AWS WAF, AWS Firewall Manager, and AWS Shield Advanced
Developer Guide (API Version 2015-08-24)

Creating a Rule and Adding Conditions

If you add more than one condition to a rule, a web request must match all the conditions for AWS WAF to allow or block requests based on that rule.

To create a rule and add conditions

  1. Sign in to the AWS Management Console and open the AWS WAF console at https://console.aws.amazon.com/wafv2/.

  2. In the navigation pane, choose Rules.

  3. Choose Create rule.

  4. Enter the following values:

    Name

    Enter a name.

    CloudWatch metric name

    Enter a name for the CloudWatch metric that AWS WAF will create and will associate with the rule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with maximum length 128 and minimum length one. It can't contain white space or metric names reserved for AWS WAF, including "All" and "Default_Action".

    Rule type

    Choose either Regular rule or Rate-based rule. Rate-based rules are identical to regular rules, but also take into account how many requests arrive from an IP address in a five-minute period. For more information about these rule types, see How AWS WAF Works.

    Rate limit

    For a rate-based rule, enter the maximum number of requests to allow in any five-minute period from an IP address that matches the rule's conditions. The rate limit must be at least 100.

    You can specify a rate limit alone, or a rate limit and conditions. If you specify only a rate limit, AWS WAF places the limit on all IP addresses. If you specify a rate limit and conditions, AWS WAF places the limit on IP addresses that match the conditions.

    When an IP address reaches the rate limit threshold, AWS WAF applies the assigned action (block or count) as quickly as possible, usually within 30 seconds. Once the action is in place, if five minutes pass with no requests from the IP address, AWS WAF resets the counter to zero.

  5. To add a condition to the rule, specify the following values:

    When a request does/does not

    If you want AWS WAF to allow or block requests based on the filters in a condition, choose does. For example, if an IP match condition includes the IP address range 192.0.2.0/24 and you want AWS WAF to allow or block requests that come from those IP addresses, choose does.

    If you want AWS WAF to allow or block requests based on the inverse of the filters in a condition, choose does not. For example, if an IP match condition includes the IP address range 192.0.2.0/24 and you want AWS WAF to allow or block requests that do not come from those IP addresses, choose does not.

    match/originate from

    Choose the type of condition that you want to add to the rule:

    • Cross-site scripting match conditions – choose match at least one of the filters in the cross-site scripting match condition

    • IP match conditions – choose originate from an IP address in

    • Geo match conditions – choose originate from a geographic location in

    • Size constraint conditions – choose match at least one of the filters in the size constraint condition

    • SQL injection match conditions – choose match at least one of the filters in the SQL injection match condition

    • String match conditions – choose match at least one of the filters in the string match condition

    • Regular expression match conditions – choose match at least one of the filters in the regex match condition

    condition name

    Choose the condition that you want to add to the rule. The list displays only conditions of the type that you chose in the preceding step.

  6. To add another condition to the rule, choose Add another condition, and repeat steps 4 and 5. Note the following:

    • If you add more than one condition, a web request must match at least one filter in every condition for AWS WAF to allow or block requests based on that rule

    • If you add two IP match conditions to the same rule, AWS WAF will only allow or block requests that originate from IP addresses that appear in both IP match conditions

  7. When you're finished adding conditions, choose Create.
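The following Python model is an added example, not AWS code and not part of this guide. It reproduces the evaluation semantics the procedure above describes so the combinations can be checked offline: every condition on a rule must match (AND), a condition matches when at least one of its filters matches (OR), choosing "does not" inverts a condition, two IP match conditions on one rule match only addresses in both ranges, and a rate-based rule additionally counts matching requests per IP address over a five-minute window and applies its action once the limit is reached. The requests, the 198.51.100.0/24 and 203.0.113.0/24 addresses, the User-Agent filters, and the exact trailing-window counting are constructed assumptions; the real service applies the rate-based action approximately ("usually within 30 seconds"), while this model trips it on the exact request.

```python
"""Constructed model of how an AWS WAF Classic rule combines its conditions.

Added illustration, not AWS code: conditions are ANDed, filters inside a
condition are ORed, "does not" inverts a condition, and a rate-based rule
counts matching requests per IP in a trailing five-minute window.
"""
from collections import defaultdict, deque
import ipaddress

FIVE_MINUTES = 300   # seconds; the window the guide describes
MIN_RATE_LIMIT = 100  # the guide's minimum value for a rate limit


class Condition:
    """A named condition holding filters; it matches when any filter matches."""

    def __init__(self, name, filters):
        self.name = name
        self.filters = filters  # each filter is a callable(request) -> bool

    def matches(self, request):
        return any(f(request) for f in self.filters)


def ip_filter(cidr):
    """Filter for an IP match condition: true if the client IP lies in cidr."""
    network = ipaddress.ip_network(cidr)
    return lambda req: ipaddress.ip_address(req["ip"]) in network


def header_contains(header, needle):
    """Filter for a string match condition on one header (case-insensitive)."""
    return lambda req: needle.lower() in req.get("headers", {}).get(header, "").lower()


class Rule:
    """Predicates are (condition, negated) pairs; a rate_limit makes it rate-based."""

    def __init__(self, predicates, rate_limit=None):
        if rate_limit is not None and rate_limit < MIN_RATE_LIMIT:
            raise ValueError(f"rate limit must be at least {MIN_RATE_LIMIT}")
        self.predicates = predicates
        self.rate_limit = rate_limit
        self._hits = defaultdict(deque)  # ip -> timestamps of matching requests

    def conditions_match(self, request):
        # Every predicate must hold; a negated predicate ("does not") holds when
        # its condition fails. With no predicates, every request matches, which
        # is how a rate limit alone applies to all IP addresses.
        return all(cond.matches(request) != negated for cond, negated in self.predicates)

    def evaluate(self, request, now):
        """True if the rule's action (block or count) applies to this request."""
        if not self.conditions_match(request):
            return False
        if self.rate_limit is None:
            return True  # regular rule: the conditions alone decide
        hits = self._hits[request["ip"]]
        hits.append(now)
        # Drop requests older than the window; five idle minutes empty it,
        # which is the reset to zero the guide describes.
        while hits and now - hits[0] >= FIVE_MINUTES:
            hits.popleft()
        return len(hits) >= self.rate_limit


def run_scenarios():
    """Constructed requests exercising each behaviour; returns the outcomes."""
    wide = Condition("ip-192.0.2.0/24", [ip_filter("192.0.2.0/24")])
    narrow = Condition("ip-192.0.2.0/25", [ip_filter("192.0.2.0/25")])
    scanner = Condition("ua-scanner", [header_contains("User-Agent", "scanner"),
                                       header_contains("User-Agent", "sqlmap")])

    # Two IP match conditions on one rule: only IPs in BOTH ranges match.
    both = Rule([(wide, False), (narrow, False)])
    in_both = both.evaluate({"ip": "192.0.2.10"}, now=0)
    in_wide_only = both.evaluate({"ip": "192.0.2.200"}, now=0)

    # "does not originate from": the inverse of the IP match condition.
    not_wide = Rule([(wide, True)])
    outside = not_wide.evaluate({"ip": "198.51.100.7"}, now=0)
    inside = not_wide.evaluate({"ip": "192.0.2.10"}, now=0)

    # Rate-based rule with a condition: the limit applies only to matching IPs.
    limited = Rule([(scanner, False)], rate_limit=MIN_RATE_LIMIT)
    noisy = {"ip": "203.0.113.9", "headers": {"User-Agent": "evil-scanner/1.0"}}
    verdicts = [limited.evaluate(noisy, now=t) for t in range(MIN_RATE_LIMIT)]
    first_trip = verdicts.index(True)  # 0-based index of the request that trips it
    # After five quiet minutes the counter is back to zero for that IP.
    after_idle = limited.evaluate(noisy, now=MIN_RATE_LIMIT - 1 + FIVE_MINUTES + 1)
    # A request that does not match the condition is never counted.
    quiet = {"ip": "203.0.113.9", "headers": {"User-Agent": "Mozilla/5.0"}}
    unmatched = limited.evaluate(quiet, now=0)

    return {"in_both": in_both, "in_wide_only": in_wide_only,
            "outside": outside, "inside": inside,
            "first_trip": first_trip, "after_idle": after_idle,
            "unmatched": unmatched}


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Each `(condition, negated)` pair stands for one row of step 5: the condition chosen under "condition name" and the does/does not choice. The model trips on the hundredth matching request and reports the address clear again after a request that arrives more than five minutes after the last one, which is the counter reset described under "Rate limit"; a request that fails the rule's conditions is not counted toward the limit at all.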