AWS CloudFormation
User Guide (Version )


A combination of ByteMatchSet, IPSet, and/or SqlInjectionMatchSet objects that identify the web requests that you want to allow, block, or count. For example, you might create a Rule that includes the following predicates:

  • An IPSet that causes AWS WAF to search for web requests that originate from the IP address

  • A ByteMatchSet that causes AWS WAF to search for web requests for which the value of the User-Agent header is BadBot.

To match the settings in this Rule, a request must originate from AND include a User-Agent header for which the value is BadBot.


To declare this entity in your AWS CloudFormation template, use the following syntax:


{ "Type" : "AWS::WAFRegional::Rule", "Properties" : { "MetricName" : String, "Name" : String, "Predicates" : [ Predicate, ... ] } }


Type: AWS::WAFRegional::Rule Properties: MetricName: String Name: String Predicates: - Predicate



A friendly name or description for the metrics for this Rule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with maximum length 128 and minimum length one. It can't contain whitespace or metric names reserved for AWS WAF, including "All" and "Default_Action." You can't change MetricName after you create the Rule.

Required: Yes

Type: String

Update requires: Replacement


The friendly name or description for the Rule. You can't change the name of a Rule after you create it.

Required: Yes

Type: String

Minimum: 1

Maximum: 128

Update requires: Replacement


The Predicates object contains one Predicate element for each ByteMatchSet, IPSet, or SqlInjectionMatchSet object that you want to include in a Rule.

Required: No

Type: List of Predicate

Update requires: No interruption

Return Values


When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.

For more information about using the Ref function, see Ref.


Associate an IPSet with a Web ACL Rule

The following example associates the MyIPSetBlacklist IPSet object with a web ACL rule.


"MyIPSetRule" : { "Type": "AWS::WAFRegional::Rule", "Properties": { "Name": "MyIPSetRule", "MetricName" : "MyIPSetRule", "Predicates": [ { "DataId" : { "Ref" : "MyIPSetBlacklist" }, "Negated" : false, "Type" : "IPMatch" } ] } }


MyIPSetRule: Type: "AWS::WAFRegional::Rule" Properties: Name: "MyIPSetRule" MetricName: "MyIPSetRule" Predicates: - DataId: Ref: "MyIPSetBlacklist" Negated: false Type: "IPMatch"