How do I resolve issues with my web ACL in a Firewall Manager AWS WAF policy?

Resolution

The web ACL association behavior for the AWS WAF policy in Firewall Manager depends on the following settings:

• How you configure auto remediation
• If a web ACL is already associated with your in-scope resource

Check your configuration settings

To associate the web ACL with your in-scope resources, turn on both of the following settings:

• Auto remediate any non-compliant resources
• Replace web ACLs that are currently associated with in-scope resources with the web ACLs created by this policy

Validate the expected web ACL behavior

When you turn off Auto remediate any non-compliant resources, the web ACL doesn't associate with in-scope resources.

When you turn on only Auto remediate any non-compliant resources, Firewall Manager takes the following actions:

• Creates a web ACL for noncompliant AWS accounts that are within the policy scope. The web ACL name begins with FMManagedWebACLV2 and contains the rule groups that are defined in the policy.
• Associates the web ACL with all noncompliant resources in the accounts that aren't already associated with a web ACL.

When you turn on both Auto remediate and Replace web ACLs, Firewall Manager associates with web ACLs in the following ways:

• If a resource has a custom AWS WAF Classic web ACL, then the Firewall Manager web ACL replaces the existing web ACL.
• For a resource with a custom AWS WAF web ACL: if the resource is in an AWS WAF Classic policy, then the Firewall Manager web ACL doesn't replace the existing web ACL. If the resource is in an AWS WAF policy, then the Firewall Manager web ACL replaces the existing web ACL.
• Firewall Manager web ACLs replace web ACLs that an AWS Shield Advanced policy creates.
• Firewall Manager web ACLs don't replace existing Firewall Manager AWS WAF Classic policy web ACLs.
• Firewall Manager web ACLs don't replace existing Firewall Manager AWS WAF policy web ACLs.

To change the policy of a resource, check if the Firewall Manager web ACL replaces existing web ACLs. If it doesn't replace existing web ACLs, then you must first update the existing policy to exclude the resource.

Example 1

You have Policy A and Policy B for AWS WAF Classic. Both policies have resources. You have a resource that's in scope for Policy A. You want to replace the association with a web ACL that Policy B created. To replace the association, edit the policy scope of Policy A to exclude that specific resource. After the resource is excluded, Policy A removes the web ACL association. If the resource is now in scope for Policy B, then Policy B associates the resource with its web ACL.

Example 2

You have Policy A and Policy B for AWS WAF. Both policies have in-scope resources. For resource cleanup, Automatically remove protections from resources that leave the policy scope is turned off.

The following behaviors happens:

• If a resource leaves the policy scope, then the web ACL that Policy A creates isn't automatically disassociated from the resource.
• You create a new AWS WAF policy, Policy B, with an in-scope resource. The new policy replaces the previous AWS WAF policy web ACL.
• You create a new AWS WAF Classic policy, Policy B, with an in-scope resource. The new policy doesn't replace the previous AWS WAF policy web ACL.

For more information on policy scope options, see AWS Firewall Manager policy scope.

Related information

Creating an AWS Firewall Manager policy for AWS WAF Classic

Creating an AWS Firewall Manager policy for AWS WAF