Label match rule statement - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Label match rule statement

The label match statement inspects the labels that are on the web request against a string specification. The labels that are available to a rule for inspection are those that have already been added to the web request by other rules in the same web ACL evaluation.

Labels don't persist outside of the web ACL evaluation, but you can access label metrics in CloudWatch and you can see summaries of label information for any web ACL in the AWS WAF console. For more information, see Label metrics and dimensions and Monitoring and tuning. You can also see labels in the logs. For information, see Log fields.


A label match statement can only see labels from rules that are evaluated earlier in the web ACL. For information about how AWS WAF evaluates the rules and rule groups in a web ACL, see Processing order of rules and rule groups in a web ACL.

For more information about adding and matching labels, see AWS WAF labels on web requests.

Nestable – You can nest this statement type.

WCUs – 1 WCU

This statement uses the following settings:

  • Match scope – Set this to Label to match against the label name and, optionally, the preceding namespaces and prefix. Set this to Namespace to match against some or all of the namespace specifications and, optionally, the preceding prefix.

  • Key – The string that you want to match against. If you specify a namespace match scope, this should only specify namespaces and optionally the prefix, with an ending colon. If you specify a label match scope, this must include the label name and can optionally include preceding namespaces and prefix.

For more information about these settings, see Matching against a label and Label match examples.

Where to find this rule statement
  • Rule builder on the console – For Request option, choose Has label.

  • APILabelMatchStatement