Why isn't automatic remediation working for my Firewall Manager AWS WAF policy?

3 minute read

Automatic remediation isn't working for my AWS Firewall Manager WAF policy.

Short description

Firewall Manager AWS WAF polices use an auto remediation feature that associates the web ACL to your resources that you want to protect.

Resolution

Follow these best practices for creating an AWS Firewall Manager policy for AWS WAF.

Before you begin, be sure that you completed the AWS Firewall Manager prerequisites. For more information, see How do I set up AWS Firewall Manager for my AWS account?

Make sure that the AWS WAF policy scope includes the following:

The AWS accounts in the AWS Organization or specific organizational units (OUs).
If you are protecting Amazon CloudFront distributions, make sure that the AWS Region is set to Global.
If you are using managed rule groups, make sure that you are subscribed to the service in the AWS Marketplace first. For more information, see Rule groups.
For resource type, make sure that you include the types of resources that you want to protect. Note: The option to choose CloudFront distributions as a resource type is available only if you choose Global.
If you are using rule groups from AWS Marketplace sellers, make sure that your AWS accounts have active subscriptions. Otherwise, AWS WAF can't associate the web ACL to your in-scope resources.
After you review the effects of your policy, make sure that you activate automatic remediation.

For AWS WAF Classic, see Working with AWS WAF Classic rule groups for use with AWS Firewall Manager.

Firewall Manger policy precedence with Application Load Balancers

Scenario 1

If you have a policy for AWS Shield Advanced and another for Firewall Manager with an Application Load Balancer, the Firewall Manager policy takes precedence. This means that the Firewall Manager policy is associated with the Application Load Balancer because it overrides the Shield Advanced policy's web ACL.

Note: The Shield policy's blank web ACL is only in place to capture data that's coming into the resource. This data can be helpful for analyzing DDoS attacks.

Scenario 2

If you have two AWS WAF policies (P1 AND P2) for an Application Load Balancer in scope, then the policy that reaches the association first gets applied (P1). The second policy (P2) checks if the Application Load Balancer already has a web ACL associated with it.

Related information

AWS Firewall Manager FAQs

How can I use custom policy rules with my Firewall Manager content audit security group policy?

Topics

Security, Identity, & Compliance

Relevant content

AWS Managed WAF Ruleset-Size Restrictions_Body Issue
Sena S
asked 5 days ago
WCU Limit for Policies in Firewall Manager
ABCKaNi
asked a year ago
Centralized Management of WAF deployed across various AWS accounts
Accepted Answer
Gowtham
asked 8 months ago
Test all AWS WAF managed rules
Steven
asked a year ago
Remove WAF WebAcl created by Firewall Manager
awsbrz
asked a year ago
What is the web ACL association behavior for AWS Firewall Manager AWS WAF and AWS WAF classic policies?
AWS OFFICIALUpdated 2 years ago
How can I configure a custom response for AWS WAF managed rules?
AWS OFFICIALUpdated 9 months ago
Why is my AWS WAF custom rule not working?
AWS OFFICIALUpdated 2 years ago
How can I use custom policy rules with my Firewall Manager content audit security group policy?
AWS OFFICIALUpdated a year ago
AWS WAF & ALB One-Click Integration
EXPERT
Aanchal Agrawal
published 3 months ago