How do I know which managed AWS WAF labels are used by managed rules?


I have created a WebACL and added some rule groups in count mode. Before turning rule actions to Block (or Challenge/Captcha) I would like to evaluate potential impact on my web application. With AWS WAF logs I am able to see which labels were applied by rules that were used to evaluate the request, but how do I correlate them with specific rules?

1 Answer

Accepted Answer

You can find labels consumed by individual rules of some AWS managed rule groups, like AWS WAF Bot Control and Fraud Control, in the AWS WAF documentation.

While there is currently no API to get 1:1 label-to-rule mappings in a machine-readable format, you can use the DescribeManagedRuleGroup API to get all Rules of a specific rule set, as well as all of its ConsumedLabels. Please note that ConsumedLabels is a different field from AvailableLabels. Available labels describe all labels that may be added to requests processed by the rule group upon a condition match. Unless specified as consumed labels, these labels are not used by the managed rules of the rule set.

You can use the DescribeManagedRuleGroup API like this:

aws wafv2 describe-managed-rule-group --scope=CLOUDFRONT --vendor-name=AWS --name=AWSManagedRulesATPRuleSet > atp.json

Alternatively, you can access the same API with the AWS SDK using the programming language of your choice. Here's a short TypeScript snippet to output rules and consumed labels for specific rule groups in Markdown format:

import { WAFV2Client, DescribeManagedRuleGroupCommand } from "@aws-sdk/client-wafv2";

// The client takes its region from the environment; CLOUDFRONT-scoped WAF resources are
// managed through us-east-1, so set AWS_REGION accordingly for that scope.
const client = new WAFV2Client();
const describeCommandDefaultInput = { Scope: 'CLOUDFRONT', VendorName: 'AWS' } as const;
const sendDescribeRuleGroupCommand = (Name: string) => client.send(new DescribeManagedRuleGroupCommand({ Name, ...describeCommandDefaultInput }));
// Rules, AvailableLabels and ConsumedLabels are optional in the SDK output type, so default to [].
const getSortedNames = (arr: { Name?: string }[] | undefined) => (arr ?? []).map(x => x.Name!).sort();

const RULE_GROUP_NAMES = [
  'AWSManagedRulesBotControlRuleSet',
  'AWSManagedRulesACFPRuleSet',
  'AWSManagedRulesATPRuleSet',
];

for (const ruleGroupName of RULE_GROUP_NAMES) {
  const ruleGroup = await sendDescribeRuleGroupCommand(ruleGroupName);
  console.log('#', ruleGroupName);

  // Labels that rules of this group actually evaluate (not the full AvailableLabels list).
  const consumedLabels = getSortedNames(ruleGroup.ConsumedLabels);
  console.log('####', consumedLabels.length, 'consumed labels');
  consumedLabels.forEach(label => console.log('-', label));

  const rules = getSortedNames(ruleGroup.Rules);
  console.log('####', rules.length, 'rules');
  rules.forEach(rule => console.log('-', rule));
}

Also, please note that the number of consumed labels is usually far lower than the number of available labels in any rule set, and rule and label names are usually meaningful enough to correlate them.

AWS
Piotrek
answered a month ago
EXPERT
reviewed a month ago
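To put the answer's two halves together before flipping rule actions, here is an added example (not part of the original answer or of any AWS code) that reads AWS WAF log records, tallies which rules of one managed rule group produced COUNT matches (`ruleGroupList[].nonTerminatingMatchingRules`) and which of the group's labels were attached, and then uses the ConsumedLabels list from a DescribeManagedRuleGroup response to flag labels that merely feed another rule rather than act on their own. Field names follow the WAF JSON log format; the log records, the describe output and the rule/label names are constructed for illustration and should be replaced with real logs and the real `atp.json`. How many of the counted requests would actually be blocked, challenged or sent a CAPTCHA once you switch from Count depends on each rule's configured action, which the report does not try to guess.

```typescript
// Added example, not from the original answer: assess a managed rule group running in
// Count mode from AWS WAF log records, cross-referenced with DescribeManagedRuleGroup
// output. Sample records, rule names and label names are constructed for illustration.

interface LabelSummary { Name?: string }
interface DescribeOutput { Rules?: { Name?: string }[]; AvailableLabels?: LabelSummary[]; ConsumedLabels?: LabelSummary[] }
interface MatchingRule { ruleId: string; action: string }
interface RuleGroupEntry { ruleGroupId: string; terminatingRule: MatchingRule | null; nonTerminatingMatchingRules: MatchingRule[] }
interface WafLogEntry { timestamp: number; action: string; ruleGroupList: RuleGroupEntry[]; labels?: { name: string }[] }
interface ImpactReport {
  countedRules: Record<string, number>; // "<ruleGroupId>/<ruleId>" -> number of COUNT matches
  labelHits: Record<string, number>;    // labels of this rule group seen on requests
  consumedLabelHits: string[];          // seen labels that other rules of the group consume
  requestsWithCountMatch: number;       // requests on which at least one counted rule matched
}

const names = (arr?: LabelSummary[]): string[] =>
  (arr ?? []).map((x) => x.Name ?? "").filter((n) => n.length > 0);

// Parse newline-delimited WAF log records; a malformed line is skipped, not fatal.
function parseWafLogs(ndjson: string): WafLogEntry[] {
  const entries: WafLogEntry[] = [];
  for (const line of ndjson.split("\n")) {
    const trimmed = line.trim();
    if (trimmed.length === 0) continue;
    try {
      const obj = JSON.parse(trimmed) as WafLogEntry;
      if (Array.isArray(obj.ruleGroupList)) entries.push(obj);
    } catch {
      // truncated or non-JSON line (partial log delivery): skip it
    }
  }
  return entries;
}

// Tally COUNT matches per rule and label hits for one rule group, and flag observed
// labels that appear in ConsumedLabels (they feed another rule rather than act alone).
function assessCountModeImpact(entries: WafLogEntry[], ruleGroupId: string, describe: DescribeOutput): ImpactReport {
  const groupLabels = new Set<string>([...names(describe.AvailableLabels), ...names(describe.ConsumedLabels)]);
  const consumed = new Set<string>(names(describe.ConsumedLabels));
  const report: ImpactReport = { countedRules: {}, labelHits: {}, consumedLabelHits: [], requestsWithCountMatch: 0 };
  for (const entry of entries) {
    const group = entry.ruleGroupList.find((g) => g.ruleGroupId === ruleGroupId);
    let counted = false;
    for (const m of group?.nonTerminatingMatchingRules ?? []) {
      if (m.action !== "COUNT") continue;
      counted = true;
      const key = `${ruleGroupId}/${m.ruleId}`;
      report.countedRules[key] = (report.countedRules[key] ?? 0) + 1;
    }
    if (counted) report.requestsWithCountMatch += 1;
    for (const { name } of entry.labels ?? []) {
      if (!groupLabels.has(name)) continue; // label belongs to some other rule group
      report.labelHits[name] = (report.labelHits[name] ?? 0) + 1;
      if (consumed.has(name) && !report.consumedLabelHits.includes(name)) report.consumedLabelHits.push(name);
    }
  }
  return report;
}

// Constructed stand-in for describe-managed-rule-group output (names are illustrative).
const BOT_CONTROL_GROUP = "AWS#AWSManagedRulesBotControlRuleSet";
const NON_BROWSER = "awswaf:managed:aws:bot-control:signal:non_browser_user_agent";
const HTTP_LIBRARY = "awswaf:managed:aws:bot-control:bot:category:http_library";
const VERIFIED = "awswaf:managed:aws:bot-control:bot:verified";
const BOT_CONTROL_DESCRIBE: DescribeOutput = {
  Rules: [{ Name: "SignalNonBrowserUserAgent" }, { Name: "CategoryHttpLibrary" }],
  AvailableLabels: [{ Name: NON_BROWSER }, { Name: HTTP_LIBRARY }, { Name: VERIFIED }],
  ConsumedLabels: [{ Name: VERIFIED }],
};

// Constructed log records (one JSON object per line): two requests with Bot Control COUNT
// matches, one verified-bot request with no match, one malformed line, one hit in another group.
const botControl = (rules: MatchingRule[]): RuleGroupEntry[] =>
  [{ ruleGroupId: BOT_CONTROL_GROUP, terminatingRule: null, nonTerminatingMatchingRules: rules }];
const SAMPLE_LOGS = [
  JSON.stringify({ timestamp: 1, action: "ALLOW", labels: [{ name: NON_BROWSER }],
    ruleGroupList: botControl([{ ruleId: "SignalNonBrowserUserAgent", action: "COUNT" }]) }),
  JSON.stringify({ timestamp: 2, action: "ALLOW", labels: [{ name: VERIFIED }], ruleGroupList: botControl([]) }),
  JSON.stringify({ timestamp: 3, action: "ALLOW", labels: [{ name: NON_BROWSER }, { name: HTTP_LIBRARY }],
    ruleGroupList: botControl([{ ruleId: "SignalNonBrowserUserAgent", action: "COUNT" }, { ruleId: "CategoryHttpLibrary", action: "COUNT" }]) }),
  "this line is not JSON",
  JSON.stringify({ timestamp: 4, action: "ALLOW", labels: [{ name: "awswaf:managed:aws:core-rule-set:NoUserAgent_Header" }],
    ruleGroupList: [{ ruleGroupId: "AWS#AWSManagedRulesCommonRuleSet", terminatingRule: null,
      nonTerminatingMatchingRules: [{ ruleId: "NoUserAgent_HEADER", action: "COUNT" }] }] }),
].join("\n");

const SAMPLE_REPORT = assessCountModeImpact(parseWafLogs(SAMPLE_LOGS), BOT_CONTROL_GROUP, BOT_CONTROL_DESCRIBE);
console.log(JSON.stringify(SAMPLE_REPORT, null, 2));
```

On real data, feed `parseWafLogs` the decompressed log objects from your S3 or CloudWatch Logs destination and load `BOT_CONTROL_DESCRIBE` from the JSON written by the `describe-managed-rule-group` call above (for CLOUDFRONT scope that call must be made against us-east-1). A label that shows up only in `consumedLabelHits` is a signal other rules read, so its presence alone does not mean a request would be blocked; the `countedRules` entries are what will change behaviour once the rule group's override is removed.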
