Scope-down statements - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Scope-down statements

A scope-down statement is a nestable rule statement that you add inside a managed rule group statement or a rate-based statement to narrow the set of requests that the containing rule evaluates. The containing rule only evaluates requests that first match the scope-down statement.

  • Managed rule group statement – If you add a scope-down statement to a managed rule group statement, any request that doesn't match the scope-down statement is treated as not matching the rule group. Only those requests that match the scope-down statement are evaluated against the rule group. For managed rule groups with pricing that's based on the number of requests evaluated, scope-down statements can help contain costs. For more information about managed rule group statements, see Managed rule group statement.

  • Rate-based rule statement – A rate-based rule without a scope-down statement controls the rate of all requests that it evaluates. If you want to only control the rate for a specific category of requests, you add a scope-down statement to the rate-based rule. For example, to only track and control the rate of requests from a specific geographical area, you specify that geographical area in a geographic match rule that you add to the rate-based rule as the scope-down statement. For more information about rate-based rule statements, see Rate-based rule statement.

You can use any nestable rule in a scope-down statement. The WCUs for the scope-down statement are calculated as the WCUs required for the rule statements that you use in it. For a list of available statements, see Rule statements list.
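The following is an added example, not part of the AWS documentation or of any AWS-provided code. It shows both uses described above in the rule shapes that the WAFV2 API (CreateWebACL / UpdateWebACL) accepts: a managed rule group statement and a rate-based statement, each carrying the same geographic match statement as its ScopeDownStatement. It also includes a small local model of the semantics on this page (requests that don't match the scope-down statement are never evaluated by the rule group and are never counted toward the rate limit). The model is an assumption for illustration only: it ignores the rate-based rule's time window and only understands the geographic match statement. The country codes, IP addresses, rule names and request counts are constructed sample values.

```python
"""Scope-down statements in AWS WAF rules: API-shaped rule definitions plus a
local model of what the scope-down statement filters out. Added example; the
evaluator below is a simplification, not AWS WAF's own logic."""
from collections import Counter

# Geographic match statement used as the scope-down statement in both rules.
# Country codes are constructed sample values. A geographic match statement
# costs 1 WCU, so the scope-down adds 1 WCU to each containing rule.
SCOPE_DOWN_GEO = {"GeoMatchStatement": {"CountryCodes": ["US", "CA"]}}

# Rule 1: managed rule group with a scope-down statement. Only requests that
# match the scope-down statement are evaluated against (and billed for) the
# rule group; every other request is treated as not matching the rule group.
MANAGED_RULE = {
    "Name": "CommonRuleSet-scoped",          # constructed rule name
    "Priority": 0,
    "Statement": {
        "ManagedRuleGroupStatement": {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesCommonRuleSet",
            "ScopeDownStatement": SCOPE_DOWN_GEO,
        }
    },
    "OverrideAction": {"None": {}},          # required for rule group rules
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "CommonRuleSetScoped",
    },
}

# Rule 2: rate-based rule with the same scope-down statement. Only requests
# that match the scope-down statement are counted against the limit.
RATE_RULE = {
    "Name": "RateLimit-scoped",              # constructed rule name
    "Priority": 1,
    "Statement": {
        "RateBasedStatement": {
            "Limit": 100,                    # constructed sample limit
            "AggregateKeyType": "IP",
            "ScopeDownStatement": SCOPE_DOWN_GEO,
        }
    },
    "Action": {"Block": {}},
    "VisibilityConfig": {
        "SampledRequestsEnabled": True,
        "CloudWatchMetricsEnabled": True,
        "MetricName": "RateLimitScoped",
    },
}

# Constructed sample traffic: 150 requests from a US IP, 150 from a DE IP,
# and 3 from a CA IP. Only US and CA traffic matches the scope-down statement.
SAMPLE_REQUESTS = (
    [{"ip": "198.51.100.7", "country": "US"}] * 150
    + [{"ip": "203.0.113.10", "country": "DE"}] * 150
    + [{"ip": "192.0.2.44", "country": "CA"}] * 3
)


def matches_scope_down(statement, request):
    """Local model of a scope-down statement; supports GeoMatchStatement only."""
    if "GeoMatchStatement" in statement:
        codes = statement["GeoMatchStatement"]["CountryCodes"]
        return request["country"] in codes
    raise ValueError("statement type not supported by this model")


def managed_rule_candidates(rule, requests):
    """Requests the managed rule group would actually inspect (and bill for)."""
    stmt = rule["Statement"]["ManagedRuleGroupStatement"]
    sd = stmt.get("ScopeDownStatement")
    return [r for r in requests if sd is None or matches_scope_down(sd, r)]


def rate_rule_blocked_ips(rule, requests):
    """IPs whose counted requests exceed the limit. Requests that don't match
    the scope-down statement are never counted, so the DE traffic above is
    invisible to this rule even though it is the same volume as the US traffic."""
    stmt = rule["Statement"]["RateBasedStatement"]
    sd = stmt.get("ScopeDownStatement")
    counts = Counter(
        r["ip"] for r in requests if sd is None or matches_scope_down(sd, r)
    )
    return {ip for ip, n in counts.items() if n > stmt["Limit"]}


if __name__ == "__main__":
    inspected = managed_rule_candidates(MANAGED_RULE, SAMPLE_REQUESTS)
    print(f"managed rule group evaluates {len(inspected)} of {len(SAMPLE_REQUESTS)} requests")
    print("rate-limited IPs:", rate_rule_blocked_ips(RATE_RULE, SAMPLE_REQUESTS))
```

Removing the ScopeDownStatement key from either rule (or setting `sd` to None in the model) turns the managed rule into one that inspects all 303 sample requests and makes the rate-based rule block the DE address as well, which is the difference the page describes between a rule with and without a scope-down statement.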