The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications. In this post, I will show you which AWS Managed Rule Group addresses which Web Application Security Risk from the OWASP Top 10.
Managed rule groups are collections of predefined rules that AWS and AWS Marketplace sellers maintain for you. There is one difference between AWS and Marketplace rule groups: AWS managed rule groups are mostly available for free (only the AWS WAF Bot Control and AWS WAF Fraud Control account takeover prevention rule groups have additional fees), whereas Marketplace managed rule groups are available by subscription through AWS Marketplace.
🚨 Just as a side note: Amazon Managed Rules should be considered the first layer of an application defense strategy. You still need to consider using custom rules that cover specific vulnerabilities of your applications, or partner managed rules that are more relevant for your specifics.
| OWASP Identifier | AWS Managed Rule Group Name / Comments | Rule Name |
|---|---|---|
| A01:2021 | AWSManagedRulesCommonRuleSet | SizeRestrictions_QUERYSTRING, EC2MetaDataSSRF_QUERYARGUMENTS, GenericLFI_QUERYARGUMENTS, RestrictedExtensions_QUERYARGUMENTS, GenericRFI_QUERYARGUMENTS, CrossSiteScripting_QUERYARGUMENTS |
| A02:2021 | No Web Application Firewall check. Cryptographic Failures can be detected by tools like prowler. | |
| A03:2021 | AWSManagedRulesSQLiRuleSet | SQLi_QUERYARGUMENTS, SQLiExtendedPatterns_QUERYARGUMENTS, SQLi_BODY, SQLiExtendedPatterns_BODY, SQLi_COOKIE |
| A04:2021 | No Web Application Firewall check. Insecure Design can be detected by tools like prowler. | |
| A05:2021 | No Web Application Firewall check. Security Misconfiguration can be checked by tools like prowler. | |
| A06:2021 | AWSManagedRulesKnownBadInputsRuleSet 🚨 In addition, Vulnerable and Outdated Components can be detected with tools like sysdig or aquasec. | ExploitablePaths_URIPATH, Log4JRCE_HEADER, Log4JRCE_QUERYSTRING, Log4JRCE_URI, Log4JRCE_BODY |
| A07:2021 | AWSManagedRulesATPRuleSet, AWSManagedRulesAmazonIpReputationList, AWSManagedRulesBotControlRuleSet ℹ️ AWSManagedRulesATPRuleSet and AWSManagedRulesBotControlRuleSet have additional fees (see the pricing page) | AttributePasswordTraversal, AttributeUsernameTraversal, AttributeCompromisedCredentials, MissingCredential, VolumetricSession, TokenRejected, AWSManagedIPReputationList, AWSManagedReconnaissanceList, CategoryAdvertising, CategoryArchiver, CategoryContentFetcher, CategoryHttpLibrary, CategoryLinkChecker, CategoryMiscellaneous, CategoryMonitoring, CategoryScrapingFramework, CategorySecurity, CategorySeo, CategorySocialMedia, CategorySearchEngine, SignalAutomatedBrowser, SignalKnownBotDataCenter, SignalNonBrowserUserAgent |
| A08:2021 | No Web Application Firewall check. Software and Data Integrity Failures can be detected with tools like sysdig or aquasec. | |
| A09:2021 | No Web Application Firewall check. Take care that you configure proper monitoring of all components of your application. | |
| A10:2021 | AWSManagedRulesCommonRuleSet | EC2MetaDataSSRF_BODY, EC2MetaDataSSRF_COOKIE, EC2MetaDataSSRF_URIPATH, EC2MetaDataSSRF_QUERYARGUMENTS |
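The mapping in the table is also useful on the detection side: once AWS WAF logging is enabled, each log record lists the managed rule groups and rule names that matched a request, so the OWASP category behind each block or count can be derived from the rule name. The following is an added example, not code from this post or from AWS; it assumes the JSON-lines log shape (`ruleGroupList`, `terminatingRule`, `nonTerminatingMatchingRules`, `ruleId`) and uses constructed, trimmed-down sample records.

```python
import json
from collections import Counter
# Rule-name prefix -> OWASP category, taken from the table in this post.
# EC2MetaDataSSRF_* appears under A01 and A10; it is counted as A10 here.
RULE_PREFIX_TO_OWASP = {
    "SizeRestrictions_": "A01:2021", "GenericLFI_": "A01:2021", "GenericRFI_": "A01:2021",
    "RestrictedExtensions_": "A01:2021", "CrossSiteScripting_": "A01:2021",
    "SQLi": "A03:2021",  # covers both SQLi_* and SQLiExtendedPatterns_*
    "ExploitablePaths_": "A06:2021", "Log4JRCE_": "A06:2021",
    "Attribute": "A07:2021", "MissingCredential": "A07:2021", "VolumetricSession": "A07:2021",
    "TokenRejected": "A07:2021", "AWSManagedIPReputationList": "A07:2021",
    "AWSManagedReconnaissanceList": "A07:2021", "Category": "A07:2021", "Signal": "A07:2021",
    "EC2MetaDataSSRF_": "A10:2021",
}

def classify_rule(rule_id: str) -> str:
    """Map a managed rule name such as SQLi_BODY to its OWASP category."""
    for prefix, category in RULE_PREFIX_TO_OWASP.items():
        if rule_id.startswith(prefix):
            return category
    return "unmapped"

def matched_rules(entry: dict) -> list:
    """Rule ids of every managed rule that matched, terminating (BLOCK) or COUNT-only."""
    hits = []
    for group in entry.get("ruleGroupList", []):
        if group.get("terminatingRule"):
            hits.append(group["terminatingRule"]["ruleId"])
        hits += [r["ruleId"] for r in group.get("nonTerminatingMatchingRules", [])]
    return hits

def owasp_counts(log_lines) -> Counter:
    """Count rule matches per OWASP category over JSON-lines WAF log records."""
    counts = Counter()
    for line in log_lines:
        for rule_id in matched_rules(json.loads(line)):
            counts[classify_rule(rule_id)] += 1
    return counts

# Constructed, trimmed log records: only the fields read above are present.
SAMPLE_LOGS = [
    '{"action":"BLOCK","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesSQLiRuleSet",'
    '"terminatingRule":{"ruleId":"SQLi_QUERYARGUMENTS","action":"BLOCK"}}]}',
    '{"action":"BLOCK","ruleGroupList":[{"ruleGroupId":"AWS#AWSManagedRulesCommonRuleSet",'
    '"terminatingRule":null,"nonTerminatingMatchingRules":[{"ruleId":"CrossSiteScripting_QUERYARGUMENTS"}]},'
    '{"ruleGroupId":"AWS#AWSManagedRulesKnownBadInputsRuleSet",'
    '"terminatingRule":{"ruleId":"Log4JRCE_HEADER","action":"BLOCK"}}]}',
    '{"action":"ALLOW","ruleGroupList":[]}',
]
```

Running `owasp_counts(SAMPLE_LOGS)` over the three constructed records yields one match each for A01, A03 and A06; rules in COUNT mode are included so that a rule group staged in count mode still shows up in the breakdown.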
If you are searching for a solution to deploy, update, and stage your Web Application Firewalls while managing them centrally via AWS Firewall Manager, take a look at the AWS Firewall Factory tool. AWS Firewall Factory is able to test your deployed firewall using GoTestWAF. GoTestWAF is a tool for API and OWASP attack simulation that supports a wide range of API protocols including REST, GraphQL, gRPC, WebSockets, SOAP, XMLRPC and many more. It was designed to evaluate web application security solutions such as API security proxies, Web Application Firewalls, IPS, API gateways, etc.