This page explains how to configure Managed Rules Plus (also known as WafCharm Lite and abbreviated as MR Plus).

If you already have an MR Plus / WafCharm account or have already created resources, you can continue from the next step.

Below is an overview of the setup process. For a more detailed outline, see the setup procedure overview.

1. Subscribe to Managed Rules Plus.
2. Create a WafCharm account.
3. Register your credentials.
4. Register a WAF Config.

Note:
Managed Rules Plus is managed through the WafCharm Console. While product names may vary by language or region, the term WafCharm account refers to accounts used for both WafCharm and Managed Rules Plus. This term will be used consistently throughout this help documentation.
For more information on the relationship between WafCharm and MR Plus, please refer to [What is Managed Rules Plus?].

Preparation

To use MR Plus, please prepare the following resources:

• AWS WAF v2 web ACL
• IAM role or IAM user with the following permissions:

  Please refer to the Required permissions for AWS WAF v2 (new plan/MP ver.) for details.

  • AWSWAFFullAccess
  • AmazonS3ReadOnlyAccess
  • CloudWatchReadOnlyAccess
• [Optional] CSC Managed Rules subscription
  • While not required, using MR Plus in combination with CSC Managed Rules is recommended.
  • You may use either of the following CSC Managed Rules products:
    • Cyber Security Cloud Managed Rules for AWS WAF -HighSecurity OWASP Set-
    • Cyber Security Cloud Managed Rules for AWS WAF -API Gateway/Serverless-
• [Optional] Output WAF logs to an S3 bucket
  • This is not required to use MR Plus, but it must be enabled to use the monthly report feature or make full use of the dynamic denylist.
  • If you enable WAF logging, be sure to output the logs directly to an S3 bucket.
    • Kinesis Data Firehose and CloudWatch Logs are not supported. Using either of these destinations will result in an error after registration.

Setup notes and considerations

• Before subscribing to MR Plus, please confirm the AWS account ID you intend to use.
  • If you use an AWS account ID that has previously subscribed to WafCharm (AWS Marketplace version), the subscription will still complete, but you will not be able to register an MR Plus account in the WafCharm Console. Please make sure to use an AWS account ID that has not been used for WafCharm (AWS Marketplace version).
  • You can use the same AWS account ID for both CSC Managed Rules and MR Plus.
• MR Plus is designed to be used in combination with CSC Managed Rules. These are separate products and must be subscribed to individually. Subscribing to MR Plus alone does not include CSC Managed Rules.
  • Using CSC Managed Rules is not required, but if they are not applied, a message will be displayed indicating that CSC Managed Rules are not in use.
  • The following CSC Managed Rules are expected to be used in combination when using MR Plus:
    • Cyber Security Cloud Managed Rules for AWS WAF -HighSecurity OWASP Set-
    • Cyber Security Cloud Managed Rules for AWS WAF -API Gateway/Serverless-
• The monthly report feature includes attack type categorization based on detected rules. This categorization is only supported when using the recommended CSC Managed Rules. If these rules are not used, some data in the monthly report may not be fully categorized.
• There are no restrictions on the types of resources that can be attached to a web ACL.
• When using MR Plus, all user-defined rules, including AWS Managed Rules and any other rules you apply, must be placed at priority 1000 or higher during initial registration. Any rules outside this range will be temporarily moved to 1000 or higher during registration. After setup is complete, you may adjust the rule priorities back to 0–99 or leave them at 1000+, depending on your needs.
  • If a user-defined rule is intended to evaluate requests before other rules, such as denylist rules, temporarily moving it to priority 1000+ may cause it to behave unexpectedly. After registration, please move such rules back to the 0–99 range.
  • If you're using IP-based allow rules, we recommend using the Allowlist rule provided by MR Plus.
  • For details, refer to About rule priorities of Managed Rules Plus.
• Features marked with a lock icon require an upgrade to WafCharm. These features are not available with an MR Plus subscription.

For first-time setup

The following steps apply if you are using Managed Rules Plus (MR Plus) and CSC Managed Rules for the first time.

If you are already using CSC Managed Rules, please refer to [Using MR Plus with an existing CSC Managed Rules setup].

1. Subscribe to MR Plus.

   Access the MR Plus product page on AWS Marketplace, click the [View purchase options] button, and select an offer to subscribe.
   For more details on how to subscribe via AWS Marketplace, please refer to the official AWS documentation:

   Subscribe to a SaaS contract or usage-based product.

2. Access the sign-up page from the AWS Marketplace and sign up on the WafCharm Console.

   After subscribing, click the [Set up your account] button shown on the AWS Marketplace page.

3. When the WafCharm Console sign-up page opens, enter your email address and password.
4. Click [Sign up].
5. Open the confirmation email sent to your registered email address.
6. Click the [Confirm] link in the confirmation email.
   Registration is complete when the message "Email address has been successfully verified" appears on the screen.
   Your account registration will not be complete until this step is finished, so please make sure to confirm your email address before proceeding.
7. Click [Sign in] to log in to the WafCharm Console.
8. Enter your account information.
9. Read the Terms of Service and other policies, and check the box labeled: [Please check if you have read and agree to the Terms of service and the other policies].
10. Click [Save].
11. Register credential information.
    Follow the instructions in How to configure Credential Store for AWS WAF v2 (new plan/MP ver.) to complete this step.
12. Click [WAF] in the left-hand menu.
13. Click [Add].
14. Select the registered credential.
15. Select the region where the target web ACL is located.
16. Click [Get web ACLs].
17. Select the radio button for the web ACL you want to configure with MR Plus, then click [Next].

    If you check the [Show configured web ACLs] checkbox, web ACLs already using WafCharm or MR Plus will also be displayed.

    Please note that you cannot proceed with registration for web ACLs that are already configured with WafCharm or MR Plus.

18. Check the WAF Config name.

    The name is automatically populated based on the web ACL name. You can change it to a custom value if needed.

19. Subscribe to CSC Managed Rules.
    If CSC Managed Rules are not applied to the target web ACL, a message saying [CSC Managed Rules Not Configured.] will appear under [Rules in Use]. Follow the on-screen instructions under [How to Configure CSC Managed Rules] to complete the subscription.

    If you are already subscribed to CSC Managed Rules, opening the AWS Marketplace page and clicking the [View purchase options] button will show the message:

    [You’ve already accepted this offer].
    In this case, you do not need to subscribe again. You can proceed to the next step.
    If you prefer to register the WAF Config first and subscribe to CSC Managed Rules later, click the [Configure Later] button to proceed to [Rule Configuration].

20. Apply CSC Managed Rules to the target web ACL.
    The configuration steps are shown in the [Procedure in the AWS Management Console] pop-up. Follow the on-screen instructions to apply CSC Managed Rules.
21. Click [Check Usage Status].
    If CSC Managed Rules have been correctly applied to the target web ACL, clicking [Check Usage Status] will update the page to display:

    [Usage Status: In Use].

    If the page does not update, please check the following:

    • You have selected the correct target web ACL.
    • CSC Managed Rules have been applied properly.
    • CSC Managed Rules were not mistakenly applied to a different web ACL.
22. Check for errors in the [Rule Priority] section.

    At initial setup, all user-defined rules, including AWS Managed Rules, and CSC Managed Rules must be assigned a priority of 1000 or higher.
    If any user-defined rules have a priority below 1000, you will not be able to proceed to the next step. If a message appears prompting you to adjust the priority, click the [Change Rule Priority] button. Clicking this button will add 1000 to each rule’s current priority value.
    If you have rules intended to evaluate requests before the IP-based block rules (denylist), changing their priority to 1000 or higher may cause them to behave unexpectedly. In such cases, please move those rules back to the 0–99 range after this setup step is complete.
    If you're using IP-based allow rules, we recommend using the Allowlist feature provided by MR Plus.
    For more information, refer to About rule priorities of Managed Rules Plus.
    If the rule priorities are in the expected state, the message [Rule Priority: Verified] will be displayed. You may then proceed to the next step.

23. Configure rules in [Rule Configuration].
    You can configure the following: IP addresses to allow (Allowlist), IP addresses to block (Denylist), rule action for dynamic denylist rules, the IP address source to use, and IP addresses to exclude from the dynamic denylist.
    These settings can also be added or updated later by editing the WAF Config.
    For more details, refer to IP address management features and Exception configurations (excluded IP addresses).
24. Configure log and notification settings in [Log and Notification Configuration].

    To use the monthly report feature and the dynamic denylist feature, WAF log integration must be enabled. If you plan to use these features, check the confirmation items shown on screen and proceed to the next step.
    WAF logs must be output directly to an S3 bucket. Kinesis Data Firehose and CloudWatch Logs are not supported. Using either of these destinations will result in an error after registration.
    If needed, please also configure field redaction to mask log fields.

25. Confirm the registered information.
26. Click the [Add] button.

After returning to the WAF Config list page, a loading icon will appear next to the name of the WAF Config you just registered. This icon indicates that the configuration is currently being applied.
Once the application completes successfully, the [Status] field under the [Basic Configuration] tab of the WAF Config details page will display: [Success].
If an error appears in the [Status] section, please resolve the issue and click the [Reapply] button to confirm that the error has been resolved.

For more information about errors, refer to Common errors in Managed Rules Plus.

Note: You can open the WAF Config details page by clicking the WAF Config name.

Using MR Plus with an existing CSC Managed Rules setup

The following steps apply if you already have a web ACL using CSC Managed Rules and want to add Managed Rules Plus (MR Plus).

If you are using MR Plus and CSC Managed Rules for the first time, please refer to [For first-time setup].

1. Subscribe to MR Plus.

   Access the MR Plus product page on AWS Marketplace, click the [View purchase options] button, and select an offer to subscribe.
   For more details on how to subscribe via AWS Marketplace, please refer to the official AWS documentation:

   Subscribe to a SaaS contract or usage-based product.

2. Access the sign-up page from the AWS Marketplace and sign up on the WafCharm Console.

   After subscribing, click the [Set up your account] button shown on the AWS Marketplace page.

3. When the WafCharm Console sign-up page opens, enter your email address and password.
4. Click [Sign up].
5. Open the confirmation email sent to your registered email address.
6. Click the [Confirm] link in the confirmation email.
   Registration is complete when the message "Email address has been successfully verified" appears on the screen.
   Your account registration will not be complete until this step is finished, so please make sure to confirm your email address before proceeding.
7. Click [Sign in] to log in to the WafCharm Console.
8. Enter your account information.
9. Read the Terms of Service and other policies, and check the box labeled: [Please check if you have read and agree to the Terms of service and the other policies].
10. Click [Save].
11. Register credential information.
    Follow the instructions in How to configure Credential Store for AWS WAF v2 (new plan/MP ver.) to complete this step.
12. Click [WAF] in the left-hand menu.
13. Click [Add].
14. Select the registered credential.
15. Select the region where the target web ACL is located.
16. Click [Get web ACLs].
17. Select the radio button for the web ACL you want to configure with MR Plus, then click [Next].

    If you check the [Show configured web ACLs] checkbox, web ACLs already using WafCharm or MR Plus will also be displayed.

    Please note that you cannot proceed with registration for web ACLs that are already configured with WafCharm or MR Plus.

18. Check the WAF Config name.

    The name is automatically populated based on the web ACL name. You can change it to a custom value if needed.

19. Check for errors in the [Rule Priority] section.

    At initial setup, all user-defined rules, including AWS Managed Rules, and CSC Managed Rules must be assigned a priority of 1000 or higher.
    If any user-defined rules have a priority below 1000, you will not be able to proceed to the next step. If a message appears prompting you to adjust the priority, click the [Change Rule Priority] button. Clicking this button will add 1000 to each rule’s current priority value.
    If you have rules intended to evaluate requests before the IP-based block rules (denylist), changing their priority to 1000 or higher may cause them to behave unexpectedly. In such cases, please move those rules back to the 0–99 range after this setup step is complete.
    If you're using IP-based allow rules, we recommend using the Allowlist feature provided by MR Plus.
    For more information, refer to About rule priorities of Managed Rules Plus.
    If the rule priorities are in the expected state, the message [Rule Priority: Verified] will be displayed. You may then proceed to the next step.
    Please note: If the message [CSC Managed Rules Not Configured.] is displayed under [Rules in Use], it means that CSC Managed Rules have not been applied to the target web ACL. In this case, please refer to the steps in [For first-time setup], or apply CSC Managed Rules to the web ACL before proceeding to the next step.

20. Configure rules in [Rule Configuration].
    You can configure the following: IP addresses to allow (Allowlist), IP addresses to block (Denylist), rule action for dynamic denylist rules, the IP address source to use, and IP addresses to exclude from the dynamic denylist.
    These settings can also be added or updated later by editing the WAF Config.
    For more details, refer to IP address management features and Exception configurations (excluded IP addresses).
21. Configure log and notification settings in [Log and Notification Configuration].

    To use the monthly report feature and the dynamic denylist feature, WAF log integration must be enabled. If you plan to use these features, check the confirmation items shown on screen and proceed to the next step.
    WAF logs must be output directly to an S3 bucket. Kinesis Data Firehose and CloudWatch Logs are not supported. Using either of these destinations will result in an error after registration.
    If needed, please also configure field redaction to mask log fields.

22. Confirm the registered information.
23. Click the [Add] button.

After returning to the WAF Config list page, a loading icon will appear next to the name of the WAF Config you just registered. This icon indicates that the configuration is currently being applied.
Once the application completes successfully, the [Status] field under the [Basic Configuration] tab of the WAF Config details page will display: [Success].
If an error appears in the [Status] section, please resolve the issue and click the [Reapply] button to confirm that the error has been resolved.

For more information about errors, refer to Common errors in Managed Rules Plus.

Note: You can open the WAF Config details page by clicking the WAF Config name.