What is the web ACL association behavior for AWS Firewall Manager AWS WAF and AWS WAF classic policies?


I created a web ACL using an AWS Firewall Manager AWS WAF policy. However, the web ACLs aren't correctly associated with their in-scope resources, or the Firewall Manager policies are in a non-compliant status.

Resolution

The web ACL association behavior for the Firewall Manager AWS WAF policy depends on the following:

  • How auto remediation is configured
  • If your in-scope resource already has a web ACL associated

Consider the following scenarios when Creating an AWS Firewall Manager policy for AWS WAF Classic or Creating a Firewall Manager policy for AWS WAF:

If Auto remediate any non-compliant resources isn't turned on, then the web ACL that Firewall Manager creates won't be associated with in-scope resources.

If only auto remediate any non-compliant resources is turned on, then the following happens:

  • For non-compliant AWS accounts that are within the policy scope, Firewall Manager creates a web ACL whose name starts with FMManagedWebACLV2. This web ACL contains the rule groups that are defined in the policy.
  • Firewall Manager associates the web ACL with all non-compliant resources in the accounts. However, if an in-scope resource already has a web ACL associated with it, then Firewall Manager won't replace the existing web ACL with the policy web ACL.

If auto remediate any non-compliant resources and Replace web ACLs that are currently associated with in-scope resources with the web ACLs created by this policy are turned on, then the following happens:

For a Firewall Manager AWS WAF classic policy

If an in-scope resource has a:

  • Custom AWS WAF classic web ACL, then the existing web ACL is replaced by the Firewall Manager AWS WAF classic policy web ACL.
  • Custom AWS WAF web ACL, then the existing web ACL isn't replaced by the Firewall Manager AWS WAF classic policy web ACL.
  • Web ACL created by an AWS Shield Advanced policy, then it's replaced by the Firewall Manager AWS WAF classic policy web ACL.
  • Web ACL created by a Firewall Manager AWS WAF classic policy, then it isn't replaced by the Firewall Manager AWS WAF classic policy web ACL.
  • Web ACL created by a Firewall Manager AWS WAF policy, then it isn't replaced by the Firewall Manager AWS WAF classic policy web ACL.

For example, suppose you have two policies in AWS WAF classic, called Policy A and Policy B, with resources in scope for both. If a resource is in scope for Policy A and you want to replace its web ACL with the web ACL created by Policy B, then you must edit the Policy A policy scope to exclude that resource. After the resource is excluded from Policy A, the corresponding web ACL association for the resource is removed. If the resource is now in scope for Policy B, then it's associated with the web ACL created by Policy B.

For a Firewall Manager AWS WAF policy

If an in-scope resource has a:

  • Custom AWS WAF classic web ACL, then the existing web ACL is replaced by the Firewall Manager AWS WAF policy web ACL.
  • Custom AWS WAF web ACL, then the existing web ACL is replaced by the Firewall Manager AWS WAF policy web ACL.
  • Web ACL created by an AWS Shield Advanced policy, then it's replaced by the Firewall Manager AWS WAF policy web ACL.
  • Web ACL created by a Firewall Manager AWS WAF classic policy, then it isn't replaced by the Firewall Manager AWS WAF policy web ACL.
  • Web ACL created by a Firewall Manager AWS WAF policy, then it isn't replaced by the Firewall Manager AWS WAF policy web ACL.

For example, suppose you have two policies in AWS WAF, called Policy A and Policy B with in-scope resources. If the resource cleanup policy isn't set to Automatically remove protections from resources that leave the policy scope, then the following happens:

  • If the resource leaves the policy scope, then the web ACL created by Policy A won’t be automatically disassociated from the resource.
  • If you create a new AWS WAF Policy B with a corresponding in-scope resource, then the new policy overrides the previous AWS WAF policy web ACL.
  • If you create a new AWS WAF classic Policy B with a corresponding in-scope resource, then the new policy won’t override the previous AWS WAF policy web ACL.
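
The two replacement lists above can be turned into a pre-change audit: before turning on the replace setting, predict per resource whether its current web ACL stays or is swapped. The following is an added example, not AWS code; classify_v2() assumes the WebACL key of the real wafv2 GetWebACLForResource response and the FMManagedWebACLV2 name prefix, and the sample ARNs and IDs are constructed placeholders.

```python
# Added example, not AWS code: predicts what a Firewall Manager AWS WAF policy
# does to each in-scope resource's web ACL under the settings described above.
from enum import Enum

class Existing(Enum):
    NONE = "no web ACL"
    CUSTOM_CLASSIC = "custom AWS WAF Classic web ACL"
    CUSTOM_V2 = "custom AWS WAF web ACL"
    SHIELD = "AWS Shield Advanced policy web ACL"
    FM_CLASSIC = "Firewall Manager AWS WAF Classic policy web ACL"
    FM_V2 = "Firewall Manager AWS WAF policy web ACL"

# Existing web ACL kinds each policy type replaces when both settings are on.
REPLACED_BY = {
    "classic": {Existing.CUSTOM_CLASSIC, Existing.SHIELD},
    "wafv2": {Existing.CUSTOM_CLASSIC, Existing.CUSTOM_V2, Existing.SHIELD},
}

def predict(policy_type, auto_remediate, replace_existing, existing):
    if not auto_remediate:
        return "no change: auto remediation is off"
    if existing is Existing.NONE:
        return "associate: policy web ACL attached"
    if not replace_existing:
        return "no change: replace setting is off"
    if existing in REPLACED_BY[policy_type]:
        return "replace: existing web ACL swapped for policy web ACL"
    return "no change: never replaces " + existing.value

def classify_v2(response):
    """Classify a wafv2 GetWebACLForResource response (assumed shape). The wafv2
    API does not report WAF Classic or Shield ACLs, so those need other input."""
    acl = response.get("WebACL")
    if acl is None:
        return Existing.NONE
    return Existing.FM_V2 if acl["Name"].startswith("FMManagedWebACLV2") else Existing.CUSTOM_V2

def audit(resources, policy_type, auto_remediate, replace_existing):
    """Map resource ARN -> predicted outcome before changing the policy."""
    return {arn: predict(policy_type, auto_remediate, replace_existing, classify_v2(r))
            for arn, r in resources.items()}

# Constructed sample responses with placeholder ARNs and IDs.
SAMPLE = {
    "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/alb-a/EXAMPLE": {},
    "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/alb-b/EXAMPLE":
        {"WebACL": {"Name": "team-custom-acl", "Id": "EXAMPLE-ID-1"}},
    "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/alb-c/EXAMPLE":
        {"WebACL": {"Name": "FMManagedWebACLV2-policy-a-EXAMPLE", "Id": "EXAMPLE-ID-2"}},
}
```

Running audit(SAMPLE, "wafv2", True, True) reports alb-a as associate, alb-b as replace, and alb-c as no change, matching the AWS WAF policy list above.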

For more information on policy scope options, see AWS Firewall Manager policy scope.


AWS OFFICIAL. Updated 2 years ago.