

**Introducing a new console experience for AWS WAF**

You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html). 

# Migrating a protection pack (web ACL) from AWS WAF Classic to AWS WAF

The automated migration carries over most of your AWS WAF Classic protection pack (web ACL) configuration, leaving some things that you need to handle manually.

**Note**  
Some protection configurations cannot be automatically migrated, and require manual configuration in AWS WAF (v2). See the list at [Migration caveats and limitations](waf-migrating-caveats.md).

The following lists the high-level steps for migrating a protection pack (web ACL). 

1. The automated migration reads everything related to your existing protection pack (web ACL), without modifying or deleting anything in AWS WAF Classic. It creates a representation of the web ACL and its related resources that is compatible with AWS WAF. It generates a CloudFormation template for the new protection pack (web ACL) and stores it in an Amazon S3 bucket.

1. You deploy the template into CloudFormation, in order to recreate the protection pack (web ACL) and related resources in AWS WAF. 

1. You review the protection pack (web ACL), and manually complete the migration, making sure that your new protection pack (web ACL) takes full advantage of the capabilities of the latest AWS WAF. 

1. You manually switch your protected resources over to the new protection pack (web ACL). 

**Topics**
+ [Migrating a protection pack (web ACL): automated migration](waf-migrating-procedure-automatic.md)
+ [Migrating a protection pack (web ACL): manual follow-up](waf-migrating-procedure-manual-finish.md)
+ [Migrating a protection pack (web ACL): additional considerations](waf-migrating-procedure-additional.md)
+ [Migrating a protection pack (web ACL): switchover](waf-migrating-procedure-switchover.md)

# Migrating a protection pack (web ACL): automated migration

**To automatically migrate a protection pack (web ACL) configuration from AWS WAF Classic to AWS WAF**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. Choose **Switch to AWS WAF Classic** and review your configuration settings for the protection pack (web ACL). Make note of the settings, considering the caveats and limitations described in the preceding section, [Migration caveats and limitations](waf-migrating-caveats.md).

1. In the informational dialogue at the top, locate the sentence that starts with **Migrate protection packs (web ACLs)** and choose the link to the **migration wizard**. This launches the migration wizard.

   If you don't see the informational dialogue, you might have closed it since you launched the AWS WAF Classic console. In the navigation bar, choose **Switch to new AWS WAF** then choose **Switch to AWS WAF Classic**, and the informational dialogue should reappear.

1. Select the protection pack (web ACL) that you want to migrate. 

1. For **Migration configuration**, provide an Amazon S3 bucket to use for the template. You need an Amazon S3 bucket that's configured properly for the migration API, to store the AWS CloudFormation template that it generates. 
   + If the bucket is encrypted, the encryption must use Amazon S3 (SSE-S3) keys. The migration doesn't support encryption with AWS Key Management Service (SSE-KMS) keys.
   + The bucket name must start with `aws-waf-migration-`. For example, `aws-waf-migration-my-web-acl`.
   + The bucket must be in the Region where you are deploying the template. For example, for a protection pack (web ACL) in `us-west-2`, you must use an Amazon S3 bucket in `us-west-2` and you must deploy the template stack to `us-west-2`. 

1. For **S3 bucket policy**, we recommend choosing **Auto apply the bucket policy required for migration**. Alternatively, if you want to manage the bucket on your own, you must manually apply the following bucket policy: 
   + For global Amazon CloudFront applications (`waf`):

     ```json
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Principal": {
                     "Service": "apiv2migration.waf.amazonaws.com"
                 },
                 "Action": "s3:PutObject",
                 "Resource": "arn:aws:s3:::<BUCKET_NAME>/AWSWAF/<CUSTOMER_ACCOUNT_ID>/*"
             }
         ]
     }
     ```

   + For regional Amazon API Gateway or Application Load Balancer applications (`waf-regional`):

     ```json
     {
         "Version": "2012-10-17",
         "Statement": [
             {
                 "Effect": "Allow",
                 "Principal": {
                     "Service": "apiv2migration.waf-regional.amazonaws.com"
                 },
                 "Action": "s3:PutObject",
                 "Resource": "arn:aws:s3:::<BUCKET_NAME>/AWSWAF/<CUSTOMER_ACCOUNT_ID>/*"
             }
         ]
     }
     ```

1. For **Choose how to handle rules that cannot be migrated**, choose either to exclude rules that can't be migrated, or to stop the migration. For information about rules that can't be migrated, see [Migration caveats and limitations](waf-migrating-caveats.md). 

1. Choose **Next**. 

1. For **Create CloudFormation template**, verify your settings, then choose **Start creating CloudFormation template** to begin the migration process. This can take a few minutes, depending on the complexity of your protection pack (web ACL).

1. In **Create and run CloudFormation stack to complete migration**, you can choose to go to the AWS CloudFormation console to create a stack from the template, to create the new protection pack (web ACL) and its resources. To do this, choose **Create CloudFormation stack**. 
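As an added pre-flight check (not part of this guide or of the AWS WAF migration tooling), the following Python script applies the bucket requirements from the **Migration configuration** and **S3 bucket policy** steps above: the `aws-waf-migration-` name prefix, SSE-S3 rather than SSE-KMS encryption, the same Region as the template stack, and a bucket policy that grants the migration service principal `s3:PutObject` on the `AWSWAF/<account>/` prefix. Its inputs are the kind of values `get_bucket_location`, `get_bucket_encryption` and `get_bucket_policy` return, but they are supplied as constructed samples so the check runs offline; the account ID and bucket names in the comments are assumptions.

```python
import json

# Service principals from the two bucket policies in the procedure above.
MIGRATION_PRINCIPALS = {
    "waf": "apiv2migration.waf.amazonaws.com",                  # CloudFront (global)
    "waf-regional": "apiv2migration.waf-regional.amazonaws.com",  # API Gateway / ALB
}


def expected_policy_json(bucket, account_id, scope):
    """Render the bucket policy from the procedure as a JSON string."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": MIGRATION_PRINCIPALS[scope]},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{bucket}/AWSWAF/{account_id}/*",
        }],
    })


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def policy_allows_migration(policy_json, bucket, account_id, scope):
    """True if some Allow statement lets the migration principal PutObject on the prefix."""
    want = f"arn:aws:s3:::{bucket}/AWSWAF/{account_id}/*"
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if (MIGRATION_PRINCIPALS[scope] in services
                and {"s3:PutObject", "s3:*"} & set(_as_list(stmt.get("Action")))
                and want in _as_list(stmt.get("Resource"))):
            return True
    return False


def check_bucket(bucket, region, stack_region, sse_algorithm, policy_json, account_id, scope):
    """Return a list of problems; an empty list means the bucket is ready for the migration."""
    problems = []
    if not bucket.startswith("aws-waf-migration-"):
        problems.append("bucket name must start with aws-waf-migration-")
    if sse_algorithm == "aws:kms":  # unencrypted (None) or AES256 (SSE-S3) are both fine
        problems.append("bucket uses SSE-KMS; the migration supports SSE-S3 only")
    if region != stack_region:
        problems.append(f"bucket is in {region} but the stack deploys to {stack_region}")
    if not policy_allows_migration(policy_json, bucket, account_id, scope):
        problems.append("bucket policy does not grant the migration principal s3:PutObject")
    return problems
```

Run `check_bucket` once per bucket before starting the wizard; a policy generated for `waf` is rejected for `waf-regional`, because the two scopes use different service principals.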

After the automatic migration process completes, you're ready to proceed to the manual follow-up steps. See [Migrating a protection pack (web ACL): manual follow-up](waf-migrating-procedure-manual-finish.md).

# Migrating a protection pack (web ACL): manual follow-up

After the automated migration is complete, review the newly created protection pack (web ACL) and fill in the components that the migration doesn't bring over for you. The following procedure covers the aspects of protection pack (web ACL) management that the migration doesn't handle. For the list, see [Migration caveats and limitations](waf-migrating-caveats.md).

**To finish the basic migration - manual steps**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. The console should automatically use the latest version of AWS WAF. To verify this, in the navigation pane, check that you can see the option **Switch to AWS WAF Classic**. If you see **Switch to new AWS WAF**, choose that to switch to the latest version. 

1. In the navigation pane, choose **protection packs (web ACLs)**. 

1. On the **protection packs (web ACLs)** page, locate your new protection pack (web ACL) in the list for the Region where you created it. Choose the name of the protection pack (web ACL) to open its settings.

1. Review all of the settings for the new protection pack (web ACL) against your prior AWS WAF Classic web ACL. By default, logging and protected resource associations are disabled. You enable those when you're ready to switch over. 

1. If your AWS WAF Classic protection pack (web ACL) had a managed rule group, the rule group inclusion wasn't brought over in the migration. You can add managed rule groups to the new protection pack (web ACL). Review the information about managed rule groups, including the list of AWS Managed Rules that are available with the new version of AWS WAF, at [Using managed rule groups in AWS WAF](waf-managed-rule-groups.md). To add a managed rule group, do the following:

   1. In your protection pack (web ACL) settings page, choose the protection pack (web ACL) **Rules** tab. 

   1. Choose **Add rules**, then choose **Add managed rule groups**.

   1. Expand the listing for the vendor of your choice and select the rule groups that you want to add. For AWS Marketplace sellers, you might need to subscribe to the rule groups. For more information about using managed rule groups in your protection pack (web ACL), see [Using managed rule groups in AWS WAF](waf-managed-rule-groups.md) and [Using protection packs (web ACLs) with rules and rule groups in AWS WAF](web-acl-processing.md).

After you finish the basic migration process, we recommend that you review your needs and consider additional options, to be sure that the new configuration is as efficient as possible and that it's using the latest available security options. See [Migrating a protection pack (web ACL): additional considerations](waf-migrating-procedure-additional.md).

# Migrating a protection pack (web ACL): additional considerations

Review your new protection pack (web ACL) and consider the options available to you in the new AWS WAF to be sure that the configuration is as efficient as possible and that it's using the latest available security options. 

**Additional AWS Managed Rules**  
Consider implementing additional AWS Managed Rules in your protection pack (web ACL) to increase the security posture for your application. These are included with AWS WAF at no additional cost. AWS Managed Rules feature the following types of rule groups: 
+ Baseline rule groups provide general protection against a variety of common threats, such as stopping known bad inputs from making it into your application and preventing admin page access. 
+ Use-case specific rule groups provide incremental protection for many diverse use cases and environments.
+ IP reputation lists provide threat intelligence based on the client’s source IP.

For more information, see [AWS Managed Rules for AWS WAF](aws-managed-rule-groups.md).

**Rule optimization and cleanup**  
Revisit your old rules and consider optimizing them by rewriting them or removing outdated ones. For example, if you previously deployed an AWS CloudFormation template from the technical paper for OWASP Top 10 Web Application Vulnerabilities, [Prepare for the OWASP Top 10 Web Application Vulnerabilities Using AWS WAF and Our New White Paper](https://aws.amazon.com/blogs/aws/prepare-for-the-owasp-top-10-web-application-vulnerabilities-using-aws-waf-and-our-new-white-paper/), consider replacing it with AWS Managed Rules. The concepts in that document still apply and can help you write your own rules, but the rules created by the template have been largely superseded by AWS Managed Rules.

**Amazon CloudWatch metrics and alarms**  
Revisit your Amazon CloudWatch metrics and set up alarms as needed. The migration doesn't carry over CloudWatch alarms and it's possible that your metric names aren't what you want. 

**Review with your application team**  
Work with your application team and check your security posture. Find out what fields are parsed frequently by the application and add rules to sanitize the input accordingly. Check for any edge cases and add rules to catch these cases if the application’s business logic fails to process them. 

**Plan the switchover**  
Plan the timing of the switch with your application team. The switch from the old protection pack (web ACL) association to the new one can take a small amount of time to propagate to all areas where your resources are stored. The propagation time can be from a few seconds to a number of minutes. During this time, some requests will be processed by the old protection pack (web ACL) and others will be processed by the new protection pack (web ACL). Your resources will be protected throughout the switch, but you might notice inconsistencies in request handling while the switch is underway. 

When you are ready to switch over, follow the procedure at [Migrating a protection pack (web ACL): switchover](waf-migrating-procedure-switchover.md).

# Migrating a protection pack (web ACL): switchover

After you've verified your new protection pack (web ACL) settings, you can start to use it in place of your AWS WAF Classic protection pack (web ACL). 

**To begin using your new AWS WAF protection pack (web ACL)**

1. Associate the AWS WAF protection pack (web ACL) with the resources that you want to protect, following the guidance at [Associating or disassociating protection with an AWS resource](web-acl-associating-aws-resource.md). This automatically disassociates the resources from the old protection pack (web ACL). 

   The switch can take from a few seconds to a number of minutes to propagate. During this time, some requests might be processed by the old protection pack (web ACL) and others by the new protection pack (web ACL). Your resources will be protected throughout the switch, but you might notice inconsistencies in request handling until it's complete. 

1. Configure logging for the new protection pack (web ACL), following the guidance at [Logging AWS WAF protection pack (web ACL) traffic](logging.md). 

1. (Optional) If your AWS WAF Classic protection pack (web ACL) is no longer associated with any resources, consider removing it entirely from AWS WAF Classic. For information, see [Deleting a Web ACL](classic-web-acl-deleting.md).