WAF "AWS Managed Rules" for "Windows Operating System" block SNS requests sent by AWS Textract

I've noticed that if you enable the "Windows Operating System" rule group from the "AWS Managed Rules" rule group against your Web ACL in WAF that SNS notifications generated by AWS Textract are blocked due to matching the rule:

AWS#AWSManagedRulesWindowsRuleSet#WindowsShellCommands_BODY

Whilst that rule can be edited and "count" switched on instead to mitigate the issue the problem then is that you loose that rules protection against legitimate attacks. My questions therefore is how can do we add the AWS services to an allow list so that they do not trigger the block themselves whilst leaving the rule in place for all other requests? Do we have to allow all AWS IPs by creating a IP set covering the all IP ranges within expected regions or is there another way to simply say "allow AWS based services"?

Topics

Security, Identity, & Compliance Application Integration

Relevant content

AWS Managed Rules rule groups
JF
asked 9 months ago
WAF managed rules blocking SES incoming email notifications
Chris-D
asked 2 years ago
[AWS WAF] Can't hit the rule with managed rules included in custom rules
Nam Tran
asked 2 years ago
WAF Managed Group Rules (notifications, etc)
Accepted Answer
MODERATOR
AWS-User-3650908
asked 4 years ago
How do I explicitly allow file uploads that an AWS WAF rule blocks without excluding the rule?
AWS OFFICIALUpdated a year ago
How does WorkSpaces manage operating system updates for Windows?
AWS OFFICIALUpdated 8 months ago
How do I allow requests from a bot blocked by AWS WAF Bot Control managed rule group?
AWS OFFICIALUpdated 2 years ago
How can I configure a custom response for AWS WAF managed rules?
AWS OFFICIALUpdated 9 months ago
AWS Service Management Connector introduces AWS Health and AWS Systems Manager OpsCenter integrations in Jira Cloud
EXPERT
SMC_user
published 6 months ago
Configuring AWS Systems Manager for use with VMware Cloud on AWS
EXPERT
Jonas Werner
published 9 months ago