Tips and lessons learnt from using AWS FMS and WAFv2
Plan your WAF logging properly; this will be the hardest part.
Logging is enabled per WebACL, so each account needs its own properly configured Kinesis Data Firehose. It is possible to enable logging from FMS.
When creating a CloudFormation stack, make the resources depend on one another so they are created one at a time; otherwise WAF will quickly rate-limit CloudFormation's API calls and your stack will fail.
Use JSON for your CloudFormation templates if you have account IDs starting with 0; PyYAML has a bug with such values.
Instead of CloudFormation you can use Terraform (when I started building this solution that wasn't possible).
Before activating an account in an FMS policy, make sure that account has AWS Config enabled.
Use AWS Managed Rules, as they are built with standards in mind, for example protection against the OWASP Top 10.
AWS WAF uses web ACL capacity units (WCUs) and you are limited to 1500. You can request an increase, but it is not simple, so plan accordingly: if you need to change the WCU capacity of a rule group you have to create a new one and delete the old one.
Rate limit rules can ONLY be added to WebACLs and belong to that WebACL. There is no option at the moment to add them through FMS; we are working with AWS to change this.
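As an added example (not from the original post) of the CloudFormation tips above, the JSON template below chains a custom rule group, the web ACL and its logging configuration with explicit DependsOn so they are created one after another rather than in parallel, uses an AWS managed rule group, and puts the rate limit rule directly in the web ACL, where it has to live. The resource names, the 50 WCU capacity and the WafLogFirehoseArn parameter are assumptions; the Firehose itself (with a name starting aws-waf-logs-) must already exist. In a template with several independent rule groups, chain each one on the previous one the same way.

```json
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Description": "Added example, not the original post's template: WAFv2 resources created sequentially via DependsOn, logging to an existing Firehose.",
  "Parameters": {
    "WafLogFirehoseArn": {"Type": "String", "Description": "Assumed to exist: ARN of a Kinesis Data Firehose whose name starts with aws-waf-logs-"}
  },
  "Resources": {
    "CustomRuleGroup": {
      "Type": "AWS::WAFv2::RuleGroup",
      "Properties": {
        "Name": "example-custom-rules",
        "Scope": "REGIONAL",
        "Capacity": 50,
        "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "exampleCustomRules"}
      }
    },
    "WebAcl": {
      "Type": "AWS::WAFv2::WebACL",
      "DependsOn": "CustomRuleGroup",
      "Properties": {
        "Name": "example-web-acl",
        "Scope": "REGIONAL",
        "DefaultAction": {"Allow": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "exampleWebAcl"},
        "Rules": [
          {"Name": "aws-common-rules", "Priority": 0, "OverrideAction": {"None": {}},
           "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
           "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "awsCommonRules"}},
          {"Name": "custom-rules", "Priority": 1, "OverrideAction": {"None": {}},
           "Statement": {"RuleGroupReferenceStatement": {"Arn": {"Fn::GetAtt": ["CustomRuleGroup", "Arn"]}}},
           "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "customRules"}},
          {"Name": "per-ip-rate-limit", "Priority": 2, "Action": {"Block": {}},
           "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
           "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "perIpRateLimit"}}
        ]
      }
    },
    "WebAclLogging": {
      "Type": "AWS::WAFv2::LoggingConfiguration",
      "DependsOn": "WebAcl",
      "Properties": {
        "ResourceArn": {"Fn::GetAtt": ["WebAcl", "Arn"]},
        "LogDestinationConfigs": [{"Ref": "WafLogFirehoseArn"}]
      }
    }
  }
}
```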