Scope-down statements - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Scope-down statements

You can add a scope-down statement inside some rules. The scope-down statement narrows the scope of the requests that the rule evaluates. If a rule has a scope-down statement, traffic is first evaluated using the scope-down statement. If it matches that, then it's evaluated using the rule's standard criteria. Traffic that doesn't match the scope-down statement results as not matching the rule. AWS WAF performs no further evaluation.

You can define a scope-down statement inside the following statement types:

  • Managed rule group statement – If you add a scope-down statement to a managed rule group statement, any request that doesn't match the scope-down statement results as not matching the rule group. Only those requests that match the scope-down statement are evaluated against the rule group. For managed rule groups with pricing that's based on the number of requests evaluated, scope-down statements can help contain costs. For more information about managed rule group statements, see Managed rule group statement.

  • Rate-based rule statement – A rate-based rule without a scope-down statement controls the rate of all requests that come in to your applications. If you want to only control the rate for a specific category of requests, you add a scope-down statement to the rate-based rule. For example, to only track and control the rate of requests from a specific geographical area, you specify that geographical area in a geographic match rule as the scope-down statement. For more information about rate-based rule statements, see Rate-based rule statement.

You can use any nestable rule in a scope-down statement. The WCUs for the scope-down statement are calculated as the WCUs required for the rule statements that you use in it. For a list of available statements, see Rule statements list.
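As an added example (constructed here, not taken from the AWS documentation), the two rules below show both placements of a scope-down statement in AWS WAF rule JSON: a managed rule group that is evaluated only for requests whose URI path starts with /api/, and a rate-based rule that counts only requests from two countries. The rule names, metric names, path prefix, country codes, and the 2,000-request limit are assumed values chosen for illustration.

```json
[
  {
    "Name": "CommonRuleSet-ApiOnly",
    "Priority": 0,
    "OverrideAction": { "None": {} },
    "Statement": {
      "ManagedRuleGroupStatement": {
        "VendorName": "AWS",
        "Name": "AWSManagedRulesCommonRuleSet",
        "ScopeDownStatement": {
          "ByteMatchStatement": {
            "FieldToMatch": { "UriPath": {} },
            "PositionalConstraint": "STARTS_WITH",
            "SearchString": "/api/",
            "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ]
          }
        }
      }
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "CommonRuleSetApiOnly"
    }
  },
  {
    "Name": "RateLimit-FromRegion",
    "Priority": 1,
    "Action": { "Block": {} },
    "Statement": {
      "RateBasedStatement": {
        "Limit": 2000,
        "AggregateKeyType": "IP",
        "ScopeDownStatement": {
          "GeoMatchStatement": { "CountryCodes": [ "US", "CA" ] }
        }
      }
    },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "RateLimitFromRegion"
    }
  }
]
```

In the first rule, requests outside /api/ are never sent to the managed rule group, so they neither consume its per-request evaluation nor can they match it; in the second, requests from other countries are not counted toward the rate limit at all.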