AWS CloudFormation
User Guide (API Version 2010-05-15)

AWS::WAF::Rule

The AWS::WAF::Rule resource creates an AWS WAF rule that specifies a combination of IPSet, ByteMatchSet, and SqlInjectionMatchSet objects that identify the web requests to allow, block, or count. To implement rules, you must associate them with a web ACL.

For more information, see CreateRule in the AWS WAF API Reference.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::WAF::Rule",
  "Properties" : {
    "MetricName" : String,
    "Name" : String,
    "Predicates" : [ Predicate, ... ]
  }
}

YAML

Type: "AWS::WAF::Rule"
Properties:
  MetricName: String
  Name: String
  Predicates:
    - Predicate

Properties

MetricName

A friendly name or description for the metrics of the rule. For valid values, see the MetricName parameter for the CreateRule action in the AWS WAF API Reference.

Required: Yes

Type: String

Update requires: Replacement

Name

A friendly name or description of the rule.

Required: Yes

Type: String

Update requires: Replacement

Predicates

The ByteMatchSet, IPSet, SizeConstraintSet, SqlInjectionMatchSet, or XssMatchSet objects to include in a rule. If you add more than one predicate to a rule, a request must match all conditions in order to be allowed or blocked.

Required: No

Type: List of AWS WAF Rule Predicates

Update requires: No interruption

Return Value

Ref

When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.

For more information about using the Ref function, see Ref.

Example

Associate an IPSet with a Web ACL Rule

The following example associates the MyIPSetBlacklist IPSet object with a web ACL rule.

JSON

"MyIPSetRule" : {
  "Type": "AWS::WAF::Rule",
  "Properties": {
    "Name": "MyIPSetRule",
    "MetricName" : "MyIPSetRule",
    "Predicates": [
      {
        "DataId" : { "Ref" : "MyIPSetBlacklist" },
        "Negated" : false,
        "Type" : "IPMatch"
      }
    ]
  }
}

YAML

MyIPSetRule:
  Type: "AWS::WAF::Rule"
  Properties:
    Name: "MyIPSetRule"
    MetricName: "MyIPSetRule"
    Predicates:
      - DataId:
          Ref: "MyIPSetBlacklist"
        Negated: false
        Type: "IPMatch"
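
The following template is an added example, not part of the AWS documentation. It goes beyond the single-predicate example above: a rule with two predicates, one of them negated, associated with a web ACL so that the rule takes effect. The logical IDs, names, and the 192.0.2.0/24 range (reserved for documentation) are constructed placeholders.

```yaml
# Added example: constructed names and addresses, not from the AWS documentation.
AWSTemplateFormatVersion: "2010-09-09"
Resources:
  TrustedIPSet:
    Type: "AWS::WAF::IPSet"
    Properties:
      Name: "TrustedIPSet"
      IPSetDescriptors:
        - Type: "IPV4"
          Value: "192.0.2.0/24"   # documentation range, placeholder
  QueryStringSqli:
    Type: "AWS::WAF::SqlInjectionMatchSet"
    Properties:
      Name: "QueryStringSqli"
      SqlInjectionMatchTuples:
        - FieldToMatch:
            Type: "QUERY_STRING"
          TextTransformation: "URL_DECODE"
  UntrustedSqliRule:
    Type: "AWS::WAF::Rule"
    Properties:
      Name: "UntrustedSqliRule"
      MetricName: "UntrustedSqliRule"
      Predicates:
        # A request must satisfy every predicate for the rule to match.
        - DataId: !Ref QueryStringSqli
          Negated: false          # request matches the SQL injection set
          Type: "SqlInjectionMatch"
        - DataId: !Ref TrustedIPSet
          Negated: true           # request does NOT come from TrustedIPSet
          Type: "IPMatch"
  ExampleWebACL:
    Type: "AWS::WAF::WebACL"
    Properties:
      Name: "ExampleWebACL"
      MetricName: "ExampleWebACL"
      DefaultAction:
        Type: "ALLOW"
      Rules:
        # The rule has no effect until a web ACL references it with an action.
        - Action:
            Type: "BLOCK"
          Priority: 1
          RuleId: !Ref UntrustedSqliRule
```

Because a request must match all predicates, this rule blocks only requests that match the SQL injection condition and do not originate from TrustedIPSet. Conditions that should each trigger the action on their own belong in separate rules within the web ACL.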