Basic handling of the rule and rule group actions in a web ACL - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Basic handling of the rule and rule group actions in a web ACL

When you configure your rules and rule groups, you choose how you want AWS WAF to handle matching web requests:

  • Allow and Block are terminating actions – Allow and block actions stop all other processing of the web ACL on the matching web request. If a rule in a web ACL finds a match for a request and the rule action is allow or block, that match determines the final disposition of the web request for the web ACL. AWS WAF doesn't process any other rules in the web ACL that come after the matching one. This is true for rules that you add directly to the web ACL and rules that are inside an added rule group. With the block action, the protected resource doesn't receive or process the web request.

  • Count is a non-terminating action – When a rule with a count action matches a request, AWS WAF counts the request, then continues processing the rules that follow in the web ACL rule set. If the only rules that match have count action set, AWS WAF applies the web ACL default action setting.

  • CAPTCHA can be a non-terminating or a terminating action – When a rule with a CAPTCHA action matches a request, AWS WAF checks its CAPTCHA status. If the request has a valid CAPTCHA token, AWS WAF continues processing the rules that follow in the web ACL rule set. If the request doesn't have a valid token, AWS WAF terminates the evaluation and runs a CAPTCHA challenge puzzle that the caller must solve.

The actions that AWS WAF applies to a web request also depend on the numeric priority settings of the rules in the web ACL. For example, say that your web ACL has a rule with the Allow action and a numeric priority of 50 and another rule with the Count action and a numeric priority of 100. AWS WAF evaluates the rules in a web ACL in the order of their priority, starting from the lowest setting, so it evaluates the Allow rule before the Count rule. A web request that matches both rules therefore matches the Allow rule first. Because Allow is a terminating action, AWS WAF stops the evaluation at that match and doesn't evaluate the request against the Count rule. If you want count metrics from the Count rule even for requests that match the Allow rule, give the Count rule a lower numeric priority setting than the Allow rule so that it runs first. For more information about priority settings, see Processing order of rules and rule groups in a web ACL.
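The priority behaviour described above, as an added example (a simplified Python model written for this page, not AWS's implementation or code from this documentation): rules are evaluated by ascending priority, Allow and Block terminate, Count increments a metric and continues, and CAPTCHA terminates only when the request lacks a valid token. The rule names, the `/api/` match condition and the sample request are constructed; rule groups and action overrides are not modelled.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
TERMINATING = {"ALLOW", "BLOCK"}  # Allow and Block end web ACL processing

@dataclass
class Rule:
    name: str
    priority: int                    # lower number is evaluated first
    action: str                      # ALLOW, BLOCK, COUNT or CAPTCHA
    matches: Callable[[dict], bool]  # match predicate over the request

@dataclass
class WebAcl:
    default_action: str
    rules: List[Rule]
    counts: Dict[str, int] = field(default_factory=dict)  # COUNT metrics

    def evaluate(self, request: dict) -> str:
        # AWS WAF evaluates rules from the lowest numeric priority upward.
        for rule in sorted(self.rules, key=lambda r: r.priority):
            if not rule.matches(request):
                continue
            if rule.action in TERMINATING:
                return rule.action          # no later rule is evaluated
            if rule.action == "COUNT":
                self.counts[rule.name] = self.counts.get(rule.name, 0) + 1
                continue                    # non-terminating: keep going
            if rule.action == "CAPTCHA":
                if request.get("captcha_token_valid"):
                    continue                # valid token: non-terminating
                return "CAPTCHA_CHALLENGE"  # terminating: caller gets a puzzle
        # Only non-terminating rules matched (or none did): default action.
        return self.default_action

def is_api(request: dict) -> bool:
    return request["path"].startswith("/api/")  # constructed match condition

def allow_vs_count(count_priority: int) -> Tuple[str, int]:
    # Allow at priority 50 and Count at count_priority, both matching /api/.
    acl = WebAcl("BLOCK", [Rule("allow-api", 50, "ALLOW", is_api),
                           Rule("count-api", count_priority, "COUNT", is_api)])
    disposition = acl.evaluate({"path": "/api/orders", "captcha_token_valid": False})
    return disposition, acl.counts.get("count-api", 0)

def captcha_then_count(valid_token: bool) -> Tuple[str, int]:
    # CAPTCHA at priority 10 ahead of Count at priority 20; default is Allow.
    acl = WebAcl("ALLOW", [Rule("captcha-api", 10, "CAPTCHA", is_api),
                           Rule("count-api", 20, "COUNT", is_api)])
    disposition = acl.evaluate({"path": "/api/orders", "captcha_token_valid": valid_token})
    return disposition, acl.counts.get("count-api", 0)
```

With the Count rule at priority 100 the Allow rule terminates first and the count metric stays at zero; moving the Count rule to priority 10 records the hit before the request is allowed.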

In your web ACL, you can override the action settings for rules inside a rule group and you can override the action that's returned by a rule group. For information, see Overriding the actions of a rule group or its rules.