Creating a web ACL - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Creating a web ACL

To create a new web ACL, use the web ACL creation wizard following the procedure on this page.

Production traffic risk

Before you deploy changes in your web ACL for production traffic, test and tune them in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your updated rules in count mode with your production traffic before enabling them. For guidance, see Testing and tuning your AWS WAF protections.

Note

Using more than 1,500 WCUs in a web ACL incurs costs beyond the basic web ACL price. For more information, see AWS WAF web ACL capacity units (WCUs) and AWS WAF Pricing.

To create a web ACL
  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.

  2. Choose Web ACLs in the navigation pane, and then choose Create web ACL.

  3. For Name, enter the name that you want to use to identify this web ACL.

    Note

    You can't change the name after you create the web ACL.

  4. (Optional) For Description - optional, enter a longer description for the web ACL if you want to.

  5. For CloudWatch metric name, change the default name if applicable. Follow the guidance on the console for valid characters. The name can't contain special characters, white space, or metric names reserved for AWS WAF, including "All" and "Default_Action."

    Note

    You can't change the CloudWatch metric name after you create the web ACL.

  6. Under Resource type, choose the category of AWS resource that you want to associate with this web ACL, either Amazon CloudFront distributions or Regional resources. For more information, see Associating or disassociating a web ACL with an AWS resource.

  7. For Region, if you've chosen a Regional resource type, choose the Region where you want AWS WAF to store the web ACL.

    You only need to choose this option for Regional resource types. For CloudFront distributions, the Region is hard-coded to the US East (N. Virginia) Region, us-east-1, for Global (CloudFront) applications.

  8. (CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access) For Web request inspection size limit - optional, if you want to specify a different body inspection size limit, select the limit. Inspecting body sizes over the default of 16 KB can incur additional costs. For information about this option, see Managing body inspection size limits.

  9. (Optional) For Associated AWS resources - optional, if you want to specify your resources now, choose Add AWS resources. In the dialog box, choose the resources that you want to associate, and then choose Add. AWS WAF returns you to the Describe web ACL and associated AWS resources page.

  10. Choose Next.

  11. (Optional) If you want to add managed rule groups, on the Add rules and rule groups page, choose Add rules, and then choose Add managed rule groups. Do the following for each managed rule group that you want to add:

    1. On the Add managed rule groups page, expand the listing for AWS managed rule groups or for the AWS Marketplace seller of your choice.

    2. For the rule group that you want to add, in the Action column, turn on the Add to web ACL toggle.

      To customize how your web ACL uses the rule group, choose Edit. The following are common customization settings:

      • Override the rule actions for some or all rules. If you don't define an override action for a rule, the evaluation uses the rule action that's defined inside the rule group. For information about this option, see Action overrides in rule groups.

      • Reduce the scope of the web requests that the rule group inspects by adding a scope-down statement. For information about this option, see Scope-down statements.

      • Some managed rule groups require you to provide additional configuration. See the documentation from your managed rule group provider. For information specific to the AWS Managed Rules rule groups, see AWS Managed Rules for AWS WAF.

      When you're finished with your settings, choose Save rule.

    Choose Add rules to finish adding managed rules and return to the Add rules and rule groups page.

  12. (Optional) If you want to add your own rule group, on the Add rules and rule groups page, choose Add rules, and then choose Add my own rules and rule groups. Do the following for each rule group that you want to add:

    1. On the Add my own rules and rule groups page, choose Rule group.

    2. For Name, enter the name that you want to use for the rule group rule in this web ACL. Don't use names that start with AWS, Shield, PreFM, or PostFM. These strings are either reserved or could cause confusion with rule groups that are managed for you by other services. See Rule groups provided by other services.

    3. Choose your rule group from the list.

      Note

      If you want to override the rule actions for a rule group of your own, first save it to the web ACL, and then edit the web ACL and the rule group reference statement in the web ACL's rule listing. You can override the rule actions to any valid action setting, the same as you can do for managed rule groups.

    4. Choose Add rule.

  13. (Optional) If you want to add your own rule, on the Add rules and rule groups page, choose Add rules, Add my own rules and rule groups, Rule builder, then Rule visual editor.

    Note

    The console Rule visual editor supports one level of nesting. For example, you can use a single logical AND or OR statement and nest one level of other statements inside it, but you can't nest logical statements within logical statements. To manage more complex rule statements, use the Rule JSON editor. For information about all options for rules, see AWS WAF rules.

    This procedure covers the Rule visual editor.

    1. For Name, enter the name that you want to use to identify this rule. Don't use names that start with AWS, Shield, PreFM, or PostFM. These strings are either reserved or could cause confusion with rule groups that are managed for you by other services.

    2. Enter your rule definition, according to your needs. You can combine rules inside logical AND and OR rule statements. The wizard guides you through the options for each rule, according to context. For information about your rules options, see AWS WAF rules.

    3. For Action, select the action you want the rule to take when it matches a web request. For information on your choices, see Rule action and Web ACL rule and rule group evaluation.

      If you are using the CAPTCHA or Challenge action, adjust the Immunity time configuration as needed for the rule. If you don't specify the setting, the rule inherits it from the web ACL. To modify the web ACL immunity time settings, edit the web ACL after you create it. For more information about immunity times, see Timestamp expiration: token immunity times.

      Note

      You are charged additional fees when you use the CAPTCHA or Challenge rule action in one of your rules or as a rule action override in a rule group. For more information, see AWS WAF Pricing.

      If you want to customize the request or response, choose the options for that and fill in the details of your customization. For more information, see Customized web requests and responses in AWS WAF.

      If you want to have your rule add labels to matching web requests, choose the options for that and fill in your label details. For more information, see AWS WAF labels on web requests.

    4. Choose Add rule.

  14. Choose the default action for the web ACL, either Block or Allow. This is the action that AWS WAF takes on a request when the rules in the web ACL don't explicitly allow or block it. For more information, see The web ACL default action.

    If you want to customize the default action, choose the options for that and fill in the details of your customization. For more information, see Customized web requests and responses in AWS WAF.

  15. You can define a Token domain list to enable token sharing between protected applications. Tokens are used by the CAPTCHA and Challenge actions and by the application integration SDKs that you implement when you use the AWS Managed Rules rule groups for AWS WAF Fraud Control account creation fraud prevention (ACFP), AWS WAF Fraud Control account takeover prevention (ATP), and AWS WAF Bot Control.

    Public suffixes aren't allowed. For example, you can't use gov.au or co.uk as a token domain.

    By default, AWS WAF accepts tokens only for the domain of the protected resource. If you add token domains in this list, AWS WAF accepts tokens for all domains in the list and for the domain of the associated resource. For more information, see Configuring the web ACL token domain list.

  16. Choose Next.

  17. In the Set rule priority page, select and move your rules and rule groups to the order that you want AWS WAF to process them. AWS WAF processes rules starting from the top of the list. When you save the web ACL AWS WAF assigns numeric priority settings to the rules, in the order that you have them listed. For more information, see Processing order of rules and rule groups in a web ACL.

  18. Choose Next.

  19. In the Configure metrics page, review the options and apply any updates that you need. You can combine metrics from multiple sources by providing the same CloudWatch metric name for them.

  20. Choose Next.

  21. In the Review and create web ACL page, check over your definitions. If you want to change any area, choose Edit for the area. This returns you to the page in the web ACL wizard. Make any changes, then choose Next through the pages until you come back to the Review and create web ACL page.

  22. Choose Create web ACL. Your new web ACL is listed in the Web ACLs page.