WAF Managed Group Rules (notifications, etc)

  1. Is there any release cadence for changes to an aws managed rule?
  2. Is there any notification that an ACL is being changed/updated?
  3. How can you get information on what particular part of a request is specifically triggering the count/block?
  4. Can we add a custom 403 page on our WAF?
asked 3 years ago · 110 views
1 Answer
Accepted Answer
  1. There is no release cadence for changes to AWS (Marketplace) Managed rules; they are automatically updated by AWS (or the marketplace seller) when new vulnerabilities and threats emerge.

  2. No notification is sent when an AWS (or marketplace) managed rule is updated. Every time an AWS (or marketplace) managed web ACL is updated, you have a CloudTrail UpdateWebACL API call in your account; you can set up an event to trigger off of CloudTrail when the UpdateWebACL API is called. The easiest way to do this would be to subscribe to an SNS topic and then create a CloudWatch Event rule to trigger this. Keep in mind that the RuleGroup within the WebACL is owned and managed by the vendor; you will not be able to see/know what changes were made. "Each AWS Marketplace rule group provides a comprehensive description of the types of attacks and vulnerabilities that it's designed to protect against. To protect the intellectual property of the rule group providers, you can't view the individual rules within a rule group. This restriction also helps to keep malicious users from designing threats that specifically circumvent published rules." - https://docs.aws.amazon.com/waf/latest/developerguide/waf-managed-rule-groups.html

  3. You can have more information from WAF logs (https://docs.aws.amazon.com/waf/latest/developerguide/logging.html).

  4. Currently AWS does not provide a way to add a custom error page to WAF. If they're using WAF with CloudFront, they can use Lambda@Edge to differentiate 403s generated by WAF from those generated by the origin of the distribution. I wrote a blog post on this a few months ago: https://aws.amazon.com/blogs/networking-and-content-delivery/generating-dynamic-error-responses-in-amazon-cloudfront-with-lambdaedge/

answered 3 years ago
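Point 3 of the answer says the WAF logs tell you what part of a request triggered a count or block. The following is an added example, not code from the answer or from AWS: it reads newline-delimited WAF log records and reports, per request, the rule group and rule that matched (terminating BLOCK rules and COUNT-mode rules alike) together with the request location and matched data. The two log records are constructed samples that follow the WAF log field names; the rule and group IDs in them are illustrative.

```python
import json

# Constructed sample records in the AWS WAF log format (not real traffic).
SAMPLE_LOGS = [
    json.dumps({
        "timestamp": 1600000000000, "action": "BLOCK",
        "terminatingRuleId": "AWS-AWSManagedRulesCommonRuleSet",
        "terminatingRuleType": "MANAGED_RULE_GROUP",
        "terminatingRuleMatchDetails": [
            {"conditionType": "XSS", "location": "BODY", "matchedData": ["<script>"]}],
        "ruleGroupList": [{
            "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet",
            "terminatingRule": {"ruleId": "CrossSiteScripting_BODY", "action": "BLOCK"},
            "nonTerminatingMatchingRules": []}],
        "httpRequest": {"clientIp": "192.0.2.10", "uri": "/login", "httpMethod": "POST"}}),
    json.dumps({
        "timestamp": 1600000001000, "action": "ALLOW",
        "terminatingRuleId": "Default_Action", "terminatingRuleType": "REGULAR",
        "terminatingRuleMatchDetails": [],
        "ruleGroupList": [{
            "ruleGroupId": "AWS#AWSManagedRulesSQLiRuleSet", "terminatingRule": None,
            "nonTerminatingMatchingRules": [{
                "ruleId": "SQLi_QUERYARGUMENTS", "action": "COUNT",
                "ruleMatchDetails": [{"conditionType": "SQL_INJECTION",
                                      "location": "QUERY_STRING", "matchedData": ["1=1"]}]}]}],
        "httpRequest": {"clientIp": "198.51.100.7", "uri": "/search", "httpMethod": "GET"}}),
]

def _where(details):
    # Render each match detail as "LOCATION: matched data" (e.g. "BODY: <script>").
    return [f"{d.get('location')}: {' '.join(d.get('matchedData') or [])}" for d in details]

def explain_record(record):
    """Summarise which rule group / rule matched a request and on which request part."""
    matches = []
    for group in record.get("ruleGroupList") or []:
        gid = group.get("ruleGroupId")
        term = group.get("terminatingRule")
        if term:  # rule that decided the action; its details may sit at the record top level
            details = term.get("ruleMatchDetails") or record.get("terminatingRuleMatchDetails") or []
            matches.append({"group": gid, "rule": term["ruleId"], "action": term["action"], "where": _where(details)})
        for rule in group.get("nonTerminatingMatchingRules") or []:  # COUNT-mode hits
            matches.append({"group": gid, "rule": rule["ruleId"], "action": rule["action"],
                            "where": _where(rule.get("ruleMatchDetails") or [])})
    req = record.get("httpRequest", {})
    return {"action": record.get("action"), "terminating_rule": record.get("terminatingRuleId"),
            "request": f"{req.get('httpMethod')} {req.get('uri')} from {req.get('clientIp')}", "matches": matches}

def explain_log_lines(lines):
    """Parse newline-delimited WAF log JSON and explain every record."""
    return [explain_record(json.loads(line)) for line in lines if line.strip()]
```

Run it over the lines of a WAF log file delivered to S3 or CloudWatch Logs to see, for each blocked or counted request, the exact rule and request location instead of only the group-level terminatingRuleId.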
