Rule statements list - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Rule statements list

This section describes the statements that you can add to a rule and provides guidelines for calculating the web ACL capacity units (WCUs) that each statement consumes. WCU usage matters because the capacity of every rule in a web ACL is added together and checked against the web ACL's capacity limit (1,500 WCUs by default), so a rule built from expensive statements such as XSS and regex pattern set matches can exhaust the budget quickly.

This page groups the rule statements by category, provides a high-level description for each, and provides a link to a section with more information for the statement type.

Match statements

Match statements compare the web request or its origin against conditions that you provide. For most statements of this type, you choose a specific request component to inspect (for example the URI path, a header, the query string, or the body), and AWS WAF examines only that component for matching content.

| Match statement | Description | WCUs | Nestable? |
|---|---|---|---|
| Geographic match | Inspects the request's country of origin. | 1 | Yes |
| IP set match | Compares the request origin against a set of IP addresses and address ranges. | 1 | Yes |
| Regex pattern set | Compares regex patterns against a specified request component. | 25 per pattern set | Yes |
| Size constraint | Checks size constraints against a specified request component. | 1 | Yes |
| SQLi attack | Inspects for malicious SQL code in a specified request component. | 20 | Yes |
| String match | Compares a string to a specified request component. | Depends on the type of match | Yes |
| XSS scripting attack | Inspects for cross-site scripting attacks in a specified request component. | 40 | Yes |

Logical rule statements

Logical rule statements let you combine other statements or negate their results. Every logical rule statement takes at least one nested statement, and its WCU cost is the sum of the costs of the statements nested inside it.

| Logical statement | Description | WCUs | Nestable? |
|---|---|---|---|
| AND logic | Combines nested statements with AND logic. | Based on nested statements | Yes |
| NOT logic | Negates the result of a single nested statement. | Based on nested statement | Yes |
| OR logic | Combines nested statements with OR logic. | Based on nested statements | Yes |

Complex statements

AWS WAF supports the following complex statements. None of them can be nested inside another statement; each must be the top-level statement of its rule.

| Statement | Description | WCUs | Nestable? |
|---|---|---|---|
| Rate-based | Tracks the rate of requests from individual IP addresses. You can narrow the scope with a nested (scope-down) statement. | 2 plus any additional WCUs for a nested statement | No |
| Managed rule group | Runs the rules that are defined in the specified managed rule group. | Defined by the rule group. | No |
| Rule group | Runs the rules that are defined in a rule group that you manage. | You define this for the rule group when you create it. | No |
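The three tables above (match, logical, and complex statements) together give enough to estimate a rule's capacity before you submit it. The following is an added example, not code from the AWS documentation or the AWS SDK: it walks a rule's Statement in the JSON shape that the wafv2 API accepts, totals the WCU figures from the tables, rejects statements that the tables mark as not nestable, and compares the total with a default web ACL limit. The sample rules and the IP set ARN are constructed for the example. Only the numbers the page states are hard-coded; the string-match costs per PositionalConstraint are assumed placeholders (the page says only that the cost depends on the match type), and text transformations, which AWS charges extra WCUs for, are not counted.

```python
"""Estimate WCU usage of AWS WAF (wafv2) rules from the statement tables.

Added illustration, not AWS code. The authoritative figure always comes from
`aws wafv2 check-capacity --scope ... --rules file://rules.json`.
"""

# Default web ACL capacity limit; it is a quota that AWS can raise on request.
DEFAULT_WEB_ACL_WCU_LIMIT = 1500

# Fixed costs taken from the Match statements table.
FIXED_WCUS = {
    "GeoMatchStatement": 1,
    "IPSetReferenceStatement": 1,
    "RegexPatternSetReferenceStatement": 25,
    "SizeConstraintStatement": 1,
    "SqliMatchStatement": 20,
    "XssMatchStatement": 40,
}

# ASSUMED placeholders: the page only says string-match cost "depends on the
# type of match". Replace with the figures check-capacity reports for you.
ASSUMED_BYTE_MATCH_WCUS = {
    "EXACTLY": 2, "STARTS_WITH": 2, "ENDS_WITH": 2,
    "CONTAINS": 10, "CONTAINS_WORD": 10,
}

RATE_BASED_BASE_WCUS = 2

# Complex statements: the tables mark all three as not nestable.
NOT_NESTABLE = {
    "RateBasedStatement",
    "ManagedRuleGroupStatement",
    "RuleGroupReferenceStatement",
}


def is_nestable(kind):
    """True if a statement of this type may appear inside another statement."""
    return kind not in NOT_NESTABLE


def statement_wcus(stmt, nested=False):
    """Return the estimated WCUs of one Statement object, recursing into
    logical and rate-based statements. Raises ValueError on a statement that
    is illegally nested or whose cost the tables cannot tell us."""
    if len(stmt) != 1:
        raise ValueError("a Statement object must contain exactly one statement type")
    (kind, body), = stmt.items()
    if nested and not is_nestable(kind):
        raise ValueError(f"{kind} cannot be nested inside another statement")
    if kind in FIXED_WCUS:
        return FIXED_WCUS[kind]
    if kind == "ByteMatchStatement":
        return ASSUMED_BYTE_MATCH_WCUS[body["PositionalConstraint"]]
    if kind in ("AndStatement", "OrStatement"):
        # Logical statements cost the sum of their children.
        return sum(statement_wcus(s, nested=True) for s in body["Statements"])
    if kind == "NotStatement":
        # NOT wraps exactly one statement and costs what that statement costs.
        return statement_wcus(body["Statement"], nested=True)
    if kind == "RateBasedStatement":
        # Base cost plus the optional scope-down statement.
        total = RATE_BASED_BASE_WCUS
        if "ScopeDownStatement" in body:
            total += statement_wcus(body["ScopeDownStatement"], nested=True)
        return total
    if kind in ("ManagedRuleGroupStatement", "RuleGroupReferenceStatement"):
        raise ValueError(f"{kind}: capacity is defined by the rule group, ask check-capacity")
    raise ValueError(f"unknown statement type: {kind}")


def web_acl_wcus(rules, limit=DEFAULT_WEB_ACL_WCU_LIMIT):
    """Total the rules' WCUs and report whether they fit the web ACL limit."""
    total = sum(statement_wcus(rule["Statement"]) for rule in rules)
    return total, total <= limit


# Constructed sample rules in wafv2 JSON shape (VisibilityConfig omitted).
SAMPLE_RULES = [
    {   # Rate limit, scoped down to US traffic that also looks like XSS in the body.
        "Name": "rate-limit-xss-from-us", "Priority": 0, "Action": {"Block": {}},
        "Statement": {"RateBasedStatement": {
            "Limit": 2000, "AggregateKeyType": "IP",
            "ScopeDownStatement": {"AndStatement": {"Statements": [
                {"GeoMatchStatement": {"CountryCodes": ["US"]}},
                {"XssMatchStatement": {"FieldToMatch": {"Body": {}},
                                       "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
            ]}}}},
    },
    {   # Block known-bad IPs unless they are hitting the /health path.
        "Name": "block-badips-except-health", "Priority": 1, "Action": {"Block": {}},
        "Statement": {"AndStatement": {"Statements": [
            {"IPSetReferenceStatement": {  # constructed placeholder ARN
                "ARN": "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/example/placeholder"}},
            {"NotStatement": {"Statement": {"ByteMatchStatement": {
                "SearchString": "/health", "FieldToMatch": {"UriPath": {}},
                "PositionalConstraint": "STARTS_WITH",
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}}}},
        ]}},
    },
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        print(rule["Name"], statement_wcus(rule["Statement"]), "WCUs")
    print("total:", web_acl_wcus(SAMPLE_RULES))
```

Running it gives 43 WCUs for the first rule (2 for the rate-based statement, plus 1 + 40 for the scope-down AND) and 3 for the second (1 for the IP set plus the assumed 2 for the negated string match), for a total of 46, well under 1,500. Moving the rate-based statement inside the AND instead would be rejected, which mirrors the "Nestable? No" column of the complex statements table. Treat the numbers as a planning estimate only; `aws wafv2 check-capacity` is what actually validates capacity before `create-web-acl` or `update-web-acl`.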