AWS CloudFormation
User Guide (API Version 2010-05-15)


The AWS::WAFRegional::Rule resource creates an AWS WAF Regional rule that specifies a combination of IPSet, ByteMatchSet, and SqlInjectionMatchSet objects that identify the web requests to allow, block, or count. To implement rules, you must associate them with a web ACL.

For more information, see CreateRule in the AWS WAF Regional API Reference.


To declare this entity in your AWS CloudFormation template, use the following syntax:


JSON

{
  "Type" : "AWS::WAFRegional::Rule",
  "Properties" : {
    "MetricName" : String,
    "Name" : String,
    "Predicates" : [ Predicate, ... ]
  }
}


YAML

Type: "AWS::WAFRegional::Rule"
Properties:
  MetricName: String
  Name: String
  Predicates:
    - Predicate



MetricName

A friendly name or description for the metrics of the rule. For valid values, see the MetricName parameter for the CreateRule action in the AWS WAF Regional API Reference.

Required: Yes

Type: String

Update requires: Replacement


Name

A friendly name or description of the rule.

Required: Yes

Type: String

Update requires: Replacement


Predicates

The ByteMatchSet, IPSet, SizeConstraintSet, SqlInjectionMatchSet, or XssMatchSet objects to include in a rule. If you add more than one predicate to a rule, a request must match all conditions in order to be allowed or blocked.

Required: No

Type: List of AWS WAF Regional Rule Predicates

Update requires: No interruption

Return Value


When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.

For more information about using the Ref function, see Ref.


Associate an IPSet with a Web ACL Rule

The following example associates the MyIPSetBlacklist IPSet object with a web ACL rule.


JSON

"MyIPSetRule" : {
  "Type": "AWS::WAFRegional::Rule",
  "Properties": {
    "Name": "MyIPSetRule",
    "MetricName" : "MyIPSetRule",
    "Predicates": [
      {
        "DataId" : { "Ref" : "MyIPSetBlacklist" },
        "Negated" : false,
        "Type" : "IPMatch"
      }
    ]
  }
}


YAML

MyIPSetRule:
  Type: "AWS::WAFRegional::Rule"
  Properties:
    Name: "MyIPSetRule"
    MetricName: "MyIPSetRule"
    Predicates:
      - DataId:
          Ref: "MyIPSetBlacklist"
        Negated: false
        Type: "IPMatch"
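
The following template is an added example, not part of the AWS guide. It shows the two points made above: a rule with more than one predicate matches only when every predicate holds, and a rule takes effect only once a web ACL references it. The resource names (TrustedIPSet, SqliMatchSet, UntrustedSqliRule, ExampleWebACL) and the CIDR range are constructed for illustration.

```yaml
Resources:
  # Constructed sample: addresses that should be exempt from the rule.
  TrustedIPSet:
    Type: "AWS::WAFRegional::IPSet"
    Properties:
      Name: "TrustedIPSet"
      IPSetDescriptors:
        - Type: "IPV4"
          Value: "192.0.2.0/24"   # placeholder documentation range
  # Inspect the URL-decoded query string for SQL injection patterns.
  SqliMatchSet:
    Type: "AWS::WAFRegional::SqlInjectionMatchSet"
    Properties:
      Name: "SqliMatchSet"
      SqlInjectionMatchTuples:
        - FieldToMatch:
            Type: "QUERY_STRING"
          TextTransformation: "URL_DECODE"
  # The rule matches only when BOTH predicates hold:
  #   source IP is NOT in TrustedIPSet (Negated: true)
  #   AND the query string matches SqliMatchSet.
  UntrustedSqliRule:
    Type: "AWS::WAFRegional::Rule"
    Properties:
      Name: "UntrustedSqliRule"
      MetricName: "UntrustedSqliRule"
      Predicates:
        - DataId:
            Ref: "TrustedIPSet"
          Negated: true
          Type: "IPMatch"
        - DataId:
            Ref: "SqliMatchSet"
          Negated: false
          Type: "SqlInjectionMatch"
  # The rule has no effect until a web ACL lists it with an action.
  ExampleWebACL:
    Type: "AWS::WAFRegional::WebACL"
    Properties:
      Name: "ExampleWebACL"
      MetricName: "ExampleWebACL"
      DefaultAction:
        Type: "ALLOW"
      Rules:
        - Action:
            Type: "BLOCK"
          Priority: 1
          RuleId:
            Ref: "UntrustedSqliRule"
```

Setting the rule's Action to COUNT instead of BLOCK lets you observe matches under the rule's MetricName before enforcing the block.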