

**Introducing a new console experience for AWS WAF**

You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html). 

# Working with managed rule groups
<a name="waf-using-managed-rule-groups"></a>

This section provides guidance for accessing and managing your managed rule groups. 

When you add a managed rule group to your protection pack (web ACL), you can choose the same configuration options as you can for your own rule groups, plus additional settings. 

Through the console, you access managed rule group information during the process of adding and editing the rules in your protection packs (web ACLs). Through the APIs and the command line interface (CLI), you can directly request managed rule group information.

When you use a managed rule group in your protection pack (web ACL), you can edit the following settings: 
+ **Version** – This is available only if the rule group is versioned. For more information, see [Using versioned managed rule groups in AWS WAF](waf-managed-rule-groups-versioning.md).
+ **Override rule actions** – You can override the actions for rules in the rule group to any action. Setting them to Count is useful for testing a rule group before using it to manage your web requests. For more information, see [Rule group rule action overrides](web-acl-rule-group-override-options.md#web-acl-rule-group-override-options-rules).
+ **Scope-down statement** – You can add a scope-down statement, to filter out web requests that you don't want to evaluate with the rule group. For more information, see [Using scope-down statements in AWS WAF](waf-rule-scope-down-statements.md).
+ **Override rule group action** – You can override the action that results from the rule group evaluation, and set it to Count only. This option isn't commonly used. It doesn't alter how AWS WAF evaluates the rules in the rule group. For more information, see [Rule group return action override to Count](web-acl-rule-group-override-options.md#web-acl-rule-group-override-options-rule-group).

**To edit the managed rule group settings in your protection pack (web ACL)**
+ **Console** 
  + (Option) When you add the managed rule group to your protection pack (web ACL), you can choose **Edit** to view and edit the settings. 
  + (Option) After you've added the managed rule group into your protection pack (web ACL), from the **protection packs (web ACLs)** page, choose the protection pack (web ACL) you just created. This takes you to the protection pack (web ACL) edit page. 
    + Choose **Rules**. 
    + Select the rule group, then choose **Edit** to view and edit the settings. 
+ **APIs and CLI** – Outside of the console, you can manage the managed rule group settings when you create and update the protection pack (web ACL). 
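
The four settings above map directly onto fields of the `ManagedRuleGroupStatement` JSON that the APIs, CLI and CloudFormation accept. The following is an added example, not code from this guide, that builds one `Rules` entry with a version pin, a per-rule Count override, a scope-down statement and the rule group action override, and checks the structural invariants that commonly trip people up (a rule group reference takes `OverrideAction`, never `Action`; `OverrideAction` and each `ActionToUse` name exactly one action). The vendor, rule group, version name `Version_1.0`, the `/healthz` prefix and the rule name are illustrative assumptions.

```python
"""Build one managed rule group entry for a web ACL's Rules list and check it.

Added example, not code from the AWS WAF developer guide. Field names follow
the documented ManagedRuleGroupStatement JSON; the vendor, rule group, version
name, URI prefix and rule name used below are illustrative assumptions.
"""
import json
from typing import Dict, List, Optional, Sequence


def scope_down_exclude_path_prefix(prefix: str) -> Dict:
    """Scope-down statement that hands the rule group every request EXCEPT
    those whose URI path starts with `prefix` (e.g. a health-check endpoint).
    Requests that fail the scope-down are simply not inspected by the group."""
    return {
        "NotStatement": {
            "Statement": {
                "ByteMatchStatement": {
                    "FieldToMatch": {"UriPath": {}},
                    "PositionalConstraint": "STARTS_WITH",
                    "SearchString": prefix,
                    "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                }
            }
        }
    }


def managed_rule_group_rule(
    vendor: str,
    name: str,
    priority: int,
    version: Optional[str] = None,
    count_only_rules: Sequence[str] = (),
    scope_down: Optional[Dict] = None,
    count_whole_group: bool = False,
) -> Dict:
    """Return a Rules[] entry that references a managed rule group, with the
    four settings the guide describes: version pin, per-rule action overrides,
    scope-down statement and rule group action override."""
    statement: Dict = {"VendorName": vendor, "Name": name}
    if version:
        # Pin a version; omit it to follow the vendor's current default version.
        statement["Version"] = version
    if count_only_rules:
        statement["RuleActionOverrides"] = [
            {"Name": rule, "ActionToUse": {"Count": {}}} for rule in count_only_rules
        ]
    if scope_down:
        statement["ScopeDownStatement"] = scope_down
    return {
        "Name": f"{vendor}-{name}",  # the console's <Vendor Name>-<Rule Group Name> scheme
        "Priority": priority,
        "Statement": {"ManagedRuleGroupStatement": statement},
        # A rule group reference carries OverrideAction (never Action). Count here
        # only changes what the group's result does, not how its rules evaluate.
        "OverrideAction": {"Count": {}} if count_whole_group else {"None": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": f"{vendor}-{name}",
        },
    }


def validate_rule_group_rule(rule: Dict) -> List[str]:
    """Return the structural problems found (an empty list means the entry is sound)."""
    problems: List[str] = []
    stmt = rule.get("Statement", {}).get("ManagedRuleGroupStatement")
    if stmt is None:
        return ["Statement must be a ManagedRuleGroupStatement"]
    if "Action" in rule:
        problems.append("rule group references take OverrideAction, not Action")
    if set(rule.get("OverrideAction", {})) not in ({"None"}, {"Count"}):
        problems.append("OverrideAction must be exactly one of None or Count")
    overrides = stmt.get("RuleActionOverrides", [])
    names = [o.get("Name") for o in overrides]
    if len(names) != len(set(names)):
        problems.append("duplicate rule names in RuleActionOverrides")
    for o in overrides:
        if len(o.get("ActionToUse", {})) != 1:
            problems.append(f"override for {o.get('Name')!r} must name exactly one action")
    return problems


if __name__ == "__main__":
    rule = managed_rule_group_rule(
        "AWS", "AWSManagedRulesCommonRuleSet", priority=0,
        version="Version_1.0",                        # assumed version name
        count_only_rules=("NoUserAgent_HEADER",),
        scope_down=scope_down_exclude_path_prefix("/healthz"),
    )
    assert validate_rule_group_rule(rule) == []
    # Goes into the Rules list passed to update-web-acl (full rule list plus lock token).
    print(json.dumps([rule], indent=2))
```

`UpdateWebACL` replaces the whole `Rules` list and requires the current lock token, so merge this entry into the existing list returned by `GetWebACL` rather than sending it alone.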

# Retrieving the list of managed rule groups
<a name="waf-using-managed-rule-groups-list"></a>

You can retrieve the list of managed rule groups that are available for you to use in your protection packs (web ACLs). The list includes the following: 
+ All AWS Managed Rules rule groups.
+ The AWS Marketplace rule groups that you have subscribed to. 
**Note**  
For information about subscribing to AWS Marketplace rule groups, see [AWS Marketplace rule groups](marketplace-rule-groups.md).

When you retrieve the list of managed rule groups, the list you get back depends on the interface that you're using: 
+ **Console** – Through the console, you can see all managed rule groups, including the AWS Marketplace rule groups that you haven't subscribed to yet. For the ones that you haven't subscribed to yet, the interface provides links that you can follow to subscribe. 
+ **APIs and CLI** – Outside of the console, your request returns only the rule groups that are available for you to use. 

**To retrieve the list of managed rule groups**
+ **Console** – During the process of creating a protection pack (web ACL), on the **Add rules and rule groups** page, choose **Add managed rule groups**. At the top level, the provider names are listed. Expand each provider listing to see the list of managed rule groups. For versioned rule groups, the information shown at this level is for the default version. When you add a managed rule group to your protection pack (web ACL), the console lists it based on the naming scheme `<Vendor Name>-<Managed Rule Group Name>`. 
+ **API** –
  +  `ListAvailableManagedRuleGroups`
+ **CLI** –
  + `aws wafv2 list-available-managed-rule-groups --scope=<CLOUDFRONT|REGIONAL>`

# Retrieving the rules in a managed rule group
<a name="waf-using-managed-rule-groups-rules"></a>

You can retrieve a list of the rules in a managed rule group. The API and CLI calls return the rule specifications that you can reference in the JSON model or through AWS CloudFormation.

**To retrieve the list of rules in a managed rule group**
+ **Console** 
  + (Option) When you add the managed rule group to your protection pack (web ACL), you can choose **Edit** to view the rules. 
  + (Option) After you've added the managed rule group into your protection pack (web ACL), from the **protection packs (web ACLs)** page, choose the protection pack (web ACL) you just created. This takes you to the protection pack (web ACL) edit page. 
    + Choose **Rules**. 
    + Select the rule group you want to see a rules list for, then choose **Edit**. AWS WAF shows the list of rules in the rule group. 
+ **API** – `DescribeManagedRuleGroup`
+ **CLI** – `aws wafv2 describe-managed-rule-group --scope=<CLOUDFRONT|REGIONAL> --vendor-name <vendor> --name <managedrule_name>`
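
The rule list that `DescribeManagedRuleGroup` returns is what you need to drive the count-mode rollout recommended earlier on this page: override every rule to Count, watch the metrics and sampled requests against production traffic, then shorten the override list as rules prove clean. The following is an added example, not code from this guide. `DESCRIBE_RESPONSE` is a constructed sample in the shape of `DescribeManagedRuleGroup` output (`VersionName`, `Capacity`, `Rules[].Name`/`Action`, `SnsTopicArn`); the rule names are Common Rule Set rules, but the capacity figures, version name and topic ARN are illustrative, not vendor data. It also sums WCUs against the 1,500 WCUs included in the base protection pack (web ACL) price, since Count overrides do not reduce a rule group's capacity.

```python
"""Count-mode rollout of a managed rule group from DescribeManagedRuleGroup
output, plus a WCU budget check for the web ACL.

Added example, not code from the AWS WAF developer guide. DESCRIBE_RESPONSE is
a constructed sample in the shape of DescribeManagedRuleGroup output; the rule
names are CommonRuleSet rules, but the capacity, version and topic ARN are
illustrative values.
"""
import copy
from typing import Dict, Iterable, List, Tuple

DESCRIBE_RESPONSE = {  # constructed sample, not real DescribeManagedRuleGroup output
    "VersionName": "Version_1.0",
    "SnsTopicArn": "arn:aws:sns:us-east-1:111122223333:example-topic",
    "Capacity": 700,
    "Rules": [
        {"Name": "NoUserAgent_HEADER", "Action": {"Block": {}}},
        {"Name": "UserAgent_BadBots_HEADER", "Action": {"Block": {}}},
        {"Name": "SizeRestrictions_BODY", "Action": {"Block": {}}},
        {"Name": "GenericRFI_BODY", "Action": {"Block": {}}},
    ],
}

WCU_INCLUDED = 1500  # WCUs covered by the base web ACL price, per the guide


def count_mode_overrides(describe_response: Dict, enforce: Iterable[str] = ()) -> List[Dict]:
    """Override every rule in the group to Count except those listed in `enforce`.

    Start with enforce=() to observe the whole group against production traffic,
    then grow `enforce` as you confirm rules are not matching legitimate requests.
    Names not in the group are rejected so a typo cannot silently leave a rule in
    Count forever."""
    enforce = set(enforce)
    unknown = enforce - {r["Name"] for r in describe_response["Rules"]}
    if unknown:
        raise ValueError(f"not rules in this group: {sorted(unknown)}")
    return [
        {"Name": r["Name"], "ActionToUse": {"Count": {}}}
        for r in describe_response["Rules"]
        if r["Name"] not in enforce
    ]


def with_overrides(rule_entry: Dict, overrides: List[Dict]) -> Dict:
    """Return a copy of a web ACL Rules[] entry with its override list replaced.
    An empty list removes RuleActionOverrides so the vendor's actions apply."""
    entry = copy.deepcopy(rule_entry)
    stmt = entry["Statement"]["ManagedRuleGroupStatement"]
    if overrides:
        stmt["RuleActionOverrides"] = overrides
    else:
        stmt.pop("RuleActionOverrides", None)
    return entry


def wcu_budget(capacities: Dict[str, int], included: int = WCU_INCLUDED) -> Tuple[int, bool]:
    """Sum the WCUs of everything in the web ACL (managed groups: Capacity from
    DescribeManagedRuleGroup; own rules: from CheckCapacity). Count overrides do
    not lower Capacity, so count-mode testing costs the same WCUs as enforcing."""
    total = sum(capacities.values())
    return total, total > included


if __name__ == "__main__":
    entry = {
        "Name": "AWS-AWSManagedRulesCommonRuleSet",
        "Priority": 0,
        "Statement": {"ManagedRuleGroupStatement": {
            "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
        "OverrideAction": {"None": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "AWS-AWSManagedRulesCommonRuleSet"},
    }
    # Phase 1: everything in Count. Phase 2: two rules promoted to their vendor action.
    staged = with_overrides(entry, count_mode_overrides(DESCRIBE_RESPONSE))
    partial = with_overrides(entry, count_mode_overrides(
        DESCRIBE_RESPONSE, enforce=["NoUserAgent_HEADER", "SizeRestrictions_BODY"]))
    print(len(staged["Statement"]["ManagedRuleGroupStatement"]["RuleActionOverrides"]), "rules in Count")
    print(len(partial["Statement"]["ManagedRuleGroupStatement"]["RuleActionOverrides"]), "rules in Count")
    total, over = wcu_budget({"AWS-AWSManagedRulesCommonRuleSet": DESCRIBE_RESPONSE["Capacity"],
                              "own-rate-limit-rule": 2})
    print("WCUs:", total, "over included budget:" , over)
```

Because `RuleActionOverrides` lives inside the rule group reference, each phase is a normal `UpdateWebACL` with the full rule list; the constructed `DESCRIBE_RESPONSE` stands in for the live `describe-managed-rule-group` call, which is the only input the code needs.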

# Retrieving the available versions for a managed rule group
<a name="waf-using-managed-rule-groups-versions"></a>

The available versions of a managed rule group are versions that haven't yet been scheduled to expire. The list indicates which version is the current default version for the rule group.

**To retrieve a list of the available versions of a managed rule group**
+ **Console** 
  + (Option) When you add the managed rule group to your protection pack (web ACL), choose **Edit** to see the rule group's information. Expand the **Version** dropdown to see the list of available versions. 
  + (Option) After you've added the managed rule group into your protection pack (web ACL), choose **Edit** on the protection pack (web ACL), and then select and edit the rule group rule. Expand the **Version** dropdown to see the list of available versions. 
+ **API** –
  +  `ListAvailableManagedRuleGroupVersions`
+ **CLI** –
  +  `aws wafv2 list-available-managed-rule-group-versions --scope=<CLOUDFRONT|REGIONAL> --vendor-name <vendor> --name <managedrule_name>`

# Adding a managed rule group to a protection pack (web ACL) through the console
<a name="waf-using-managed-rule-group"></a>

This section explains how to add a managed rule group to a protection pack (web ACL) through the console. This guidance applies to all AWS Managed Rules rule groups and to the AWS Marketplace rule groups that you're subscribed to. 

**Production traffic risk**  
Before you deploy changes in your protection pack (web ACL) for production traffic, test and tune them in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your updated rules in count mode with your production traffic before enabling them. For guidance, see [Testing and tuning your AWS WAF protections](web-acl-testing.md).

**Note**  
Using more than 1,500 WCUs in a protection pack (web ACL) incurs costs beyond the basic protection pack (web ACL) price. For more information, see [Web ACL capacity units (WCUs) in AWS WAF](aws-waf-capacity-units.md) and [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).

**To add a managed rule group to a protection pack (web ACL) through the console**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. Choose **protection packs (web ACLs)** in the navigation pane. 

1. In the **protection packs (web ACLs)** page, from the list of protection packs (web ACLs), select the one that you want to add the rule group to. This takes you to the page for the single protection pack (web ACL).

1. In your protection pack (web ACL)'s page, choose the **Rules** tab. 

1. In the **Rules** pane, choose **Add rules**, then choose **Add managed rule groups**. 

1. In the **Add managed rule groups** page, expand the selection for your rule group vendor, to see the list of available rule groups. 

1. For each rule group that you want to add, choose **Add to protection pack (web ACL)**. If you want to change the protection pack (web ACL)'s configuration for the rule group, choose **Edit**, make your changes, and then choose **Save rule**. For information about the options, see the versioning guidance at [Using versioned managed rule groups in AWS WAF](waf-managed-rule-groups-versioning.md) and the guidance for using a managed rule group in a protection pack (web ACL) at [Using managed rule group statements in AWS WAF](waf-rule-statement-type-managed-rule-group.md).

1. At the bottom of the **Add managed rule groups** page, choose **Add rules**. 

1. In the **Set rule priority** page, adjust the order that the rules run as needed, then choose **Save**. For more information, see [Setting rule priority](web-acl-processing-order.md). 

In your protection pack (web ACL)'s page, the managed rule groups that you've added are listed under the **Rules** tab. 

Test and tune any changes to your AWS WAF protections before you use them for production traffic. For information, see [Testing and tuning your AWS WAF protections](web-acl-testing.md).

**Temporary inconsistencies during updates**  
When you create or change a protection pack (web ACL) or other AWS WAF resources, the changes take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes. 

The following are examples of the temporary inconsistencies that you might notice during change propagation: 
+ After you create a protection pack (web ACL), if you try to associate it with a resource, you might get an exception indicating that the protection pack (web ACL) is unavailable. 
+ After you add a rule group to a protection pack (web ACL), the new rule group rules might be in effect in one area where the protection pack (web ACL) is used and not in another.
+ After you change a rule action setting, you might see the old action in some places and the new action in others. 
+ After you add an IP address to an IP set that is in use in a blocking rule, the new address might be blocked in one area while still allowed in another.

# Getting notified of new versions and updates to a managed rule group
<a name="waf-using-managed-rule-groups-sns-topic"></a>

This section explains how to receive Amazon SNS notifications of new versions and updates.

A managed rule group provider uses SNS notifications to announce rule group changes, like upcoming new versions and urgent security updates. 

**How to subscribe to SNS notifications**  
To subscribe to notifications for a rule group, you create an Amazon SNS subscription for the rule group's Amazon SNS topic ARN in the US East (N. Virginia) Region us-east-1. 

For information about how to subscribe, see the [Amazon Simple Notification Service Developer Guide](https://docs.aws.amazon.com/sns/latest/dg/). 

**Note**  
Create your subscription for the SNS topic only in the us-east-1 Region.

The versioned AWS Managed Rules rule groups all use the same SNS topic Amazon Resource Name (ARN). For more information about AWS Managed Rules rule group notifications, see [Deployment notifications](waf-managed-rule-groups-deployments-notifications.md).

**Where to find the Amazon SNS topic ARN for a managed rule group**  
AWS Managed Rules rule groups use a single SNS topic ARN, so you can retrieve the topic ARN from one of the rule groups and subscribe to it to get notifications for all of the AWS Managed Rules rule groups that provide SNS notifications. 
+ **Console** 
  + (Option) When you add the managed rule group to your protection pack (web ACL), choose **Edit** to see the rule group's information, which includes the rule group's Amazon SNS topic ARN. 
  + (Option) After you've added the managed rule group into your protection pack (web ACL), choose **Edit** on the protection pack (web ACL), and then select and edit the rule group rule to see the rule group's Amazon SNS topic ARN. 
+ **API** – `DescribeManagedRuleGroup`
+ **CLI** – `aws wafv2 describe-managed-rule-group --scope=<CLOUDFRONT|REGIONAL> --vendor-name <vendor> --name <managedrule_name>`

For general information about Amazon SNS notification formats and how to filter the notifications that you receive, see [Parsing message formats](https://docs.aws.amazon.com/sns/latest/dg/sns-message-and-json-formats.html) and [Amazon SNS subscription filter policies](https://docs.aws.amazon.com/sns/latest/dg/sns-subscription-filter-policies.html) in the Amazon Simple Notification Service Developer Guide. 

# Tracking a rule group's version expiration
<a name="waf-using-managed-rule-groups-expiration"></a>

This section explains how to monitor expiration scheduling for a managed rule group through Amazon CloudWatch.

If you use a specific version of a rule group, make sure that you don't keep using a version past its expiration date. 

**Tip**  
Sign up for Amazon SNS notifications for managed rule groups, and keep current with managed rule group versions. You'll benefit from the most up-to-date protections from the rule group and stay ahead of expiration. For information, see [Getting notified of new versions and updates](waf-using-managed-rule-groups-sns-topic.md).

**To monitor expiration scheduling for a managed rule group through Amazon CloudWatch**

1. In CloudWatch, locate the expiry metrics from AWS WAF for your managed rule group. The metrics have the following metric names and dimensions: 
   + Metric name: DaysToExpiry
   + Metric dimensions: Region, ManagedRuleGroup, Vendor, and Version

   If you have a managed rule group in your protection pack (web ACL) that's evaluating traffic, you will get a metric for it. The metric isn't available for rule groups that you don't use. 

1. Set an alarm on the metrics that you're interested in, so that you're notified in time to switch to a newer version of the rule group. 

For information about using Amazon CloudWatch metrics and configuring alarms, see the [Amazon CloudWatch User Guide](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/). 
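
Two checks cover the advice above: compare the version pinned in the protection pack (web ACL) with what `ListAvailableManagedRuleGroupVersions` currently returns (that list contains only versions not yet scheduled to expire), and alarm on the `DaysToExpiry` metric with the four dimensions named in the procedure. The following is an added example, not code from this guide. `VERSIONS_RESPONSE` is a constructed sample in the shape of `ListAvailableManagedRuleGroupVersions` output (`Versions[].Name`, `CurrentDefaultVersion`); the version names, the alarm name and the 14-day threshold are assumptions. The `AWS/WAFV2` namespace, metric name and dimension names are those of the CloudWatch metric described above.

```python
"""Track a pinned managed rule group version: is it still available, and alarm
on the DaysToExpiry metric before it is retired.

Added example, not code from the AWS WAF developer guide. VERSIONS_RESPONSE is
a constructed sample in the shape of ListAvailableManagedRuleGroupVersions
output; version names, alarm name and the 14-day threshold are assumptions.
"""
from typing import Dict, List, Optional, Sequence

VERSIONS_RESPONSE = {  # constructed sample, not real API output
    "Versions": [
        {"Name": "Version_1.0", "LastUpdateTimestamp": "2023-01-10T00:00:00Z"},
        {"Name": "Version_1.1", "LastUpdateTimestamp": "2023-03-02T00:00:00Z"},
        {"Name": "Version_1.2", "LastUpdateTimestamp": "2023-05-15T00:00:00Z"},
    ],
    "CurrentDefaultVersion": "Version_1.1",
}


def pinned_version_status(versions_response: Dict, pinned: Optional[str]) -> str:
    """Classify a web ACL's Version setting against the vendor's available versions.

    The list holds only versions not yet scheduled to expire, so a pinned name
    missing from it has expired (or never existed) and must be replaced now."""
    if pinned is None:
        return "default"        # no pin: the web ACL follows CurrentDefaultVersion
    available = [v["Name"] for v in versions_response["Versions"]]
    if pinned not in available:
        return "unavailable"
    if pinned == versions_response["CurrentDefaultVersion"]:
        return "default"
    return "available"          # still usable, but not the vendor's default


def next_version_to_pin(versions_response: Dict, pinned: Optional[str]) -> Optional[str]:
    """Return the version to move to, or None if the pin needs no change."""
    if pinned_version_status(versions_response, pinned) == "default":
        return None
    return versions_response["CurrentDefaultVersion"]


def days_to_expiry_alarm(
    region: str,
    vendor: str,
    name: str,
    version: str,
    threshold_days: int = 14,
    alarm_actions: Sequence[str] = (),
    treat_missing: str = "breaching",
) -> Dict:
    """PutMetricAlarm parameters for the DaysToExpiry metric of one pinned version.

    The metric exists only while the rule group is evaluating traffic, so missing
    data defaults to breaching: a metric that silently disappears for a version
    you believe is in use deserves attention rather than a green alarm."""
    alarm = {
        "AlarmName": f"waf-{vendor}-{name}-{version}-expiring",   # assumed naming
        "Namespace": "AWS/WAFV2",
        "MetricName": "DaysToExpiry",
        "Dimensions": [
            {"Name": "Region", "Value": region},
            {"Name": "ManagedRuleGroup", "Value": name},
            {"Name": "Vendor", "Value": vendor},
            {"Name": "Version", "Value": version},
        ],
        "Statistic": "Minimum",
        "Period": 86400,            # one datapoint per day is enough for a days-scale metric
        "EvaluationPeriods": 1,
        "Threshold": threshold_days,
        "ComparisonOperator": "LessThanOrEqualToThreshold",
        "TreatMissingData": treat_missing,
    }
    if alarm_actions:
        alarm["AlarmActions"] = list(alarm_actions)
    return alarm


if __name__ == "__main__":
    for pin in (None, "Version_1.1", "Version_1.0", "Version_0.9"):
        print(pin, pinned_version_status(VERSIONS_RESPONSE, pin),
              "->", next_version_to_pin(VERSIONS_RESPONSE, pin))
    print(days_to_expiry_alarm("us-east-1", "AWS", "AWSManagedRulesCommonRuleSet", "Version_1.0"))
```

The returned dictionary is the keyword set for boto3's `cloudwatch.put_metric_alarm(**alarm)`; route `alarm_actions` to an SNS topic your on-call actually watches, and run the version check from the same job so an already-expired pin is caught even when the metric is absent.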

# Example managed rule group configurations in JSON and YAML
<a name="waf-using-managed-rule-groups-json-yaml"></a>

This section provides example managed rule group configurations.

The API and CLI calls return a list of all rules in the managed rule group that you can reference in the JSON model or through AWS CloudFormation.

**JSON**  
You can reference and modify managed rule groups within a rule statement using JSON. The following listing shows the AWS Managed Rules rule group, `AWSManagedRulesCommonRuleSet`, in JSON format. The RuleActionOverrides specification lists a rule whose action has been overridden to Count. 

```
{
  "Name": "AWS-AWSManagedRulesCommonRuleSet",
  "Priority": 0,
  "Statement": {
    "ManagedRuleGroupStatement": {
      "VendorName": "AWS",
      "Name": "AWSManagedRulesCommonRuleSet",
      "RuleActionOverrides": [
        {
          "ActionToUse": {
            "Count": {}
          },
          "Name": "NoUserAgent_HEADER"
        }
      ],
      "ExcludedRules": []
    }
  },
  "OverrideAction": {
    "None": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "AWS-AWSManagedRulesCommonRuleSet"
  }
}
```

**YAML**  
You can reference and modify managed rule groups within a rule statement in a CloudFormation YAML template. The following listing shows the AWS Managed Rules rule group, `AWSManagedRulesCommonRuleSet`, as a CloudFormation template fragment. The RuleActionOverrides specification lists a rule whose action has been overridden to Count. 

```
Name: AWS-AWSManagedRulesCommonRuleSet
Priority: 0
Statement:
  ManagedRuleGroupStatement:
    VendorName: AWS
    Name: AWSManagedRulesCommonRuleSet
    RuleActionOverrides:
    - ActionToUse:
        Count: {}
      Name: NoUserAgent_HEADER
    ExcludedRules: []
OverrideAction:
  None: {}
VisibilityConfig:
  SampledRequestsEnabled: true
  CloudWatchMetricsEnabled: true
  MetricName: AWS-AWSManagedRulesCommonRuleSet
```