
How do I resolve issues with my web ACL in a Firewall Manager AWS WAF policy?


I used AWS Firewall Manager to create an AWS WAF policy for my web access control list (web ACL). The web ACL isn't correctly associated with its resources, or the Firewall Manager policy is in a noncompliant status.

Resolution

The web ACL association behavior for the AWS WAF policy in Firewall Manager depends on how you configure auto remediation. It also depends on whether a web ACL is already associated with your in-scope resource.

Check your configuration settings

To associate the web ACL with your in-scope resources, turn on both of the following settings:

  • Auto remediate any non-compliant resources
  • Replace web ACLs that are currently associated with in-scope resources with the web ACLs created by this policy

Validate the expected web ACL behavior

If you turn off Auto remediate any non-compliant resources, then the web ACL doesn't associate with in-scope resources.

If you turn on only Auto remediate any non-compliant resources, then Firewall Manager takes the following actions:

  • Creates a web ACL for noncompliant AWS accounts that are within the policy scope. The web ACL name begins with FMManagedWebACLV2 and contains the rule groups that the policy defines.
  • Associates the web ACL with all noncompliant resources in the accounts that aren't already associated with a web ACL.

When you turn on both Auto remediate and Replace web ACLs, Firewall Manager handles existing web ACL associations in the following ways:

  • If the resource has a custom AWS WAF Classic web ACL, then the Firewall Manager web ACL replaces the existing web ACL.
  • If the resource has a custom AWS WAF web ACL and is in an AWS WAF Classic policy, then the Firewall Manager web ACL doesn't replace the existing web ACL.
  • If the resource has a custom AWS WAF web ACL and is in an AWS WAF policy, then the Firewall Manager web ACL replaces the existing web ACL.
  • Firewall Manager web ACLs replace AWS WAF web ACL associations that exist on resources. This includes those associated as part of an AWS Shield Advanced policy when automatic application layer mitigation is turned off.

If a resource has Shield Advanced automatic application layer mitigation turned on, then Firewall Manager can't replace the existing web ACL that contains the Shield-managed mitigation rule groups. In this case, Firewall Manager marks the resource as noncompliant and doesn't apply the AWS WAF policy until you turn off automatic application layer mitigation.

Firewall Manager web ACLs don't replace existing Firewall Manager AWS WAF Classic policy web ACLs. Firewall Manager web ACLs also don't replace existing Firewall Manager AWS WAF policy web ACLs.

To move a resource to a different policy, first check whether the new policy's Firewall Manager web ACL replaces the existing web ACL. If it doesn't, then you must first update the existing policy's scope to exclude the resource.

Web ACL replacement examples

Example 1

You have Policy A and Policy B for AWS WAF Classic. Both policies have resources. You have a resource that's in scope for Policy A. You want to replace the association with a web ACL that Policy B created. To replace the association, edit the policy scope of Policy A to exclude that specific resource. After you exclude the resource, Policy A removes the web ACL association. If the resource is now in scope for Policy B, then Policy B associates the resource with its web ACL.

Example 2

You have Policy A and Policy B for AWS WAF. Both policies have in-scope resources. For resource cleanup, you turned off Automatically remove protections from resources that leave the policy scope.

The following behaviors happen:

  • When the resource leaves the policy scope, Policy A doesn't automatically disassociate the web ACL it creates from the resource.
  • You create a new AWS WAF policy, Policy B, with an in-scope resource. The new policy replaces the previous AWS WAF policy web ACL.
  • You create a new AWS WAF Classic policy, Policy B, with an in-scope resource. The new policy doesn't replace the previous AWS WAF policy web ACL.
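The rules in the two sections above are easy to misread when several of them apply to one resource. The following added example (not code from the article or from AWS) encodes them as a decision function so you can predict, for an inventory of resources, which ones Firewall Manager will associate, replace, leave alone, or mark noncompliant, and what the article says to change in each case. The resource identifiers, the `Resource`/`PolicySettings` types and the `decide`/`plan` functions are all constructed for this example; combinations the article does not describe are reported as `NOT_COVERED` rather than guessed.

```python
"""Decision model for Firewall Manager web ACL association (added example, not AWS code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class PolicyType(Enum):
    WAF = "AWS WAF policy"
    WAF_CLASSIC = "AWS WAF Classic policy"


class ExistingAcl(Enum):
    NONE = "no web ACL"
    CUSTOM_CLASSIC = "custom AWS WAF Classic web ACL"
    CUSTOM_WAF = "custom AWS WAF web ACL"
    FMS_CLASSIC_POLICY = "web ACL created by another Firewall Manager AWS WAF Classic policy"
    FMS_WAF_POLICY = "web ACL created by another Firewall Manager AWS WAF policy"
    SHIELD_ADVANCED_POLICY = "web ACL associated by a Shield Advanced policy"


class Outcome(Enum):
    NO_ACTION = "no association change"
    ASSOCIATE = "Firewall Manager web ACL associated"
    REPLACE = "existing web ACL replaced by the Firewall Manager web ACL"
    NONCOMPLIANT = "resource marked noncompliant, existing web ACL kept"
    NOT_COVERED = "combination not described in the article"


@dataclass
class PolicySettings:
    auto_remediate: bool    # "Auto remediate any non-compliant resources"
    replace_web_acls: bool  # "Replace web ACLs that are currently associated with in-scope resources"


@dataclass
class Resource:
    resource_id: str
    existing_acl: ExistingAcl
    # For FMS_*_POLICY web ACLs: is the resource still in that other policy's scope?
    # False models Example 2: it left the scope and protections were not auto-removed.
    owner_policy_still_in_scope: bool = True
    # Shield Advanced automatic application layer mitigation turned on for this resource?
    shield_auto_mitigation: bool = False


@dataclass
class Decision:
    outcome: Outcome
    hint: str = ""  # what the article says to change, if anything


def decide(policy_type: PolicyType, settings: PolicySettings, res: Resource) -> Decision:
    """Apply the article's association rules to one resource."""
    if not settings.auto_remediate:
        return Decision(Outcome.NO_ACTION, "Turn on 'Auto remediate any non-compliant resources'.")
    if res.existing_acl is ExistingAcl.NONE:
        # Auto remediate alone associates with resources that have no web ACL yet.
        return Decision(Outcome.ASSOCIATE)
    if not settings.replace_web_acls:
        return Decision(Outcome.NO_ACTION, "Turn on 'Replace web ACLs ...' to take over resources that already have a web ACL.")
    # From here on both settings are on.
    if res.shield_auto_mitigation:
        return Decision(Outcome.NONCOMPLIANT, "Turn off Shield Advanced automatic application layer mitigation first.")
    acl = res.existing_acl
    if acl is ExistingAcl.CUSTOM_CLASSIC:
        return Decision(Outcome.REPLACE)
    if acl is ExistingAcl.CUSTOM_WAF:
        if policy_type is PolicyType.WAF_CLASSIC:
            return Decision(Outcome.NO_ACTION, "An AWS WAF Classic policy does not replace a custom AWS WAF web ACL.")
        return Decision(Outcome.REPLACE)
    if acl is ExistingAcl.SHIELD_ADVANCED_POLICY:
        # Auto mitigation is off here, so the AWS WAF web ACL association is replaced.
        return Decision(Outcome.REPLACE) if policy_type is PolicyType.WAF else Decision(Outcome.NOT_COVERED)
    # Web ACL managed by another Firewall Manager policy.
    if res.owner_policy_still_in_scope:
        return Decision(Outcome.NO_ACTION, "Exclude the resource from the other policy's scope first.")
    if acl is ExistingAcl.FMS_WAF_POLICY:  # Example 2 behaviours
        if policy_type is PolicyType.WAF:
            return Decision(Outcome.REPLACE)
        return Decision(Outcome.NO_ACTION, "An AWS WAF Classic policy does not replace a previous AWS WAF policy web ACL.")
    return Decision(Outcome.NOT_COVERED)


def plan(policy_type: PolicyType, settings: PolicySettings, resources: List[Resource]) -> Dict[str, Decision]:
    """Run decide() over an inventory and key the results by resource id."""
    return {r.resource_id: decide(policy_type, settings, r) for r in resources}


if __name__ == "__main__":
    # Constructed sample inventory with hypothetical resource ids, not real account data.
    inventory = [
        Resource("alb-no-acl", ExistingAcl.NONE),
        Resource("alb-custom-waf", ExistingAcl.CUSTOM_WAF),
        Resource("cf-shield-auto", ExistingAcl.SHIELD_ADVANCED_POLICY, shield_auto_mitigation=True),
        Resource("alb-in-policy-a", ExistingAcl.FMS_WAF_POLICY),
        Resource("alb-left-policy-a", ExistingAcl.FMS_WAF_POLICY, owner_policy_still_in_scope=False),
    ]
    both_on = PolicySettings(auto_remediate=True, replace_web_acls=True)
    for rid, d in plan(PolicyType.WAF, both_on, inventory).items():
        print(f"{rid:18} {d.outcome.value}" + (f"  -> {d.hint}" if d.hint else ""))
```

Running the script with a Shield-protected resource or a resource still owned by another policy shows the two cases that remain noncompliant no matter how the new policy is configured, together with the prerequisite change the article names for each.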

For more information on policy scope options, see Using the AWS Firewall Manager policy scope.

Related information

Creating an AWS Firewall Manager policy for AWS WAF Classic

Creating an AWS Firewall Manager policy for AWS WAF

Using Automatic application layer DDoS mitigation with Firewall Manager Shield Advanced policies

AWS OFFICIAL | Updated 3 months ago
1 Comment

This article is not correct. FMS does not replace Shield WebACL if they have enabled automatic application layer protection.

This has now been fixed with:

If a resource has Shield Advanced automatic application layer mitigation enabled, Firewall manager can't replace the existing WebACL that contains the Shield-managed mitigation rule groups. In this case, Firewall manager marks the resource as non-compliant and doesn't apply the AWS WAF policy until you disable automatic application layer mitigation.

AWS EXPERT, replied 2 years ago