Recognizing rule groups provided by other services - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

If you or an administrator in your organization uses AWS Firewall Manager or AWS Shield Advanced to manage resource protections using AWS WAF, you might see rule group reference statements added to web ACLs in your account.

The names of these rule groups begin with the following strings:

  • ShieldMitigationRuleGroup – These rule groups are managed by AWS Shield Advanced and used to provide automatic application layer DDoS mitigation to protected application layer (layer 7) resources.

    When you enable automatic application layer DDoS mitigation for a protected resource, Shield Advanced adds one of these rule groups to the web ACL that you have associated with the resource. Shield Advanced assigns the rule group reference statement a priority setting of 10,000,000, so that it runs after the rules that you have configured in the web ACL. For more information about these rule groups, see Automating application layer DDoS mitigation with Shield Advanced.

    Warning

    Don't try to manually manage this rule group in your web ACL. In particular, don't manually delete the ShieldMitigationRuleGroup rule group reference statement from your web ACL. Doing this could have unintended consequences for all resources that are associated with the web ACL. Instead, use Shield Advanced to disable automatic mitigation for the resources that are associated with the web ACL. Shield Advanced will remove the rule group for you when it's not needed for automatic mitigation.

  • PREFMManaged and POSTFMManaged – These rule groups are managed by AWS Firewall Manager according to the Firewall Manager AWS WAF policy configuration that applies to your account. Firewall Manager places them inside the web ACLs that it manages: the PREFMManaged rule groups run before your own rules, and the POSTFMManaged rule groups run after them.

    Firewall Manager creates web ACLs for you with names that begin with FMManagedWebACLV2. You can configure Firewall Manager to retrofit your existing web ACLs as well. For these, the web ACL name is the one that you specified when you created it. In either case, Firewall Manager will add these rule groups to the web ACL. For more information, see Using AWS WAF policies with Firewall Manager.
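Before editing a web ACL, it helps to know which of its entries a service put there, so that nothing listed above is deleted by hand. The following is an added example, not code from the AWS documentation or from any AWS SDK: it classifies the rules of a web ACL by the name prefixes listed on this page, keeps the three sections in the order AWS WAF evaluates them, and flags any of your own rules that carry a priority larger than the Shield Advanced rule group (those run after automatic mitigation instead of before it, which is not the ordering Shield Advanced intends). It reads a dict in the shape of the wafv2 GetWebACL `WebACL` response; the sample web ACL, its account ID and the suffixes on the service rule names are constructed for the example, and `fetch_web_acl` is an optional helper that needs boto3 and AWS credentials.

```python
"""Inventory the rule groups that Shield Advanced or Firewall Manager placed in a WAF web ACL.

Added example; it is not part of the AWS documentation or SDK. The sample web ACL below
is constructed for illustration.
"""
from dataclasses import dataclass

SHIELD_RULE_PREFIX = "ShieldMitigationRuleGroup"
FM_RULE_PREFIXES = ("PREFMManaged", "POSTFMManaged")
FM_WEB_ACL_PREFIX = "FMManagedWebACLV2"
SHIELD_RULE_PRIORITY = 10_000_000  # priority Shield Advanced assigns to its rule group reference

# Sections of the GetWebACL response, in the order AWS WAF evaluates them.
SECTIONS = ("PreProcessFirewallManagerRuleGroups", "Rules", "PostProcessFirewallManagerRuleGroups")


@dataclass(frozen=True)
class RuleEntry:
    owner: str      # "shield-advanced", "firewall-manager" or "you"
    name: str
    priority: int
    section: str    # which list of the web ACL the entry came from


def rule_owner(name: str) -> str:
    """Classify a rule by the name prefixes documented for service-managed rule groups."""
    if name.startswith(SHIELD_RULE_PREFIX):
        return "shield-advanced"
    if name.startswith(FM_RULE_PREFIXES):
        return "firewall-manager"
    return "you"


def is_fm_created_web_acl(web_acl_name: str) -> bool:
    """True for web ACLs Firewall Manager created itself; retrofitted web ACLs keep your name."""
    return web_acl_name.startswith(FM_WEB_ACL_PREFIX)


def inventory(web_acl: dict) -> list:
    """Every rule in evaluation order: FM pre-process, your Rules by priority, FM post-process."""
    entries = []
    for section in SECTIONS:
        rules = sorted(web_acl.get(section, []), key=lambda r: r["Priority"])
        entries.extend(RuleEntry(rule_owner(r["Name"]), r["Name"], r["Priority"], section) for r in rules)
    return entries


def service_managed(web_acl: dict) -> list:
    """The entries you should not delete by hand (see the warning on this page)."""
    return [e for e in inventory(web_acl) if e.owner != "you"]


def shield_ordering_warnings(web_acl: dict) -> list:
    """Names of your own rules that run after the Shield Advanced rule group because their priority is higher."""
    own_rules = [e for e in inventory(web_acl) if e.section == "Rules"]
    shield = [e.priority for e in own_rules if e.owner == "shield-advanced"]
    if not shield:
        return []
    cutoff = min(shield)
    return [e.name for e in own_rules if e.owner == "you" and e.priority > cutoff]


def fetch_web_acl(name: str, acl_id: str, scope: str = "REGIONAL") -> dict:
    """Fetch a live web ACL with boto3 (needs credentials; unused by the offline sample)."""
    import boto3  # imported lazily so the rest of the example runs without boto3 installed
    return boto3.client("wafv2").get_web_acl(Name=name, Id=acl_id, Scope=scope)["WebACL"]


# Constructed sample: a Firewall Manager-created web ACL that also has automatic DDoS mitigation
# enabled, plus two rules of your own, one of them mistakenly placed after the Shield rule group.
SAMPLE_WEB_ACL = {
    "Name": "FMManagedWebACLV2-example-policy-1700000000000",
    "ManagedByFirewallManager": True,
    "PreProcessFirewallManagerRuleGroups": [
        {"Name": "PREFMManaged-example-policy-1700000000000", "Priority": 0},
    ],
    "Rules": [
        {"Name": "ShieldMitigationRuleGroup_123456789012_example", "Priority": SHIELD_RULE_PRIORITY},
        {"Name": "RateLimitLogin", "Priority": 10},
        {"Name": "LateCatchAll", "Priority": 20_000_000},
    ],
    "PostProcessFirewallManagerRuleGroups": [
        {"Name": "POSTFMManaged-example-policy-1700000000000", "Priority": 0},
    ],
}

if __name__ == "__main__":
    print("web ACL created by Firewall Manager:", is_fm_created_web_acl(SAMPLE_WEB_ACL["Name"]))
    for e in inventory(SAMPLE_WEB_ACL):
        print(f"{e.section:38} {e.priority:>10} {e.owner:17} {e.name}")
    for name in shield_ordering_warnings(SAMPLE_WEB_ACL):
        print(f"warning: rule {name!r} has a higher priority than the Shield rule group and runs after mitigation")
```

To run it against a real account, replace `SAMPLE_WEB_ACL` with `fetch_web_acl(name, acl_id, scope)` (use scope `CLOUDFRONT` for a CloudFront web ACL). The entries that `service_managed` returns are exactly the ones the warning above says to leave to Shield Advanced and Firewall Manager.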