Posted On: Dec 21, 2018

AWS WAF now supports rule group exceptions, allowing you to override individual rules within a managed rule group. You can now choose which rules within the rule group should be excluded and set in count-only mode, preventing those rules from blocking a request. This will allow you to modify the behavior of a managed rule group so that it can be adapted to your unique environment.

Traditionally, any customization within the managed rule group required you to reach out to your managed rules provider. Starting today, you can exclude individual rules within a managed rule group and change the action for the rule to COUNT. Therefore, requests that match an excluded rule are counted, but not blocked. This helps you try out new managed rule groups for AWS WAF, react faster to abnormal conditions, and gives you more control over your web ACLs.

Adding a managed rule to the exception list is done in three steps. First, analyze incoming traffic using the full logging feature and look for unexpected behavior within the rule group. Second, identify the unwanted rule from the log. Lastly, exclude the rule either through the AWS WAF console or through the API.

This feature has been enabled for all customers at no additional cost. For more details, please visit AWS WAF Documentation.