Why isn't automatic remediation working for my Firewall Manager AWS WAF policy?


Automatic remediation isn't working for my AWS Firewall Manager WAF policy.

Short description

Firewall Manager AWS WAF policies include an automatic remediation feature that creates a web ACL in each in-scope account and associates it with the resources that the policy scope covers. When that association doesn't happen, check the policy's scope, the rule group subscriptions, and whether automatic remediation is turned on.


Follow these best practices for creating an AWS Firewall Manager policy for AWS WAF.

Before you begin, be sure that you completed the AWS Firewall Manager prerequisites. For more information, see How do I set up AWS Firewall Manager for my AWS account?

Make sure that the AWS WAF policy scope includes the following:

  • The AWS accounts in your organization in AWS Organizations, or the specific organizational units (OUs), that contain the resources that you want to protect.
  • If you are protecting Amazon CloudFront distributions, make sure that the AWS Region is set to Global.
  • For resource type, make sure that you include the types of resources that you want to protect. Note: The option to choose CloudFront distributions as a resource type is available only if you choose Global.
  • If you are using managed rule groups from AWS Marketplace sellers, make sure that every in-scope AWS account has an active subscription to the rule group first. Otherwise, Firewall Manager can't associate the web ACL with the in-scope resources in that account. AWS Managed Rules rule groups don't require a subscription. For more information, see Rule groups.
  • After you review the effects of your policy, make sure that you turn on automatic remediation. While remediation is turned off, Firewall Manager only reports noncompliant resources; it doesn't create or associate web ACLs.
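The following script is an added example, not code from the article or from AWS. It runs the checks in the list above offline against the "Policy" object that `aws fms get-policy` (or boto3 `fms.get_policy()["Policy"]`) returns, so you can see which scope or settings problem is stopping remediation before you touch the console. The sample policy, its OU ID and the "ExampleVendor" rule group are constructed placeholders.

```python
"""Offline checks for an AWS Firewall Manager AWS WAF (WAFV2) policy.

Added example, not code from the article or from AWS. The input is the
"Policy" object in the shape returned by `aws fms get-policy`; nothing here
calls AWS. The sample policy at the bottom is constructed for illustration.
"""
import json

CLOUDFRONT = "AWS::CloudFront::Distribution"
# Policies that protect CloudFront ("Global" in the console) live in us-east-1.
GLOBAL_REGION = "us-east-1"


def resource_types(policy):
    """Resource types the policy covers (single type or ResourceTypeList)."""
    if policy.get("ResourceType") == "ResourceTypeList":
        return list(policy.get("ResourceTypeList") or [])
    return [policy["ResourceType"]] if policy.get("ResourceType") else []


def marketplace_rule_groups(managed_service_data):
    """vendor/name of each managed rule group not published by AWS.

    These are AWS Marketplace rule groups and need an active subscription in
    every in-scope account; AWS Managed Rules (vendorName "AWS") do not.
    """
    found = []
    for key in ("preProcessRuleGroups", "postProcessRuleGroups"):
        for rg in managed_service_data.get(key) or []:
            ident = rg.get("managedRuleGroupIdentifier") or {}
            vendor = ident.get("vendorName")
            if rg.get("ruleGroupType") == "ManagedRuleGroup" and vendor not in (None, "AWS"):
                found.append(f"{vendor}/{ident.get('managedRuleGroupName')}")
    return found


def audit_waf_policy(policy, policy_region):
    """Return the reasons automatic remediation may not be associating the
    web ACL. An empty list means none of the checks in this article fired."""
    findings = []
    ssp = policy.get("SecurityServicePolicyData") or {}
    if ssp.get("Type") != "WAFV2":
        return [f"not an AWS WAF (WAFV2) policy: Type={ssp.get('Type')}"]

    if not policy.get("RemediationEnabled", False):
        findings.append("RemediationEnabled is false: Firewall Manager reports "
                        "noncompliance but does not associate the web ACL")

    types = resource_types(policy)
    if not types:
        findings.append("no resource types are in scope")
    if CLOUDFRONT in types and policy_region != GLOBAL_REGION:
        findings.append(f"CloudFront is in scope but the policy is in {policy_region}; "
                        f"CloudFront policies must be Global ({GLOBAL_REGION})")

    # ManagedServiceData is a JSON document stored as a string.
    msd = json.loads(ssp.get("ManagedServiceData") or "{}")
    for name in marketplace_rule_groups(msd):
        findings.append(f"Marketplace rule group {name}: each in-scope account needs "
                        "an active subscription or the web ACL cannot be associated")
    return findings


# Constructed sample: a policy created in eu-west-1 that has every problem the
# article lists. All IDs and the vendor name are placeholders.
SAMPLE_POLICY = {
    "PolicyName": "example-waf-policy",
    "ResourceType": "ResourceTypeList",
    "ResourceTypeList": [CLOUDFRONT, "AWS::ElasticLoadBalancingV2::LoadBalancer"],
    "RemediationEnabled": False,
    "IncludeMap": {"ORG_UNIT": ["ou-examplerootid111-exampleouid111"]},
    "SecurityServicePolicyData": {
        "Type": "WAFV2",
        "ManagedServiceData": json.dumps({
            "type": "WAFV2",
            "preProcessRuleGroups": [
                {"ruleGroupType": "ManagedRuleGroup",
                 "overrideAction": {"type": "NONE"},
                 "managedRuleGroupIdentifier": {"vendorName": "AWS",
                                                "managedRuleGroupName": "AWSManagedRulesCommonRuleSet",
                                                "version": None}},
                {"ruleGroupType": "ManagedRuleGroup",
                 "overrideAction": {"type": "NONE"},
                 "managedRuleGroupIdentifier": {"vendorName": "ExampleVendor",
                                                "managedRuleGroupName": "ExampleBotRuleGroup",
                                                "version": None}},
            ],
            "postProcessRuleGroups": [],
            "defaultAction": {"type": "ALLOW"},
            "overrideCustomerWebACLAssociation": False,
        }),
    },
}

if __name__ == "__main__":
    for finding in audit_waf_policy(SAMPLE_POLICY, "eu-west-1"):
        print("-", finding)
```

To run it against a real policy, save the output of `aws fms get-policy --policy-id <id> --region <region>` and pass its "Policy" member together with the Region you queried; the Region matters because the CloudFront check compares it with us-east-1.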

For AWS WAF Classic, see Working with AWS WAF Classic rule groups for use with AWS Firewall Manager.

Firewall Manager policy precedence with Application Load Balancers

Scenario 1

If an Application Load Balancer is in scope of both a Shield Advanced policy and an AWS WAF policy, the AWS WAF policy takes precedence. Its web ACL is associated with the Application Load Balancer and replaces the empty web ACL that the Shield Advanced policy associated.

Note: The Shield Advanced policy associates an empty web ACL only so that traffic data for the resource is captured. This data can be helpful for analyzing DDoS attacks.

Scenario 2

If you have two AWS WAF policies (P1 and P2) with the same Application Load Balancer in scope, the policy that reaches the resource first (P1) associates its web ACL. The second policy (P2) checks whether the Application Load Balancer already has a web ACL associated with it. Because it does, P2 doesn't replace the association by default and reports the Application Load Balancer as noncompliant.
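The following added example models both scenarios; it is not Firewall Manager's code. It encodes the behavior described above plus the policy's overrideCustomerWebACLAssociation setting from ManagedServiceData, which, when true, lets an AWS WAF policy replace a web ACL that is already associated. The web ACL ARN format and the assumption that a Shield Advanced policy accepts a web ACL that is already present are illustrative assumptions.

```python
"""Constructed model of Firewall Manager web ACL association precedence for an
Application Load Balancer (Scenario 1 and Scenario 2). Not Firewall Manager
code; it encodes the behaviour the article describes plus the documented
overrideCustomerWebACLAssociation setting in the policy's ManagedServiceData.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class FmsPolicy:
    name: str
    kind: str                        # "SHIELD_ADVANCED" or "WAFV2"
    override_existing: bool = False  # WAFV2 only: overrideCustomerWebACLAssociation

    def web_acl_arn(self) -> str:
        # Assumed/hypothetical ARN format; Firewall Manager names the web ACL
        # after the policy, and the account ID here is a placeholder.
        return (f"arn:aws:wafv2:us-east-1:111122223333:regional/webacl/"
                f"FMManagedWebACLV2-{self.name}/example")


@dataclass
class AlbState:
    web_acl: Optional[str] = None              # ARN currently associated
    web_acl_owner: Optional[FmsPolicy] = None  # policy that associated it
    log: List[Tuple[str, str]] = field(default_factory=list)


def remediate(policy: FmsPolicy, alb: AlbState) -> str:
    """Apply one policy's automatic remediation to one ALB; return the outcome."""
    owner = alb.web_acl_owner
    if owner is None:
        # No web ACL yet: whichever policy gets here first associates its own.
        alb.web_acl, alb.web_acl_owner = policy.web_acl_arn(), policy
        outcome = "ASSOCIATED"
    elif owner is policy:
        outcome = "COMPLIANT"
    elif policy.kind == "SHIELD_ADVANCED":
        # Assumed: Shield Advanced only needs some web ACL on the resource to
        # collect traffic data, so it accepts the one that is already there.
        outcome = "COMPLIANT"
    elif owner.kind == "SHIELD_ADVANCED" or policy.override_existing:
        # Scenario 1: the AWS WAF policy replaces Shield Advanced's empty web ACL.
        # Scenario 2 with overrideCustomerWebACLAssociation=true: P2 replaces P1's.
        alb.web_acl, alb.web_acl_owner = policy.web_acl_arn(), policy
        outcome = "REPLACED"
    else:
        # Scenario 2, default: the ALB already has P1's web ACL, so P2 leaves it
        # in place and reports the ALB as noncompliant (the compliance detail
        # shows the violation reason RESOURCE_INCORRECT_WEB_ACL).
        outcome = "NONCOMPLIANT"
    alb.log.append((policy.name, outcome))
    return outcome


def run(policies: List[FmsPolicy], alb: Optional[AlbState] = None):
    """Remediate the policies in the order they reach the ALB."""
    if alb is None:
        alb = AlbState()
    return [remediate(p, alb) for p in policies], alb


if __name__ == "__main__":
    shield = FmsPolicy("ShieldPolicy", "SHIELD_ADVANCED")
    p1 = FmsPolicy("P1", "WAFV2")
    p2 = FmsPolicy("P2", "WAFV2")
    p2_override = FmsPolicy("P2", "WAFV2", override_existing=True)
    for label, order in (("Scenario 1", [shield, p1]),
                         ("Scenario 2", [p1, p2]),
                         ("Scenario 2 with override", [p1, p2_override])):
        outcomes, state = run(order)
        print(f"{label}: {state.log} -> web ACL owned by {state.web_acl_owner.name}")
```

The default Scenario 2 outcome is what you see when remediation "isn't working" for the second policy: the resource is noncompliant in P2's compliance report even though P2 is correctly configured, because P1 got there first.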

Related information

AWS Firewall Manager FAQs

How can I use custom policy rules with my Firewall Manager content audit security group policy?

AWS OFFICIAL. Updated a year ago.