

**Introducing a new console experience for AWS WAF**

You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html). 

# Managing your own rule groups


You can create your own rule group to reuse collections of rules that you either don't find in the managed rule group offerings or that you prefer to handle on your own. 

Rule groups that you create hold rules just like a protection pack (web ACL) does, and you add rules to a rule group in the same way as you do to a protection pack (web ACL). When you create your own rule group, you must set a maximum capacity for it, measured in web ACL capacity units (WCUs). You can't change this capacity after creation, and it counts against the capacity of every protection pack (web ACL) that uses the rule group, so size it for the rules you plan to add later, not only for the rules you add now. 

**Topics**
+ [Creating a rule group](waf-rule-group-creating.md)
+ [Editing a rule group](waf-rule-group-editing.md)
+ [Using your rule group in a protection pack (web ACL)](waf-rule-group-using.md)
+ [Deleting a rule group](waf-rule-group-deleting.md)
+ [Sharing a rule group](waf-rule-group-sharing.md)

# Creating a rule group


To create a new rule group, follow the procedure on this page. 

**To create a rule group**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. In the navigation pane, choose **Rule groups**, and then **Create rule group**. 

1. Enter a name and description for the rule group. You'll use these to identify the rule group when you manage it and when you use it in a protection pack (web ACL). 

   Don't use names that start with `AWS`, `Shield`, `PreFM`, or `PostFM`. These strings are either reserved or could cause confusion with rule groups that are managed for you by other services. See [Recognizing rule groups provided by other services](waf-service-owned-rule-groups.md). 
**Note**  
You can't change the name after you create the rule group.

1. For **Region**, choose the Region where you want to store the rule group. To use a rule group in protection packs (web ACLs) that protect Amazon CloudFront distributions, you must use the global setting. You can use the global setting for regional applications, too.

1. Choose **Next**.

1. Add rules to the rule group using the **Rule builder** wizard, the same as you do in protection pack (web ACL) management. The only difference is that you can't add a rule group to another rule group. 

1. For **Capacity**, set the maximum for the rule group's use of protection pack (web ACL) capacity units (WCUs). This is an immutable setting. For information about WCUs, see [Web ACL capacity units (WCUs) in AWS WAF](aws-waf-capacity-units.md). 

   As you add rules to the rule group, the **Add rules and set capacity** pane displays the minimum required capacity, which is based on the rules that you've already added. You can use this and your future plans for the rule group to help estimate the capacity that the rule group will require. 

1. Review the settings for the rule group, and choose **Create**.
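The same procedure through the API, as an added example for this guide (not code shipped by AWS): the script measures the WCUs that the rules need with `CheckCapacity`, then creates the rule group with headroom above that minimum, because the capacity can't be raised later. It assumes boto3's `wafv2` client with the `check_capacity` and `create_rule_group` request shapes from the AWS WAF API Reference; the rule group name, the two rules and the headroom factor are constructed for the example.

```python
"""Create a custom AWS WAF rule group with boto3, sizing its immutable Capacity first.

Added example for this guide, not code shipped by AWS. It assumes the wafv2
check_capacity and create_rule_group calls with the request shapes in the AWS WAF
API Reference. The rule group name, rules, and capacity headroom are constructed.
"""
import math
import re

# Name prefixes this guide says not to use for your own rule groups.
RESERVED_NAME_PREFIXES = ("AWS", "Shield", "PreFM", "PostFM")
# Capacity can't be changed after creation, so leave room for rules you add later.
DEFAULT_HEADROOM = 1.5


def validate_rule_group_name(name: str) -> str:
    """Reject names outside the API pattern or starting with a service-owned prefix."""
    if not re.fullmatch(r"[\w\-]{1,128}", name):
        raise ValueError(f"name must match ^[\\w\\-]+$ and be 1-128 chars: {name!r}")
    for prefix in RESERVED_NAME_PREFIXES:
        if name.startswith(prefix):
            raise ValueError(f"name must not start with {prefix!r}: {name!r}")
    return name


def make_rule(name: str, priority: int, statement: dict, action: dict) -> dict:
    """One rule. MetricName is derived from the rule name here because AWS WAF
    doesn't update the metric name if you rename the rule later."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": statement,
        "Action": action,
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def login_path() -> dict:
    """Constructed match: URI path starts with /login (after lowercasing)."""
    return {"ByteMatchStatement": {
        "SearchString": b"/login",
        "FieldToMatch": {"UriPath": {}},
        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
        "PositionalConstraint": "STARTS_WITH",
    }}


def build_rules() -> list:
    """Two constructed rules: block SQL injection in login bodies, and count
    (not yet block) clients that hit /login more than 500 times in 5 minutes.
    The rate rule starts in Count so it can be tuned on real traffic first."""
    sqli = make_rule("BlockSqliOnLogin", 0, {"AndStatement": {"Statements": [
        login_path(),
        {"SqliMatchStatement": {
            "FieldToMatch": {"Body": {"OversizeHandling": "CONTINUE"}},
            "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}],
            "SensitivityLevel": "HIGH",
        }},
    ]}}, {"Block": {}})
    rate = make_rule("RateLimitLogin", 1, {"RateBasedStatement": {
        "Limit": 500,
        "EvaluationWindowSec": 300,
        "AggregateKeyType": "IP",
        "ScopeDownStatement": login_path(),
    }}, {"Count": {}})
    return [sqli, rate]


def choose_capacity(required: int, headroom: float = DEFAULT_HEADROOM) -> int:
    """Capacity to request: the measured minimum plus headroom, never below the minimum."""
    return max(required, math.ceil(required * headroom))


def create_rule_group(name: str, scope: str, rules: list, region: str) -> dict:
    """Measure the rules' WCUs with CheckCapacity, then create the group with headroom.
    scope is "REGIONAL" or "CLOUDFRONT" (CloudFront rule groups live in us-east-1).
    Network call; not executed when this module is imported."""
    import boto3  # imported lazily so the pure functions above work without it
    client = boto3.client("wafv2", region_name=region)
    required = client.check_capacity(Scope=scope, Rules=rules)["Capacity"]
    return client.create_rule_group(
        Name=validate_rule_group_name(name),
        Scope=scope,
        Capacity=choose_capacity(required),
        Description="Login protections (constructed example)",
        Rules=rules,
        VisibilityConfig={
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    )["Summary"]


if __name__ == "__main__":
    print(create_rule_group("LoginProtections", "REGIONAL", build_rules(), "us-west-2"))
```

`CheckCapacity` is the API counterpart of the minimum-capacity figure that the console's **Add rules and set capacity** pane shows; the 1.5x headroom is a constructed choice, not a recommendation from AWS, and the right factor depends on what you expect to add to the group.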

# Editing a rule group


To add or remove rules from a rule group or change configuration settings, access the rule group using the procedure on this page. 

**Production traffic risk**  
If you change a rule group that you're currently using in a protection pack (web ACL), those changes will affect your protection pack (web ACL) behavior wherever it's being used. Be sure to test and tune all changes in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your updated rules in count mode with your production traffic before enabling them. For guidance, see [Testing and tuning your AWS WAF protections](web-acl-testing.md).

**To edit a rule group**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. In the navigation pane, choose **Rule groups**.

1. Choose the name of the rule group that you want to edit. The console takes you to the rule group's page. 
**Note**  
If you don't see the rule group that you want to edit, check the Region selection inside the **Rule groups** section. For rule groups used to protect Amazon CloudFront distributions, use the **Global (CloudFront)** setting. 

1. Edit the rule group as needed. You can edit the rule group's mutable properties, similar to how you did during creation. The console saves your changes as you go.
**Note**  
If you change the name of a rule and you want the rule's metric name to reflect the change, you must update the metric name as well. AWS WAF doesn't automatically update the metric name for a rule when you change the rule name. You can change the metric name when you edit the rule in the console, by using the rule JSON editor. You can also change both names through the APIs and in any JSON listing that you use to define your protection pack (web ACL) or rule group.
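The same edit through the API, as an added example for this guide (not code shipped by AWS): it renames a rule and updates its metric name in the same change, switches a rule to Count for testing, and writes the result back with the `LockToken` returned by the read so that a concurrent edit by someone else fails instead of being overwritten. It assumes boto3's `wafv2` `get_rule_group` and `update_rule_group` as documented in the AWS WAF API Reference; `EXISTING` is a constructed stand-in for a real `get_rule_group` response.

```python
"""Edit a rule group through the API: rename a rule, keep its metric name in step,
put a rule in count mode, and write back with the LockToken from the read.

Added example for this guide, not code shipped by AWS. It assumes boto3's wafv2
get_rule_group / update_rule_group as documented in the API Reference. EXISTING
is a constructed stand-in for a get_rule_group response.
"""
import copy

# Constructed: what get_rule_group returns for a rule group with one rule.
EXISTING = {
    "RuleGroup": {
        "Name": "LoginProtections",
        "Id": "11111111-2222-3333-4444-555555555555",
        "Capacity": 45,
        "ARN": ("arn:aws:wafv2:us-west-2:123456789012:regional/rulegroup/"
                "LoginProtections/11111111-2222-3333-4444-555555555555"),
        "Rules": [{
            "Name": "BlockSqli",
            "Priority": 0,
            "Statement": {"SqliMatchStatement": {
                "FieldToMatch": {"Body": {}},
                "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}]}},
            "Action": {"Block": {}},
            "VisibilityConfig": {"SampledRequestsEnabled": True,
                                 "CloudWatchMetricsEnabled": True,
                                 "MetricName": "BlockSqli"},
        }],
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True,
                             "MetricName": "LoginProtections"},
    },
    "LockToken": "c0ffee00-0000-4000-8000-000000000001",
}


def find_rule(rules, name):
    for rule in rules:
        if rule["Name"] == name:
            return rule
    raise KeyError(f"no rule named {name!r}")


def rename_rule(rules, old_name, new_name, rename_metric=True):
    """Return a copy with the rule renamed. AWS WAF leaves MetricName unchanged on a
    rename, so the metric is renamed here too, unless you'd rather keep the metric
    history under the old name."""
    new_rules = copy.deepcopy(rules)
    rule = find_rule(new_rules, old_name)
    rule["Name"] = new_name
    if rename_metric:
        rule["VisibilityConfig"]["MetricName"] = new_name
    return new_rules


def set_rule_action(rules, name, action):
    """Return a copy with one rule's action replaced, e.g. {"Count": {}} to observe
    a change against production traffic before it blocks anything."""
    new_rules = copy.deepcopy(rules)
    find_rule(new_rules, name)["Action"] = action
    return new_rules


def update_rule_group(client, scope, snapshot, rules):
    """Write back with the LockToken from the read. If the rule group changed in
    between, AWS WAF rejects the call (WAFOptimisticLockException) rather than
    letting this write silently overwrite the other change; re-read and retry."""
    group = snapshot["RuleGroup"]
    resp = client.update_rule_group(
        Name=group["Name"],
        Scope=scope,
        Id=group["Id"],
        Rules=rules,
        VisibilityConfig=group["VisibilityConfig"],
        LockToken=snapshot["LockToken"],
    )
    return resp["NextLockToken"]


def edit_live(name, group_id, scope, region):
    """Full round trip against AWS (network call; not run on import)."""
    import boto3
    client = boto3.client("wafv2", region_name=region)
    snapshot = client.get_rule_group(Name=name, Scope=scope, Id=group_id)
    rules = rename_rule(snapshot["RuleGroup"]["Rules"], "BlockSqli", "BlockSqliOnLogin")
    rules = set_rule_action(rules, "BlockSqliOnLogin", {"Count": {}})
    return update_rule_group(client, scope, snapshot, rules)
```

Because the change lands in every protection pack (web ACL) that references the group, the Count step above is the API equivalent of the testing advice in the production traffic note: run the edited rule in Count, read the sampled requests and metrics, and only then switch it back to Block.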

**Temporary inconsistencies during updates**  
When you create or change a protection pack (web ACL) or other AWS WAF resources, the changes take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes. 

The following are examples of the temporary inconsistencies that you might notice during change propagation: 
+ After you create a protection pack (web ACL), if you try to associate it with a resource, you might get an exception indicating that the protection pack (web ACL) is unavailable. 
+ After you add a rule group to a protection pack (web ACL), the new rule group rules might be in effect in one area where the protection pack (web ACL) is used and not in another.
+ After you change a rule action setting, you might see the old action in some places and the new action in others. 
+ After you add an IP address to an IP set that is in use in a blocking rule, the new address might be blocked in one area while still allowed in another.

# Using your rule group in a protection pack (web ACL)


To use a rule group in a protection pack (web ACL), you add it to the protection pack (web ACL) in a rule group reference statement. 

**Production traffic risk**  
Before you deploy changes in your protection pack (web ACL) for production traffic, test and tune them in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your updated rules in count mode with your production traffic before enabling them. For guidance, see [Testing and tuning your AWS WAF protections](web-acl-testing.md).

**Note**  
Using more than 1,500 WCUs in a protection pack (web ACL) incurs costs beyond the basic protection pack (web ACL) price. For more information, see [Web ACL capacity units (WCUs) in AWS WAF](aws-waf-capacity-units.md) and [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).

**To use a rule group**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. In the navigation pane, choose the protection packs (web ACLs) listing, and then choose the name of the protection pack (web ACL) that you want to add the rule group to. The console takes you to the protection pack's (web ACL's) page.

1. Choose **Add rules**, and then choose **Add my own rules and rule groups**.

1. For the rule type, choose **Rule group**, and then select your rule group from the list. The list only shows rule groups that belong to your account; rule groups that have been shared with you are referenced by ARN through the API instead.

In your protection pack (web ACL), you can alter the behavior of a rule group and its rules by overriding individual rule actions to Count or any other action. This can help you do things like test a rule group, identify false positives from rules in a rule group, and customize how a rule group, whether your own or a managed one, handles your requests. For more information, see [Overriding rule group actions in AWS WAF](web-acl-rule-group-override-options.md). 

If your rule group contains a rate-based statement, each protection pack (web ACL) where you use the rule group has its own separate rate tracking and management for the rate-based rule, independent of any other protection pack (web ACL) where you use the rule group. For more information, see [Using rate-based rule statements in AWS WAF](waf-rule-statement-type-rate-based.md).
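What the rule group reference statement looks like in the protection pack (web ACL) definition, together with the per-rule action overrides described above, as an added example for this guide (not code shipped by AWS). It assumes the `RuleGroupReferenceStatement` request shape documented in the AWS WAF API Reference; the rule group ARN, rule names and WCU figures are constructed.

```python
"""Reference your own rule group from a web ACL rule, with per-rule action overrides.

Added example for this guide, not code shipped by AWS. It assumes the
RuleGroupReferenceStatement request shape documented in the AWS WAF API
Reference. The rule group ARN, rule names and capacities are constructed.
"""

# Constructed ARN of a regional rule group.
RULE_GROUP_ARN = ("arn:aws:wafv2:us-west-2:123456789012:regional/rulegroup/"
                  "LoginProtections/11111111-2222-3333-4444-555555555555")

# Above this many WCUs in one web ACL, AWS WAF charges beyond the base web ACL price.
BASE_PRICE_WCU_LIMIT = 1500


def rule_group_reference(rule_name, priority, arn, count_rules=(), count_all=False):
    """A web ACL rule that evaluates a rule group.

    Two things differ from an ordinary rule: the statement is a
    RuleGroupReferenceStatement (it can't be nested under And/Or/Not), and the
    rule carries OverrideAction instead of Action. OverrideAction {"None": {}}
    keeps the rule group's own rule actions; {"Count": {}} turns every rule in
    the group into a counting rule. count_rules overrides only the named rules
    to Count, which is how you test one rule against production traffic while
    the rest of the group keeps blocking.
    """
    statement = {"ARN": arn}
    if count_rules:
        statement["RuleActionOverrides"] = [
            {"Name": name, "ActionToUse": {"Count": {}}} for name in count_rules
        ]
    return {
        "Name": rule_name,
        "Priority": priority,
        "Statement": {"RuleGroupReferenceStatement": statement},
        "OverrideAction": {"Count": {}} if count_all else {"None": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": rule_name,
        },
    }


def next_priority(rules):
    """Priority after all existing rules (a higher number is evaluated later)."""
    return max((r["Priority"] for r in rules), default=-1) + 1


def add_rule_group(web_acl_rules, current_wcus, rule_group_capacity, **reference_kwargs):
    """Append the reference after the existing rules and report the web ACL's WCU total.

    The rule group's configured Capacity (its immutable maximum) is what counts
    against the web ACL, not the WCUs its rules happen to use right now.
    Returns (new_rules, total_wcus, exceeds_base_price).
    """
    new_rule = rule_group_reference(priority=next_priority(web_acl_rules), **reference_kwargs)
    total = current_wcus + rule_group_capacity
    return list(web_acl_rules) + [new_rule], total, total > BASE_PRICE_WCU_LIMIT


if __name__ == "__main__":
    existing = [{"Name": "AllowHealthChecks", "Priority": 0}]
    rules, total, over = add_rule_group(
        existing, 1480, 45,
        rule_name="UseLoginProtections", arn=RULE_GROUP_ARN, count_rules=["RateLimitLogin"])
    print(rules[-1]["Priority"], total, over)
```

The returned rule list is what you pass as `Rules` to `CreateWebACL` or `UpdateWebACL`; as with rule groups, `UpdateWebACL` needs the `LockToken` from the preceding `GetWebACL`. Overrides set here affect only this protection pack (web ACL); the rule group itself, and its rate-based counters in other protection packs (web ACLs), are unchanged.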


# Deleting a rule group


Follow the guidance in this section to delete a rule group.

**Deleting referenced sets and rule groups**  
When you delete an entity that you can use in a protection pack (web ACL), like an IP set, regex pattern set, or rule group, AWS WAF checks to see if the entity is currently being used in a protection pack (web ACL). If it finds that it is in use, AWS WAF warns you. AWS WAF is almost always able to determine if an entity is being referenced by a protection pack (web ACL). However, in rare cases it might not be able to do so. If you need to be sure that nothing is currently using the entity, check for it in your protection packs (web ACLs) before deleting it. If the entity is a referenced set, also check that no rule groups are using it.

**To delete a rule group**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. In the navigation pane, choose **Rule groups**.

1. Choose the rule group that you want to delete, and then choose **Delete**.
**Note**  
If you don't see the rule group that you want to delete, check the Region selection inside the **Rule groups** section. For rule groups used to protect Amazon CloudFront distributions, use the **Global (CloudFront)** setting. 
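The manual check that the note above asks for, as an added example for this guide (not code shipped by AWS): it walks every rule statement in your protection packs (web ACLs) and rule groups, following the nesting AWS WAF allows (And, Or, Not, and the scope-down statements of rate-based and managed rule group statements), and reports each rule that references a given ARN, so you can confirm nothing uses a rule group, IP set, or regex pattern set before deleting it. The boto3 `list_*` and `get_*` calls are assumed as documented; the web ACLs and rule group in `CONTAINERS` are a constructed stand-in for fetched definitions.

```python
"""Find every web ACL and rule group that references a resource ARN before deleting it.

Added example for this guide, not code shipped by AWS. The walker covers the
statement nesting AWS WAF allows; the boto3 list_* / get_* calls are assumed as
documented. The definitions in CONTAINERS are constructed.
"""

REFERENCE_KEYS = ("RuleGroupReferenceStatement", "IPSetReferenceStatement",
                  "RegexPatternSetReferenceStatement")

RULE_GROUP_ARN = ("arn:aws:wafv2:us-west-2:123456789012:regional/rulegroup/"
                  "LoginProtections/11111111-2222-3333-4444-555555555555")
IP_SET_ARN = ("arn:aws:wafv2:us-west-2:123456789012:regional/ipset/"
              "OfficeEgress/22222222-3333-4444-5555-666666666666")

# Constructed: (container name, rules) as you would get from get_web_acl / get_rule_group.
CONTAINERS = [
    ("web ACL prod", [
        {"Name": "UseLoginProtections", "Priority": 0,
         "Statement": {"RuleGroupReferenceStatement": {"ARN": RULE_GROUP_ARN}}},
    ]),
    ("web ACL api", [
        {"Name": "RateLimitNotOffice", "Priority": 0,
         "Statement": {"RateBasedStatement": {
             "Limit": 1000, "AggregateKeyType": "IP",
             "ScopeDownStatement": {"AndStatement": {"Statements": [
                 {"NotStatement": {"Statement": {"IPSetReferenceStatement": {"ARN": IP_SET_ARN}}}},
                 {"ByteMatchStatement": {"SearchString": b"/api/", "FieldToMatch": {"UriPath": {}},
                  "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                  "PositionalConstraint": "STARTS_WITH"}},
             ]}}}}},
    ]),
    ("web ACL staging", [
        {"Name": "Geo", "Priority": 0, "Statement": {"GeoMatchStatement": {"CountryCodes": ["US"]}}},
    ]),
    # A rule group can reference a set too; that's why sets must be checked here as well.
    ("rule group LoginProtections", [
        {"Name": "AllowOffice", "Priority": 0,
         "Statement": {"IPSetReferenceStatement": {"ARN": IP_SET_ARN}}},
    ]),
]


def referenced_arns(statement):
    """Yield every ARN referenced anywhere inside one rule statement."""
    for key in REFERENCE_KEYS:
        if key in statement:
            yield statement[key]["ARN"]
    for key in ("AndStatement", "OrStatement"):
        for inner in statement.get(key, {}).get("Statements", []):
            yield from referenced_arns(inner)
    if "NotStatement" in statement:
        yield from referenced_arns(statement["NotStatement"]["Statement"])
    for key in ("RateBasedStatement", "ManagedRuleGroupStatement"):
        scope_down = statement.get(key, {}).get("ScopeDownStatement")
        if scope_down:
            yield from referenced_arns(scope_down)


def find_references(containers, target_arn):
    """Return [(container name, rule name), ...] for every rule that uses target_arn."""
    return [(name, rule["Name"])
            for name, rules in containers
            for rule in rules
            if target_arn in set(referenced_arns(rule["Statement"]))]


def list_all(method, key, **kwargs):
    """Page through a wafv2 list_* call using NextMarker; stops on an empty page too."""
    items, marker = [], None
    while True:
        resp = method(**kwargs, **({"NextMarker": marker} if marker else {}))
        items.extend(resp[key])
        marker = resp.get("NextMarker")
        if not marker or not resp[key]:
            return items


def fetch_containers(scope, region):
    """Pull every web ACL and rule group in one scope (network call; not run on import)."""
    import boto3
    client = boto3.client("wafv2", region_name=region)
    out = []
    for acl in list_all(client.list_web_acls, "WebACLs", Scope=scope):
        full = client.get_web_acl(Name=acl["Name"], Scope=scope, Id=acl["Id"])["WebACL"]
        out.append((f"web ACL {full['Name']}", full["Rules"]))
    for group in list_all(client.list_rule_groups, "RuleGroups", Scope=scope):
        full = client.get_rule_group(Name=group["Name"], Scope=scope, Id=group["Id"])["RuleGroup"]
        out.append((f"rule group {full['Name']}", full["Rules"]))
    return out


if __name__ == "__main__":
    for hit in find_references(CONTAINERS, IP_SET_ARN):
        print("still referenced by", *hit)
```

Run it once per scope: regional resources in each Region you use, and `CLOUDFRONT` in us-east-1 for the global ones. An empty result for the ARN is the confirmation the note describes; a non-empty one tells you which rule to change first.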

# Sharing a rule group


You can share a rule group with other accounts, for use by those accounts. 

**Sharing a rule group**  
You can share with one or more specific accounts, and you can share with all accounts in an organization. 

To share a rule group, you use the AWS WAF API to create a policy for the rule group sharing that you want. For more information, see [PutPermissionPolicy](https://docs.aws.amazon.com/waf/latest/APIReference/API_PutPermissionPolicy.html) in the *AWS WAF API Reference*.
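A sharing policy built and checked before it is sent to `PutPermissionPolicy`, as an added example for this guide (not code shipped by AWS). The checks in `validate_policy` follow the constraints listed for PutPermissionPolicy in the AWS WAF API Reference (IAM policy version 2012-10-17, Effect Allow, a fixed set of `wafv2` actions with no extras or wildcards, and no Resource element); confirm them against the current reference before relying on them. The organization-wide variant uses the usual `aws:PrincipalOrgID` resource-policy condition, which is an assumption of this example rather than something this guide states. The account IDs, organization ID and rule group ARN are constructed.

```python
"""Build and sanity-check a sharing policy for PutPermissionPolicy on a rule group.

Added example for this guide, not code shipped by AWS. validate_policy encodes
the constraints listed for PutPermissionPolicy in the AWS WAF API Reference;
the organization-wide variant's aws:PrincipalOrgID condition is an assumption.
Account IDs, the organization ID and the ARN are constructed.
"""
import json
import re

REQUIRED_ACTIONS = {
    "wafv2:CreateWebACL",
    "wafv2:UpdateWebACL",
    "wafv2:PutFirewallManagerRuleGroups",
}
OPTIONAL_ACTIONS = {"wafv2:GetRuleGroup"}


def sharing_policy(account_ids=(), org_id=None, allow_get=True):
    """Grant specific accounts, or every account in one organization, the right
    to reference this rule group from their web ACLs."""
    if not account_ids and not org_id:
        raise ValueError("share with at least one account or an organization")
    for account in account_ids:
        if not re.fullmatch(r"\d{12}", account):
            raise ValueError(f"not a 12-digit account ID: {account!r}")
    actions = sorted(REQUIRED_ACTIONS | (OPTIONAL_ACTIONS if allow_get else set()))
    statement = {"Sid": "AllowRuleGroupUse", "Effect": "Allow", "Action": actions}
    if org_id:
        # Assumption: organization-wide sharing via the usual resource-policy
        # pattern, any AWS principal narrowed by aws:PrincipalOrgID.
        statement["Principal"] = {"AWS": "*"}
        statement["Condition"] = {"StringEquals": {"aws:PrincipalOrgID": org_id}}
    else:
        statement["Principal"] = {"AWS": [f"arn:aws:iam::{a}:root" for a in account_ids]}
    return {"Version": "2012-10-17", "Statement": [statement]}


def validate_policy(policy):
    """Return the documented constraints the policy breaks (empty list = OK)."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version must be 2012-10-17")
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            problems.append(f"statement {i}: Effect must be Allow")
        if "Principal" not in st:
            problems.append(f"statement {i}: Principal is required")
        if "Resource" in st:
            problems.append(f"statement {i}: Resource must not be present; "
                            "the policy is bound to the rule group ARN by the API call")
        raw = st.get("Action", [])
        actions = set(raw if isinstance(raw, list) else [raw])
        missing = REQUIRED_ACTIONS - actions
        if missing:
            problems.append(f"statement {i}: missing required actions {sorted(missing)}")
        extra = actions - REQUIRED_ACTIONS - OPTIONAL_ACTIONS
        if extra:
            problems.append(f"statement {i}: extra or wildcard actions are rejected: {sorted(extra)}")
    return problems


def put_sharing_policy(rule_group_arn, policy, region):
    """Attach the policy to the rule group and read it back (network call; not run on import)."""
    problems = validate_policy(policy)
    if problems:
        raise ValueError("; ".join(problems))
    import boto3
    client = boto3.client("wafv2", region_name=region)
    client.put_permission_policy(ResourceArn=rule_group_arn, Policy=json.dumps(policy))
    return client.get_permission_policy(ResourceArn=rule_group_arn)["Policy"]


if __name__ == "__main__":
    print(json.dumps(sharing_policy(account_ids=["222233334444", "333344445555"]), indent=2))
```

Keep the principal list as narrow as the sharing needs: the policy lets those accounts evaluate your rules against their traffic, so a change you make to the rule group changes their protection packs (web ACLs) too, and the production traffic note on editing applies to them as much as to you.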

**Using a rule group that's been shared with you**  
If a rule group has been shared with your account, you can access it through the API and you can reference it when you create or update your protection packs (web ACLs) through the API. For more information, see [GetRuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_GetRuleGroup.html), [CreateWebACL](https://docs.aws.amazon.com/waf/latest/APIReference/API_CreateWebACL.html), and [UpdateWebACL](https://docs.aws.amazon.com/waf/latest/APIReference/API_UpdateWebACL.html) in the *AWS WAF API Reference*. Rule groups that are shared with you don't appear in your AWS WAF console rule groups listing. 