


# Deployments for versioned AWS Managed Rules rule groups
<a name="waf-managed-rule-groups-deployments"></a>

This section introduces how AWS deploys updates to AWS Managed Rules rule groups.

AWS deploys changes to its versioned AWS Managed Rules rule groups in three standard deployments: release candidate, static version, and default version. Additionally, AWS might sometimes need to release an exception deployment or roll back a default version deployment. 

**Note**  
This section applies only to AWS Managed Rules rule groups that are versioned. The only rule groups that aren't versioned are the IP reputation rule groups. 

**Topics**
+ [Notifications for AWS Managed Rules rule groups deployments](waf-managed-rule-groups-deployments-notifications.md)
+ [Overview of the standard deployments for AWS Managed Rules](waf-managed-rule-groups-deployments-standard.md)
+ [Typical version states for AWS Managed Rules](waf-managed-rule-groups-typical-version-states.md)
+ [Release candidate deployments for AWS Managed Rules](waf-managed-rule-groups-deployments-release-candidate.md)
+ [Static version deployments for AWS Managed Rules](waf-managed-rule-groups-deployments-static-version.md)
+ [Default version deployments for AWS Managed Rules](waf-managed-rule-groups-deployments-default-version.md)
+ [Exception deployments for AWS Managed Rules](waf-managed-rule-groups-deployments-exceptions.md)
+ [Default deployment rollbacks for AWS Managed Rules](waf-managed-rule-groups-deployments-default-rollbacks.md)

# Notifications for AWS Managed Rules rule groups deployments
<a name="waf-managed-rule-groups-deployments-notifications"></a>

This section explains how Amazon SNS notifications work with AWS Managed Rules rule groups.

The versioned AWS Managed Rules rule groups all provide SNS update notifications for deployments and they all use the same SNS topic Amazon Resource Name (ARN). The only rule groups that aren't versioned are the IP reputation rule groups. 

For deployments that affect your protections, such as changes to the default version, AWS provides SNS notifications to inform you of planned deployments and to let you know when a deployment is starting. For deployments that don't affect your protections, such as release candidate and static version deployments, AWS might notify you after the deployment has started or even after it's completed. At the completion of the deployment of a new static version, AWS updates this guide, in the changelog at [AWS Managed Rules changelog](aws-managed-rule-groups-changelog.md) and in the document history page at [Document history](doc-history.md). 

To receive all updates that AWS provides for the AWS Managed Rules rule groups, subscribe to the RSS feed from any HTML page of this guide, and subscribe to the SNS topic for the AWS Managed Rules rule groups. For information about subscribing to the SNS notifications, see [Getting notified of new versions and updates to a managed rule group](waf-using-managed-rule-groups-sns-topic.md).

**Contents of the SNS notifications**  
The fields in the Amazon SNS notifications always include the Subject, Message, and MessageAttributes. Additional fields depend on the type of message and which managed rule group the notification is for. The following shows an example notification listing for `AWSManagedRulesCommonRuleSet`.

```json
{
    "Type": "Notification",
    "MessageId": "4286b830-a463-5e61-bd15-e1ae72303868",
    "TopicArn": "arn:aws:sns:us-west-2:123456789012:MyTopic",
    "Subject": "New version available for rule group AWSManagedRulesCommonRuleSet",
    "Message": "Welcome to AWSManagedRulesCommonRuleSet version 1.5! We've updated the regex specification in this version to improve protection coverage, adding protections against insecure deserialization. For details about this change, see http://updatedPublicDocs.html. Look for more exciting updates in the future! ",
    "Timestamp": "2021-08-24T11:12:19.810Z",
    "SignatureVersion": "1",
    "Signature": "EXAMPLEHXgJm...",
    "SigningCertURL": "https://sns.us-west-2.amazonaws.com/SimpleNotificationService-f3ecfb7224c7233fe7bb5f59f96de52f.pem",
    "SubscribeURL": "https://sns.us-west-2.amazonaws.com/?Action=ConfirmSubscription&TopicArn=arn:aws:sns:us-west-2:123456789012:MyTopic&Token=2336412f37...",
    "MessageAttributes": {
        "major_version": {
            "Type": "String",
            "Value": "v1"
        },
        "managed_rule_group": {
            "Type": "String",
            "Value": "AWSManagedRulesCommonRuleSet"
        }
    }
}
```
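Because every versioned rule group publishes to the same topic, a subscriber has to validate the envelope and filter on the `managed_rule_group` attribute before acting. The following is an added example, not code from this guide or from AWS; it assumes the notification is delivered as the raw JSON envelope shown above (as for an HTTPS or Amazon SQS subscription) and uses a constructed sample based on that listing.

```python
"""Validate and filter AWS Managed Rules SNS deployment notifications."""
import json

REQUIRED_FIELDS = ("Subject", "Message", "MessageAttributes")
REQUIRED_ATTRS = ("managed_rule_group", "major_version")

# Constructed sample, modelled on the example notification above (fields
# not needed for filtering, such as the signature, are omitted).
SAMPLE_NOTIFICATION = json.dumps({
    "Type": "Notification",
    "MessageId": "4286b830-a463-5e61-bd15-e1ae72303868",
    "TopicArn": "arn:aws:sns:us-west-2:123456789012:MyTopic",
    "Subject": "New version available for rule group AWSManagedRulesCommonRuleSet",
    "Message": "Welcome to AWSManagedRulesCommonRuleSet version 1.5! ...",
    "Timestamp": "2021-08-24T11:12:19.810Z",
    "MessageAttributes": {
        "major_version": {"Type": "String", "Value": "v1"},
        "managed_rule_group": {"Type": "String",
                               "Value": "AWSManagedRulesCommonRuleSet"},
    },
})


def parse_notification(raw: str) -> dict:
    """Check the envelope and return the fields a subscriber acts on.

    Raises ValueError for anything that is not a well-formed rule group
    notification, so automation never reacts to a malformed or unrelated
    message (for example a SubscriptionConfirmation).
    """
    body = json.loads(raw)
    if body.get("Type") != "Notification":
        raise ValueError(f"unexpected SNS message type: {body.get('Type')!r}")
    missing = [f for f in REQUIRED_FIELDS if f not in body]
    if missing:
        raise ValueError(f"notification missing fields: {missing}")
    attrs = body["MessageAttributes"]
    missing = [a for a in REQUIRED_ATTRS if a not in attrs]
    if missing:
        raise ValueError(f"notification missing attributes: {missing}")
    return {
        "rule_group": attrs["managed_rule_group"]["Value"],
        "major_version": attrs["major_version"]["Value"],
        "subject": body["Subject"],
        "message": body["Message"],
        "timestamp": body.get("Timestamp"),
        "topic_arn": body.get("TopicArn"),
    }


def relevant_to_me(parsed: dict, rule_groups_in_use: set) -> bool:
    """The shared topic carries every versioned rule group; keep only ours."""
    return parsed["rule_group"] in rule_groups_in_use


if __name__ == "__main__":
    note = parse_notification(SAMPLE_NOTIFICATION)
    if relevant_to_me(note, {"AWSManagedRulesCommonRuleSet"}):
        print(f"{note['rule_group']} ({note['major_version']}): {note['subject']}")
```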

# Overview of the standard deployments for AWS Managed Rules
<a name="waf-managed-rule-groups-deployments-standard"></a>

AWS rolls out new AWS Managed Rules functionality using three standard deployment stages: release candidate, static version, and default version. 

The following diagram depicts these standard deployments. Each is described in more detail in the sections that follow. 

![\[Four vertical swimlanes show different standard deployment stages. The leftmost swimlane shows the default version set to the recommended static version 1.4. The second swimlane shows the default set to a release candidate (RC) version for testing and tuning. The RC version contains 1.4 rules and RC rules. A note indicates that after testing, the default is returned to the recommended static version. The third swimlane shows the creation of a static version 1.5 from the rules in the release candidate version. The fourth swimlane shows the default version set to the new recommended static version 1.5.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/amr-rg-versions-flowchart-diagram.png)


# Typical version states for AWS Managed Rules
<a name="waf-managed-rule-groups-typical-version-states"></a>

Normally, a versioned managed rule group has a number of unexpired static versions, and the default version points to the static version that AWS recommends. The following figure shows an example of the typical set of static versions and default version setting. 

![\[Three static versions Version_1.2, Version_1.3, and Version_1.4 are stacked, with Version_1.4 on the top. Version_1.4 has two rules, RuleA and RuleB, both with production action. A default version indicator points to Version_1.4.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/amr-rg-versions-diagram.png)


The production action for most rules in a static version is Block, but it might be set to something different. For detailed information about rule action settings, see the rule listings for each rule group at [AWS Managed Rules rule groups list](aws-managed-rule-groups-list.md). 

# Release candidate deployments for AWS Managed Rules
<a name="waf-managed-rule-groups-deployments-release-candidate"></a>

This section explains how a temporary release candidate deployment works.

When AWS has a candidate set of rule changes for a managed rule group, it tests them in a temporary release candidate deployment. AWS evaluates the candidate rules in count mode against production traffic, and performs final tuning activities, including mitigating false positives. AWS tests release candidate rules in this way for all customers who use the default version of the rule group. Release candidate deployments don't apply to customers who use a static version of the rule group.

If you use the default version, a release candidate deployment won't alter how your web traffic is managed by the rule group. You might notice the following while the candidate rules are being tested: 
+ Default version name change from `Default (using Version_X.Y)` to `Default (using Version_X.Y_PLUS_RC_COUNT)`. 
+ Additional count metrics in Amazon CloudWatch with `RC_COUNT` in their names. These are generated by the release candidate rules.

AWS tests a release candidate for about a week, then removes it and resets the default version to the current recommended static version. 

AWS performs the following steps for a release candidate deployment: 

1. **Create the release candidate** – AWS adds a release candidate based on the current recommended static version, which is the version that the default is pointing to. 

   The name of the release candidate is the static version name appended with `_PLUS_RC_COUNT`. For example, if the current recommended static version is `Version_2.1`, then the release candidate would be named `Version_2.1_PLUS_RC_COUNT`.

   The release candidate contains the following rules: 
   + Rules copied exactly from the current recommended static version, with no changes to rule configurations. 
   + Candidate new rules with rule action set to Count and with names that end with `_RC_COUNT`. 

     Most candidate rules provide proposed improvements to rules that exist already in the rule group. The name for each of these rules is the existing rule's name appended with `_RC_COUNT`. 

1. **Set the default version to the release candidate and test** – AWS sets the default version to point to the new release candidate, to perform testing against your production traffic. Testing usually takes about a week.

   You'll see the default version's name change from the one that indicates only the static version, such as `Default (using Version_1.4)`, to one that indicates the static version plus the release candidate rules, such as `Default (using Version_1.4_PLUS_RC_COUNT)`. This naming scheme lets you identify which static version you're using to manage your web traffic. 

   The following diagram shows the state of the example rule group versions at this point.   
![\[At the top of the figure are three stacked static versions, with Version_1.4 on the top. Separate from the static versions stack is the version Version_1.4_PLUS_RC_COUNT. This version contains the rules from Version_1.4 and it also contains two release candidate rules, RuleB_RC_COUNT and RuleZ_RC_COUNT, both with count action. The default version indicator points to Version_1.4_PLUS_RC_COUNT.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/amr-rg-versions-rc-diagram.png)

   The release candidate rules are always configured with Count action, so they don't alter how the rule group manages web traffic. 

   The release candidate rules generate Amazon CloudWatch count metrics that AWS uses to verify behavior and to identify false positives. AWS makes adjustments as needed, to tune the behavior of the release candidate count rules. 

   The release candidate version isn't a static version, and it's not available for you to choose from the list of static rule group versions. You can only see the name of the release candidate version in the default version specification.

1. **Return the default version to the recommended static version** – After testing the release candidate rules, AWS sets the default version back to the current recommended static version. The default version name setting drops the `_PLUS_RC_COUNT` ending, and the rule group stops generating CloudWatch count metrics for the release candidate rules. This is a silent change, and is not the same as a deployment of a default version rollback.

   The following diagram shows the state of the example rule group versions after the testing of the release candidate is complete.   
![\[This is the typical version states figure again. Three static versions Version_1.2, Version_1.3, and Version_1.4 are stacked with Version_1.4 on the top. Version_1.4 has two rules, RuleA and RuleB, both with production action. A default version indicator points to Version_1.4.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/amr-rg-versions-rc-complete-diagram.png)

**Timing and notifications**  
AWS deploys release candidate versions on an as-needed basis, to test improvements to a rule group. 
+ **SNS** – AWS sends an SNS notification at the start of the deployment. The notification indicates the estimated time that the release candidate will be tested. When testing is complete, AWS silently returns the default to the static version setting, without a second notification.
+ **Change log** – AWS doesn't update the change log or other parts of this guide for this type of deployment.

# Static version deployments for AWS Managed Rules
<a name="waf-managed-rule-groups-deployments-static-version"></a>

When AWS determines that a release candidate provides valuable changes to the rule group, AWS deploys a new static version for the rule group based on the release candidate. This deployment doesn't change the default version of the rule group. 

The new static version contains the following rules from the release candidate: 
+ Rules from the prior static version that don't have a replacement candidate among the release candidate rules. 
+ Release candidate rules, with the following changes: 
  + AWS changes the rule name by removing the release candidate suffix `_RC_COUNT`.
  + AWS changes the rule actions from Count to their production rule actions. 

   For release candidate rules that are replacements of prior existing rules, this replaces the functionality of the prior rules in the new static version. 
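The naming conventions from the release candidate section (`_PLUS_RC_COUNT` on the default version label, `_RC_COUNT` on candidate rules and their metrics) and the rule merge described just above can be checked against the diagrams with a small model. This is an added example, not AWS code: it assumes the name patterns documented on this page and, following the typical version states section, uses Block as the production action wherever none is supplied.

```python
"""Model AWS Managed Rules release candidate naming and static version creation."""
import re

RC_VERSION_SUFFIX = "_PLUS_RC_COUNT"
RC_RULE_SUFFIX = "_RC_COUNT"
DEFAULT_LABEL = re.compile(
    r"^Default \(using (Version_\d+\.\d+)(_PLUS_RC_COUNT)?\)$")


def parse_default_label(label: str) -> tuple:
    """Return (static_version, rc_in_test) from the console's default label.

    'Default (using Version_1.4_PLUS_RC_COUNT)' -> ('Version_1.4', True)
    """
    m = DEFAULT_LABEL.match(label)
    if not m:
        raise ValueError(f"unrecognised default version label: {label!r}")
    return m.group(1), m.group(2) is not None


def rc_version_name(static_version: str) -> str:
    """Name AWS gives the release candidate built on a static version."""
    return static_version + RC_VERSION_SUFFIX


def is_rc_metric(metric_name: str) -> bool:
    """CloudWatch metrics with RC_COUNT in the name come from candidate
    rules, which only count; they never reflect production blocking."""
    return "RC_COUNT" in metric_name


def build_static_version(prior_rules: dict, rc_rules: list,
                         production_actions: dict = None) -> dict:
    """Derive the next static version's rules from a release candidate.

    prior_rules: {rule_name: action} of the current recommended static version.
    rc_rules: candidate rule names, each ending in _RC_COUNT.
    production_actions: {rule_name: action} for candidate rules; a replacement
    otherwise keeps the prior rule's action, and a new rule defaults to BLOCK
    (assumption, based on "most rules" being Block).
    """
    production_actions = production_actions or {}
    for name in rc_rules:
        if not name.endswith(RC_RULE_SUFFIX):
            raise ValueError(f"not a release candidate rule name: {name!r}")
    replaced = {name[:-len(RC_RULE_SUFFIX)] for name in rc_rules}
    # Prior rules without a replacement candidate are carried over unchanged.
    new_rules = {n: a for n, a in prior_rules.items() if n not in replaced}
    # Candidate rules lose the suffix and switch from Count to production.
    for name in sorted(replaced):
        new_rules[name] = production_actions.get(
            name, prior_rules.get(name, "BLOCK"))
    return new_rules
```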

The following diagram depicts the creation of the new static version from the release candidate. 

![\[At the top of the figure is the release candidate version Version_1.4_PLUS_RC_COUNT, with the same rules as in the prior release candidate deployment figure. The version contains the rules from Version_1.4 and it also contains release candidate rules RuleB_RC_COUNT and RuleZ_RC_COUNT, both with count action. Below this, at the bottom of the figure is a static version Version_1.5, which contains rules RuleA, RuleB, and RuleZ, all with production action. Arrows point from the RC version to Version_1.5 to indicate that RuleA is copied from the Version_1.4 rules and RuleB and RuleZ are copied from the release candidate rules. All rules in Version_1.5 have production actions.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/amr-rg-versions-create-static-diagram.png)


After deployment, the new static version is available for you to test and to use in your protections if you want to. You can review new and updated rule actions and descriptions in the rule group's rule listings at [AWS Managed Rules rule groups list](aws-managed-rule-groups-list.md). 

A static version is immutable after deployment, and only changes when AWS expires it. For information about version life cycles, see [Using versioned managed rule groups in AWS WAF](waf-managed-rule-groups-versioning.md).

**Timing and notifications**  
AWS deploys a new static version as needed, in order to deploy improvements to rule group functionality. The deployment of a static version doesn't impact the default version setting.
+ **SNS** – AWS sends an SNS notification when the deployment completes.
+ **Change log** – After the deployment is complete everywhere that AWS WAF is available, AWS updates the rule group definition in this guide as needed, and then announces the release in the AWS Managed Rules rule group change log and in the documentation history page. 

# Default version deployments for AWS Managed Rules
<a name="waf-managed-rule-groups-deployments-default-version"></a>

When AWS determines that a new static version provides improved protections for the rule group compared to the current default, AWS updates the default version to the new static version. AWS might release multiple static versions before promoting one to the rule group's default version. 

The following diagram shows the state of the example rule group versions after AWS moves the default version setting to the new static version. 

![\[This is similar to the typical version states figure, but with Version_1.5 on the top of the stack and the default indicator pointing to it.\]](http://docs.aws.amazon.com/waf/latest/developerguide/images/amr-rg-versions-new-default-diagram.png)


Before deploying this change to the default version, AWS provides notifications so that you can test and prepare for the upcoming changes. If you use the default version, you can take no action and remain on it through the update. If instead you want to delay switching to the new version, then before the planned start of the default version deployment, explicitly configure your rule group to use the static version that the default is currently set to. 

**Timing and notifications**  
AWS updates the default version when it recommends a different static version for the rule group than the one that's currently in use. 
+ **SNS** – AWS sends an SNS notification at least one week prior to the targeted deployment day and then another on the deployment day, at the start of the deployment. Each notification includes the rule group name, the static version that the default version is being updated to, the deployment date, and the scheduled timing of the deployment for each AWS Region where the update is being performed. 
+ **Change log** – AWS doesn't update the change log or other parts of this guide for this type of deployment.

# Exception deployments for AWS Managed Rules
<a name="waf-managed-rule-groups-deployments-exceptions"></a>

AWS might bypass the standard deployment stages in order to quickly deploy updates that address critical security risks. An exception deployment might involve any of the standard deployment types, and it might be rolled out quickly across the AWS Regions. 

AWS provides as much advance notification as possible for exception deployments. 

**Timing and notifications**  
AWS performs exception deployments only when required. 
+ **SNS** – AWS sends an SNS notification as far ahead of the targeted deployment day as possible and then another one at the start of the deployment. Each notification includes the rule group name, the change that's being made, and the deployment date. 
+ **Change log** – If the deployment is for a static version, after the deployment is complete everywhere that AWS WAF is available, AWS updates the rule group definition in this guide as needed, and then announces the release in the AWS Managed Rules rule group change log and in the documentation history page. 

# Default deployment rollbacks for AWS Managed Rules
<a name="waf-managed-rule-groups-deployments-default-rollbacks"></a>

Under certain conditions, AWS might roll back the default version to its prior setting. A rollback usually takes less than ten minutes for all AWS Regions.

AWS performs a rollback only to mitigate a significant issue in a static version, such as an unacceptably high level of false positives. 

After the rollback of the default version setting, AWS expedites both the expiration of the static version that has the issue and the release of a new static version to address the issue. 

**Timing and notifications**  
AWS performs default version rollbacks only when required. 
+ **SNS** – AWS sends a single SNS notification at the time of the rollback. The notification includes the rule group name, the version that the default version is being set to, and the deployment date. This deployment type is very quick, so the notification doesn't provide timing information for Regions. 
+ **Change log** – AWS doesn't update the change log or other parts of this guide for this type of deployment.