SAA-C03 · Chapter 54 of 189 · Objective 1.3

AWS WAF Rule Groups and Managed Rules

This chapter covers AWS WAF Rule Groups and Managed Rules, a core building block for securing web applications on AWS. For the SAA-C03 exam you need to know how managed rule groups protect against common web exploits such as SQL injection and cross-site scripting, since WAF and its neighbouring edge-security services appear regularly in Domain 1 questions. You will learn how rule groups are evaluated, how to configure them (including action overrides, versions and capacity), and how to combine managed rules with custom rules for defense in depth. Mastery of this topic lets you design architectures that meet compliance requirements and cover the OWASP Top 10 categories.

25 min read
Intermediate
Updated May 31, 2026

Security Guard with Pre-Approved Incident Playbooks

Imagine you manage a large office building with 50 entry points. You hire a security guard (AWS WAF) to inspect everyone entering. Instead of writing custom rules for every possible threat, you subscribe to a security service (Managed Rule Group) that provides pre-written, regularly updated playbooks. For example, the service sends you a playbook called 'SQL Injection Prevention' that contains specific instructions: 'If someone tries to enter and their ID badge contains characters like ' OR 1=1, detain them at the front desk and alert the security team.' Another playbook, 'IP Reputation List,' is a constantly updated list of known troublemaker license plates. When a car with a flagged plate arrives, the guard follows the playbook: deny entry and log the attempt. You, as the building manager, choose which playbooks to activate and how strictly to apply them (enforce them, or run them in observation-only mode for a while). The security company revises the playbooks as new threat intelligence arrives. You don't need to know the latest attack patterns; you just enable the playbook and the guard executes it. If you need custom rules, you can still write your own (custom rule) and combine them with the managed playbooks, placing your custom rules ahead of the playbooks when they need to take precedence. This is how AWS WAF Managed Rule Groups work: AWS or third-party vendors provide pre-configured, regularly updated rule sets that protect against common web threats, and you add them to your web ACL at a chosen priority, optionally overriding their actions.

How It Actually Works

What Are AWS WAF Rule Groups and Managed Rules?

AWS WAF is a web application firewall that helps protect your web applications from common web exploits that could affect application availability, compromise security, or consume excessive resources. A Rule Group is a reusable collection of rules that you can add to a web ACL. Rule groups can be either your own custom rule groups or managed rule groups provided by AWS or AWS Marketplace sellers. Managed rule groups are pre-configured and maintained by AWS or third-party vendors, automatically updated as new threats emerge.

Why Managed Rule Groups Exist

Writing effective WAF rules from scratch requires deep knowledge of attack patterns, regular updates to keep up with evolving threats, and careful tuning to avoid false positives. Managed rule groups solve this by offering curated, tested, and regularly updated rule sets. They let you quickly enable protection against common threats like SQL injection (SQLi), cross-site scripting (XSS), and known bad IP addresses without having to author and maintain the signatures yourself. This matters for organizations that must satisfy PCI DSS, which expects public-facing web applications to be protected, or that want demonstrable coverage of the OWASP Top 10 categories.

Internal Mechanism: How Rule Groups Work

A web ACL contains rules that are evaluated in priority order (lowest number first). Each entry is either a standalone rule or a reference to a rule group. When you add a rule group, its rules are evaluated as a block, in the order the group itself defines; you cannot reorder or edit the rules inside a managed rule group. What you can change from the web ACL is: (1) the group-level override action, which is either None (each rule keeps its own action) or Count (every match is counted and evaluation continues); (2) per-rule action overrides, which replace one named rule's action with Count, Block, Allow, CAPTCHA or Challenge without touching its inspection logic; and (3) a scope-down statement, which limits the requests the group inspects at all (for example, only requests to /api/).

Rule Evaluation: For each incoming HTTP request, WAF evaluates the web ACL's rules in priority order. Rules within a rule group are evaluated in the order the group defines. Allow and Block are terminal: the first matching terminal rule decides the request and evaluation stops. Count is non-terminal: WAF records the match (CountedRequests metric, sampled request, log entry) and continues with the next rule. CAPTCHA and Challenge are terminal only for requests that lack a valid token; a request carrying a valid token continues through the remaining rules.

Action Overrides: Setting a rule group's override action to Count changes every rule in the group to Count. This is the standard way to trial a managed rule group against production traffic: you see what it would have blocked before you let it block. When only one or two rules in a group misfire on legitimate traffic, use per-rule action overrides instead: set those specific rules to Count and leave the rest of the group enforcing.

Scope and Capacity: A web ACL has a scope of either CLOUDFRONT (created in us-east-1) or REGIONAL, and it protects only resources of that scope. Capacity is measured in web ACL capacity units (WCUs): every rule and rule group has a WCU cost, and the total for a web ACL must stay within its quota, which is 1,500 WCUs by default and adjustable through Service Quotas up to 5,000. Run aws wafv2 check-capacity on a proposed rule list before committing to it.
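The evaluation rules above (priority order, terminal versus non-terminal actions, a group-wide Count override, per-rule action overrides) are easy to state and easy to get wrong in practice. The following Python model is an added example written for this chapter; it is not AWS code and does not reproduce WAF's real inspection logic. The three group rules borrow the names of real AWSManagedRulesCommonRuleSet rules, but their match functions are deliberately crude stand-ins, and the requests are constructed dicts rather than real HTTP traffic.

```python
"""Toy model of how an AWS WAF web ACL evaluates rules and rule groups.

Added example for this chapter (not AWS code). Models the semantics in the
text: rules run in priority order; Allow/Block are terminal, Count is not;
a rule group's OverrideAction (None or Count) applies to the whole group;
RuleActionOverrides change single rules; a scope-down statement gates the
group. Match logic and requests are simplified stand-ins, not WAF's own.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional

Request = dict  # constructed request: {"path": str, "headers": {lowercase-name: value}, "body": bytes}

TERMINAL_ACTIONS = {"Allow", "Block"}


@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]
    action: str  # "Allow", "Block" or "Count"


@dataclass
class RuleGroupRef:
    """A rule group reference statement as it sits in a web ACL."""
    name: str
    rules: list                      # vendor-defined order; the web ACL cannot reorder these
    override_action: str = "None"    # group-wide: only "None" or "Count" are valid
    rule_action_overrides: dict = field(default_factory=dict)  # rule name -> replacement action
    scope_down: Optional[Callable[[Request], bool]] = None     # None means "inspect everything"


def evaluate(web_acl: dict, request: Request) -> tuple[str, list[str]]:
    """Walk the web ACL in priority order; return (final action, rules that matched)."""
    fired: list[str] = []
    for _priority, entry in sorted(web_acl["rules"], key=lambda pair: pair[0]):
        if isinstance(entry, Rule):
            candidates = [(entry.name, entry, None)]
        else:
            if entry.scope_down is not None and not entry.scope_down(request):
                continue  # scope-down statement excludes this request from the whole group
            candidates = [(f"{entry.name}/{rule.name}", rule, entry) for rule in entry.rules]
        for label, rule, group in candidates:
            if not rule.matches(request):
                continue
            action = rule.action
            if group is not None:
                action = group.rule_action_overrides.get(rule.name, action)
                if group.override_action == "Count":
                    action = "Count"  # group-level Count wins over per-rule settings
            fired.append(label)
            if action in TERMINAL_ACTIONS:
                return action, fired
            # Count: the match is recorded and evaluation continues
    return web_acl["default_action"], fired


def toy_common_rule_set() -> list[Rule]:
    """Three rules named after real Common Rule Set rules; the checks are crude approximations."""
    return [
        Rule("NoUserAgent_HEADER", lambda r: "user-agent" not in r["headers"], "Block"),
        Rule("SizeRestrictions_BODY", lambda r: len(r.get("body", b"")) > 8192, "Block"),
        Rule("GenericLFI_URIPATH", lambda r: "../" in r["path"], "Block"),
    ]


def build_web_acl(group_override: str = "None", rule_overrides: Optional[dict] = None) -> dict:
    """Priority 0: custom Allow exception for a legacy client. Priority 1: the managed group."""
    legacy_exception = Rule(
        "AllowLegacyClient",
        lambda r: r["path"].startswith("/api/legacy/") and "x-legacy-client" in r["headers"],
        "Allow",
    )
    common_rule_set = RuleGroupRef(
        "AWS-AWSManagedRulesCommonRuleSet",
        toy_common_rule_set(),
        override_action=group_override,
        rule_action_overrides=rule_overrides or {},
    )
    return {"default_action": "Allow", "rules": [(0, legacy_exception), (1, common_rule_set)]}


if __name__ == "__main__":
    no_user_agent = {"path": "/index.html", "headers": {}}
    print("enforcing :", evaluate(build_web_acl(), no_user_agent))
    print("group count:", evaluate(build_web_acl(group_override="Count"), no_user_agent))
    print("rule count :", evaluate(build_web_acl(rule_overrides={"NoUserAgent_HEADER": "Count"}),
                                   {"path": "/../etc/passwd", "headers": {}}))
```

Run it and compare the three lines: with no override the missing User-Agent is blocked by the group; with the group set to Count the same request is counted and falls through to the web ACL default action; with only that one rule overridden to Count, the request is still blocked, but by the next rule in the group that matches.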

Key Components, Values, Defaults, and Timers

Web ACL Default Action: Taken when no terminal rule matches. You must choose Allow or Block when you create the web ACL; the console preselects Allow, which is the usual choice when managed rule groups do the blocking.

Rule Action: Each rule has an action: Allow, Block, Count, CAPTCHA or Challenge. Allow and Block are terminal; Count is never terminal; CAPTCHA and Challenge are terminal only for requests without a valid token.

Rule Group Capacity: Each rule group has a fixed WCU cost published by its vendor (for example, AWSManagedRulesCommonRuleSet is 700 WCUs and AWSManagedRulesSQLiRuleSet is 200). Use aws wafv2 describe-managed-rule-group to see a group's current capacity and the names of the rules inside it.

Update Frequency: AWS revises its managed rule groups as threat intelligence changes; if you use the default (latest) version you receive those updates automatically and do nothing yourself. AWS publishes an SNS topic per managed rule group (the ARN is returned by describe-managed-rule-group) so you can be notified when a new version is released or an old one is scheduled for retirement.

Versioning: Managed rule groups are versioned, with names such as Version_1.0 and Version_1.1. Omit the version to track the default, or pin a specific version for stability. The exam tests that pinning prevents unexpected rule changes; in practice, remember that AWS eventually retires old versions, so a pinned group still needs periodic review.

Token Domains: A web ACL's token domain list applies to CAPTCHA and Challenge, naming the domains for which WAF accepts the aws-waf-token cookie; it has nothing to do with rate-based rules. Rate-based rules aggregate requests by source IP, by a forwarded-IP header such as X-Forwarded-For, or by custom keys (header, cookie, query string, URI path, label).

Configuration and Verification

To configure a managed rule group, you use the AWS WAF console, AWS CLI, or SDK. The CLI example below adds AWSManagedRulesCommonRuleSet, pinned to a version and set to Count, to an existing regional web ACL. Note that update-web-acl replaces the whole rule list, requires the web ACL's current lock token (fetched here with get-web-acl), and requires the web ACL's own visibility config in addition to the one on each rule:

aws wafv2 update-web-acl \
  --name MyWebACL \
  --scope REGIONAL \
  --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
  --lock-token "$(aws wafv2 get-web-acl --name MyWebACL --scope REGIONAL --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 --query LockToken --output text)" \
  --default-action Allow={} \
  --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=MyWebACL \
  --rules '[{"Name":"AWS-AWSManagedRulesCommonRuleSet","Priority":0,"Statement":{"ManagedRuleGroupStatement":{"VendorName":"AWS","Name":"AWSManagedRulesCommonRuleSet","Version":"Version_1.0"}},"OverrideAction":{"Count":{}},"VisibilityConfig":{"SampledRequestsEnabled":true,"CloudWatchMetricsEnabled":true,"MetricName":"AWSCommonRuleSet"}}]'

Omit "Version" to track the default (latest) version, and use "OverrideAction":{"None":{}} once you are ready to enforce.

To verify, run aws wafv2 get-web-acl and confirm the group appears under Rules with the expected OverrideAction and Version. aws wafv2 check-capacity --rules file://rules.json reports how many WCUs a rule list consumes. aws wafv2 get-sampled-requests (or the console's sampled requests view) shows which rule matched individual requests, and the AllowedRequests, BlockedRequests and CountedRequests metrics in CloudWatch, filtered by the Rule dimension, show volumes per rule group.

Interaction with Related Technologies

AWS Shield Advanced: When you subscribe to Shield Advanced, you get additional DDoS protection and integration with WAF. Shield Advanced can automatically apply WAF rules to mitigate layer 7 attacks.

AWS Firewall Manager: Allows centralized management of WAF rules across multiple accounts and resources. You can define a common set of managed rule groups and enforce them across your organization.

AWS CloudFront: WAF can be associated with CloudFront distributions to protect at the edge. The web ACL must have CLOUDFRONT scope and be created in us-east-1; managed rule groups then work exactly as they do for regional resources.

AWS Lambda: Managed rule groups need no Lambda. Custom block responses and custom request headers are native WAF rule features; Lambda@Edge (for CloudFront) is a separate tool for request/response manipulation that WAF does not do, and it is independent of the web ACL.

AWS Config: Managed Config rules such as wafv2-webacl-not-empty and wafv2-logging-enabled check that web ACLs have rules and logging configured, and you can write custom rules to check that specific managed rule groups are present.

Best Practices

Always start by setting managed rule groups to 'Count' mode to understand what traffic they would block. Monitor CloudWatch metrics for false positives.

Use version pinning for production environments to ensure rule behavior doesn't change unexpectedly.

Combine multiple managed rule groups for layered defense (e.g., Core rule set, SQLi, XSS, IP reputation).

Use custom rules for application-specific logic that managed rules cannot cover.

Check total WCU consumption with check-capacity before adding groups; if you are approaching the 1,500 default, request a quota increase early rather than discovering the limit during an incident.

Exam-Relevant Details

The SAA-C03 exam expects you to know that managed rule groups are updated automatically by AWS unless you pin a version.

You should understand that the group-level override is limited to None or Count and applies to every rule in the group; to change a single rule's action you use a rule action override.

Know that you can use managed rule groups from AWS and from AWS Marketplace sellers.

Be aware of the default web ACL capacity limit (1,500) and that rule groups have their own capacity.

Remember that 'Count' action is useful for testing and monitoring before blocking.

Walk-Through

1

Create a Web ACL

First, navigate to the AWS WAF console and create a new Web ACL. Choose the resource type (CloudFront or Regional) and the region. You must specify a default action (Allow or Block) for requests that don't match any rule. For example, if you want to block all traffic except what you explicitly allow, set default action to Block. The Web ACL is the container for all your rules and rule groups. The creation process also includes setting up CloudWatch metrics, sampled requests, and logging configurations.

2

Add a Managed Rule Group

In the Web ACL rules editor, click 'Add rules' and select 'Add managed rule groups'. You will see the AWS managed rule groups (e.g., AWSManagedRulesCommonRuleSet, AWSManagedRulesSQLiRuleSet, AWSManagedRulesKnownBadInputsRuleSet), each with its WCU cost, plus any AWS Marketplace groups you have subscribed to. Choose the ones relevant to your application. You can set the group's override action to Count for testing, and expand the group to override individual rules. The rule group is added as a single entry in your rule list with a priority number; WAF evaluates the rules inside it in the order the vendor defined.

3

Configure Rule Group Version

For each managed rule group, you can choose a specific version (e.g., Version_1.0) or use the default (latest). If you pin to a version, you must manually update to a newer version when needed. If you use default, AWS automatically updates the rules within the group as new versions are released. The exam emphasizes that pinning provides stability but requires manual updates. This step is critical for production environments where rule changes must be tested before deployment.

4

Set Action Overrides and Custom Rules

After adding managed rule groups, you can customize their behavior using action overrides. For example, you might set a managed rule group to 'Count' to monitor its impact, or set just one misfiring rule inside it to Count. You can also add custom rules above or below the managed rule groups. Custom rules can allow or block specific traffic based on IP addresses, HTTP headers, URI strings, etc. The order of rules matters: if a custom rule matches and its action is Allow or Block, WAF stops processing further rules. This lets you create exceptions ahead of the managed rules, and a scope-down statement on the group gives you a second way to keep it away from traffic it should not inspect.

5

Associate Web ACL with Resources

Finally, associate the Web ACL with the resources you want to protect, such as an Application Load Balancer (ALB), API Gateway, or CloudFront distribution. You can associate one Web ACL with multiple resources, but each resource can only be associated with one Web ACL at a time. After association, WAF starts inspecting incoming requests. You can monitor metrics like AllowedRequests, BlockedRequests, and CountedRequests in CloudWatch. If you see unexpected blocks, adjust the rule group overrides or custom rules accordingly.

What This Looks Like on the Job

In a typical enterprise deployment, a financial services company uses AWS WAF with managed rule groups to protect its public-facing web application from OWASP Top 10 attacks. They enable AWSManagedRulesCommonRuleSet (which carries the XSS protections), AWSManagedRulesSQLiRuleSet, and AWSManagedRulesKnownBadInputsRuleSet on their Application Load Balancer. During initial deployment, they set all rule groups to 'Count' mode for one week to baseline normal traffic. They observe that one Common Rule Set rule fires on legitimate requests because of a custom header pattern. They have two clean fixes: a per-rule action override that sets just that rule to Count, or a custom Allow rule at a higher priority that admits those specific requests before the managed group is evaluated. After tuning, they switch the rule groups to enforce. This approach minimizes false positives while maintaining strong security.

Another scenario involves an e-commerce platform that uses CloudFront with WAF at the edge. They enable the AWSManagedRulesAmazonIpReputationList rule group to block traffic from known malicious IP addresses and AWSManagedRulesKnownBadInputsRuleSet to block requests containing common exploit patterns. To protect flash sales, they add a rate-based custom rule that limits requests per source IP to 100 per 5 minutes, since the managed groups contain no rate limiting of their own. The managed rule groups help them satisfy the web application protection expected by PCI DSS without writing signature rules from scratch.

A common misconfiguration occurs when a team enables many managed rule groups without considering WCU limits. The Common Rule Set (700) plus the SQLi rule set (200) leave only 600 WCUs in a default 1,500-WCU web ACL, so adding several OS- and platform-specific groups on top will exceed it; the team must either request a quota increase or drop groups that do not match their stack. Another issue is running production on the default version without watching for updates: a managed rule group auto-updates during a busy period and starts blocking legitimate traffic because the new version includes a stricter rule. The team must then pin back to the previous version or override the offending rule to Count. In practice, pin a version in production, subscribe to the group's SNS update topic, and test new versions in staging first.

How SAA-C03 Actually Tests This

The SAA-C03 exam tests your understanding of AWS WAF rule groups and managed rules under Domain 1: Design Secure Architectures, in the task statement covering secure workloads and applications. Specifically, you must know when to use managed rule groups versus custom rules, how to configure action overrides, how capacity is budgeted, and how to manage rule group versions.

Common wrong answers on the exam: 1. 'Managed rule groups cannot be overridden' – This is false. You can set the group's override action to Count, and you can override the action of individual rules inside the group (to Count, Block, Allow, CAPTCHA or Challenge). Candidates often think nothing can be changed because the rules are managed; what you cannot change is the rules' inspection logic or order. 2. 'You must update managed rule groups manually' – False. By default, AWS updates them automatically. However, you can pin a version to prevent automatic updates. The exam expects you to know that automatic updates are the default. 3. 'Managed rule groups consume no capacity' – False. Each rule group has a WCU cost, and the total for the web ACL must stay within the quota (default 1,500). 4. 'You can reorder rules inside a managed rule group' – False. The order is fixed by the vendor. You can only change the priority of the rule group as a whole within the web ACL.

Specific numbers: Default web ACL capacity is 1,500 WCUs. AWSManagedRulesCommonRuleSet costs 700, AWSManagedRulesSQLiRuleSet 200, and AWSManagedRulesKnownBadInputsRuleSet 200. The exam may ask you to add up a set of rule groups and decide whether they fit.

Edge cases: If you use a managed rule group with version pinning, you must manually update to a newer version to get new protections. If you don't pin, you get automatic updates but risk unexpected changes. The exam loves to test this trade-off.

Eliminating wrong answers: Focus on the mechanism. If a question asks about blocking a specific attack pattern, consider whether a managed rule group already covers it. If the attack is custom (e.g., a specific user-agent string), you need a custom rule. Remember that managed rule groups are for common, well-known threats; custom rules are for application-specific logic.

Key Takeaways

Managed rule groups are pre-configured, automatically updated rule sets provided by AWS or third parties.

You can set a group-wide override of Count on a managed rule group, and you can override the action of individual rules inside it.

Default web ACL capacity is 1,500; each rule group has a specific capacity that counts toward this limit.

You can pin a managed rule group to a specific version to prevent automatic updates.

Use 'Count' mode initially to test managed rule groups before enabling 'Block'.

Custom rules can be added before or after managed rule groups to create exceptions.

Managed rule groups are available for both CloudFront and regional resources (ALB, API Gateway REST APIs, AppSync, Cognito user pools, and others).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

AWS Managed Rule Groups

Pre-configured by AWS, automatically updated for new threats.

Cannot edit or reorder the rules themselves; you can override the whole group to Count or override the action of individual rules.

Capacity is fixed per group (e.g., 700 for CommonRuleSet).

Suitable for common, well-known attack patterns (SQLi, XSS, etc.).

Version pinning available to control updates.

Custom Rule Groups

You write and maintain all rules yourself.

Full control over each rule, including conditions and actions.

You declare the group's WCU capacity when you create it (and cannot change it later); each rule you add consumes WCUs according to its statements and must fit within that declared capacity.

Suitable for application-specific logic (e.g., block specific IPs, custom headers).

No automatic updates; you must manually update rules as threats evolve.

Watch Out for These

Mistake

Managed rule groups cannot be customized at all.

Correct

You can set the group's override action to Count, override the action of individual rules inside it, restrict the group with a scope-down statement, and add custom rules before or after the group to allow or block specific requests. What you cannot do is change a managed rule's inspection logic or its position within the group.

Mistake

Once you enable a managed rule group, it will block all matching traffic immediately.

Correct

By default, each rule uses the action the vendor defined (usually Block). You can set the group's override action to Count so matches are only counted, not blocked. This is the standard way to test a group against live traffic.

Mistake

Managed rule groups are automatically updated and you cannot control the version.

Correct

You can choose to use the default (latest) version or pin to a specific version. Pinning prevents automatic updates, giving you control over when to adopt changes.

Mistake

You can add managed rule groups only from AWS, not from third parties.

Correct

AWS WAF supports managed rule groups from AWS Marketplace sellers. You can subscribe to third-party rule groups and use them in your web ACLs.

Mistake

All managed rule groups have the same capacity.

Correct

Each managed rule group has a different capacity. For example, AWSManagedRulesCommonRuleSet has capacity 700, while AWSManagedRulesSQLiRuleSet has capacity 200. You must sum capacities to ensure they fit within the web ACL limit.

Frequently Asked Questions

What is the difference between a rule and a rule group in AWS WAF?

A rule is a single inspection condition with an action (Allow, Block, Count). A rule group is a collection of rules that you can add to a web ACL as a single unit. Managed rule groups are pre-built rule groups from AWS or third parties. You can also create your own custom rule groups. The key benefit of rule groups is reusability across multiple web ACLs.

Can I modify individual rules inside a managed rule group?

No, you cannot change the inspection logic or order of the rules inside a managed rule group. You can, however, override the whole group to Count, override the action of a single named rule (for example, set one noisy rule to Count while the rest keep blocking), or add a scope-down statement so the group only inspects part of your traffic. To admit specific requests that a group would otherwise block, you can also add a custom Allow rule at a higher priority so it is evaluated first.

How do I update a managed rule group to a new version?

If you are using the default version, AWS updates it automatically. If you pinned to a specific version, you must manually update by editing the web ACL and selecting a newer version. You can also switch back to the default version. Always test new versions in a staging environment before applying to production.

What happens if a web ACL exceeds its capacity limit?

The update is rejected: you cannot add rules or rule groups if the total WCUs would exceed the web ACL quota (default 1,500). You must either remove rules or rule groups to free capacity, or request a quota increase through Service Quotas. The capacity is the sum of the WCUs of every rule and rule group in the web ACL, and aws wafv2 check-capacity reports it for a proposed rule list.

Can I use managed rule groups with CloudFront?

Yes, you can associate a WAF web ACL with a CloudFront distribution. Managed rule groups work the same way for CloudFront as for regional resources. When using CloudFront, you must create the web ACL in the US East (N. Virginia) region (us-east-1) for CloudFront distributions.

Do managed rule groups support rate-based rules?

Some managed rule groups include rate-based rules. For example, the AWSManagedRulesCommonRuleSet includes a rate-based rule to help mitigate DDoS attacks. However, you can also add your own rate-based custom rules separately. Managed rule groups are not limited to only rate-based or only static rules; they can contain a mix.

How do I test a managed rule group before blocking traffic?

Set the rule group's override action to 'Count'. Matching requests are counted but not blocked. Monitor the CountedRequests metric for the rule group in CloudWatch, review sampled requests, and enable logging to see which individual rule fired. If legitimate requests are being counted, either override the offending rule to Count or add a custom Allow rule ahead of the group. After tuning, set the group's override action back to None so the rules enforce.
