AWS WAF and AWS Shield Advanced
Developer Guide (API Version 2015-08-24)

Creating and Configuring a Web Access Control List (Web ACL)

A web access control list (web ACL) gives you fine-grained control over the web requests that your Amazon CloudFront distributions or Application Load Balancers respond to. You can allow or block requests that:

  • Originate from an IP address or a range of IP addresses

  • Originate from a specific country or countries

  • Contain a specified string or match a regular expression (regex) pattern in a particular part of requests

  • Exceed a specified length

  • Appear to contain malicious SQL code (known as SQL injection)

  • Appear to contain malicious scripts (known as cross-site scripting)

You can also test for any combination of these conditions, or block or count web requests that not only meet the specified conditions, but also exceed a specified number of requests in any 5-minute period.

To choose which requests are allowed to access your content and which are blocked, perform the following tasks:

  1. Choose the default action, allow or block, for web requests that don't match any of the conditions that you specify. For more information, see Deciding on the Default Action for a Web ACL.

  2. Specify the conditions under which you want to allow or block requests.

  3. Add the conditions to one or more rules. If you add more than one condition to the same rule, web requests must match all the conditions for AWS WAF to allow or block requests based on the rule. For more information, see Working with Rules. Optionally, also add a rate limit to the rule, which specifies the maximum number of requests that are allowed from a specific IP address.

  4. Add the rules to a web ACL. For each rule, specify whether you want AWS WAF to allow or block requests based on the conditions that you added to the rule. If you add more than one rule to a web ACL, AWS WAF evaluates the rules in the order that they're listed in the web ACL. For more information, see Working with Web ACLs.
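As an added illustration (not AWS code or this guide's own), the following Python models the evaluation behaviour the steps above describe: rules are tried in listed order, every condition in a rule must match, COUNT rules are recorded while evaluation continues, a rate-based rule counts requests per source IP over a 5-minute window, and the default action applies when nothing matches. The condition helpers, the request fields (`ip`, `uri`, `ts`) and the sample web ACL are constructed assumptions for the model.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed model (not AWS code) of web ACL evaluation: rules run in listed order,
# ALL conditions in a rule must match, the first matching ALLOW/BLOCK rule decides,
# COUNT rules are noted and evaluation continues, else the default action applies.
RATE_WINDOW_SECONDS = 300  # rate-based rules count requests over any 5-minute period

def ip_in(cidrs):  # condition: source IP falls inside one of the given ranges
    nets = [ip_network(c) for c in cidrs]
    return lambda req: any(ip_address(req["ip"]) in n for n in nets)

def uri_contains(needle):  # condition: string match on the URI part of the request
    return lambda req: needle in req["uri"]

class RateLimiter:  # condition: true once an IP exceeds `limit` requests in the window
    def __init__(self, limit):
        self.limit = limit
        self.seen = defaultdict(deque)  # ip -> request timestamps still in the window

    def __call__(self, req):
        q = self.seen[req["ip"]]
        q.append(req["ts"])
        while q and req["ts"] - q[0] >= RATE_WINDOW_SECONDS:
            q.popleft()  # age out requests older than the window
        return len(q) > self.limit

# Sample web ACL (constructed); the rate limit is tiny for illustration only.
WEB_ACL = {
    "default_action": "ALLOW",
    "rules": [
        {"name": "count-long-uri", "action": "COUNT",
         "conditions": [lambda req: len(req["uri"]) > 64]},
        {"name": "block-admin-from-range", "action": "BLOCK",
         "conditions": [ip_in(["192.0.2.0/24"]), uri_contains("/admin")]},
        {"name": "rate-limit", "action": "BLOCK",
         "conditions": [RateLimiter(limit=3)]},
    ],
}

def evaluate(acl, req):
    """Return (final_action, deciding_rule_or_None, names_of_COUNT_rules_that_matched)."""
    counted = []
    for rule in acl["rules"]:
        if all(cond(req) for cond in rule["conditions"]):
            if rule["action"] == "COUNT":
                counted.append(rule["name"])
                continue
            return rule["action"], rule["name"], counted
    return acl["default_action"], None, counted
```

Because the rate limiter keeps state per source IP, feeding it a sequence of timestamped requests shows the point at which an IP tips over the limit and when it is allowed again after the window slides.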