How to customize behavior of AWS Managed Rules for AWS WAF
AWS Managed Rules for AWS WAF provides a group of rules created by AWS that can be used help protect you against common application vulnerabilities and other unwanted access to your systems without having to write your own rules. AWS Threat Research Team updates AWS Managed Rules to respond to an ever-changing threat landscape in order to protect your applications.
Recently, AWS WAF launched four new features that are centered on rule customization:
- Labels – Metadata that can be added to web requests when a rule is matched. Labels can be used to alter the behavior or default action of managed rules.
- Version management – You can select a specific version of a managed rule group. Versioning can be used to return to previously tested versions.
- Scope-down statements – Use to narrow the scope of the requests that a rule group evaluates.
- Custom responses – Send a custom HTTP response back to the client from AWS WAF when a rule blocks a connection request.
In this blog, we go through four use cases to demonstrate how you can use these features to improve your security posture by customizing managed rules.
Case 1: Control automatic updates for a managed rule group by selecting a specific version
By default, managed rule groups are updated automatically as updates become available. This ensures you have the latest protection as soon as it’s available. With the version management feature, you can choose to stay on a specific version, meaning that it won’t update until you explicitly move to a newer version. This allows you to test a new version and promote it to your web ACL when you’re ready, and to return to a previously tested version if necessary.
Note: It’s recommended that you use a version as close as possible to the latest.
To select a managed rule group version
- In your AWS WAF console, navigate to the web ACL where you’ve added a managed rule group.
- Select the managed rule group whose version you want to set, and choose Edit.
- In the Version selection drop down, select the version you want to use. You’ll remain on this version until the version expires or you select another version—you’ll learn how to manage version expiration later in this post.
Note: If you want to receive updates automatically, select Default as the version.
- Choose Save Rule to save the configuration.
Figure 1: Console screenshot showing the AWS Managed Rules version drop down
Set up notifications
You can use Amazon Simple Notification Service (Amazon SNS) to get notifications of updates to a managed rule group. You can subscribe to the SNS topic using the ARN of the managed rule group. Every SNS notification for AWS Managed Rules updates uses the same message format, which enables you to consume these updates programmatically. For more details on the SNS notification message format, see Getting notified of new versions and updates to a managed rule group.
To set up email notifications on new rule updates through Amazon SNS
- In your AWS WAF console, navigate to the web ACL where you added the managed rule group.
- Select the managed rule group that you want to receive notifications for, and choose Edit.
- On the Core rule set page, look for the Amazon SNS topic ARN. Select the link to go to the Amazon SNS console. Make a note of the topic ARN to use in step 4.
Figure 2: Console screenshot highlighting the SNS topic ARN
- On the Create subscription page, enter the following information:
Topic ARN: Enter the SNS topic ARN from step 3.
Protocol: Select Email.
Endpoint: Enter the email address where you want notifications sent.
Figure 3: SNS Create subscription console screenshot
- Choose Create subscription.
- Watch for a confirmation email from Amazon SNS. Choose the confirm subscription link in the email to complete the subscription.
Set up a version expiration alert using a CloudWatch alarm
When you stay on a specific version of managed rule group for a long time, there is a risk that you may miss important updates. To ensure you do not stay on a stale version for long time, you should set up an alarm to alert you when a version is close to expiring. When a version expires, the managed rule group automatically switches to the default version. To be notified when a version is about to expire, set up an alert using an Amazon CloudWatch alarm based on DaysToExpiry. You can use the following procedure to set up a notification 60 days before a specific version of the rule set you’re using expires.
To set up a CloudWatch alarm
This will notify you 60 days before a specific version of a rule set expires
- Navigate to the CloudWatch console.
- Select All metrics from the left navigation pane, and then select WAFV2 from the list of namespaces.
- Choose ManagedRuleGroup, Region, Vendor, Version.
- Select the managed rule group whose expiration you want to monitor. This example uses AWSManagedRulesCommonRuleSet and Version_1.0.
- Select Graphed metric and select the bell alarm icon on the lower right, under Actions. Selecting this icon will take you to the CloudWatch alarms console.
Figure 4: CloudWatch Graphed metrics tab
- Configure the CloudWatch alarm with the following details, and then choose Next:
Statistic: Select Minimum
Period: Select 5 minutes
Threshold Type: Select Static
Operator: Select Lower/Equal (<=threshold)
Threshold: Enter the value as 60
Datapoints to alarm: Enter the lower value as 1 and higher value as 1
Missing data treatment: Select Treat missing data as good (not breaching threshold)
- Select the SNS topic that you want to be launched when the configured alarm goes to ALARM state and choose Next.
- Enter a name and description for the Alarm. Choose Next to preview the configuration and choose Create Alarm to complete the CloudWatch alarm creation process.
- If the version of a managed rule group that you’re using has expired, AWS WAF will prevent any configuration change to the web ACL until you select a valid version. You should move onto the newest version as soon as possible so you are covered against the latest threats.
- You will only receive the DaysToExpiry metric when there is traffic flowing through your web ACL.
- You can use two different versions of a managed rule group in a web ACL. This can be useful if you want to test two different versions simultaneously to see how they will affect your traffic once deployed—for example, have one version in count mode and the other in block mode.
Note: This workflow is supported through the JSON rule editor and API, but not through the console.
Case 2: Use labels to mitigate false positives caused by a rule in a managed rule group
A label is metadata that a rule can add to matching web requests, regardless of the action associated with the rule. The latest version of AWS Managed Rules supports labels. By creating custom rules that match requests that have labels, you can change the behavior or default action of rules inside a managed rule group.
For example, if you have a rule that’s causing a false positive in a managed rule group, you can mitigate it by overriding the managed rule to Count and writing a custom rule with logic similar to the following:
IF (Statement 1) AND NOT (Statement 2) THEN Block
Statement 1 matches on the label generated from the rule causing a false positive.
Statement 2 contains exception conditions for when you don’t want the rule to evaluate because it’s causing false positives.
Consider a scenario where redirection requests to your application are blocked due to the rule GenericRFI_QUERYARGUMENTS in the managed rule group you’re using. This rule inspects the value of all query parameters and blocks requests that attempt to exploit remote file inclusion (RFI) in web applications, such as :// embedded midway through a URL. An example of a legitimate redirection request that could be blocked due to the characters :// present in the query argument scope could be as follows:
https://ourdomain.com/sso/complete?scope=email profile https://www.redirect-domain.com/auth/email https://www.redirect-domain.com/auth/profile
To prevent similar legitimate requests from being blocked, you can write a custom rule to match based on the label.
Step 1: Set the specific managed rule group to count mode
The first step is to set the specific managed rule to count mode, so that labels are added to the matching requests. Next, the priority of the managed rule must be set higher than the priority of the custom rule.
To set the specific managed rule group to count mode
- In your AWS WAF console, navigate to your web ACL and select the Rules tab. Choose Add Rule, and then select Add managed rule groups.
- Select AWS managed rule groups.
- Under Free rule groups, look for Core rule set and add it to your web ACL by selecting the toggle Add to web ACL.
- Choose Edit.
- From the list of rules, set the rule generating false positives to the Count action, by selecting the Count toggle beside the rule. This example changes the action for the rule GenericRFI_QUERYARGUMENTS to Count. This ensures that all the matching requests are sent to the subsequent WAF rules in order of priority and adds the label awswaf:managed:aws:commonruleset:GenericRFI_QueryArguments whenever there’s a matching request.
- Choose on Save rule.
- Choose Add rules again to go to the next window where you can set the rule priority. The managed rule must have a higher priority than the custom rule that you will create in the next steps.
- Choose Save to save the configuration.
Step 2: Add a custom rule to the web ACL with lower priority than the managed rule
Create a custom rule in the web ACL that blocks requests if it has the label that you are looking for and doesn’t have the exception condition that caused the false positive. The priority of this custom rule should be set lower than the managed rule.
To add a custom rule with lower priority than the managed rule
- In your AWS WAF console, navigate to your web ACL Rules tab and choose Add Rule and select Add my own rules and rule groups.
- Select Rule Builder for the rule type.
- Enter a Rule Name and select Regular Rule as the Type.
- Use the If a request drop down to select matches all the statements (AND).
- Statement 1 checks if the request has the label that you’re looking for. In this example it is configured with the following details:
Inspect: Select Has a label
Labels: Select Label
Match key: Select awswaf:managed:aws:commonruleset:GenericRFI_QueryArguments
- All subsequent statements must be negated so that the requests don’t match the statement criteria and will be treated as legitimate requests. In this example, we set NOT Statement 2, that checks if the request contains https://www.redirect-domain.com/ in its query string:
Enable: Select Negate statement results
Inspect: Select All query parameters
Match type: Select Contains string
String to Match: Enter https://www.redirect-domain.com/
Text transformation: Select None
- Under Action, select Block and choose Add rule.
- In the Set rule Priority window, set the rule priority of your custom rule to lower than the AWS Managed Rules rule.
- Choose Save.
Case 3: Use a scope-down statement to narrow the scope of traffic matching a managed rule group
A scope-down statement can be added to any rule group to narrow the scope of the requests that a rule group evaluates. This allows you to either filter in the requests that you want the rule group to inspect or filter out any requests that doesn’t meet the criteria.
Consider a case where you have a list of trusted IP address that you don’t want to be evaluated against AmazonIPReputationList. You can avoid blocking these trusted IP addresses by using a scope-down statement to exclude the traffic from evaluation.
Step 1: Create the IP set for allowed list of IPs
The first step is to create an IP set that contains the allowed list of IPs. The IP set can be created for a particular AWS Region, or can be global if the web ACL is associated with an Amazon CloudFront distribution.
- Choose IP sets in the AWS WAF console and then choose Create IP set.
- In IP set name enter Allowed IPs. Enter the IPs that you want to allow in IP addresses. Choose Create IP set when done.
Figure 5: Console screenshot creating an IP set
Step 2: Add a scope-down statement to the managed rule group
Once you have created the IP set, you can add a scope down statement in your managed rule group so that traffic originating from the IPs in the IP set aren’t evaluated against the rules in the managed rule group.
To add a scope-down statement
- On the Rules tab of you your web ACL, choose Add Rule and select Add managed rule groups.
- Select AWS managed rule groups.
- Under Free rule groups, turn on Amazon IP reputation list to add it to the web ACL and choose Edit.
- Select Enable scope-down statement.
Figure 6: Console screenshot showing enabling the scope-down statement
- Add the condition so that only the requests that don’t originate from the allowed IPs list created earlier are evaluated for this rule group. Use the If a request drop down to select doesn’t match the statements (NOT).
Inspect: Select Originates from an IP address in
IP set: Select Allowed-IPs
IP address to use as the originating address: Select Source IP address
Figure 7: Scope down statement configuration console screenshot
- Choose Save rule to add this rule to your web ACL.
Case 4: Use custom responses to change the default block action for a managed rule group
AWS WAF sends back response code 403 (forbidden) when it blocks an incoming request. You can use the custom response feature to instead send a custom HTTP response back to the client when the rule blocks access. Using the custom response, you can customize the status code, response headers, and response body.
Let’s say you want to respond back to a client who might be connecting to your application over VPN. You want to use a custom response to inform the user that this behavior is discouraged, by sending error code 400 (Bad Request) and a static body message (“Please don’t try to connect over a VPN”). To do this, you can use the AWS Managed Rule group AWSManagedRulesAnonymousIpList and then set up custom rules using the label awswaf:managed:aws:anonymous-ip-list:AnonymousIPList.
Step 1: Create a custom response body
The first step in creating a custom response is to create a custom response body. This is the message that will be shown when the custom response is sent.
To create a custom response body
- In the AWS WAF console, open your web ACL and select the Custom response bodies tab.
- Choose Create custom response body.
- In Response body object name, enter a name for this response—for example, Custom-body-IP-list.
- Choose a Content type for the response body.
- In Response body, enter the response that you want to send back to the client.
- Choose Save.
Figure 8: Custom response body creation on the AWS WAF console
Step 2: Override the actions of the managed rule group
The rule you use to send your custom response should be in count mode. This will ensure that all the matching requests are sent to the subsequent WAF rules in priority order. In the following example, the rule AnonymousIPList in the managed rule group AWSManagedRulesAnonymousIpList is set to count mode. For more details on how to override the action of a managed rule group, see Overriding the actions of a rule group or its rules.
Figure 9: console screenshot overriding an AWS Managed Rules rule
Step 3: Create a rule to block the request and send a custom response back to the client
You’ll use the AWS WAF labels feature for this step. As explained in Case 2 above, you need to create a custom rule that matches the label generated by the managed rule. In this case the, custom rule should be configured to send your custom response.
To create a custom rule
- Expand the Custom response section and select Enable.
- Under Response code, enter the custom HTTP status code you want to send back to the client.
- (Optional) Use the Response headers section if you wish to add a custom response header
- Under Choose how you would like to specify the response body, select the custom response body you created in Step 1.
- (Optional) If you wish to generate additional labels to track activity in logs, you can use Add label.
- Choose Add rule.
- Set the rule priority of your custom rule to lower than the AWS Managed Rules rule.
- Choose Save.
Figure 10: Console screenshot configuring a custom response body for a rule
In this post, we demonstrated how the new AWS WAF features such as labels, version management, scope-down statements, and custom responses can help you customize the behavior of AWS Managed Rules to protect your web applications and minimize risk. You can use these features in various ways, such as customizing AWS Managed Rules by combining labels and request properties to allow or block requests, and using labels to help filter logs.
You can learn more about AWS WAF in other AWS WAF–related Security Blog posts.
If you have feedback about this post, submit comments in the Comments section below.
Want more AWS Security news? Follow us on Twitter.