How labeling works - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

How labeling works

When a rule matches a web request, if the rule has labels defined, AWS WAF adds the labels to the request. Rules that are evaluated after the matching rule in the same web ACL have access to the labels that the rule has added, and can match against them.

  • Any rule that's included in a single web ACL can access labels that have been added by any rule that has already run in the same web ACL. This includes rules that are defined directly inside the web ACL and those inside rule groups that are used in the web ACL. Labels don't persist with the web request after the web ACL evaluation ends.

  • In order for other rules to match against a label that your rule adds, your rule action must not terminate the evaluation of the web request by the web ACL. The rule action must be set to Count, CAPTCHA, or Challenge. When the web ACL evaluation doesn't terminate, subsequent rules in the web ACL can run their label matching criteria against the request. For more information about rule actions, see Rule action.

  • Labels emit Amazon CloudWatch metrics for the first 100 labels on any single request. For information, see Monitoring with Amazon CloudWatch.

  • AWS WAF records labels in the logs for the first 100 labels on a request. You can use labels, along with the rule action, to filter the logs that AWS WAF records. For information, see Logging AWS WAF web ACL traffic.

  • Your web ACL evaluation can apply more than 100 labels to a web request and match against more than 100 labels, but AWS WAF only records the first 100 in logs and metrics.
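The following is an added example, not code from the AWS WAF documentation or service: a small Python model of the evaluation order described above. It uses the real rule JSON shape (a `Count` rule with `RuleLabels`, a later rule with `LabelMatchStatement` in `LABEL` and `NAMESPACE` scope) but a toy matcher that only understands `ByteMatchStatement`, `AndStatement` and `LabelMatchStatement`; the `example:` label namespace, the rule names and the request dicts are constructed, and `VisibilityConfig` is omitted because the model does not emit metrics. It shows that a label is visible only to rules that run after the rule that added it, that a terminating action stops later rules (so their labels are never applied), and that only the first 100 labels are kept for logs and metrics.

```python
"""Simplified model of AWS WAF label propagation (added example, not AWS code)."""

TERMINATING_ACTIONS = {"Allow", "Block"}                      # end the web ACL evaluation
NON_TERMINATING_ACTIONS = {"Count", "CAPTCHA", "Challenge"}   # later rules still run
RECORDED_LABEL_LIMIT = 100                                     # logs/metrics keep the first 100

# Constructed sample rules; the "example:" namespace is an assumption, not an AWS label.
WEB_ACL_RULES = [
    {   # non-terminating rule that only tags the request
        "Name": "flag-admin-path", "Priority": 0,
        "Statement": {"ByteMatchStatement": {
            "FieldToMatch": {"UriPath": {}}, "PositionalConstraint": "STARTS_WITH",
            "SearchString": "/admin",
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}},
        "Action": {"Count": {}},
        "RuleLabels": [{"Name": "example:path:admin"}],
    },
    {   # second tagging rule, also Count so evaluation continues
        "Name": "flag-scripted-client", "Priority": 1,
        "Statement": {"ByteMatchStatement": {
            "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
            "PositionalConstraint": "CONTAINS", "SearchString": "curl",
            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]}},
        "Action": {"Count": {}},
        "RuleLabels": [{"Name": "example:client:scripted"}],
    },
    {   # terminating rule that matches only on labels added by earlier rules
        "Name": "block-scripted-admin", "Priority": 2,
        "Statement": {"AndStatement": {"Statements": [
            {"LabelMatchStatement": {"Scope": "LABEL", "Key": "example:path:admin"}},
            {"LabelMatchStatement": {"Scope": "NAMESPACE", "Key": "example:client:"}}]}},
        "Action": {"Block": {}},
    },
    {   # runs last; never reached when the Block rule above terminates evaluation
        "Name": "flag-everything", "Priority": 3,
        "Statement": {"ByteMatchStatement": {
            "FieldToMatch": {"UriPath": {}}, "PositionalConstraint": "STARTS_WITH",
            "SearchString": "/", "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
        "Action": {"Count": {}},
        "RuleLabels": [{"Name": "example:seen"}],
    },
]


def field_value(field_to_match: dict, request: dict) -> str:
    """Toy FieldToMatch resolver; the request is a plain dict, not a real HTTP object."""
    if "UriPath" in field_to_match:
        return request["uri_path"]
    if "SingleHeader" in field_to_match:
        return request["headers"].get(field_to_match["SingleHeader"]["Name"].lower(), "")
    raise ValueError("FieldToMatch type not supported by this model")


def statement_matches(stmt: dict, request: dict, labels: list) -> bool:
    """Evaluate one rule statement against the request and the labels applied so far."""
    if "ByteMatchStatement" in stmt:
        bm = stmt["ByteMatchStatement"]
        value = field_value(bm["FieldToMatch"], request)
        if any(t["Type"] == "LOWERCASE" for t in bm["TextTransformations"]):
            value = value.lower()
        needle = bm["SearchString"]
        return {"STARTS_WITH": value.startswith(needle),
                "CONTAINS": needle in value,
                "EXACTLY": value == needle}[bm["PositionalConstraint"]]
    if "LabelMatchStatement" in stmt:
        lm = stmt["LabelMatchStatement"]
        if lm["Scope"] == "LABEL":
            return lm["Key"] in labels                         # exact label name
        return any(lbl.startswith(lm["Key"]) for lbl in labels)  # NAMESPACE: prefix
    if "AndStatement" in stmt:
        return all(statement_matches(s, request, labels)
                   for s in stmt["AndStatement"]["Statements"])
    raise ValueError("statement type not supported by this model")


def evaluate(rules: list, request: dict, default_action: str = "Allow") -> dict:
    """Run rules in priority order; a label is visible only to rules evaluated later."""
    labels: list = []
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        if not statement_matches(rule["Statement"], request, labels):
            continue
        labels.extend(lbl["Name"] for lbl in rule.get("RuleLabels", []))
        action = next(iter(rule["Action"]))
        if action in TERMINATING_ACTIONS:
            return _result(action, rule["Name"], labels)
    return _result(default_action, None, labels)


def _result(action: str, terminated_by, labels: list) -> dict:
    return {"action": action, "terminated_by": terminated_by,
            "labels_applied": len(labels),                    # may exceed 100
            "recorded_labels": labels[:RECORDED_LABEL_LIMIT]}  # what logs/metrics see


def with_priority(rules: list, name: str, priority: int) -> list:
    """Copy of the rule list with one rule moved to a different priority."""
    return [dict(r, Priority=priority) if r["Name"] == name else r for r in rules]


if __name__ == "__main__":
    # Constructed requests: a scripted client hitting /admin, and a browser doing the same.
    print(evaluate(WEB_ACL_RULES, {"uri_path": "/Admin/login", "headers": {"user-agent": "curl/8.6.0"}}))
    print(evaluate(WEB_ACL_RULES, {"uri_path": "/admin", "headers": {"user-agent": "Mozilla/5.0"}}))
    # Moving the tagging rule after the label matcher breaks the match: order matters.
    print(evaluate(with_priority(WEB_ACL_RULES, "flag-admin-path", 5),
                   {"uri_path": "/admin", "headers": {"user-agent": "curl/8.6.0"}}))
```

The third call is the failure mode worth remembering when you author web ACLs: the label-adding rule must have a lower priority number (run earlier) than every rule that matches on its label, and its action must be one of the non-terminating ones, otherwise the `LabelMatchStatement` silently never matches.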