Rule statements list

This section describes the statements that you can add to a rule and provides some guidelines for calculating web ACL capacity units (WCU) usage for each.

This page groups the rule statements by category, provides a high-level description for each, and provides a link to a section with more information for the statement type.

Match statements

Match statements compare the web request or its origin against conditions that you provide. For many statements of this type, AWS WAF compares a specific component of the request for matching content.

Match Statement	Description	WCUs	Nestable?
Geographic match	Inspects the request's country of origin.	1	Yes
IP set match	Compares the request origin against a set of IP addresses and address ranges.	1	Yes
Regex pattern set	Compares regex patterns against a specified request component.	25 per pattern set	Yes
Size constraint	Checks size constraints against a specified request component.	1	Yes
SQLi attack	Inspects for malicious SQL code in a specified request component.	20	Yes
String match	Compares a string to a specified request component.	Depends on the type of match	Yes
XSS scripting attack	Inspects for cross-site scripting attacks in a specified request component.	40	Yes

Logical rules statements

Logical rules statements allow you to combine other statements or negate their results. Every logical rule statement takes at least one nested statement.

Logical Statement	Description	WCUs	Nestable?
AND logic	Combines nested statements with AND logic.	Based on nested statements	Yes
NOT logic	Negates the results of a nested statement.	Based on nested statement	Yes
OR logic	Combines nested statements with OR logic.	Based on nested statements	Yes

Complex statements

AWS WAF supports the following complex statements.

Statement	Description	WCUs	Nestable?
Rate-based	Tracks the rate of requests from individual IP addresses. You can narrow the scope with a nested statement.	2 plus any additional WCUs for a nested statement	No
Managed rule group	Runs the rules that are defined in the specified managed rule group.	Defined by rule group.	No
Rule group	Runs the rules that are defined in a rule group that you manage.	You define this for the rule group when you create it.	No

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Rule statements

AND logic