ACL) configuration. This rule uses the `CONTINUE` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md). Rule action: Block Label: `awswaf:managed:aws:known-bad-inputs:ReactJSRCE_Body` |
# Use-case specific rule groups
Use-case specific rule groups provide incremental protection for many diverse AWS WAF use cases. Choose the rule groups that apply to your application.
## SQL database managed rule group
VendorName: `AWS`, Name: `AWSManagedRulesSQLiRuleSet`, WCU: 200
**Note**
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog log at [AWS Managed Rules changelog](aws-managed-rule-groups-changelog.md). For information about other versions, use the API command [DescribeManagedRuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_DescribeManagedRuleGroup.html).
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
The SQL database rule group contains rules to block request patterns associated with exploitation of SQL databases, like SQL injection attacks. This can help prevent remote injection of unauthorized queries. Evaluate this rule group for use if your application interfaces with an SQL database.
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack (web ACL). AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](waf-labels.md) and [Label metrics and dimensions](waf-metrics.md#waf-metrics-label).
| Rule name | Description and label |
| --- | --- |
| SQLi\$1QUERYARGUMENTS | Uses the built-in AWS WAF [SQL injection attack rule statement](waf-rule-statement-type-sqli-match.md), with sensitivity level set to Low, to inspect the values of all query parameters for patterns that match malicious SQL code. Rule action: Block Label: `awswaf:managed:aws:sql-database:SQLi_QueryArguments` |
| SQLiExtendedPatterns\$1QUERYARGUMENTS | Inspects the values of all query parameters for patterns that match malicious SQL code. The patterns this rule inspects for aren't covered by the rule `SQLi_QUERYARGUMENTS`. Rule action: Block Label: `awswaf:managed:aws:sql-database:SQLiExtendedPatterns_QueryArguments` |
| SQLi\$1BODY | Uses the built-in AWS WAF [SQL injection attack rule statement](waf-rule-statement-type-sqli-match.md), with sensitivity level set to Low, to inspect the request body for patterns that match malicious SQL code. This rule only inspects the request body up to the body size limit for the protection pack (web ACL) and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your protection pack (web ACL) configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md). Rule action: Block Label: `awswaf:managed:aws:sql-database:SQLi_Body` |
| SQLiExtendedPatterns\$1BODY | Inspects the request body for patterns that match malicious SQL code. The patterns this rule inspects for aren't covered by the rule `SQLi_BODY`. This rule only inspects the request body up to the body size limit for the protection pack (web ACL) and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your protection pack (web ACL) configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md). Rule action: Block Label: `awswaf:managed:aws:sql-database:SQLiExtendedPatterns_Body` |
| SQLi\$1COOKIE | Uses the built-in AWS WAF [SQL injection attack rule statement](waf-rule-statement-type-sqli-match.md), with sensitivity level set to Low, to inspect the request cookie headers for patterns that match malicious SQL code. Rule action: Block Label: `awswaf:managed:aws:sql-database:SQLi_Cookie` |
| SQLi\$1URIPATH | Uses the built-in AWS WAF [SQL injection attack rule statement](waf-rule-statement-type-sqli-match.md), with sensitivity level set to Low, to inspect the request cookie headers for patterns that match malicious SQL code. Rule action: Block Label: `awswaf:managed:aws:sql-database:SQLi_URIPath` |
## Linux operating system managed rule group
VendorName: `AWS`, Name: `AWSManagedRulesLinuxRuleSet`, WCU: 200
**Note**
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog log at [AWS Managed Rules changelog](aws-managed-rule-groups-changelog.md). For information about other versions, use the API command [DescribeManagedRuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_DescribeManagedRuleGroup.html).
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
The Linux operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to Linux, including Linux-specific Local File Inclusion (LFI) attacks. This can help prevent attacks that expose file contents or run code for which the attacker should not have had access. You should evaluate this rule group if any part of your application runs on Linux. You should use this rule group in conjunction with the [POSIX operating system](#aws-managed-rule-groups-use-case-posix-os) rule group.
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack (web ACL). AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](waf-labels.md) and [Label metrics and dimensions](waf-metrics.md#waf-metrics-label).
| Rule name | Description and label |
| --- | --- |
| LFI\$1URIPATH | Inspects the request path for attempts to exploit Local File Inclusion (LFI) vulnerabilities in web applications. Example patterns include files like `/proc/version`, which could provide operating system information to attackers. Rule action: Block Label: `awswaf:managed:aws:linux-os:LFI_URIPath` |
| LFI\$1QUERYSTRING | Inspects the values of querystring for attempts to exploit Local File Inclusion (LFI) vulnerabilities in web applications. Example patterns include files like `/proc/version`, which could provide operating system information to attackers. Rule action: Block Label: `awswaf:managed:aws:linux-os:LFI_QueryString` |
| LFI\$1HEADER | Inspects request headers for attempts to exploit Local File Inclusion (LFI) vulnerabilities in web applications. Example patterns include files like `/proc/version`, which could provide operating system information to attackers. This rule only inspects the first 8 KB of the request headers or the first 200 headers, whichever limit is reached first, and it uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md). Rule action: Block Label: `awswaf:managed:aws:linux-os:LFI_Header` |
## POSIX operating system managed rule group
VendorName: `AWS`, Name: `AWSManagedRulesUnixRuleSet`, WCU: 100
**Note**
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog log at [AWS Managed Rules changelog](aws-managed-rule-groups-changelog.md). For information about other versions, use the API command [DescribeManagedRuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_DescribeManagedRuleGroup.html).
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
The POSIX operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to POSIX and POSIX-like operating systems, including Local File Inclusion (LFI) attacks. This can help prevent attacks that expose file contents or run code for which the attacker should not have had access. You should evaluate this rule group if any part of your application runs on a POSIX or POSIX-like operating system, including Linux, AIX, HP-UX, macOS, Solaris, FreeBSD, and OpenBSD.
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack (web ACL). AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](waf-labels.md) and [Label metrics and dimensions](waf-metrics.md#waf-metrics-label).
| Rule name | Description and label |
| --- | --- |
| UNIXShellCommandsVariables\$1QUERYSTRING | Inspects the values of the query string for attempts to exploit command injection, LFI, and path traversal vulnerabilities in web applications that run on Unix systems. Examples include patterns like `echo $HOME` and `echo $PATH`. Rule action: Block Label: `awswaf:managed:aws:posix-os:UNIXShellCommandsVariables_QueryString` |
| UNIXShellCommandsVariables\$1BODY | Inspects the request body for attempts to exploit command injection, LFI, and path traversal vulnerabilities in web applications that run on Unix systems. Examples include patterns like `echo $HOME` and `echo $PATH`. This rule only inspects the request body up to the body size limit for the protection pack (web ACL) and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your protection pack (web ACL) configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md). Rule action: Block Label: `awswaf:managed:aws:posix-os:UNIXShellCommandsVariables_Body` |
| UNIXShellCommandsVariables\$1HEADER | Inspects all request headers for attempts to exploit command injection, LFI, and path traversal vulnerabilities in web applications that run on Unix systems. Examples include patterns like `echo $HOME` and `echo $PATH`. This rule only inspects the first 8 KB of the request headers or the first 200 headers, whichever limit is reached first, and it uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md). Rule action: Block Label: `awswaf:managed:aws:posix-os:UNIXShellCommandsVariables_Header` |
## Windows operating system managed rule group
VendorName: `AWS`, Name: `AWSManagedRulesWindowsRuleSet`, WCU: 200
**Note**
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog log at [AWS Managed Rules changelog](aws-managed-rule-groups-changelog.md). For information about other versions, use the API command [DescribeManagedRuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_DescribeManagedRuleGroup.html).
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
The Windows operating system rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to Windows, like remote execution of PowerShell commands. This can help prevent exploitation of vulnerabilities that permit an attacker to run unauthorized commands or run malicious code. Evaluate this rule group if any part of your application runs on a Windows operating system.
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack (web ACL). AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](waf-labels.md) and [Label metrics and dimensions](waf-metrics.md#waf-metrics-label).
| Rule name | Description and label |
| --- | --- |
| WindowsShellCommands\$1COOKIE | Inspects the request cookie headers for WindowsShell command injection attempts in web applications. The match patterns represent WindowsShell commands. Example patterns include `\|\|nslookup` and `;cmd`. Rule action: Block Label: `awswaf:managed:aws:windows-os:WindowsShellCommands_Cookie` |
| WindowsShellCommands\$1QUERYARGUMENTS | Inspects the values of all query parameters for WindowsShell command injection attempts in web applications. The match patterns represent WindowsShell commands. Example patterns include `\|\|nslookup` and `;cmd`. Rule action: Block Label: `awswaf:managed:aws:windows-os:WindowsShellCommands_QueryArguments` |
| WindowsShellCommands\$1BODY | Inspects the request body for WindowsShell command injection attempts in web applications. The match patterns represent WindowsShell commands. Example patterns include `\|\|nslookup` and `;cmd`. This rule only inspects the request body up to the body size limit for the protection pack (web ACL) and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your protection pack (web ACL) configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md). Rule action: Block Label: `awswaf:managed:aws:windows-os:WindowsShellCommands_Body` |
| PowerShellCommands\$1COOKIE | Inspects the request cookie headers for PowerShell command injection attempts in web applications. The match patterns represent PowerShell commands. For example, `Invoke-Expression`. Rule action: Block Label: `awswaf:managed:aws:windows-os:PowerShellCommands_Cookie` |
| PowerShellCommands\$1QUERYARGUMENTS | Inspects the values of all query parameters for PowerShell command injection attempts in web applications. The match patterns represent PowerShell commands. For example, `Invoke-Expression`. Rule action: Block Label: `awswaf:managed:aws:windows-os:PowerShellCommands_QueryArguments` |
| PowerShellCommands\$1BODY | Inspects the request body for PowerShell command injection attempts in web applications. The match patterns represent PowerShell commands. For example, `Invoke-Expression`. This rule only inspects the request body up to the body size limit for the protection pack (web ACL) and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your protection pack (web ACL) configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md). Rule action: Block Label: `awswaf:managed:aws:windows-os:PowerShellCommands_Body` |
## PHP application managed rule group
VendorName: `AWS`, Name: `AWSManagedRulesPHPRuleSet`, WCU: 100
**Note**
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog log at [AWS Managed Rules changelog](aws-managed-rule-groups-changelog.md). For information about other versions, use the API command [DescribeManagedRuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_DescribeManagedRuleGroup.html).
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
The PHP application rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to the use of the PHP programming language, including injection of unsafe PHP functions. This can help prevent exploitation of vulnerabilities that permit an attacker to remotely run code or commands for which they are not authorized. Evaluate this rule group if PHP is installed on any server with which your application interfaces.
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack (web ACL). AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](waf-labels.md) and [Label metrics and dimensions](waf-metrics.md#waf-metrics-label).
| Rule name | Description and label |
| --- | --- |
| PHPHighRiskMethodsVariables\$1HEADER | Inspects all headers for PHP script code injection attempts. Example patterns include functions like `fsockopen` and the `$_GET` superglobal variable. This rule only inspects the first 8 KB of the request headers or the first 200 headers, whichever limit is reached first, and it uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md). Rule action: Block Label: `awswaf:managed:aws:php-app:PHPHighRiskMethodsVariables_Header` |
| PHPHighRiskMethodsVariables\$1QUERYSTRING | Inspects everything after the first `?` in the request URL, looking for PHP script code injection attempts. Example patterns include functions like `fsockopen` and the `$_GET` superglobal variable. Rule action: Block Label: `awswaf:managed:aws:php-app:PHPHighRiskMethodsVariables_QueryString` |
| PHPHighRiskMethodsVariables\$1BODY | Inspects the values of the request body for PHP script code injection attempts. Example patterns include functions like `fsockopen` and the `$_GET` superglobal variable. This rule only inspects the request body up to the body size limit for the protection pack (web ACL) and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your protection pack (web ACL) configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md). Rule action: Block Label: `awswaf:managed:aws:php-app:PHPHighRiskMethodsVariables_Body` |
| PHPHighRiskMethodsVariables\$1URIPATH | Inspects the request path for PHP script code injection attempts. Example patterns include functions like `fsockopen` and the `$_GET` superglobal variable. Rule action: Block Label: `awswaf:managed:aws:php-app:PHPHighRiskMethodsVariables_URIPath` |
## WordPress application managed rule group
VendorName: `AWS`, Name: `AWSManagedRulesWordPressRuleSet`, WCU: 100
**Note**
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog log at [AWS Managed Rules changelog](aws-managed-rule-groups-changelog.md). For information about other versions, use the API command [DescribeManagedRuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_DescribeManagedRuleGroup.html).
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
The WordPress application rule group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to WordPress sites. You should evaluate this rule group if you are running WordPress. This rule group should be used in conjunction with the [SQL database](#aws-managed-rule-groups-use-case-sql-db) and [PHP application](#aws-managed-rule-groups-use-case-php-app) rule groups.
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack (web ACL). AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](waf-labels.md) and [Label metrics and dimensions](waf-metrics.md#waf-metrics-label).
| Rule name | Description and label |
| --- | --- |
| WordPressExploitableCommands\$1QUERYSTRING | Inspects the request query string for high risk WordPress commands that can be exploited in vulnerable installations or plugins. Examples patterns include commands like `do-reset-wordpress`. Rule action: Block Label: `awswaf:managed:aws:wordpress-app:WordPressExploitableCommands_QUERYSTRING` |
| WordPressExploitablePaths\$1URIPATH | Inspects the request URI path for WordPress files like `xmlrpc.php`, which are known to have easily exploitable vulnerabilities. Rule action: Block Label: `awswaf:managed:aws:wordpress-app:WordPressExploitablePaths_URIPATH` |
# IP reputation rule groups
IP reputation rule groups block requests based on their source IP address.
**Note**
These rules use the source IP address from the web request origin. If you have traffic that goes through one or more proxies or load balancers, the web request origin will contain the address of the last proxy, and not the originating address of the client.
Choose one or more of these rule groups if you want to reduce your exposure to bot traffic or exploitation attempts, or if you are enforcing geographic restrictions on your content. For bot management, see also [AWS WAF Bot Control rule group](aws-managed-rule-groups-bot.md).
The rule groups in this category don't provide versioning or SNS update notifications.
## Amazon IP reputation list managed rule group
VendorName: `AWS`, Name: `AWSManagedRulesAmazonIpReputationList`, WCU: 25
**Note**
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
The Amazon IP reputation list rule group contains rules that are based on Amazon internal threat intelligence. This is useful if you would like to block IP addresses typically associated with bots or other threats. Blocking these IP addresses can help mitigate bots and reduce the risk of a malicious actor discovering a vulnerable application.
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack (web ACL). AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](waf-labels.md) and [Label metrics and dimensions](waf-metrics.md#waf-metrics-label).
| Rule name | Description and label |
| --- | --- |
| AWSManagedIPReputationList | Inspects for IP addresses that have been identified as actively engaging in malicious activities. AWS WAF collects the IP address list from various sources, including MadPot, a threat intelligence tool that Amazon uses to protect customers from cybercrime. For more information about MadPot, see [https://www.aboutamazon.com/news/aws/amazon-madpot-stops-cybersecurity-crime](https://www.aboutamazon.com/news/aws/amazon-madpot-stops-cybersecurity-crime). Rule action: Block Label: `awswaf:managed:aws:amazon-ip-list:AWSManagedIPReputationList` |
| AWSManagedReconnaissanceList | Inspects for connections from IP addresses that are performing reconnaissance against AWS resources. Rule action: Block Label: `awswaf:managed:aws:amazon-ip-list:AWSManagedReconnaissanceList` |
| AWSManagedIPDDoSList | Inspects for IP addresses that have been identified as actively engaging in DDoS activities. Rule action: Count Label: `awswaf:managed:aws:amazon-ip-list:AWSManagedIPDDoSList` |
## Anonymous IP list managed rule group
VendorName: `AWS`, Name: `AWSManagedRulesAnonymousIpList`, WCU: 50
**Note**
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
The Anonymous IP list rule group contains rules to block requests from services that permit the obfuscation of viewer identity. These include requests from VPNs, proxies, Tor nodes, and web hosting providers. This rule group is useful if you want to filter out viewers that might be trying to hide their identity from your application. Blocking the IP addresses of these services can help mitigate bots and evasion of geographic restrictions.
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack (web ACL). AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](waf-labels.md) and [Label metrics and dimensions](waf-metrics.md#waf-metrics-label).
| Rule name | Description and label |
| --- | --- |
| AnonymousIPList | Inspects for a list of IP addresses of sources known to anonymize client information, like TOR nodes, temporary proxies, and other masking services. Rule action: Block Label: `awswaf:managed:aws:anonymous-ip-list:AnonymousIPList` |
| HostingProviderIPList | Inspects for a list of IP addresses from web hosting and cloud providers, which are less likely to source end-user traffic. The IP list does not include AWS IP addresses. Rule action: Block Label: `awswaf:managed:aws:anonymous-ip-list:HostingProviderIPList` |
# AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group
This section explains what the AWS WAF Fraud Control account creation fraud prevention (ACFP) managed rule group does.
VendorName: `AWS`, Name: `AWSManagedRulesACFPRuleSet`, WCU: 50
**Note**
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog log at [AWS Managed Rules changelog](aws-managed-rule-groups-changelog.md). For information about other versions, use the API command [DescribeManagedRuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_DescribeManagedRuleGroup.html).
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
The AWS WAF Fraud Control account creation fraud prevention (ACFP) managed rule group labels and manages requests that might be part of fraudulent account creation attempts. The rule group does this by inspecting account creation requests that clients send to your application's registration and account creation endpoints.
The ACFP rule group inspects account creation attempts in various ways, to give you visibility and control over potentially malicious interactions. The rule group uses request tokens to gather information about the client browser and about the level of human interactivity in the creation of the account creation request. The rule group detects and manages bulk account creation attempts by aggregating requests by IP address and client session, and aggregating by the provided account information such as the physical address and phone number. Additionally, the rule group detects and blocks the creation of new accounts using credentials that have been compromised, which helps protect the security posture of your application and of your new users.
## Considerations for using this rule group
This rule group requires custom configuration, which includes the specification of your application's account registration and account creation paths. Except where noted, the rules in this rule group inspect all requests that your clients send to these two endpoints. To configure and implement this rule group, see the guidance at [AWS WAF Fraud Control account creation fraud prevention (ACFP)](waf-acfp.md).
**Note**
You are charged additional fees when you use this managed rule group. For more information, see [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).
This rule group is part of the intelligent threat mitigation protections in AWS WAF. For information, see [Intelligent threat mitigation in AWS WAF](waf-managed-protections.md).
To keep your costs down and to be sure you're managing your web traffic as you want, use this rule group in accordance with the guidance at [Best practices for intelligent threat mitigation in AWS WAF](waf-managed-protections-best-practices.md).
This rule group isn't available for use with Amazon Cognito user pools. You can't associate a protection pack (web ACL) that uses this rule group with a user pool, and you can't add this rule group to a protection pack (web ACL) that's already associated with a user pool.
## Labels added by this rule group
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack (web ACL). AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](waf-labels.md) and [Label metrics and dimensions](waf-metrics.md#waf-metrics-label).
### Token labels
This rule group uses AWS WAF token management to inspect and label web requests according to the status of their AWS WAF tokens. AWS WAF uses tokens for client session tracking and verification.
For information about tokens and token management, see [Token use in AWS WAF intelligent threat mitigation](waf-tokens.md).
For information about the label components described here, see [Label syntax and naming requirements in AWS WAF](waf-rule-label-requirements.md).
**Client session label**
The label `awswaf:managed:token:id:identifier` contains a unique identifier that AWS WAF token management uses to identify the client session. The identifier can change if the client acquires a new token, for example after discarding the token it was using.
**Note**
AWS WAF doesn't report Amazon CloudWatch metrics for this label.
**Browser fingerprint label**
The label `awswaf:managed:token:fingerprint:fingerprint-identifier` contains a robust browser fingerprint identifier that AWS WAF token management computes from various client browser signals. This identifier stays the same across multiple token acquisition attempts. The fingerprint identifier is not unique to a single client.
**Note**
AWS WAF doesn't report Amazon CloudWatch metrics for this label.
**Token status labels: Label namespace prefixes**
Token status labels report on the status of the token and of the challenge and CAPTCHA information that it contains.
Each token status label begins with one of the following namespace prefixes:
+ `awswaf:managed:token:` – Used to report the general status of the token and to report on the status of the token's challenge information.
+ `awswaf:managed:captcha:` – Used to report on the status of the token's CAPTCHA information.
**Token status labels: Label names**
Following the prefix, the rest of the label provides detailed token status information:
+ `accepted` – The request token is present and contains the following:
+ A valid challenge or CAPTCHA solution.
+ An unexpired challenge or CAPTCHA timestamp.
+ A domain specification that's valid for the protection pack (web ACL).
Example: The label `awswaf:managed:token:accepted` indicates that the web requests's token has a valid challenge solution, an unexpired challenge timestamp, and a valid domain.
+ `rejected` – The request token is present but doesn't meet the acceptance criteria.
Along with the rejected label, token management adds a custom label namespace and name to indicate the reason.
+ `rejected:not_solved` – The token is missing the challenge or CAPTCHA solution.
+ `rejected:expired` – The token's challenge or CAPTCHA timestamp has expired, according to your protection pack (web ACL)'s configured token immunity times.
+ `rejected:domain_mismatch` – The token's domain isn't a match for your protection pack (web ACL)'s token domain configuration.
+ `rejected:invalid` – AWS WAF couldn't read the indicated token.
Example: The labels `awswaf:managed:captcha:rejected` and `awswaf:managed:captcha:rejected:expired` together indicate that the request didn't have a valid CAPTCHA solve because the CAPTCHA timestamp in the token has exceeded the CAPTCHA token immunity time that's configured in the protection pack (web ACL).
+ `absent` – The request doesn't have the token or the token manager couldn't read it.
Example: The label `awswaf:managed:captcha:absent` indicates that the request doesn't have the token.
### ACFP labels
This rule group generates labels with the namespace prefix `awswaf:managed:aws:acfp:` followed by the custom namespace and label name. The rule group might add more than one label to a request.
You can retrieve all labels for a rule group through the API by calling `DescribeManagedRuleGroup`. The labels are listed in the `AvailableLabels` property in the response.
## Account creation fraud prevention rules listing
This section lists the ACFP rules in `AWSManagedRulesACFPRuleSet` and the labels that the rule group's rules add to web requests.
All of the rules in this rule group require a web request token, except for the first two `UnsupportedCognitoIDP` and `AllRequests`. For a description of the information that the token provides, see [AWS WAF token characteristics](waf-tokens-details.md).
Except where noted, the rules in this rule group inspect all requests that your clients send to the account registration and account creation page paths that you provide in the rule group configuration. For information about configuring this rule group, see [AWS WAF Fraud Control account creation fraud prevention (ACFP)](waf-acfp.md).
**Note**
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog log at [AWS Managed Rules changelog](aws-managed-rule-groups-changelog.md). For information about other versions, use the API command [DescribeManagedRuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_DescribeManagedRuleGroup.html).
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
| Rule name | Description and label |
| --- | --- |
| UnsupportedCognitoIDP | Inspects for web traffic going to an Amazon Cognito user pool. ACFP isn't available for use with Amazon Cognito user pools, and this rule helps to ensure that the other ACFP rule group rules are not used to evaluate user pool traffic. Rule action: Block Labels: `awswaf:managed:aws:acfp:unsupported:cognito_idp` and `awswaf:managed:aws:acfp:UnsupportedCognitoIDP` |
| AllRequests | Applies the rule action to requests that access the registration page path. You configure the registration page path when you configure the rule group. By default, this rule applies the Challenge to requests. By applying this action, the rule ensures that the client acquires a challenge token before any requests are evaluated by the rest of the rules in the rule group. Ensure that your end users load the registration page path before they submit an account creation request. Tokens are added to requests by the client application integration SDKs and by the rule actions CAPTCHA and Challenge. For the most efficient token acquisition, we highly recommend that you use the application integration SDKs. For more information, see [Client application integrations in AWS WAF](waf-application-integration.md). Rule action: Challenge Labels: None |
| RiskScoreHigh | Inspects for account creation requests with IP addresses or other factors that are considered to be highly suspicious. This evaluation is usually based on multiple contributing factors, which you can see in `risk_score` labels that the rule group adds to the request. Rule action: Block Labels: `awswaf:managed:aws:acfp:risk_score:high` and `awswaf:managed:aws:acfp:RiskScoreHigh` The rule might also apply `medium` or `low` risk score labels to the request. If AWS WAF doesn't succeed at evaluating the risk score for the web request, the rule adds the label `awswaf:managed:aws:acfp:risk_score:evaluation_failed ` Additionally, the rule adds labels with the namespace `awswaf:managed:aws:acfp:risk_score:contributor:` that include risk score evaluation status and results for specific risk score contributors, such as IP reputation and stolen credentials evaluations. |
| SignalCredentialCompromised | Searches the stolen credential database for the credentials that were submitted in the account creation request. This rule ensures that new clients initialize their accounts with positive security posture. You can add a custom blocking response, to describe the problem to your end user and tell them how to proceed. For information, see [ACFP example: Custom response for compromised credentials](waf-acfp-control-example-compromised-credentials.md). Rule action: Block Labels: `awswaf:managed:aws:acfp:signal:credential_compromised` and `awswaf:managed:aws:acfp:SignalCredentialCompromised` The rule group applies the following related label, but takes no action on it, because not all requests in account creation will have credentials: `awswaf:managed:aws:acfp:signal:missing_credential` |
| SignalClientHumanInteractivityAbsentLow | Inspects the account creation request's token for data that indicates abnormal human interactivity with the application. Human interactivity is detected through interactions such as mouse movements and key presses. If the page has an HTML form, human interactivity includes interactions with the form. This rule only inspects requests to the account creation path and is only evaluated if you've implemented the application integration SDKs. The SDK implementations passively capture human interactivity and stores the information in the request token. For more information, see [AWS WAF token characteristics](waf-tokens-details.md) and [Client application integrations in AWS WAF](waf-application-integration.md). Rule action: CAPTCHA Labels: None. The rule determines a match based on varying factors, so there is no individual label that applies for every possible match scenario. The rule group can apply one or more of the following labels to requests: `awswaf:managed:aws:acfp:signal:client:human_interactivity:low\|medium\|high` `awswaf:managed:aws:acfp:SignalClientHumanInteractivityAbsentLow\|Medium\|High` `awswaf:managed:aws:acfp:signal:client:human_interactivity:insufficient_data` `awswaf:managed:aws:acfp:signal:form_detected`. |
| AutomatedBrowser | Inspects for indicators that the client browser might be automated. Rule action: Block Labels: `awswaf:managed:aws:acfp:signal:automated_browser` and `awswaf:managed:aws:acfp:AutomatedBrowser` |
| BrowserInconsistency | Inspects the request's token for inconsistent browser interrogation data. For more information, see [AWS WAF token characteristics](waf-tokens-details.md). Rule action: CAPTCHA Labels: `awswaf:managed:aws:acfp:signal:browser_inconsistency` and `awswaf:managed:aws:acfp:BrowserInconsistency` |
| VolumetricIpHigh | Inspects for high volumes of account creation requests sent from individual IP addresses. A high volume is more than 20 requests in a 10 minute window. The thresholds that this rule applies can vary slightly due to latency. For the high volume, a few requests might make it through beyond the limit before the rule action is applied. Rule action: CAPTCHA Labels: `awswaf:managed:aws:acfp:aggregate:volumetric:ip:creation:high` and `awswaf:managed:aws:acfp:VolumetricIpHigh` The rule applies the following labels to requests with medium volumes (more than 15 requests per 10 minute window) and low volumes (more than 10 requests per 10 minute window), but takes no action on them: `awswaf:managed:aws:acfp:aggregate:volumetric:ip:creation:medium` and `awswaf:managed:aws:acfp:aggregate:volumetric:ip:creation:low`. |
| VolumetricSessionHigh | Inspects for high volumes of account creation requests sent from individual client sessions. A high volume is more than 10 requests in a 30 minute window. The thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied. Rule action: Block Labels: `awswaf:managed:aws:acfp:aggregate:volumetric:session:creation:high` and `awswaf:managed:aws:acfp:VolumetricSessionHigh` The rule group applies the following labels to requests with medium volumes (more than 5 requests per 30 minute window) and low volumes (more than 1 request per 30 minute window), but takes no action on them: `awswaf:managed:aws:acfp:aggregate:volumetric:session:creation:medium` and `awswaf:managed:aws:acfp:aggregate:volumetric:session:creation:low`. |
| AttributeUsernameTraversalHigh | Inspects for a high rate of account creation requests from a single client session that use different usernames. The threshold for a high evaluation is more than 10 requests in 30 minutes. The thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied. Rule action: Block Labels: `awswaf:managed:aws:acfp:aggregate:attribute:username_traversal:creation:high` and `awswaf:managed:aws:acfp:AttributeUsernameTraversalHigh` The rule group applies the following labels to requests with medium volumes (more than 5 requests per 30 minute window) and low volumes (more than 1 request per 30 minute window) of username traversal requests, but takes no action on them: `awswaf:managed:aws:acfp:aggregate:attribute:username_traversal:creation:medium` and `awswaf:managed:aws:acfp:aggregate:attribute:username_traversal:creation:low`. |
| VolumetricPhoneNumberHigh | Inspects for high volumes of account creation requests that use the same phone number. The threshold for a high evaluation is more than 10 requests in 30 minutes. The thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied. Rule action: Block Labels: `awswaf:managed:aws:acfp:aggregate:volumetric:phone_number:high` and `awswaf:managed:aws:acfp:VolumetricPhoneNumberHigh` The rule group applies the following labels to requests with medium volumes (more than 5 requests per 30 minute window) and low volumes (more than 1 request per 30 minute window), but takes no action on them: `awswaf:managed:aws:acfp:aggregate:volumetric:phone_number:medium` and `awswaf:managed:aws:acfp:aggregate:volumetric:phone_number:low`. |
| VolumetricAddressHigh | Inspects for high volumes of account creation requests that use the same physical address. The threshold for a high evaluation is more than 100 requests per 30 minute window. The thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied. Rule action: Block Labels: `awswaf:managed:aws:acfp:aggregate:volumetric:address:high` and `awswaf:managed:aws:acfp:VolumetricAddressHigh` |
| VolumetricAddressLow | Inspects for low and medium volumes of account creation requests that use the same physical address. The threshold for a medium evaluation is more than 50 requests per 30 minute window, and for a low evaluation is more than 10 requests per 30 minute window. The rule applies the action for either medium or low volumes. The thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied. Rule action: CAPTCHA Labels: `awswaf:managed:aws:acfp:aggregate:volumetric:address:low\|medium` and `awswaf:managed:aws:acfp:VolumetricAddressLow\|Medium` |
| VolumetricIPSuccessfulResponse | Inspects for a high volume of successful account creation requests for a single IP address. This rule aggregates success responses from the protected resource to account creation requests. The threshold for a high evaluation is more than 10 requests per 10 minute window. This rule helps protect against bulk account creation attempts. It has a lower threshold than the rule `VolumetricIpHigh`, which counts just the requests. If you've configured the rule group to inspect the response body or JSON components, AWS WAF can inspect the first 65,536 bytes (64 KB) of these component types for success or failure indicators. This rule applies the rule action and labeling to new web requests from an IP address, based on the success and failure responses from the protected resource to recent login attempts from the same IP address. You define how to count successes and failures when you configure the rule group. AWS WAF only evaluates this rule in protection packs (web ACLs) that protect Amazon CloudFront distributions. The thresholds that this rule applies can vary slightly due to latency. It's possible for the client to send more successful account creation attempts than are allowed before the rule starts matching on subsequent attempts. Rule action: Block Labels: `awswaf:managed:aws:acfp:aggregate:volumetric:ip:successful_creation_response:high` and `awswaf:managed:aws:acfp:VolumetricIPSuccessfulResponse` The rule group also applies the following related labels to requests, without any associated action. All counts are for a 10-minute window. `awswaf:managed:aws:acfp:aggregate:volumetric:ip:successful_creation_response:medium` for more than 5 successful requests, `awswaf:managed:aws:acfp:aggregate:volumetric:ip:successful_creation_response:low` for more than 1 successful request, `awswaf:managed:aws:acfp:aggregate:volumetric:ip:failed_creation_response:high` for more than 10 failed requests, `awswaf:managed:aws:acfp:aggregate:volumetric:ip:failed_creation_response:medium` for more than 5 failed requests, and `awswaf:managed:aws:acfp:aggregate:volumetric:ip:failed_creation_response:low` for more than 1 failed request. |
| VolumetricSessionSuccessfulResponse | Inspects for a low volume of success responses from the protected resource to account creation requests that are being sent from a single client session. This helps to protect against bulk account creation attempts. The threshold for a low evaluation is more than 1 request per 30 minute window. This helps protect against bulk account creation attempts. This rule uses a lower threshold than the rule `VolumetricSessionHigh`, which tracks only the requests. If you've configured the rule group to inspect the response body or JSON components, AWS WAF can inspect the first 65,536 bytes (64 KB) of these component types for success or failure indicators. This rule applies the rule action and labeling to new web requests from a client session, based on the success and failure responses from the protected resource to recent login attempts from the same client session. You define how to count successes and failures when you configure the rule group. AWS WAF only evaluates this rule in protection packs (web ACLs) that protect Amazon CloudFront distributions. The thresholds that this rule applies can vary slightly due to latency. It's possible for the client to send more failed account creation attempts than are allowed before the rule starts matching on subsequent attempts. Rule action: Block Labels: `awswaf:managed:aws:acfp:aggregate:volumetric:session:successful_creation_response:low` and `awswaf:managed:aws:acfp:VolumetricSessionSuccessfulResponse` The rule group also applies the following related labels to requests. All counts are for a 30-minute window. `awswaf:managed:aws:acfp:aggregate:volumetric:session:successful_creation_response:high` for more than 10 successful requests, `awswaf:managed:aws:acfp:aggregate:volumetric:session:successful_creation_response:medium` for more than 5 successful requests, `awswaf:managed:aws:acfp:aggregate:volumetric:session:failed_creation_response:high` for more than 10 failed requests, `awswaf:managed:aws:acfp:aggregate:volumetric:session:failed_creation_response:medium` for more than 5 failed requests, and `awswaf:managed:aws:acfp:aggregate:volumetric:session:failed_creation_response:low` for more than 1 failed request. |
| VolumetricSessionTokenReuseIp | Inspects account creation requests for the use of a single token among more than 5 distinct IP addresses. The thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied. Rule action: Block Labels: `awswaf:managed:aws:acfp:aggregate:volumetric:session:creation:token_reuse:ip` and `awswaf:managed:aws:acfp:VolumetricSessionTokenReuseIp` |
# AWS WAF Fraud Control account takeover prevention (ATP) rule group
This section explains what the AWS WAF Fraud Control account takeover prevention (ATP) managed rule group does.
VendorName: `AWS`, Name: `AWSManagedRulesATPRuleSet`, WCU: 50
**Note**
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog log at [AWS Managed Rules changelog](aws-managed-rule-groups-changelog.md). For information about other versions, use the API command [DescribeManagedRuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_DescribeManagedRuleGroup.html).
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
The AWS WAF Fraud Control account takeover prevention (ATP) managed rule group labels and manages requests that might be part of malicious account takeover attempts. The rule group does this by inspecting login attempts that clients send to your application's login endpoint.
+ **Request inspection** – ATP gives you visibility and control over anomalous login attempts and login attempts that use stolen credentials, to prevent account takeovers that might lead to fraudulent activity. ATP checks email and password combinations against its stolen credential database, which is updated regularly as new leaked credentials are found on the dark web. ATP aggregates data by IP address and client session, to detect and block clients that send too many requests of a suspicious nature.
+ **Response inspection** – For CloudFront distributions, in addition to inspecting incoming login requests, the ATP rule group inspects your application's responses to login attempts, to track success and failure rates. Using this information, ATP can temporarily block client sessions or IP addresses that have too many login failures. AWS WAF performs response inspection asynchronously, so this doesn't increase latency in your web traffic.
## Considerations for using this rule group
This rule group requires specific configuration. To configure and implement this rule group, see the guidance at [AWS WAF Fraud Control account takeover prevention (ATP)](waf-atp.md).
This rule group is part of the intelligent threat mitigation protections in AWS WAF. For information, see [Intelligent threat mitigation in AWS WAF](waf-managed-protections.md).
**Note**
You are charged additional fees when you use this managed rule group. For more information, see [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).
To keep your costs down and to be sure you're managing your web traffic as you want, use this rule group in accordance with the guidance at [Best practices for intelligent threat mitigation in AWS WAF](waf-managed-protections-best-practices.md).
This rule group isn't available for use with Amazon Cognito user pools. You can't associate a protection pack (web ACL) that uses this rule group with a user pool, and you can't add this rule group to a protection pack (web ACL) that's already associated with a user pool.
## Labels added by this rule group
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack (web ACL). AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](waf-labels.md) and [Label metrics and dimensions](waf-metrics.md#waf-metrics-label).
### Token labels
This rule group uses AWS WAF token management to inspect and label web requests according to the status of their AWS WAF tokens. AWS WAF uses tokens for client session tracking and verification.
For information about tokens and token management, see [Token use in AWS WAF intelligent threat mitigation](waf-tokens.md).
For information about the label components described here, see [Label syntax and naming requirements in AWS WAF](waf-rule-label-requirements.md).
**Client session label**
The label `awswaf:managed:token:id:identifier` contains a unique identifier that AWS WAF token management uses to identify the client session. The identifier can change if the client acquires a new token, for example after discarding the token it was using.
**Note**
AWS WAF doesn't report Amazon CloudWatch metrics for this label.
**Browser fingerprint label**
The label `awswaf:managed:token:fingerprint:fingerprint-identifier` contains a robust browser fingerprint identifier that AWS WAF token management computes from various client browser signals. This identifier stays the same across multiple token acquisition attempts. The fingerprint identifier is not unique to a single client.
**Note**
AWS WAF doesn't report Amazon CloudWatch metrics for this label.
**Token status labels: Label namespace prefixes**
Token status labels report on the status of the token and of the challenge and CAPTCHA information that it contains.
Each token status label begins with one of the following namespace prefixes:
+ `awswaf:managed:token:` – Used to report the general status of the token and to report on the status of the token's challenge information.
+ `awswaf:managed:captcha:` – Used to report on the status of the token's CAPTCHA information.
**Token status labels: Label names**
Following the prefix, the rest of the label provides detailed token status information:
+ `accepted` – The request token is present and contains the following:
+ A valid challenge or CAPTCHA solution.
+ An unexpired challenge or CAPTCHA timestamp.
+ A domain specification that's valid for the protection pack (web ACL).
Example: The label `awswaf:managed:token:accepted` indicates that the web requests's token has a valid challenge solution, an unexpired challenge timestamp, and a valid domain.
+ `rejected` – The request token is present but doesn't meet the acceptance criteria.
Along with the rejected label, token management adds a custom label namespace and name to indicate the reason.
+ `rejected:not_solved` – The token is missing the challenge or CAPTCHA solution.
+ `rejected:expired` – The token's challenge or CAPTCHA timestamp has expired, according to your protection pack (web ACL)'s configured token immunity times.
+ `rejected:domain_mismatch` – The token's domain isn't a match for your protection pack (web ACL)'s token domain configuration.
+ `rejected:invalid` – AWS WAF couldn't read the indicated token.
Example: The labels `awswaf:managed:captcha:rejected` and `awswaf:managed:captcha:rejected:expired` together indicate that the request didn't have a valid CAPTCHA solve because the CAPTCHA timestamp in the token has exceeded the CAPTCHA token immunity time that's configured in the protection pack (web ACL).
+ `absent` – The request doesn't have the token or the token manager couldn't read it.
Example: The label `awswaf:managed:captcha:absent` indicates that the request doesn't have the token.
### ATP labels
The ATP managed rule group generates labels with the namespace prefix `awswaf:managed:aws:atp:` followed by the custom namespace and label name.
The rule group might add any of the following labels in addition to the labels that are noted in the rules listing:
+ `awswaf:managed:aws:atp:signal:credential_compromised` – Indicates that the credentials that were submitted in the request are in the stolen credential database.
+ `awswaf:managed:aws:atp:aggregate:attribute:suspicious_tls_fingerprint` – Available only for protected Amazon CloudFront distributions. Indicates that a client session has sent multiple requests that used a suspicious TLS fingerprint.
+ `awswaf:managed:aws:atp:aggregate:volumetric:session:token_reuse:ip` – Indicates the use of a single token among more than 5 distinct IP addresses. The thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the label is applied.
You can retrieve all labels for a rule group through the API by calling `DescribeManagedRuleGroup`. The labels are listed in the `AvailableLabels` property in the response.
## Account takeover prevention rules listing
This section lists the ATP rules in `AWSManagedRulesATPRuleSet` and the labels that the rule group's rules add to web requests.
**Note**
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog log at [AWS Managed Rules changelog](aws-managed-rule-groups-changelog.md). For information about other versions, use the API command [DescribeManagedRuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_DescribeManagedRuleGroup.html).
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
| Rule name | Description and label |
| --- | --- |
| UnsupportedCognitoIDP | Inspects for web traffic going to an Amazon Cognito user pool. ATP isn't available for use with Amazon Cognito user pools, and this rule helps to ensure that the other ATP rule group rules are not used to evaluate user pool traffic. Rule action: Block Labels: `awswaf:managed:aws:atp:unsupported:cognito_idp` and `awswaf:managed:aws:atp:UnsupportedCognitoIDP` |
| VolumetricIpHigh | Inspects for high volumes of requests sent from individual IP addresses. A high volume is more than 20 requests in a 10 minute window. The thresholds that this rule applies can vary slightly due to latency. For the high volume, a few requests might make it through beyond the limit before the rule action is applied. Rule action: Block Labels: `awswaf:managed:aws:atp:aggregate:volumetric:ip:high` and `awswaf:managed:aws:atp:VolumetricIpHigh` The rule group applies the following labels to requests with medium volumes (more than 15 requests per 10 minute window) and low volumes (more than 10 requests per 10 minute window), but takes no action on them: `awswaf:managed:aws:atp:aggregate:volumetric:ip:medium` and `awswaf:managed:aws:atp:aggregate:volumetric:ip:low`. |
| VolumetricSession | Inspects for high volumes of requests sent from individual client sessions. The threshold is more than 20 requests per 30 minute window. This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see [Token use in AWS WAF intelligent threat mitigation](waf-tokens.md). The thresholds that this rule applies can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied. Rule action: Block Labels: `awswaf:managed:aws:atp:aggregate:volumetric:session` and `awswaf:managed:aws:atp:VolumetricSession` |
| AttributeCompromisedCredentials | Inspects for multiple requests from the same client session that use stolen credentials. Rule action: Block Labels: `awswaf:managed:aws:atp:aggregate:attribute:compromised_credentials` and `awswaf:managed:aws:atp:AttributeCompromisedCredentials` |
| AttributeUsernameTraversal | Inspects for multiple requests from the same client session that use username traversal. Rule action: Block Labels: `awswaf:managed:aws:atp:aggregate:attribute:username_traversal` and `awswaf:managed:aws:atp:AttributeUsernameTraversal` |
| AttributePasswordTraversal | Inspects for multiple requests with the same username that use password traversal. Rule action: Block Labels: `awswaf:managed:aws:atp:aggregate:attribute:password_traversal` and `awswaf:managed:aws:atp:AttributePasswordTraversal` |
| AttributeLongSession | Inspects for multiple requests from the same client session that use long lasting sessions. The threshold is more than 6 hours of traffic that has at least one login request every 30 minutes. This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see [Token use in AWS WAF intelligent threat mitigation](waf-tokens.md). Rule action: Block Labels: `awswaf:managed:aws:atp:aggregate:attribute:long_session` and `awswaf:managed:aws:atp:AttributeLongSession` |
| TokenRejected | Inspects for requests with tokens that are rejected by AWS WAF token management. This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see [Token use in AWS WAF intelligent threat mitigation](waf-tokens.md). Rule action: Block Labels: None. To check for token rejected, use a label match rule to match on the label: `awswaf:managed:token:rejected`. |
| SignalMissingCredential | Inspects for requests with credentials that are missing the username or password. Rule action: Block Labels: `awswaf:managed:aws:atp:signal:missing_credential` and `awswaf:managed:aws:atp:SignalMissingCredential` |
| VolumetricIpFailedLoginResponseHigh | Inspects for IP addresses that have recently been the source of too high a rate of failed login attempts. A high volume is more than 10 failed login requests from an IP address in a 10 minute window. If you've configured the rule group to inspect the response body or JSON components, AWS WAF can inspect the first 65,536 bytes (64 KB) of these component types for success or failure indicators. This rule applies the rule action and labeling to new web requests from an IP address, based on the success and failure responses from the protected resource to recent login attempts from the same IP address. You define how to count successes and failures when you configure the rule group. AWS WAF only evaluates this rule in protection packs (web ACLs) that protect Amazon CloudFront distributions. The thresholds that this rule applies can vary slightly due to latency. It's possible for the client to send more failed login attempts than are allowed before the rule starts matching on subsequent attempts. Rule action: Block Labels: `awswaf:managed:aws:atp:aggregate:volumetric:ip:failed_login_response:high` and `awswaf:managed:aws:atp:VolumetricIpFailedLoginResponseHigh` The rule group also applies the following related labels to requests, without any associated action. All counts are for a 10-minute window. `awswaf:managed:aws:atp:aggregate:volumetric:ip:failed_login_response:medium` for more than 5 failed requests, `awswaf:managed:aws:atp:aggregate:volumetric:ip:failed_login_response:low` for more than 1 failed request, `awswaf:managed:aws:atp:aggregate:volumetric:ip:successful_login_response:high` for more than 10 successful requests, `awswaf:managed:aws:atp:aggregate:volumetric:ip:successful_login_response:medium` for more than 5 successful requests, and `awswaf:managed:aws:atp:aggregate:volumetric:ip:successful_login_response:low` for more than 1 successful request. |
| VolumetricSessionFailedLoginResponseHigh | Inspects for client sessions that have recently been the source of too high a rate of failed login attempts. A high volume is more than 10 failed login requests from a client session in a 30 minute window. If you've configured the rule group to inspect the response body or JSON components, AWS WAF can inspect the first 65,536 bytes (64 KB) of these component types for success or failure indicators. This rule applies the rule action and labeling to new web requests from a client session, based on the success and failure responses from the protected resource to recent login attempts from the same client session. You define how to count successes and failures when you configure the rule group. AWS WAF only evaluates this rule in protection packs (web ACLs) that protect Amazon CloudFront distributions. The thresholds that this rule applies can vary slightly due to latency. It's possible for the client to send more failed login attempts than are allowed before the rule starts matching on subsequent attempts. This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see [Token use in AWS WAF intelligent threat mitigation](waf-tokens.md). Rule action: Block Labels: `awswaf:managed:aws:atp:aggregate:volumetric:session:failed_login_response:high` and `awswaf:managed:aws:atp:VolumetricSessionFailedLoginResponseHigh` The rule group also applies the following related labels to requests, without any associated action. All counts are for a 30-minute window. `awswaf:managed:aws:atp:aggregate:volumetric:session:failed_login_response:medium` for more than 5 failed requests, `awswaf:managed:aws:atp:aggregate:volumetric:session:failed_login_response:low` for more than 1 failed request, `awswaf:managed:aws:atp:aggregate:volumetric:session:successful_login_response:high` for more than 10 successful requests, `awswaf:managed:aws:atp:aggregate:volumetric:session:successful_login_response:medium` for more than 5 successful requests, and `awswaf:managed:aws:atp:aggregate:volumetric:session:successful_login_response:low` for more than 1 successful request. |
# AWS WAF Bot Control rule group
This section explains what the Bot Control managed rule group does.
VendorName: `AWS`, Name: `AWSManagedRulesBotControlRuleSet`, WCU: 50
**Note**
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog log at [AWS Managed Rules changelog](aws-managed-rule-groups-changelog.md). For information about other versions, use the API command [DescribeManagedRuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_DescribeManagedRuleGroup.html).
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need to request a new bot classification for Bot Control or require additional information not covered here, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
The Bot Control managed rule group provides rules that manage requests from bots. Bots can consume excess resources, skew business metrics, cause downtime, and perform malicious activities.
## Protection levels
The Bot Control managed rule group provides two levels of protection that you can choose from:
+ **Common** – Detects a variety of self-identifying bots, such as web scraping frameworks, search engines, and automated browsers. Bot Control protections at this level identify common bots using traditional bot detection techniques, such as static request data analysis. The rules label traffic from these bots and block the ones that they cannot verify.
+ **Targeted** – Includes the common-level protections and adds targeted detection for sophisticated bots that do not self identify. Targeted protections mitigate bot activity using a combination of rate limiting and CAPTCHA and background browser challenges.
+ **`TGT_`** – Rules that provide targeted protection have names that begin with `TGT_`. All targeted protections use detection techniques such as browser interrogation, fingerprinting, and behavior heuristics to identify bad bot traffic.
+ **`TGT_ML_`** – Targeted protection rules that use machine learning have names that begin with `TGT_ML_`. These rules use automated, machine-learning analysis of website traffic statistics to detect anomalous behavior indicative of distributed, coordinated bot activity. AWS WAF analyzes statistics about your website traffic such as timestamps, browser characteristics, and previous URL visited, to improve the Bot Control machine learning model. Machine learning capabilities are enabled by default, but you can disable them in your rule group configuration. When machine learning is disabled, AWS WAF does not evaluate these rules.
The targeted protection level and the AWS WAF rate-based rule statement both provide rate limiting. For a comparison of the two options, see [Options for rate limiting in rate-based rules and targeted Bot Control rules](waf-rate-limiting-options.md).
## Considerations for using this rule group
This rule group is part of the intelligent threat mitigation protections in AWS WAF. For information, see [Intelligent threat mitigation in AWS WAF](waf-managed-protections.md).
**Note**
You are charged additional fees when you use this managed rule group. For more information, see [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).
To keep your costs down and to be sure you're managing your web traffic as you want, use this rule group in accordance with the guidance at [Best practices for intelligent threat mitigation in AWS WAF](waf-managed-protections-best-practices.md).
We periodically update our machine learning (ML) models for the targeted protection level ML-based rules, to improve bot predictions. The ML-based rules have names that start with `TGT_ML_`. If you notice a sudden and substantial change in the bot predictions made by these rules, contact us through your account manager or open a case at [AWS Support Center](https://console.aws.amazon.com/support/home#/).
## Labels added by this rule group
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack (web ACL). AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](waf-labels.md) and [Label metrics and dimensions](waf-metrics.md#waf-metrics-label).
### Token labels
This rule group uses AWS WAF token management to inspect and label web requests according to the status of their AWS WAF tokens. AWS WAF uses tokens for client session tracking and verification.
For information about tokens and token management, see [Token use in AWS WAF intelligent threat mitigation](waf-tokens.md).
For information about the label components described here, see [Label syntax and naming requirements in AWS WAF](waf-rule-label-requirements.md).
**Client session label**
The label `awswaf:managed:token:id:identifier` contains a unique identifier that AWS WAF token management uses to identify the client session. The identifier can change if the client acquires a new token, for example after discarding the token it was using.
**Note**
AWS WAF doesn't report Amazon CloudWatch metrics for this label.
**Browser fingerprint label**
The label `awswaf:managed:token:fingerprint:fingerprint-identifier` contains a robust browser fingerprint identifier that AWS WAF token management computes from various client browser signals. This identifier stays the same across multiple token acquisition attempts. The fingerprint identifier is not unique to a single client.
**Note**
AWS WAF doesn't report Amazon CloudWatch metrics for this label.
**Token status labels: Label namespace prefixes**
Token status labels report on the status of the token and of the challenge and CAPTCHA information that it contains.
Each token status label begins with one of the following namespace prefixes:
+ `awswaf:managed:token:` – Used to report the general status of the token and to report on the status of the token's challenge information.
+ `awswaf:managed:captcha:` – Used to report on the status of the token's CAPTCHA information.
**Token status labels: Label names**
Following the prefix, the rest of the label provides detailed token status information:
+ `accepted` – The request token is present and contains the following:
+ A valid challenge or CAPTCHA solution.
+ An unexpired challenge or CAPTCHA timestamp.
+ A domain specification that's valid for the protection pack (web ACL).
Example: The label `awswaf:managed:token:accepted` indicates that the web requests's token has a valid challenge solution, an unexpired challenge timestamp, and a valid domain.
+ `rejected` – The request token is present but doesn't meet the acceptance criteria.
Along with the rejected label, token management adds a custom label namespace and name to indicate the reason.
+ `rejected:not_solved` – The token is missing the challenge or CAPTCHA solution.
+ `rejected:expired` – The token's challenge or CAPTCHA timestamp has expired, according to your protection pack (web ACL)'s configured token immunity times.
+ `rejected:domain_mismatch` – The token's domain isn't a match for your protection pack (web ACL)'s token domain configuration.
+ `rejected:invalid` – AWS WAF couldn't read the indicated token.
Example: The labels `awswaf:managed:captcha:rejected` and `awswaf:managed:captcha:rejected:expired` together indicate that the request didn't have a valid CAPTCHA solve because the CAPTCHA timestamp in the token has exceeded the CAPTCHA token immunity time that's configured in the protection pack (web ACL).
+ `absent` – The request doesn't have the token or the token manager couldn't read it.
Example: The label `awswaf:managed:captcha:absent` indicates that the request doesn't have the token.
### Bot Control labels
The Bot Control managed rule group generates labels with the namespace prefix `awswaf:managed:aws:bot-control:` followed by the custom namespace and label name. The rule group might add more than one label to a request.
Each label reflects the Bot Control rule findings:
+ `awswaf:managed:aws:bot-control:bot:` – Information about the bot associated with the request.
+ `awswaf:managed:aws:bot-control:bot:name:` – The bot name, if one is available, for example, the custom namespaces `bot:name:slurp`, `bot:name:googlebot`, and `bot:name:pocket_parser`.
+ `awswaf:managed:aws:bot-control:bot:name:` – Identifies the specific bot using the RFC product token from the WBA signature. This is used to create granular custom rules for specific bots. For example, allow `GoogleBot` but rate-limit other crawlers.
+ `awswaf:managed:aws:bot-control:bot:category:` – The category of bot, as defined by AWS WAF, for example, `bot:category:search_engine` and `bot:category:content_fetcher`.
+ `awswaf:managed:aws:bot-control:bot:account:` –For bots using Amazon Bedrock Agent Core only. This label contains an opaque hash uniquely identifying the AWS account that owns the agent. Use this label to create custom rules that allow, block, or rate-limit bots from specific AWS accounts without exposing account IDs in logs.
+ `awswaf:managed:aws:bot-control:bot:web_bot_auth:` – Applied when Web Bot Authentication (WBA) validation is performed on a request. The status suffix indicates the verification outcome:
+ `web_bot_auth:verified` – Signature successfully validated against public key directory
+ `web_bot_auth:invalid` – Signature present but cryptograpic validation failed
+ `web_bot_auth:expired` – Signature used an expired cryptograpic key
+ `web_bot_auth:unknown_bot` – Key ID not found in the key directory
**Note**
When the `web_bot_auth:verified` label is present, the `CategoryAI` and `TGT_TokenAbsent` rules do not match, allowing verified WBA hosts to proceed.
+ `awswaf:managed:aws:bot-control:bot:organization:` – The bot's publisher, for example, `bot:organization:google`.
+ `awswaf:managed:aws:bot-control:bot:verified` – Used to indicate a bot that identifies itself and that Bot Control has been able to verify. This is used for common desirable bots, and can be useful when combined with category labels like `bot:category:search_engine` or name labels like `bot:name:googlebot`.
**Note**
Bot Control uses the IP address from the web request origin to help determine whether a bot is verified. You can’t configure it to use the AWS WAF forwarded IP configuration, to inspect a different IP address source. If you have verified bots that route through a proxy or load balancer, you can add a rule that runs before the Bot Control rule group to help with this. Configure your new rule to use the forwarded IP address and explicitly allow requests from the verified bots. For information about using forwarded IP addresses, see [Using forwarded IP addresses in AWS WAF](waf-rule-statement-forwarded-ip-address.md).
+ `awswaf:managed:aws:bot-control:bot:vendor:` – Identifies the vendor or operator of a verified bot. Currently available only for Agentcore. Use to create custom rules that allow or block specific bot vendors regardless of individual bot names.
+ `awswaf:managed:aws:bot-control:bot:user_triggered:verified` – Used to indicate a bot that is similar to a verified bot, but that might be directly invoked by end users. This category of bot is treated by the Bot Control rules like an unverified bot.
+ `awswaf:managed:aws:bot-control:bot:developer_platform:verified` – Used to indicate a bot that is similar to a verified bot, but that is used by developer platforms for scripting, for example Google Apps Script. This category of bot is treated by the Bot Control rules like an unverified bot.
+ `awswaf:managed:aws:bot-control:bot:unverified` – Used to indicate a bot that identifies itself, so it can be named and categorized, but that doesn't publish information that can be used to independently verify its identify. These types of bot signatures can be falsified, and so are treated as unverified.
+ `awswaf:managed:aws:bot-control:targeted: ` – Used for labels that are specific to the Bot Control targeted protections.
+ `awswaf:managed:aws:bot-control:signal:` and `awswaf:managed:aws:bot-control:targeted:signal: `– Used to provide additional information about the request in some situations.
The following are examples of signal labels. This is not an exhaustive list:
+ `awswaf:managed:aws:bot-control:signal:cloud_service_provider:` – Indicates a cloud service provider (CSP) for the request. Examples of CSPs include `aws` for Amazon Web Services infrastructure, `gcp` for Google Cloud Platform (GCP) infrastructure, `azure` for Microsoft Azure cloud services, and `oracle` for Oracle Cloud services.
+ `awswaf:managed:aws:bot-control:targeted:signal:browser_automation_extension` – Indicates the detection of a browser extension that assists in automation, such as Selenium IDE.
This label is added whenever a user has this type of extension installed, even if they're not actively using it. If you implement a label match rule for this, be aware of this possibility of false positives in your rule logic and action settings. For example, you might use a CAPTCHA action instead of Block or you might combine this label match with other label matches, to increase your confidence that automation is in use.
+ `awswaf:managed:aws:bot-control:signal:automated_browser` – Indicates that the request contains indicators that the client browser might be automated.
+ `awswaf:managed:aws:bot-control:targeted:signal:automated_browser` – Indicates that the request's AWS WAF token contains indicators that the client browser might be automated.
You can retrieve all labels for a rule group through the API by calling `DescribeManagedRuleGroup`. The labels are listed in the `AvailableLabels` property in the response.
The Bot Control managed rule group applies labels to a set of verifiable bots that are commonly allowed. The rule group doesn't block these verified bots. If you want, you can block them, or a subset of them by writing a custom rule that uses the labels applied by the Bot Control managed rule group. For more information about this and examples, see [AWS WAF Bot Control](waf-bot-control.md).
## Bot Control rules listing
This section lists the Bot Control rules.
**Note**
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog log at [AWS Managed Rules changelog](aws-managed-rule-groups-changelog.md). For information about other versions, use the API command [DescribeManagedRuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_DescribeManagedRuleGroup.html).
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need to request a new bot classification for Bot Control or require additional information not covered here, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
| Rule name | Description |
| --- | --- |
| CategoryAdvertising | Inspects for bots that are used for advertising purposes. For example, you might use third-party advertising services that need to programmatically access your website. Rule action, applied only to unverified bots: Block Labels: `awswaf:managed:aws:bot-control:bot:category:advertising` and `awswaf:managed:aws:bot-control:CategoryAdvertising` For verified bots, the rule group does not match this rule and takes no action, but it adds the bot name and category labeling plus the label `awswaf:managed:aws:bot-control:bot:verified`. |
| CategoryArchiver | Inspects for bots that are used for archiving purposes. These bots crawl the web and capture content for the purposes of creating archives. Rule action, applied only to unverified bots: Block Labels: `awswaf:managed:aws:bot-control:bot:category:archiver` and `awswaf:managed:aws:bot-control:CategoryArchiver` For verified bots, the rule group does not match this rule and takes no action, but it adds the bot name and category labeling plus the label `awswaf:managed:aws:bot-control:bot:verified`. |
| CategoryContentFetcher | Inspects for bots that visit the application's website on behalf of a user, to fetch content like RSS feeds or to verify or validate your content. Rule action, applied only to unverified bots: Block Labels: `awswaf:managed:aws:bot-control:bot:category:content_fetcher` and `awswaf:managed:aws:bot-control:CategoryContentFetcher` For verified bots, the rule group does not match this rule and takes no action, but it adds the bot name and category labeling plus the label `awswaf:managed:aws:bot-control:bot:verified`. |
| CategoryEmailClient | Inspects for bots that check links within emails that point to the application's website. This can include bots run by businesses and email providers, to verify links in emails and flag suspicious emails. Rule action, applied only to unverified bots: Block Labels: `awswaf:managed:aws:bot-control:bot:category:email_client` and `awswaf:managed:aws:bot-control:CategoryEmailClient` For verified bots, the rule group does not match this rule and takes no action, but it adds the bot name and category labeling plus the label `awswaf:managed:aws:bot-control:bot:verified`. |
| CategoryHttpLibrary | Inspects for requests that are generated by bots from the HTTP libraries of various programming languages. These may include API requests that you choose to allow or monitor. Rule action, applied only to unverified bots: Block Labels: `awswaf:managed:aws:bot-control:bot:category:http_library` and `awswaf:managed:aws:bot-control:CategoryHttpLibrary` For verified bots, the rule group does not match this rule and takes no action, but it adds the bot name and category labeling plus the label `awswaf:managed:aws:bot-control:bot:verified`. |
| CategoryLinkChecker | Inspects for bots that check for broken links. Rule action, applied only to unverified bots: Block Labels: `awswaf:managed:aws:bot-control:bot:category:link_checker` and `awswaf:managed:aws:bot-control:CategoryLinkChecker` For verified bots, the rule group does not match this rule and takes no action, but it adds the bot name and category labeling plus the label `awswaf:managed:aws:bot-control:bot:verified`. |
| CategoryMiscellaneous | Inspects for miscellaneous bots that don't match other categories. Rule action, applied only to unverified bots: Block Labels: `awswaf:managed:aws:bot-control:bot:category:miscellaneous` and `awswaf:managed:aws:bot-control:CategoryMiscellaneous` For verified bots, the rule group does not match this rule and takes no action, but it adds the bot name and category labeling plus the label `awswaf:managed:aws:bot-control:bot:verified`. |
| CategoryMonitoring | Inspects for bots that are used for monitoring purposes. For example, you might use bot monitoring services that periodically ping your application website to monitor things like performance and uptime. Rule action, applied only to unverified bots: Block Labels: `awswaf:managed:aws:bot-control:bot:category:monitoring` and `awswaf:managed:aws:bot-control:CategoryMonitoring` For verified bots, the rule group does not match this rule and takes no action, but it adds the bot name and category labeling plus the label `awswaf:managed:aws:bot-control:bot:verified`. |
| CategoryPagePreview | Inspects for bots that generate page previews and link previews when content is shared on messaging platforms, social media, or collaboration tools. Rule action, applied only to unverified bots: Block Labels: `awswaf:managed:aws:bot-control:bot:category:page_preview` and `awswaf:managed:aws:bot-control:CategoryPagePreview` For verified bots, the rule group does not match this rule and takes no action, but it adds the bot name and category labeling plus the label `awswaf:managed:aws:bot-control:bot:verified`. |
| CategoryScrapingFramework | Inspects for bots from web scraping frameworks, which are used to automate crawling and extracting content from websites. Rule action, applied only to unverified bots: Block Labels: `awswaf:managed:aws:bot-control:bot:category:scraping_framework` and `awswaf:managed:aws:bot-control:CategoryScrapingFramework` For verified bots, the rule group does not match this rule and takes no action, but it adds the bot name and category labeling plus the label `awswaf:managed:aws:bot-control:bot:verified`. |
| CategorySearchEngine | Inspects for search engine bots, which crawl websites to index content and make the information available for search engine results. Rule action, applied only to unverified bots: Block Labels: `awswaf:managed:aws:bot-control:bot:category:search_engine` and `awswaf:managed:aws:bot-control:CategorySearchEngine` For verified bots, the rule group does not match this rule and takes no action, but it adds the bot name and category labeling plus the label `awswaf:managed:aws:bot-control:bot:verified`. |
| CategorySecurity | Inspects for bots that scan web applications for vulnerabilities or that perform security audits. For example, you might use a third-party security vendor that scans, monitors, or audits your web application’s security. Rule action, applied only to unverified bots: Block Labels: `awswaf:managed:aws:bot-control:bot:category:security` and `awswaf:managed:aws:bot-control:CategorySecurity` For verified bots, the rule group does not match this rule and takes no action, but it adds the bot name and category labeling plus the label `awswaf:managed:aws:bot-control:bot:verified`. |
| CategorySeo | Inspects for bots that are used for search engine optimization. For example, you might use search engine tools that crawl your site to help you improve your search engine rankings. Rule action, applied only to unverified bots: Block Labels: `awswaf:managed:aws:bot-control:bot:category:seo` and `awswaf:managed:aws:bot-control:CategorySeo` For verified bots, the rule group does not match this rule and takes no action, but it adds the bot name and category labeling plus the label `awswaf:managed:aws:bot-control:bot:verified`. |
| CategorySocialMedia | Inspects for bots that are used by social media platforms to provide content summaries when users share your content. Rule action, applied only to unverified bots: Block Labels: `awswaf:managed:aws:bot-control:bot:category:social_media` and `awswaf:managed:aws:bot-control:CategorySocialMedia` For verified bots, the rule group does not match this rule and takes no action, but it adds the bot name and category labeling plus the label `awswaf:managed:aws:bot-control:bot:verified`. |
| CategoryWebhooks | Inspects for bots that deliver automated notifications and data updates from one application to another through HTTP callbacks. Rule action, applied only to unverified bots: Block Labels: `awswaf:managed:aws:bot-control:bot:category:webhooks` and `awswaf:managed:aws:bot-control:CategoryWebhooks` For verified bots, the rule group does not match this rule and takes no action, but it adds the bot name and category labeling plus the label `awswaf:managed:aws:bot-control:bot:verified`. |
| CategoryAI | Inspects for artificial intelligence (AI) bots. This rule applies the action to all matches, regardless of whether the bots are verified or unverified. Rule action: Block Labels: `awswaf:managed:aws:bot-control:bot:category:ai` and `awswaf:managed:aws:bot-control:CategoryAI` For verified bots, the rule group matches this rule and takes an action. It additionally adds the bot name and category labeling, the rule labeling, plus the label `awswaf:managed:aws:bot-control:bot:verified`. |
| SignalAutomatedBrowser | Inspects requests that are not from verified bots for indicators that the client browser might be automated. Automated browsers can be used for testing or scraping. For example, you might use these types of browsers to monitor or verify your application website. Rule action: Block Labels: `awswaf:managed:aws:bot-control:signal:automated_browser` and `awswaf:managed:aws:bot-control:SignalAutomatedBrowser` For verified bots, the rule group does not match this rule and does not apply any signal or rule labels. |
| SignalKnownBotDataCenter | Inspects requests that are not from verified bots for indicators of data centers that are typically used by bots. Rule action: Block Labels: `awswaf:managed:aws:bot-control:signal:known_bot_data_center` and `awswaf:managed:aws:bot-control:SignalKnownBotDataCenter` For verified bots, the rule group does not match this rule and does not apply any signal or rule labels. |
| SignalNonBrowserUserAgent | Inspects requests that are not from verified bots for user agent strings that don't seem to be from a web browser. This category can include API requests. Rule action: Block Labels: `awswaf:managed:aws:bot-control:signal:non_browser_user_agent` and `awswaf:managed:aws:bot-control:SignalNonBrowserUserAgent` For verified bots, the rule group does not match this rule and does not apply any signal or rule labels. |
| TGT\$1VolumetricIpTokenAbsent | Inspects requests that are not from verified bots with 5 or more requests from a single client in the last 5 minutes that don't include a valid challenge token. For information about tokens, see [Token use in AWS WAF intelligent threat mitigation](waf-tokens.md). It's possible for this rule to match on a request that has a token if requests from the same client have recently been missing tokens. The threshold that this rule applies can vary slightly due to latency. This rule handles missing tokens differently from the token labeling: `awswaf:managed:token:absent`. The token labeling labels individual requests that don't have a token. This rule maintains a count of requests that are missing their token for each client IP, and it matches against clients that go over the limit. Rule action: Challenge Labels: `awswaf:managed:aws:bot-control:targeted:aggregate:volumetric:ip:token_absent` and `awswaf:managed:aws:bot-control:TGT_VolumetricIpTokenAbsent` |
| TGT\$1TokenAbsent | Inspects requests that are not from verified bots that don't include a valid challenge token. For information about tokens, see [Token use in AWS WAF intelligent threat mitigation](waf-tokens.md). Rule action: Count Labels: `awswaf:managed:aws:bot-control:TGT_TokenAbsent` |
| TGT\$1VolumetricSession | Inspects for an abnormally high number of requests that are not from verified bots that come from a single client session in a 5 minute window. The evaluation is based on a comparison to standard volumetric baselines that AWS WAF maintains using historic traffic patterns. This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see [Token use in AWS WAF intelligent threat mitigation](waf-tokens.md). This rule can take 5 minutes to go into effect after you enable it. Bot Control identifies anomalous behavior in your web traffic by comparing the current traffic to traffic baselines that AWS WAF computes. Rule action: CAPTCHA Labels: `awswaf:managed:aws:bot-control:targeted:aggregate:volumetric:session:high` and `awswaf:managed:aws:bot-control:TGT_VolumetricSession` The rule group applies the following labels to medium volume and lower volume requests that are above a minimum threshold. For these levels, the rule takes no action, regardless of whether the client is verified: `awswaf:managed:aws:bot-control:targeted:aggregate:volumetric:session:medium` and `awswaf:managed:aws:bot-control:targeted:aggregate:volumetric:session:low`. |
| TGT\$1VolumetricSessionMaximum | Inspects for an abnormally high number of requests that are not from verified bots that come from a single client session in a 5 minute window. The evaluation is based on a comparison to standard volumetric baselines that AWS WAF maintains using historic traffic patterns. This rule indicates the maximum confidence in the assessment. This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see [Token use in AWS WAF intelligent threat mitigation](waf-tokens.md). This rule can take 5 minutes to go into effect after you enable it. Bot Control identifies anomalous behavior in your web traffic by comparing the current traffic to traffic baselines that AWS WAF computes. Rule action: Block Labels: `awswaf:managed:aws:bot-control:targeted:aggregate:volumetric:session:maximum` and `awswaf:managed:aws:bot-control:TGT_VolumetricSessionMaximum` |
| TGT\$1SignalAutomatedBrowser | Inspects the tokens of requests that are not from verified bots for indicators that the client browser might be automated. For more information, see [AWS WAF token characteristics](waf-tokens-details.md). This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see [Token use in AWS WAF intelligent threat mitigation](waf-tokens.md). Rule action: CAPTCHA Labels: `awswaf:managed:aws:bot-control:targeted:signal:automated_browser` and `awswaf:managed:aws:bot-control:TGT_SignalAutomatedBrowser` |
| TGT\$1SignalBrowserAutomationExtension | Inspects requests that are not from verified bots that indicate the presence of a browser extension that assists in automation, such as Selenium IDE. This rule matches whenever a user has this type of extension installed, even if they're not actively using it. This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see [Token use in AWS WAF intelligent threat mitigation](waf-tokens.md). Rule action: CAPTCHA Labels: `awswaf:managed:aws:bot-control:targeted:signal:browser_automation_extension` and `awswaf:managed:aws:bot-control:TGT_SignalBrowserAutomationExtension` |
| TGT\$1SignalBrowserInconsistency | Inspects requests that are not from verified bots for inconsistent browser interrogation data. For more information, see [AWS WAF token characteristics](waf-tokens-details.md). This inspection only applies when the web request has a token. Tokens are added to requests by the application integration SDKs and by the rule actions CAPTCHA and Challenge. For more information, see [Token use in AWS WAF intelligent threat mitigation](waf-tokens.md). Rule action: CAPTCHA Labels: `awswaf:managed:aws:bot-control:targeted:signal:browser_inconsistency` and `awswaf:managed:aws:bot-control:TGT_SignalBrowserInconsistency` |
| TGT\$1ML\$1CoordinatedActivityLow, TGT\$1ML\$1CoordinatedActivityMedium, TGT\$1ML\$1CoordinatedActivityHigh | Inspects requests that are not from verified bots for anomalous behavior that’s consistent with distributed, coordinated bot activity. The rule levels indicate the level of confidence that a group of requests are participants in a coordinated attack. These rules only run if the rule group is configured to use machine learning (ML). For information about configuring this choice, see [Adding the AWS WAF Bot Control managed rule group to your web ACL](waf-bot-control-rg-using.md). The thresholds that these rules apply can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied. AWS WAF performs this inspection through machine learning analysis of website traffic statistics. AWS WAF analyzes web traffic every few minutes and optimizes the analysis for the detection of low intensity, long-duration bots that are distributed across many IP addresses. These rules might match on a very small number of requests before determining that a coordinated attack is not underway. So if you see just a match or two, the results might be false positives. If you see a lot of matches coming out of these rules however, then you're probably experiencing a coordinated attack. These rules can take up to 24 hours to go into effect after you enable the Bot Control targeted rules with the ML option. Bot Control identifies anomalous behavior in your web traffic by comparing the current traffic to traffic baselines that AWS WAF has computed. AWS WAF only computes the baselines while you're using the Bot Control targeted rules with the ML option, and it can take up to 24 hours to establish meaningful baselines. We periodically update our machine learning models for these rules, to improve bot predictions. If you notice a sudden and substantial change in the bot predictions that these rules make, contact your account manager or open a case at [AWS Support Center](https://console.aws.amazon.com/support/home#/). Rule actions: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) Labels: `awswaf:managed:aws:bot-control:targeted:aggregate:coordinated_activity:low\|medium\|high` and `awswaf:managed:aws:bot-control:TGT_ML_CoordinatedActivityLow\|Medium\|High` |
| TGT\$1TokenReuseIpLow, TGT\$1TokenReuseIpMedium, TGT\$1TokenReuseIpHigh | Inspects requests that are not from verified bots for the use of a single token among multiple IPs in the last 5 minutes. Each level has a limit on the number of distinct IPs: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) The thresholds that these rules apply can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied. Rule actions: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) Labels: `awswaf:managed:aws:bot-control:targeted:aggregate:volumetric:session:token_reuse:ip:low\|medium\|high` and `awswaf:managed:aws:bot-control:TGT_TokenReuseIpLow\|Medium\|High` |
| TGT\$1TokenReuseCountryLow, TGT\$1TokenReuseCountryMedium, TGT\$1TokenReuseCountryHigh | Inspects requests that are not from verified bots for the use of a single token across multiple countries in the last 5 minutes. Each level has a limit on the number of distinct countries: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) The thresholds that these rules apply can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied. Rule actions: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) Labels: `awswaf:managed:aws:bot-control:targeted:aggregate:volumetric:session:token_reuse:country:low\|medium\|high` and `awswaf:managed:aws:bot-control:TGT_TokenReuseCountryLow\|Medium\|High` |
| TGT\$1TokenReuseAsnLow, TGT\$1TokenReuseAsnMedium, TGT\$1TokenReuseAsnHigh | Inspects requests that are not from verified bots for the use of a single token across multiple networking autonomous system numbers (ASNs) in the last 5 minutes. Each level has a limit on the number of distinct ASNs: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) The thresholds that these rules apply can vary slightly due to latency. A few requests might make it through beyond the limit before the rule action is applied. Rule actions: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html) Labels: `awswaf:managed:aws:bot-control:targeted:aggregate:volumetric:session:token_reuse:asn:low\|medium\|high` and `awswaf:managed:aws:bot-control:TGT_TokenReuseAsnLow\|Medium\|High` |
# AWS WAF Distributed Denial of Service (DDoS) prevention rule group
This section describes the AWS WAF managed rule group for the protection against Distributed Denial of Service (DDoS) attacks.
VendorName: `AWS`, Name: `AWSManagedRulesAntiDDoSRuleSet`, WCU: 50
**Note**
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog log at [AWS Managed Rules changelog](aws-managed-rule-groups-changelog.md). For information about other versions, use the API command [DescribeManagedRuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_DescribeManagedRuleGroup.html).
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
The Anti-DDoS managed rule group provides rules that detect and manage requests that are participating or likely to be participating in DDoS attacks. Additionally, the rule group labels all requests that it evaluates during a probable event.
## Considerations for using this rule group
This rule group provides soft and hard mitigations for web requests coming to resources that are under DDoS attack. To detect different threat levels, you can tune the sensitivity of both mitigation types to high, medium, or low suspicion levels.
+ **Soft mitigation** – The rule group can send silent browser challenges in response to requests that can handle the challenge interstitial. For information about the requirements for running the challenge, see [CAPTCHA and Challenge action behavior](waf-captcha-and-challenge-actions.md).
+ **Hard mitigation** – The rule group can block requests altogether.
For more information about how the rule group works and how to configure it, see [Advanced Anti-DDoS protection using the AWS WAF Anti-DDoS managed rule group](waf-anti-ddos-advanced.md).
**Note**
You are charged additional fees when you use this managed rule group. For more information, see [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).
This rule group is part of the intelligent threat mitigation protections in AWS WAF. For information, see [Intelligent threat mitigation in AWS WAF](waf-managed-protections.md).
To minimize costs and optimize traffic management, use this rule group in accordance with best practice guidelines. See, [Best practices for intelligent threat mitigation in AWS WAF](waf-managed-protections-best-practices.md).
## Labels added by this rule group
This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack (web ACL). AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](waf-labels.md) and [Label metrics and dimensions](waf-metrics.md#waf-metrics-label).
### Token labels
This rule group uses AWS WAF token management to inspect and label web requests according to the status of their AWS WAF tokens. AWS WAF uses tokens for client session tracking and verification.
For information about tokens and token management, see [Token use in AWS WAF intelligent threat mitigation](waf-tokens.md).
For information about the label components described here, see [Label syntax and naming requirements in AWS WAF](waf-rule-label-requirements.md).
**Client session label**
The label `awswaf:managed:token:id:identifier` contains a unique identifier that AWS WAF token management uses to identify the client session. The identifier can change if the client acquires a new token, for example after discarding the token it was using.
**Note**
AWS WAF doesn't report Amazon CloudWatch metrics for this label.
**Browser fingerprint label**
The label `awswaf:managed:token:fingerprint:fingerprint-identifier` contains a robust browser fingerprint identifier that AWS WAF token management computes from various client browser signals. This identifier stays the same across multiple token acquisition attempts. The fingerprint identifier is not unique to a single client.
**Note**
AWS WAF doesn't report Amazon CloudWatch metrics for this label.
**Token status labels: Label namespace prefixes**
Token status labels report on the status of the token and of the challenge and CAPTCHA information that it contains.
Each token status label begins with one of the following namespace prefixes:
+ `awswaf:managed:token:` – Used to report the general status of the token and to report on the status of the token's challenge information.
+ `awswaf:managed:captcha:` – Used to report on the status of the token's CAPTCHA information.
**Token status labels: Label names**
Following the prefix, the rest of the label provides detailed token status information:
+ `accepted` – The request token is present and contains the following:
+ A valid challenge or CAPTCHA solution.
+ An unexpired challenge or CAPTCHA timestamp.
+ A domain specification that's valid for the protection pack (web ACL).
Example: The label `awswaf:managed:token:accepted` indicates that the web requests's token has a valid challenge solution, an unexpired challenge timestamp, and a valid domain.
+ `rejected` – The request token is present but doesn't meet the acceptance criteria.
Along with the rejected label, token management adds a custom label namespace and name to indicate the reason.
+ `rejected:not_solved` – The token is missing the challenge or CAPTCHA solution.
+ `rejected:expired` – The token's challenge or CAPTCHA timestamp has expired, according to your protection pack (web ACL)'s configured token immunity times.
+ `rejected:domain_mismatch` – The token's domain isn't a match for your protection pack (web ACL)'s token domain configuration.
+ `rejected:invalid` – AWS WAF couldn't read the indicated token.
Example: The labels `awswaf:managed:captcha:rejected` and `awswaf:managed:captcha:rejected:expired` together indicate that the request didn't have a valid CAPTCHA solve because the CAPTCHA timestamp in the token has exceeded the CAPTCHA token immunity time that's configured in the protection pack (web ACL).
+ `absent` – The request doesn't have the token or the token manager couldn't read it.
Example: The label `awswaf:managed:captcha:absent` indicates that the request doesn't have the token.
### Anti-DDoS labels
The Anti-DDoS managed rule group generates labels with the namespace prefix `awswaf:managed:aws:anti-ddos:` followed by any custom namespace and the label name. Each label reflects some aspect of the Anti-DDoS findings.
The rule group might add more than one of the following labels to a request, in addition to the labels that are added by individual rules.
+ `awswaf:managed:aws:anti-ddos:event-detected` – Indicates that the request is going to a protected resource for which the managed rule group detects a DDoS event. The managed rule group detects events when the traffic to the resource has a significant deviation from the resource's traffic baseline.
The rule group adds this label to every request that goes to the resource while it's in this state, so legitimate traffic and attack traffic get this label.
+ `awswaf:managed:aws:anti-ddos:ddos-request` – Indicates that the request is coming from a source suspected of participating in an event.
In addition to the general label, the rule group adds the following labels that indicate the level of confidence.
`awswaf:managed:aws:anti-ddos:low-suspicion-ddos-request` – Indicates a probable DDoS attack request.
`awswaf:managed:aws:anti-ddos:medium-suspicion-ddos-request` – Indicates a very likely DDoS attack request.
`awswaf:managed:aws:anti-ddos:high-suspicion-ddos-request` – Indicates a highly likely DDoS attack request.
+ `awswaf:managed:aws:anti-ddos:challengeable-request` – Indicates that the request URI is capable of handling the Challenge action. The managed rule group applies this to any request whose URI isn't exempted. URIs are exempted if they match the rule group's exempt URI regular expressions.
For information about the requirements for requests that can take a silent browser challenge, see [CAPTCHA and Challenge action behavior](waf-captcha-and-challenge-actions.md).
You can retrieve all labels for a rule group through the API by calling `DescribeManagedRuleGroup`. The labels are listed in the `AvailableLabels` property in the response.
The Anti-DDoS managed rule group applies labels to requests, but doesn't always act on them. The request management depends on the confidence with which the rule group determines participation in an attack. If you want, you can manage requests that the rule group labels by adding a label matching rule that runs after the rule group. For more information about this and examples, see [AWS WAF Distributed Denial of Service (DDoS) prevention](waf-anti-ddos.md).
## Anti-DDoS rules listing
This section lists the Anti-DDoS rules.
**Note**
This documentation covers the most recent static version release of this managed rule group. We report version changes in the changelog log at [AWS Managed Rules changelog](aws-managed-rule-groups-changelog.md). For information about other versions, use the API command [DescribeManagedRuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_DescribeManagedRuleGroup.html).
The information that we publish for the rules in the AWS Managed Rules rule groups is intended to provide you with what you need to use the rules without giving bad actors what they need to circumvent the rules.
If you need more information than you find here, contact the [AWS Support Center](https://console.aws.amazon.com/support/home#/).
| Rule name | Description |
| --- | --- |
| ChallengeAllDuringEvent | Matches requests that have the label `awswaf:managed:aws:anti-ddos:challengeable-request` for any protected resource that is currently under attack. Rule action: Challenge You can only override this rule action to Allow or Count. The use of Allow is not recommended. For any rule action setting, the rule only matches requests that have the `challengeable-request` label. The configuration of this rule affects the evaluation of the next rule, `ChallengeDDoSRequests`. AWS WAF only evaluates that rule when the action for this rule has override set to Count, in the web ACL's configuration of the managed rule group. If your workload is vulnerable to unexpected request volume changes, we recommend challenging all challengable requests, by keeping the default action setting of Challenge. For less sensitive applications, you can set the action for this rule to Count and then tune the sensitivity of your Challenge responses with the rule `ChallengeDDoSRequests`. Labels: `awswaf:managed:aws:anti-ddos:ChallengeAllDuringEvent` |
| ChallengeDDoSRequests | Matches requests for a protected resource that meet or exceed the rule group's configured challenge sensitivity setting, during times that the resource is under attack. Rule action: Challenge You can only override this rule action to Allow or Count. The use of Allow is not recommended. In any case, the rule only matches requests that have the `challengeable-request` label. AWS WAF only evaluates this rule if you override the action to Count in the prior rule, `ChallengeAllDuringEvent`. Labels: `awswaf:managed:aws:anti-ddos:ChallengeDDoSRequests` |
| DDoSRequests | Matches requests for a protected resource that meet or exceed the rule group's configured block sensitivity setting, during times that the resource is under attack. Rule action: Block Labels: `awswaf:managed:aws:anti-ddos:DDoSRequests` |
# Deployments for versioned AWS Managed Rules rule groups
This section introduces how AWS deploys updates to AWS Managed Rules rule groups.
AWS deploys changes to its versioned AWS Managed Rules rule groups in three standard deployments: release candidate, static version, and default version. Additionally, AWS might sometimes need to release an exception deployment or roll back a default version deployment.
**Note**
This section applies only to AWS Managed Rules rule groups that are versioned. The only rule groups that aren't versioned are the IP reputation rule groups.
**Topics**
+ [
# Notifications for AWS Managed Rules rule groups deployments
](waf-managed-rule-groups-deployments-notifications.md)
+ [
# Overview of the standard deployments for AWS Managed Rules
](waf-managed-rule-groups-deployments-standard.md)
+ [
# Typical version states for AWS Managed Rules
](waf-managed-rule-groups-typical-version-states.md)
+ [
# Release candidate deployments for AWS Managed Rules
](waf-managed-rule-groups-deployments-release-candidate.md)
+ [
# Static version deployments for AWS Managed Rules
](waf-managed-rule-groups-deployments-static-version.md)
+ [
# Default version deployments for AWS Managed Rules
](waf-managed-rule-groups-deployments-default-version.md)
+ [
# Exception deployments for AWS Managed Rules
](waf-managed-rule-groups-deployments-exceptions.md)
+ [
# Default deployment rollbacks for AWS Managed Rules
](waf-managed-rule-groups-deployments-default-rollbacks.md)
# Notifications for AWS Managed Rules rule groups deployments
This section explains how Amazon SNS notifications work with AWS Managed Rules rule groups.
The versioned AWS Managed Rules rule groups all provide SNS update notifications for deployments and they all use the same SNS topic Amazon Resource Name (ARN). The only rule groups that aren't versioned are the IP reputation rule groups.
For deployments that affect your protections, such as changes to the default version, AWS provides SNS notifications to inform you of planned deployments and to let you know when a deployment is starting. For deployments that don't affect your protections, such as release candidate and static version deployments, AWS might notify you after the deployment has started or even after it's completed. At the completion of the deployment of a new static version, AWS updates this guide, in the changelog at [AWS Managed Rules changelog](aws-managed-rule-groups-changelog.md) and in the document history page at [Document history](doc-history.md).
To receive all updates that AWS provides for the AWS Managed Rules rule groups, subscribe to the RSS feed from any HTML page of this guide, and subscribe to the SNS topic for the AWS Managed Rules rule groups. For information about subscribing to the SNS notifications, see [Getting notified of new versions and updates to a managed rule group](waf-using-managed-rule-groups-sns-topic.md).
**Contents of the SNS notifications**
The fields in the Amazon SNS notifications always include the Subject, Message, and MessageAttributes. Additional fields depend on the type of message and which managed rule group the notification is for. The following shows an example notification listing for `AWSManagedRulesCommonRuleSet`.
```
{
"Type": "Notification",
"MessageId": "4286b830-a463-5e61-bd15-e1ae72303868",
"TopicArn": "arn:aws:sns:us-west-2:123456789012:MyTopic",
"Subject": "New version available for rule group AWSManagedRulesCommonRuleSet",
"Message": "Welcome to AWSManagedRulesCommonRuleSet version 1.5! We've updated the regex specification in this version to improve protection coverage, adding protections against insecure deserialization. For details about this change, see http://updatedPublicDocs.html. Look for more exciting updates in the future! ",
"Timestamp": "2021-08-24T11:12:19.810Z",
"SignatureVersion": "1",
"Signature": "EXAMPLEHXgJm...",
"SigningCertURL": "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-f3ecfb7224c7233fe7bb5f59f96de52f.pem",
"SubscribeURL": "https://sns.us-west-2.amazonaws.com/?Action=ConfirmSubscription&TopicArn=arn:aws:sns:us-west-2:123456789012:MyTopic&Token=2336412f37...",
"MessageAttributes": {
"major_version": {
"Type": "String",
"Value": "v1"
},
"managed_rule_group": {
"Type": "String",
"Value": "AWSManagedRulesCommonRuleSet"
}
}
}
```
# Overview of the standard deployments for AWS Managed Rules
AWS rolls out new AWS Managed Rules functionality using three standard deployment stages: release candidate, static version, and default version.
The following diagram depicts these standard deployments. Each is described in more detail in the sections that follow.
![\[Four vertical swimlanes show different standard deployment stages. The leftmost swimlane shows the default version set to the recommended static version 1.4. The second swimlane shows the default set to a release candidate (RC) version for testing and tuning. The RC version contains 1.4 rules and RC rules. A note indicates that after testing, the default is returned to the recommended static version. The third swimlane shows the creation of a static version 1.5 from the rules in the release candidate version. The fourth swimlane shows the default version set to the new recommended static version 1.5.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/amr-rg-versions-flowchart-diagram.png)
# Typical version states for AWS Managed Rules
Normally, a versioned managed rule group has a number of unexpired static versions, and the default version points to the static version that AWS recommends. The following figure shows an example of the typical set of static versions and default version setting.
![\[Three static versions Version_1.2, Version_1.3, and Version_1.4 are stacked, with Version_1.4 on the top. Version_1.4 has two rules, RuleA and RuleB, both with production action. A default version indicator points to Version_1.4.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/amr-rg-versions-diagram.png)
The production action for most rules in a static version is Block, but it might be set to something different. For detailed information about rule action settings, see the rule listings for each rule group at [AWS Managed Rules rule groups list](aws-managed-rule-groups-list.md).
# Release candidate deployments for AWS Managed Rules
This section explains how a temporary release candidate deployment works.
When AWS has a candidate set of rule changes for a managed rule group, it tests them in a temporary release candidate deployment. AWS evaluates the candidate rules in count mode against production traffic, and performs final tuning activities, including mitigating false positives. AWS tests release candidate rules in this way for all customers who use the default version of the rule group. Release candidate deployments don't apply to customers who use a static version of the rule group.
If you use the default version, a release candidate deployment won't alter how your web traffic is managed by the rule group. You might notice the following while the candidate rules are being tested:
+ Default version name change from `Default (using Version_X.Y)` to `Default (using Version_X.Y_PLUS_RC_COUNT)`.
+ Additional count metrics in Amazon CloudWatch with `RC_COUNT` in their names. These are generated by the release candidate rules.
AWS tests a release candidate for about a week, then removes it and resets the default version to the current recommended static version.
AWS performs the following steps for a release candidate deployment:
1. **Create the release candidate** – AWS adds a release candidate based on the current recommended static version, which is the version that the default is pointing to.
The name of the release candidate is the static version name appended with `_PLUS_RC_COUNT`. For example, if the current recommended static version is `Version_2.1`, then the release candidate would be named `Version_2.1_PLUS_RC_COUNT`.
The release candidate contains the following rules:
+ Rules copied exactly from the current recommended static version, with no changes to rule configurations.
+ Candidate new rules with rule action set to Count and with names that end with `_RC_COUNT`.
Most candidate rules provide proposed improvements to rules that exist already in the rule group. The name for each of these rules is the existing rule's name appended with `_RC_COUNT`.
1. **Set the default version to the release candidate and test** – AWS sets the default version to point to the new release candidate, to perform testing against your production traffic. Testing usually takes about a week.
You'll see the default version's name change from the one that indicates only the static version, such as `Default (using Version_1.4)`, to one that indicates the static version plus the release candidate rules, such as `Default (using Version_1.4_PLUS_RC_COUNT)`. This naming scheme lets you identify which static version you're using to manage your web traffic.
The following diagram shows the state of the example rule group versions at this point.
![\[At the top of the figure are three stacked static versions, with Version_1.4 on the top. Separate from the static versions stack is the version Version_1.4_PLUS_RC_COUNT. This version contains the rules from Version_1.4 and it also contains two release candidate rules, RuleB_RC_COUNT and RuleZ_RC_COUNT, both with count action. The default version indicator points to Version_1.4_PLUS_RC_COUNT.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/amr-rg-versions-rc-diagram.png)
The release candidate rules are always configured with Count action, so they don't alter how the rule group manages web traffic.
The release candidate rules generate Amazon CloudWatch count metrics that AWS uses to verify behavior and to identify false positives. AWS makes adjustments as needed, to tune the behavior of the release candidate count rules.
The release candidate version isn't a static version, and it's not available for you to choose from the list of static rule group versions. You can only see the name of the release candidate version in the default version specification.
1. **Return the default version to the recommended static version** – After testing the release candidate rules, AWS sets the default version back to the current recommended static version. The default version name setting drops the `_PLUS_RC_COUNT` ending, and the rule group stops generating CloudWatch count metrics for the release candidate rules. This is a silent change, and is not the same as a deployment of a default version rollback.
The following diagram shows the state of the example rule group versions after the testing of the release candidate is complete.
![\[This is the typical version states figure again. Three static versions Version_1.2, Version_1.3, and Version_1.4 are stacked with Version_1.4 on the top. Version_1.4 has two rules, RuleA and RuleB, both with production action. A default version indicator points to Version_1.4.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/amr-rg-versions-rc-complete-diagram.png)
**Timing and notifications**
AWS deploys release candidate versions on an as-needed basis, to test improvements to a rule group.
+ **SNS** – AWS sends an SNS notification at the start of the deployment. The notification indicates the estimated time that the release candidate will be tested. When testing is complete, AWS silently returns the default to the static version setting, without a second notification.
+ **Change log** – AWS doesn't update the change log or other parts of this guide for this type of deployment.
# Static version deployments for AWS Managed Rules
When AWS determines that a release candidate provides valuable changes to the rule group, AWS deploys a new static version for the rule group based on the release candidate. This deployment doesn't change the default version of the rule group.
The new static version contains the following rules from the release candidate:
+ Rules from the prior static version that don't have a replacement candidate among the release candidate rules.
+ Release candidate rules, with the following changes:
+ AWS changes the rule name by removing the release candidate suffix `_RC_COUNT`.
+ AWS changes the rule actions from Count to their production rule actions.
For release candidate rules that are replacements of prior existing rules, this replaces the functionality of the prior rules in the new static version.
The following diagram depicts the creation of the new static version from the release candidate.
![\[At the top of the figure is the release candidate version Version_1.4_PLUS_RC_COUNT, with the same rules as in the prior release candidate deployment figure. The version contains the rules from Version_1.4 and it also contains release candidate rules RuleB_RC_COUNT and RuleZ_RC_COUNT, both with count action. Below this, at the bottom of the figure is a static version Version_1.5, which contains rules RuleA, RuleB, and RuleZ, all with production action. Arrows point from the RC version to Version_1.5 to indicate that RuleA is copied from the Version_1.4 rules and RuleB and RuleZ are copied from the release candidate rules. All rules in Version_1.5 have production actions.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/amr-rg-versions-create-static-diagram.png)
After deployment, the new static version is available for you to test and to use in your protections if you want to. You can review new and updated rule actions and descriptions in the rule group's rule listings at [AWS Managed Rules rule groups list](aws-managed-rule-groups-list.md).
A static version is immutable after deployment, and only changes when AWS expires it. For information about version life cycles, see [Using versioned managed rule groups in AWS WAF](waf-managed-rule-groups-versioning.md).
**Timing and notifications**
AWS deploys a new static version as needed, in order to deploy improvements to rule group functionality. The deployment of a static version doesn't impact the default version setting.
+ **SNS** – AWS sends an SNS notification when the deployment completes.
+ **Change log** – After the deployment is complete everywhere that AWS WAF is available, AWS updates the rule group definition in this guide as needed, and then announces the release in the AWS Managed Rules rule group change log and in the documentation history page.
# Default version deployments for AWS Managed Rules
When AWS determines that a new static version provides improved protections for the rule group compared to the current default, AWS updates the default version to the new static version. AWS might release multiple static versions before promoting one to the rule group's default version.
The following diagram shows the state of the example rule group versions after AWS moves the default version setting to the new static version.
![\[This is similar to the typical version states figure, but with Version_1.5 on the top of the stack and the default indicator pointing to it.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/amr-rg-versions-new-default-diagram.png)
Before deploying this change to the default version, AWS provides notifications so that you can test and prepare for the upcoming changes. If you use the default version, you can take no action and remain on it through the update. If instead you want to delay switching to the new version, before the planned start of the default version deployment, you can explicitly configure your rule group to use the static version that the default is set to.
**Timing and notifications**
AWS updates the default version when it recommends a different static version for the rule group than the one that's currently in use.
+ **SNS** – AWS sends an SNS notification at least one week prior to the targeted deployment day and then another on the deployment day, at the start of the deployment. Each notification includes the rule group name, the static version that the default version is being updated to, the deployment date, and the scheduled timing of the deployment for each AWS Region where the update is being performed.
+ **Change log** – AWS doesn't update the change log or other parts of this guide for this type of deployment.
# Exception deployments for AWS Managed Rules
AWS might bypass the standard deployment stages in order to quickly deploy updates that address critical security risks. An exception deployment might involve any of the standard deployment types, and it might be rolled out quickly across the AWS Regions.
AWS provides as much advance notification as possible for exception deployments.
**Timing and notifications**
AWS performs exception deployments only when required.
+ **SNS** – AWS sends an SNS notification as far ahead of the targeted deployment day as possible and then another one at the start of the deployment. Each notification includes the rule group name, the change that's being made, and the deployment date.
+ **Change log** – If the deployment is for a static version, after the deployment is complete everywhere that AWS WAF is available, AWS updates the rule group definition in this guide as needed, and then announces the release in the AWS Managed Rules rule group change log and in the documentation history page.
# Default deployment rollbacks for AWS Managed Rules
Under certain conditions, AWS might roll back the default version to its prior setting. A rollback usually takes less than ten minutes for all AWS Regions.
AWS performs a rollback only to mitigate a significant issue in a static version, such as an unacceptably high level of false positives.
After the rollback of the default version setting, AWS expedites both the expiration of the static version that has the issue and the release of a new static version to address the issue.
**Timing and notifications**
AWS performs default version rollbacks only when required.
+ **SNS** – AWS sends a single SNS notification at the time of the rollback. The notification includes the rule group name, the version that the default version is being set to, and the deployment date. This deployment type is very quick, so the notification doesn't provide timing information for Regions.
+ **Change log** – AWS doesn't update the change log or other parts of this guide for this type of deployment.
# AWS Managed Rules changelog
This section lists changes to the AWS Managed Rules for AWS WAF since their release in November, 2019.
**Note**
This changelog reports changes to the rules and rule groups in AWS Managed Rules for AWS WAF.
For the [IP reputation rule groups](aws-managed-rule-groups-ip-rep.md), this changelog reports changes to the rules and rule group, and it reports significant changes to the sources of the IP address lists that the rules use. It does not report changes to the IP address lists themselves, due to the dynamic nature of those lists. If you have questions about the IP address lists, contact your account manager or open a case at [AWS Support Center](https://console.aws.amazon.com/support/home#/).
| Rule group and rules | Description | Date |
| --- | --- | --- |
| [Core rule set (CRS) managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.21 of this rule group. Improved detection signatures for these rules. | 2026-04-06 |
| [PHP application managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-php-app) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 2.2 of this rule group. Improved detections and added `PHPHighRiskMethodsVariables_URIPATH` rule. | 2026-03-24 |
| [AWS WAF Bot Control rule group](aws-managed-rule-groups-bot.md) New rules: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 5.0 of this rule group. Added 400\$1 new bots across multiple categories, including two new bot categories with their respective rules: Page Preview and Webhooks. **Key Improvements** Improved accuracy of bot detection signals and generic bot pattern matching, resulting in more precise traffic classification. This update changes how the managed rule group prioritizes bot detection. Specific unverified bot patterns are now evaluated before generic patterns and detection signals. This means that requests are more likely to be classified based on their most specific characteristics rather than generic indicators. **What this means for your traffic:** Generic bot pattern will now match less frequently. These patterns only apply when no more specific bot rule has already identified the traffic. This reduces over-classification and ensures that requests are labeled with the most accurate bot identification available. Detection signals such as indicators that a request originates from a cloud service provider, known bot data center, or uses a non-browser user agent, are now applied after bot identification rules. This ensures that specific bot classifications take precedence over generic traffic signals. **Impact:** You may see fewer labels for generic bot patterns in your traffic logs, as requests are now more accurately classified by specific bot rules. This provides clearer insight into the actual nature of your automated traffic and reduces noise from overly broad pattern matching. Unverified bot classifications will be more prominent and accurate, helping you better understand and manage automated requests to your applications. **Note:** This version includes the `awswaf:managed:aws:bot-control:bot:web_bot_auth` labels and rules updates from Version\$14.0, but the `Web Bot Auth` functionality is still only available in CloudFront. | 2026-02-25 |
| [POSIX operating system managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-posix-os) | Released static version 3.2 of this rule group. Improved detection signatures for all the rules. | 2026-01-15 |
| [Known bad inputs managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-known-bad-inputs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.25 of this rule group. Updated the `ReactJSRCE_BODY` to improve detection. | 2025-12-08 |
| [POSIX operating system managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-posix-os) | Released static version 3.1 of this rule group. Improved detection signatures for all the rules. | 2025-12-08 |
| [Known bad inputs managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-known-bad-inputs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.24 of this rule group. Updated the `ReactJSRCE_BODY` to improve detection. | 2025-12-04 |
| [AWS WAF Bot Control rule group](aws-managed-rule-groups-bot.md) New labels:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) Scope: CloudFront | Deployed new static version `AWSManagedRulesBotControlRuleSet` Version\$14.0 with Web Bot Authentication (WBA) support for cryptographic bot verification. This version must be explicitly selected and does not automatically update existing deployments using the default version. New capabilities: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) Rule updates: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) Version\$14.0 is a static version only – it does not change the default version behavior. To use WBA features, explicitly select Version \$14.0 when configuring your web ACL. | 2025-11-20 |
| [AWS WAF Bot Control rule group](aws-managed-rule-groups-bot.md) New verified bot labels:Advertising:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html)AI:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html)Content Fetcher:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html)Social Media:[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Key improvements: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) Bot category rules in Bot Control trigger only on unverified bots, except for CategoryAI which also triggers on verified bots. Version\$13.3 is a static version only – it doesn't change the default version behavior. | 2025-11-17 |
| [Core rule set (CRS) managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.20 of this rule group. Improved detection signatures for the Server Side Request Forgery (SSRF) rules. | 2025-10-02 |
| [Core rule set (CRS) managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.19 of this rule group. Improved detection signatures for the cross site scripting rules. | 2025-08-14 |
| [Core rule set (CRS) managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.18 of this rule group. Improved detection signatures for the cross site scripting rules. | 2025-06-18 |
| [AWS WAF Bot Control rule group](aws-managed-rule-groups-bot.md) New labels: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 3.2 of this rule group. Added the listed new labels. | 2025-05-29 |
| [Core rule set (CRS) managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.17 of this rule group. Improved detection signatures for the cross site scripting rules. | 2025-03-03 |
| [SQL database managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-sql-db) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.3 of this rule group. Added double `URL_DECODE_UNI` text transformation to the listed rules. | 2025-01-24 |
| [Linux operating system managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-linux-os) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 2.6 of this rule group. Added signatures to improve detection. | 2025-01-24 |
| [AWS WAF Bot Control rule group](aws-managed-rule-groups-bot.md) New bot name label in the Bot Control labels: `awswaf:managed:aws:bot-control:bot::name:nytimes` | Released static version 3.1 of this rule group. Added the New York Times label to the list of bot name labels. | 2024-11-07 |
| [Core rule set (CRS) managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.16 of this rule group. Improved detection signatures for the cross site scripting rules. | 2024-10-16 |
| [AWS WAF Bot Control rule group](aws-managed-rule-groups-bot.md) New rules: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) Deleted rules: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) New labels: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) Additional labeling in existing rules. | Released static versions 2.0 and 3.0 of this rule group. Version 2.0 is the same as version 3.0, but with rule actions for all new rules set to Count. This guide documents the latest version of each rule group. Added the listed new rules. Updated labeling so that all rules apply a label with the pattern `awswaf:managed:aws:bot-control:`. Added cloud service provider labels to the Bot Control signal labels. Added new bot name labels that are inspected for by bot category rules. | 2024-09-13 |
| [AWS WAF Fraud Control account takeover prevention (ATP) rule group](aws-managed-rule-groups-atp.md) All rules | Released static version 1.1 of this rule group. Updated labeling so that all rules apply a label with the pattern `awswaf:managed:aws:atp:`. | 2024-09-13 |
| [AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group](aws-managed-rule-groups-acfp.md) All rules | Released static version 1.1 of this rule group. Updated labeling so that all rules apply a label with the pattern `awswaf:managed:aws:acfp:`. | 2024-09-13 |
| [Linux operating system managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-linux-os) All rules | Released static version 2.5 of this rule group. Added signatures to improve detection. | 2024-09-02 |
| [Core rule set (CRS) managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.15 of this rule group. Improved detection signatures for the generic LFI rules. | 2024-08-30 |
| [Windows operating system managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-windows-os) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 2.3 of this rule group. Adjusted detection signatures in the listed rules to reduce false positives. | 2024-08-28 |
| [WordPress application managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-wordpress-app) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.3 of this rule group. Added the JS\$1DECODE text transformation to the listed rule. | 2024-07-15 |
| [Linux operating system managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-linux-os) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 2.4 of this rule group. Added the JS\$1DECODE text transformation to the listed rule. | 2024-07-12 |
| [Core rule set (CRS) managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.14 of this rule group. Added the JS\$1DECODE text transformation to the listed rules. | 2024-07-09 |
| [PHP application managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-php-app) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 2.1 of this rule group. Added the JS\$1DECODE text transformation to the listed rules. | 2024-07-03 |
| [Windows operating system managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-windows-os) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 2.2 of this rule group. Added the JS\$1DECODE text transformation to the listed rules. | 2024-07-03 |
| [Linux operating system managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-linux-os) All rules | Released static version 2.3 of this rule group. Added signatures to improve detection. | 2024-06-06 |
| [AWS WAF Bot Control rule group](aws-managed-rule-groups-bot.md) [AWS WAF Fraud Control account takeover prevention (ATP) rule group](aws-managed-rule-groups-atp.md) [AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group](aws-managed-rule-groups-acfp.md) | The bot and fraud rule groups are now versioned. If you're using any of these rule groups, this update doesn't change how they handle your web traffic. This update sets the current rule group version to static version 1.0 and sets the default version to point to it. For more information about versioned managed rules, see the following: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | 2024-05-29 |
| [POSIX operating system managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-posix-os) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 3.0 of this rule group. Removed `UNIXShellCommandsVariables_QUERYARGUMENTS` and replaced it with `UNIXShellCommandsVariables_QUERYSTRING`. If you have rules that match on the label for `UNIXShellCommandsVariables_QUERYARGUMENTS`, when you use this version, switch them to match on the label for `UNIXShellCommandsVariables_QUERYSTRING`. The new label is `awswaf:managed:aws:posix-os:UNIXShellCommandsVariables_QueryString`. Added the rule `UNIXShellCommandsVariables_HEADER`, which matches on all headers. Updated all the rules in the managed rule group with improved detection logic. Corrected the documented capitalization of the label for `UNIXShellCommandsVariables_BODY`. | 2024-05-28 |
| [Core rule set (CRS) managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.12 of this rule group. Added signatures to all of the cross site scripting rules to improve detection and reduce false positives. | 2024-05-21 |
| [SQL database managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-sql-db) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.2 of this rule group. Added the `JS_DECODE` text transformation to the listed rules. | 2024-05-14 |
| [Known bad inputs managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-known-bad-inputs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.22 of this rule group. Added the `JS_DECODE` text transformation to the listed rules. | 2024-05-08 |
| [POSIX operating system managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-posix-os) | Released static version 2.2 of this rule group. Added the `JS_DECODE` text transformation to both rules. | 2024-05-08 |
| [Windows operating system managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-windows-os) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 2.1 of this rule group. Added signatures to `PowerShellCommands_BODY` to improve detection. | 2024-05-03 |
| [Amazon IP reputation list managed rule group](aws-managed-rule-groups-ip-rep.md#aws-managed-rule-groups-ip-rep-amazon) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Updated the sources of the IP reputation list, to improve identification of addresses that are actively engaging in malicious activities and to reduce false positives. This update doesn't involve a new version because this rule group isn't versioned. | 2024-03-13 |
| [Known bad inputs managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-known-bad-inputs) | Released static version 1.21 of this rule group. Added signatures to improve detection and reduce false positives. | 2023-12-16 |
| [Known bad inputs managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-known-bad-inputs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.20 of this rule group. Updated the `ExploitablePaths_URIPATH` rule to add detection for requests that match the Atlassian Confluence CVE-2023-22518 Improper Authorization vulnerability. This vulnerability affects all versions of Confluence Data Center and Server. For more information, see [NIST: National Vulnerability Database: CVE-2023-22518 Detail](https://nvd.nist.gov/vuln/detail/CVE-2023-22518). | 2023-12-14 |
| [Core rule set (CRS) managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.11 of this rule group. Added signatures to all of the cross site scripting rules to improve detection and reduce false positives. | 2023-12-06 |
| [AWS WAF Bot Control rule group](aws-managed-rule-groups-bot.md) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Added the coordinated activity low label to the rule group's targeted protection level labels. This label isn't associated with any rule. This labeling is in addition to the medium and high level rules and labels. | 2023-12-05 |
| [Bot Control labels](aws-managed-rule-groups-bot.md#aws-managed-rule-groups-bot-labels-rg) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Added a signal label to the rule group that indicates the detection of a browser extension that assists in automation. This label isn't specific to an individual rule. | 2023-11-14 |
| [Core rule set (CRS) managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.10 of this rule group. Updated one rule to improve detection and reduce false positives. | 2023-11-02 |
| [Core rule set (CRS) managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.9 of this rule group. Updated rules to improve detection and reduce false positives. | 2023-10-30 |
| [POSIX operating system managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-posix-os) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 2.1 of this rule group. Updated the query arguments rule to improve detection. | 2023-10-12 |
| [Core rule set (CRS) managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.8 of this rule group. Updated rules to improve detection. | 2023-10-11 |
| [Known bad inputs managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-known-bad-inputs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Exception deployment: released static version 1.19 of this rule group. Updated the default version to use version 1.19. Updated the `ExploitablePaths_URIPATH` rule to add detection for requests matching the Atlassian Confluence CVE-2023-22515 Privilege Escalation Vulnerability. This vulnerability affects some versions of Atlassian Confluence. For more information, see [NIST: National Vulnerability Database: CVE-2023-22515 Detail](https://nvd.nist.gov/vuln/detail/CVE-2023-22515) and [Atlassian Support: FAQ for CVE-2023-22515](https://confluence.atlassian.com/kb/faq-for-cve-2023-22515-1295682188.html). For information about this deployment type, see [Exception deployments for AWS Managed Rules](waf-managed-rule-groups-deployments-exceptions.md). | 2023-10-04 |
| [Known bad inputs managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-known-bad-inputs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Exception deployment: released static version 1.18 of this rule group. This is a quick rollout of this static version to accommodate the creation and rollout of version 1.19. Updated the `Host_localhost_HEADER` rule and all Log4J and Java deserialization rules for improved detection. For information about this deployment type, see [Exception deployments for AWS Managed Rules](waf-managed-rule-groups-deployments-exceptions.md). | 2023-10-04 |
| [AWS WAF Bot Control rule group](aws-managed-rule-groups-bot.md) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Added rules to the rule group with Count action. The token reuse IP rule detects and counts token sharing across IP addresses. The coordinated activity rules use automated, machine-learning (ML) analysis of website traffic to detect bot-related activity. In your rule group configuration, you can opt out of the use of ML. With this release, customers who are currently using the targeted protection level are opted in to the use of ML. Opting out disables the coordinated activity rules. | 2023-09-06 |
| [AWS WAF Bot Control rule group](aws-managed-rule-groups-bot.md) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Added the rule `CategoryAI` to the rule group. | 2023-08-30 |
| [Core rule set (CRS) managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.7 of this rule group. Updated restricted extensions and EC2 metadata SSRF rules to improve detection and reduce false positives. | 2023-07-26 |
| [AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group](aws-managed-rule-groups-acfp.md) All rules in new rule group | Added the rule group AWSManagedRulesACFPRuleSet. | 2023-06-13 |
| [Linux operating system managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-linux-os) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 2.2 of this rule group. Added signatures to improve detection. | 2023-05-22 |
| [Core rule set (CRS) managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.6 of this rule group. Updated cross-site scripting (XSS) and restricted extension rules to improve detection and reduce false positives. | 2023-04-28 |
| [PHP application managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-php-app) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 2.0 of this rule group. Added signatures to improve detection in all rules. Replaced the rule `PHPHighRiskMethodsVariables_QUERYARGUMENTS` with `PHPHighRiskMethodsVariables_QUERYSTRING`, which inspects the entire query string instead of just the query arguments. Added the rule `PHPHighRiskMethodsVariables_HEADER`, to expand coverage to include all headers. Updated the following labels to align with standard AWS Managed Rules labeling: [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | 2023-02-27 |
| [AWS WAF Fraud Control account takeover prevention (ATP) rule group](aws-managed-rule-groups-atp.md)[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Added login response inspection rules for use with protected Amazon CloudFront distributions. These rules can block new login attempts from IP addresses and client sessions that have recently been the source of too many failed login attempts. | 2023-02-15 |
| [Core rule set (CRS) managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.5 of this rule group. Updated Cross Site Scripting (XSS) filters to improve detection. | 2023-01-25 |
| [Linux operating system managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-linux-os) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 2.1 of this rule group. Removed the rule `LFI_COOKIE` and its label `awswaf:managed:aws:linux-os:LFI_Cookie`, and replaced them with the new rule `LFI_HEADER` and its label `awswaf:managed:aws:linux-os:LFI_Header`. This change expands inspection to multiple headers. Added text transformations and signatures to all rules to improve detection. | 2022-12-15 |
| [Core rule set (CRS) managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.4 of this rule group. Added a text transformation to `NoUserAgent_HEADER` to remove all null bytes. Updated the filters in the cross-site scripting rules to improve detection. | 2022-12-05 |
| [Known bad inputs managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-known-bad-inputs) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.17 of this rule group. Updated the Java deserialization rules to add detection for requests matching Apache CVE-2022-42889, a remote code execution (RCE) vulnerability in Apache Commons Text versions prior to 1.10.0. For more information, see [NIST: National Vulnerability Database: CVE-2022-42889 Detail](https://nvd.nist.gov/vuln/detail/CVE-2022-42889) and [CVE-2022-42889: Apache Commons Text prior to 1.10.0 allows RCE when applied to untrusted input due to insecure interpolation defaults](https://lists.apache.org/thread/n2bd4vdsgkqh2tm14l1wyc3jyol7s1om). Improved detection in `Host_localhost_HEADER`. | 2022-10-20 |
| [Known bad inputs managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-known-bad-inputs)[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.16 of this rule group. Removed false positives that AWS identified in version 1.15. | 2022-10-05 |
| [POSIX operating system managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-posix-os) [PHP application managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-php-app) [WordPress application managed rule group](aws-managed-rule-groups-use-case.md#aws-managed-rule-groups-use-case-wordpress-app) | Corrected the documented label names. | 2022-09-19 |
| [IP reputation rule groups](aws-managed-rule-groups-ip-rep.md) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | This change doesn't alter how the rule group handles web traffic. Added a new rule with Count action to inspect for IP addresses that are actively engaging in DDoS activities, according to Amazon threat intelligence. | 2022-08-30 |
| [Known bad inputs managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-known-bad-inputs)[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released static version 1.15 of this rule group. Removed `Log4JRCE` and replaced it with `Log4JRCE_HEADER`, `Log4JRCE_QUERYSTRING`, `Log4JRCE_URI`, and `Log4JRCE_BODY`, for more granular monitoring and management of false positives. Added signatures for improved detection and blocking to `PROPFIND_METHOD` and to all `JavaDeserializationRCE*` and `Log4JRCE*` rules. Updated labels to correct capitalization in `Host_localhost_HEADER` and in all `JavaDeserializationRCE*` rules. Corrected the description of `JavaDeserializationRCE_HEADER`. | 2022-08-22 |
| [AWS WAF Fraud Control account takeover prevention (ATP) rule group](aws-managed-rule-groups-atp.md)[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Added a rule to prevent the use of the account takeover prevention managed rule group for Amazon Cognito user pool web traffic. | 2022-08-11 |
| [Core rule set (CRS) managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs) | AWS has scheduled expiration for versions `Version_1.2` and `Version_2.0` of the rule group. The versions will expire on September 9, 2022. For information about version expiration, see [Using versioned managed rule groups in AWS WAF](waf-managed-rule-groups-versioning.md). | 2022-06-09 |
| [Core rule set (CRS) managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-crs)[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released version 1.3 of this rule group. This release updates the match signatures in the rules `GenericLFI_URIPATH` and `GenericRFI_URIPATH`, to improve detection. | 2022-05-24 |
| [AWS WAF Bot Control rule group](aws-managed-rule-groups-bot.md)[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Added the rule `CategoryEmailClient` to the rule group. | 2022-04-06 |
| [Known bad inputs managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-known-bad-inputs)[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released version 1.14 of this rule group. The four `JavaDeserializtionRCE` rules are moved to Block mode. | 2022-03-31 |
| [Known bad inputs managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-known-bad-inputs)[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released version 1.13 of this rule group. Updated the text transformation for Spring Core and Cloud Function RCE vulnerabilities. These rules are in count mode to gather metrics and evaluate matched patterns. The label can be used to block requests in a custom rule. A subsequent version will be deployed with these rules in block mode. | 2022-03-31 |
| [Known bad inputs managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-known-bad-inputs)[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released version 1.12 of this rule group. Added signatures for Spring Core and Cloud Function RCE vulnerabilities. These rules are in count mode to gather metrics and evaluate matched patterns. The label can be used to block requests in a custom rule. A subsequent version will be deployed with these rules in block mode. Removed the rules `Log4JRCE_HEADER`, `Log4JRCE_QUERYSTRING`, `Log4JRCE_URI`, and `Log4JRCE_BODY` and replaced them with the rule `Log4JRCE`. | 2022-03-30 |
| [IP reputation rule groups](aws-managed-rule-groups-ip-rep.md) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Updated the AWSManagedReconnaissanceList rule to change the action from count to block. | 2022-02-15 |
| [AWS WAF Fraud Control account takeover prevention (ATP) rule group](aws-managed-rule-groups-atp.md) All rules in new rule group | Added the rule group AWSManagedRulesATPRuleSet. | 2022-02-11 |
| [Known bad inputs managed rule group](aws-managed-rule-groups-baseline.md#aws-managed-rule-groups-baseline-known-bad-inputs)[\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released version 1.9 of this rule group. Removed the rule `Log4JRCE` and replaced it with the rules `Log4JRCE_HEADER`, `Log4JRCE_QUERYSTRING`, `Log4JRCE_URI`, and `Log4JRCE_BODY`, for flexibility in the use of this functionality. Added signatures to improve detection and blocking. | 2022-01-28 |
| Core rule set (CRS) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released version 2.0 of this rule group. For these rules, tuned detection signatures to reduce false positives. Replaced the `URL_DECODE` text transformation with the double `URL_DECODE_UNI` text transformation. Added the `HTML_ENTITY_DECODE` text transformation. | 2022-01-10 |
| Core rule set (CRS) [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | As part of the release of version 2.0 of this rule group, added the `URL_DECODE_UNI` text transformation. Removed the `URL_DECODE` text transformation from `RestrictedExtensions_URIPATH`. | 2022-01-10 |
| SQL database [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released version 2.0 of this rule group. Replaced the `URL_DECODE` text transformation with the double `URL_DECODE_UNI` text transformation and added the `COMPRESS_WHITE_SPACE` text transformation. Added more detection signatures to `SQLiExtendedPatterns_QUERYARGUMENTS`. Added JSON inspection to `SQLi_BODY`. Added the rule `SQLiExtendedPatterns_BODY`. Removed the rule `SQLi_URIPATH`. | 2022-01-10 |
| Known bad inputs [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released version 1.8 of the rule `Log4JRCE` to improve header inspection and matching criteria. | 2021-12-17 |
| Known bad inputs [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Released version 1.4 of the rule `Log4JRCE` to tune the matching criteria and to inspect additional headers. Released version 1.5 to tune the matching criteria. | 2021-12-11 |
| Known bad inputs [\[See the AWS documentation website for more details\]](http://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-changelog.html) | Added the rule `Log4JRCE` version 1.2 in response to the recently disclosed security issue within Log4j. For information see [CVE-2021-44228](https://www.cve.org/CVERecord?id=CVE-2021-44228). This rule inspects common URI paths, query strings, the first 8KB of the request body, and common headers. The rule uses double `URL_DECODE_UNI` text transformations. Released version 1.3 of `Log4JRCE` to tune the matching criteria and to inspect additional headers. Removed the rule `BadAuthToken_COOKIE_AUTHORIZATION`. | 2021-12-10 |
The following table lists changes prior to December, 2021.
| Rule group and rules | Description | Date |
| --- | --- | --- |
| Amazon IP reputation list | `AWSManagedReconnaissanceList` | Added the AWSManagedReconnaissanceList rule in monitoring/count mode. This rule contains IP addresses that are performing reconnaissance against AWS resources. | 2021-11-23 |
| Windows operating system | `WindowsShellCommands` `PowerShellCommands` | Added three new rules for WindowsShell commands: `WindowsShellCommands_COOKIE`, `WindowsShellCommands_QUERYARGUMENTS`, and `WindowsShellCommands_BODY`. Added a new PowerShell rule: `PowerShellCommands_COOKIE`. Restructured the `PowerShellComands` rules naming by removing the string \$1Set1 and \$1Set2. Added more comprehensive detection signatures to `PowerShellRules`. Added `URL_DECODE_UNI` text transformation to all Windows operating system rules. | 2021-11-23 |
| Linux operating system | `LFI_URIPATH` `LFI_QUERYSTRING` `LFI_BODY` `LFI_COOKIE` | Replaced double `URL_DECODE` text transformation with double `URL_DECODE_UNI`. Added `NORMALIZE_PATH_WIN` as a second text transformation. Replaced the `LFI_BODY` rule with the `LFI_COOKIE` rule. Added more comprehensive detection signatures for all `LFI` rules. | 2021-11-23 |
| Core rule set (CRS) | `SizeRestrictions_BODY` | Reduced the size limit to block web requests with body payloads larger than 8 KB. Previously, the limit was 10 KB. | 2021-10-27 |
| Core rule set (CRS) | `EC2MetaDataSSRF_BODY` `EC2MetaDataSSRF_COOKIE` `EC2MetaDataSSRF_URIPATH` `EC2MetaDataSSRF_QUERYARGUMENTS` | Added more detection signatures. Added double unicode URL decode to improve blocking. | 2021-10-27 |
| Core rule set (CRS) | `GenericLFI_QUERYARGUMENTS` `GenericLFI_URIPATH` `RestrictedExtensions_URIPATH` `RestrictedExtensions_QUERYARGUMENTS` | Added double unicode URL decode to improve blocking. | 2021-10-27 |
| Core rule set (CRS) | `GenericRFI_QUERYARGUMENTS` `GenericRFI_BODY` `GenericRFI_URIPATH` | Updated the rule signatures to reduce false positives, based on customer feedback. Added double unicode URL decode to improve blocking. | 2021-10-27 |
| All | All rules | Added support for AWS WAF labels to all rules that didn't already support labeling. | 2021-10-25 |
| Amazon IP reputation list | `AWSManagedIPReputationList_xxxx` | Restructured the IP reputation list, removed suffixes from rule name, and added support for AWS WAF labels. | 2021-05-04 |
| Anonymous IP list | `AnonymousIPList` `HostingProviderList` | Added support for AWS WAF labels. | 2021-05-04 |
| Bot Control | All | Added the Bot Control rule set. | 2021-04-01 |
| Core rule set (CRS) | `GenericRFI_QUERYARGUMENTS` | Added double URL decode. | 2021-03-03 |
| Core rule set (CRS) | `RestrictedExtensions_URIPATH` | Improved the configuration of the rules and added an extra URL decode. | 2021-03-03 |
| Admin protection | `AdminProtection_URIPATH` | Added double URL decode. | 2021-03-03 |
| Known bad inputs | `ExploitablePaths_URIPATH` | Improved the configuration of the rules and added an extra URL decode. | 2021-03-03 |
| Linux operating system | `LFI_QUERYARGUMENTS` | Improved the configuration of the rules and added an extra URL decode. | 2021-03-03 |
| Windows operating system | All | Improved the configuration of the rules. | 2020-09-23 |
| PHP application | `PHPHighRiskMethodsVariables_QUERYARGUMENTS` `PHPHighRiskMethodsVariables_BODY` | Changed the text transformation from HTML decode to URL decode, to improve blocking. | 2020-09-16 |
| POSIX operating system | `UNIXShellCommandsVariables_QUERYARGUMENTS` `UNIXShellCommandsVariables_BODY` | Changed the text transformation from HTML decode to URL decode, to improve blocking. | 2020-09-16 |
| Core rule set | `GenericLFI_QUERYARGUMENTS` `GenericLFI_URIPATH` GenericLFI\$1BODY | Changed the text transformation from HTML decode to URL decode, to improve blocking. | 2020-08-07 |
| Linux operating system | `LFI_URIPATH` `LFI_QUERYARGUMENTS` `LFI_BODY` | Changed the text transformation from HTML entity decode to URL decode, to improve detection and blocking. | 2020-05-19 |
| Anonymous IP List | All | New rule group in [IP reputation rule groups](aws-managed-rule-groups-ip-rep.md) to block requests from services that permit the obfuscation of viewer identity, to help mitigate bots and evasion of geographic restrictions. | 2020-03-06 |
| WordPress application | `WordPressExploitableCommands_QUERYSTRING` | New rule that checks for exploitable commands in the query string. | 2020-03-03 |
| Core rule set (CRS) | `SizeRestrictions_QUERYSTRING` `SizeRestrictions_Cookie_HEADER` `SizeRestrictions_BODY` `SizeRestrictions_URIPATH` | Adjusted the size value constraints for improved accuracy. | 2020-03-03 |
| SQL database | `SQLi_URIPATH` | The rules now check the message URI. | 2020-01-23 |
| SQL database | `SQLi_BODY` `SQLi_QUERYARGUMENTS` `SQLi_COOKIE` | Updated text transformations. | 2019-12-20 |
| Core rule set (CRS) | `CrossSiteScripting_URIPATH` `CrossSiteScripting_BODY` `CrossSiteScripting_QUERYARGUMENTS` `CrossSiteScripting_COOKIE` | Updated text transformations. | 2019-12-20 |