AWS CloudFormation
User Guide (Version )


A RateBasedRule is identical to a regular Rule, with one addition: a RateBasedRule counts the number of requests that arrive from a specified IP address every five minutes. For example, based on recent requests that you've seen from an attacker, you might create a RateBasedRule that includes the following conditions:

  • The requests come from

  • They contain the value BadBot in the User-Agent header.

In the rule, you also define the rate limit as 15,000.

Requests that meet both of these conditions and exceed 15,000 requests every five minutes trigger the rule's action (block or count), which is defined in the web ACL.

Note that you can only create rate-based rules using a CloudFormation template. To add the rate-based rules created through CloudFormation to a web ACL, use the AWS WAF console, API, or command line interface (CLI). For more information, see UpdateWebACL.


To declare this entity in your AWS CloudFormation template, use the following syntax:


JSON

    {
      "Type" : "AWS::WAFRegional::RateBasedRule",
      "Properties" : {
        "MatchPredicates" : [ Predicate, ... ],
        "MetricName" : String,
        "Name" : String,
        "RateKey" : String,
        "RateLimit" : Integer
      }
    }


YAML

    Type: AWS::WAFRegional::RateBasedRule
    Properties:
      MatchPredicates:
        - Predicate
      MetricName: String
      Name: String
      RateKey: String
      RateLimit: Integer



Properties

MatchPredicates

The Predicates object contains one Predicate element for each ByteMatchSet, IPSet, or SqlInjectionMatchSet object that you want to include in a RateBasedRule.

Required: No

Type: List of Predicate

Update requires: No interruption


MetricName

A friendly name or description for the metrics for a RateBasedRule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with maximum length 128 and minimum length one. It can't contain whitespace or metric names reserved for AWS WAF, including "All" and "Default_Action". You can't change the name of the metric after you create the RateBasedRule.

Required: Yes

Type: String

Update requires: Replacement


Name

A friendly name or description for a RateBasedRule. You can't change the name of a RateBasedRule after you create it.

Required: Yes

Type: String

Minimum: 1

Maximum: 128

Update requires: Replacement


RateKey

The field that AWS WAF uses to determine whether requests are likely arriving from a single source and are thus subject to rate monitoring. The only valid value for RateKey is IP. IP indicates that requests arriving from the same IP address are subject to the RateLimit that is specified in the RateBasedRule.

Required: Yes

Type: String

Allowed Values: IP

Update requires: Replacement


RateLimit

The maximum number of requests, which have an identical value in the field specified by the RateKey, allowed in a five-minute period. If the number of requests exceeds the RateLimit and the other predicates specified in the rule are also met, AWS WAF triggers the action that is specified for this rule.

Required: Yes

Type: Integer

Update requires: No interruption

Return Values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.

For more information about using the Ref function, see Ref.


Associate an IPSet with a Rate-Based Rule

The following example associates the MyIPSetBlacklist IPSet object with a rate-based rule.


JSON

    "MyIPSetRateBasedRule" : {
      "Type": "AWS::WAFRegional::RateBasedRule",
      "Properties": {
        "Name": "MyIPSetRateBasedRule",
        "MetricName" : "MyIPSetRateBasedRule",
        "RateKey" : "IP",
        "RateLimit" : 8000,
        "MatchPredicates": [
          {
            "DataId" : { "Ref" : "MyIPSetBlacklist" },
            "Negated" : false,
            "Type" : "IPMatch"
          }
        ]
      }
    }


YAML

    MyIPSetRateBasedRule:
      Type: "AWS::WAFRegional::RateBasedRule"
      Properties:
        Name: "MyIPSetRateBasedRule"
        MetricName: "MyIPSetRateBasedRule"
        RateKey: "IP"
        RateLimit: 8000
        MatchPredicates:
          - DataId:
              Ref: "MyIPSetBlacklist"
            Negated: false
            Type: "IPMatch"
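
The scenario from the introduction (requests from one source address that carry BadBot in the User-Agent header, limited to 15,000 per five minutes) written out as a full template. This is an added example, not part of the original guide; the resource names and the 192.0.2.44/32 address are constructed placeholders.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - rate-limit BadBot requests from one source address

Resources:
  # Constructed placeholder address (TEST-NET-1); the guide's scenario elides the real one.
  AttackerIPSet:
    Type: "AWS::WAFRegional::IPSet"
    Properties:
      Name: "AttackerIPSet"
      IPSetDescriptors:
        - Type: "IPV4"
          Value: "192.0.2.44/32"

  # Matches requests whose User-Agent header contains the string BadBot.
  BadBotUserAgent:
    Type: "AWS::WAFRegional::ByteMatchSet"
    Properties:
      Name: "BadBotUserAgent"
      ByteMatchTuples:
        - FieldToMatch:
            Type: "HEADER"
            Data: "User-Agent"
          TargetString: "BadBot"
          TextTransformation: "NONE"
          PositionalConstraint: "CONTAINS"

  BadBotRateBasedRule:
    Type: "AWS::WAFRegional::RateBasedRule"
    Properties:
      Name: "BadBotRateBasedRule"
      MetricName: "BadBotRateBasedRule"   # alphanumeric only, 1-128 characters
      RateKey: "IP"                       # the only valid value
      RateLimit: 15000                    # requests per five-minute period
      MatchPredicates:                    # a request is counted only if both predicates match
        - DataId: !Ref AttackerIPSet
          Negated: false
          Type: "IPMatch"
        - DataId: !Ref BadBotUserAgent
          Negated: false
          Type: "ByteMatch"

Outputs:
  RuleId:
    Description: Physical ID of the rule, for adding it to a web ACL
    Value: !Ref BadBotRateBasedRule
```

The rule has no effect until it is added to a web ACL with a block or count action, which is done through the AWS WAF console, API, or CLI as noted above.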