AWS WAF v2, New Plan, Feature / Spec., Managed Rule Plus
Yes, there is no issue.
Please note that you must subscribe to CSC Managed Rules using the AWS account where the web ACL you plan to use it with is located.
You cannot subscribe to both WafCharm (AWS Marketplace version) and Managed Rules Plus using the same AWS account.
If you subscribe to WafCharm (AWS Marketplace version) using an AWS account that is already subscribed to Managed Rules Plus, the WafCharm account used for Managed Rules Plus will be upgraded to a WafCharm (AWS Marketplace version) account.
Conversely, if you try to subscribe to Managed Rules Plus using an AWS account that is already subscribed to WafCharm (AWS Marketplace version), you will not be able to register a WafCharm account used for WafCharm (AWS Marketplace version) in the WafCharm Console.
Note: WafCharm accounts used for Managed Rules Plus and WafCharm (AWS Marketplace version) cannot be shared. Each must exist independently.
WafCharm is a higher-tier plan designed to be an upgrade from Managed Rules Plus. Since WafCharm includes more advanced features, there is generally no need to use both WafCharm and Managed Rules Plus or CSC Managed Rules on the same web ACL.
Note: Managed Rules Plus is managed through the WafCharm Console. While product names may vary by language or region, the term WafCharm account refers to accounts used for both WafCharm and Managed Rules Plus. This term will be used consistently throughout this help documentation.
For more information on the relationship between WafCharm and Managed Rules Plus, please refer to [What is Managed Rules Plus?].
We recommend using one of the following CSC Managed Rules in combination with Managed Rules Plus:
- HighSecurity OWASP Set
- API Gateway/Serverless
Note: Both of the above are comprehensive rule sets designed to defend against common web threats such as those in the OWASP Top 10. These rules are designed with the expectation that only one of the two will be used. In most cases, the HighSecurity OWASP Set is the optimal choice. However, if your backend architecture uses services like API Gateway or Lambda, we recommend using the API Gateway/Serverless rule set instead.
Another ruleset provided under CSC Managed Rules is Cyber Security Cloud Managed Rules -Protocol Enforcement by WafCharm-. It can be used with Managed Rules Plus, but it is designed to detect requests that violate HTTP protocol specifications or encoding standards. Since it does not include rules to defend against general web application attacks, we recommend using it in combination with either WafCharm, the HighSecurity OWASP Set, or API Gateway/Serverless.
Although we do not recommend it, Managed Rules Plus can be used on its own without CSC Managed Rules.
Yes, you can.
However, please note that the Attack Type section in the monthly report only categorizes detections from rules provided by Managed Rules Plus and CSC Managed Rules (such as those designed to comprehensively defend against OWASP Top 10 attacks). Detections from other rule sets cannot be classified appropriately. If you are not using CSC Managed Rules, it may be difficult to make full use of the Attack Type data.
To make the most of this feature, we recommend using CSC Managed Rules in combination with Managed Rules Plus.
For more details on which CSC Managed Rules can be used, please see:
Can I use any managed rules if they are from CSC?
No, there are no differences in the available features.
However, please note that the Attack Type section in the monthly report only categorizes detections from rules provided by Managed Rules Plus and CSC Managed Rules (such as those designed to comprehensively defend against OWASP Top 10 attacks). Detections from other rule sets cannot be classified appropriately. If you are not using CSC Managed Rules, it may be difficult to make full use of the Attack Type data.
To make the most of this feature, we recommend using CSC Managed Rules in combination with Managed Rules Plus.
For more details on which CSC Managed Rules can be used, please see:
Can I use any managed rules if they are from CSC?
Customization is available in specific areas.
We support customization for the dynamic denylist feature, which re-evaluates WAF logs against hundreds of signatures, to reduce false positives.
For false positives in CSC Managed Rules, please use rule labels to exclude specific requests yourself. You can also add your own custom rules, such as those to explicitly allow or block certain requests.
To allow or block by IP address, use the Allowlist and Denylist features provided by Managed Rules Plus.
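An added example, not taken from the WafCharm documentation, of the label-based exclusion described above, written as two entries of an AWS WAF v2 web ACL `Rules` array. The vendor name, rule group name, rule name and label key are placeholders to be replaced with the values shown for your CSC Managed Rules subscription, and the `/admin/editor/` path is a constructed example of a request that triggers a false positive.

```json
[
  {
    "Name": "csc-managed-rules",
    "Priority": 10,
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "VENDOR_NAME_PLACEHOLDER",
        "Name": "RULE_GROUP_NAME_PLACEHOLDER",
        "RuleActionOverrides": [
          { "Name": "RULE_NAME_PLACEHOLDER", "ActionToUse": { "Count": {} } }
        ]
      }
    },
    "OverrideAction": { "None": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "csc-managed-rules"
    }
  },
  {
    "Name": "block-labelled-except-editor-path",
    "Priority": 20,
    "Statement": {
      "AndStatement": {
        "Statements": [
          { "LabelMatchStatement": { "Scope": "LABEL", "Key": "LABEL_KEY_PLACEHOLDER" } },
          {
            "NotStatement": {
              "Statement": {
                "RegexMatchStatement": {
                  "RegexString": "^/admin/editor/",
                  "FieldToMatch": { "UriPath": {} },
                  "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ]
                }
              }
            }
          }
        ]
      }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "block-labelled-except-editor-path"
    }
  }
]
```

The second rule must have a higher priority number than the rule group so that the label already exists when it is evaluated. Keep the excluded pattern as narrow as the false positive allows, because every request it matches bypasses that rule.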
Managed Rules Plus is intended to be used with CSC Managed Rules. To use CSC Managed Rules, please subscribe to it separately and add it to your target web ACL.
Yes, the monthly report feature is available by enabling WAF log retrieval.
However, please note that the Attack Type section in the monthly report only categorizes detections from rules provided by Managed Rules Plus and CSC Managed Rules (such as those designed to comprehensively defend against OWASP Top 10 attacks). Detections from other rule sets cannot be classified appropriately. If you are not using CSC Managed Rules, it may be difficult to make full use of the Attack Type data.
To make the most of this feature, we recommend using CSC Managed Rules in combination with Managed Rules Plus.
For more details on which CSC Managed Rules can be used, please see:
Can I use any managed rules if they are from CSC?
Features that are disabled and marked with a lock icon require an upgrade to WafCharm. For more information about WafCharm, please see: Introduction (AWS WAF v2).
To learn how to upgrade, please refer to: I want to upgrade to WafCharm from Managed Rules Plus.
You can continue to use Managed Rules Plus. The subscription status of Managed Rules Plus and CSC Managed Rules is not linked.
Your WAF Config will not be deleted. However, a message indicating that CSC Managed Rules is not applied will appear in the [CSC MR Configuration] tab. This message cannot be dismissed.
Note: This message will appear once CSC Managed Rules is removed from the associated web ACL.
Additionally, if WAF log retrieval is enabled, you can still use both the dynamic denylist feature and the monthly report feature.
However, please note that the Attack Type section in the monthly report only categorizes detections from rules provided by Managed Rules Plus and CSC Managed Rules (such as those designed to comprehensively defend against OWASP Top 10 attacks). Detections from other rule sets cannot be classified appropriately. If you are not using CSC Managed Rules, it may be difficult to make full use of the Attack Type data.
To make the most of this feature, we recommend using CSC Managed Rules in combination with Managed Rules Plus.
For more details on which CSC Managed Rules can be used, please see:
Can I use any managed rules if they are from CSC?
WafCharm is a higher-tier plan designed as an upgrade from Managed Rules Plus. Since it offers more advanced features, there is generally no need to use WafCharm together with Managed Rules Plus or CSC Managed Rules on the same web ACL.
You can upgrade by subscribing to WafCharm (AWS Marketplace version) using the same AWS account ID currently used for Managed Rules Plus. When upgrading to WafCharm (AWS Marketplace version), you can continue using your existing WafCharm account. Please contact WafCharm Support if you need assistance.
WAF Config migration may be required. Whether migration is possible depends on how your rules are currently configured, so please consult WafCharm Support for more details.
If you wish to upgrade to the WafCharm (website version) instead, you will need to create a new WafCharm account. Please unsubscribe from Managed Rules Plus, then sign up for the WafCharm (website version). Since Managed Rules Plus will be canceled in this case, your WAF Config must also be re-registered.
Migrating from WafCharm to Managed Rules Plus is not officially supported due to differences in available features and data compatibility.
If you still wish to proceed, please cancel your WafCharm subscription and then subscribe to Managed Rules Plus. You will also need to create a new WafCharm account as part of the setup.
To cancel your Managed Rules Plus subscription, please do so via the AWS Marketplace. For detailed instructions, refer to the AWS official documentation: Canceling your SaaS subscription.
Please note that once you cancel your subscription, your WafCharm account will be automatically deleted after a 21-day grace period. If you cancel by mistake, you can resubscribe to Managed Rules Plus within that grace period to continue using your existing WafCharm account.
If your question isn’t covered above, please contact WafCharm Support using the contact form.