AWS::WAF::Rule - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China.

AWS::WAF::Rule

Note

This is Amazon WAF Classic documentation. For more information, see Amazon WAF Classic in the developer guide.

For the latest version of Amazon WAF , use the Amazon WAFV2 API and see the Amazon WAF Developer Guide. With the latest version, Amazon WAF has a single set of endpoints for regional and global use.

A combination of ByteMatchSet, IPSet, and/or SqlInjectionMatchSet objects that identify the web requests that you want to allow, block, or count. For example, you might create a Rule that includes the following predicates:

  • An IPSet that causes Amazon WAF to search for web requests that originate from the IP address 192.0.2.44

  • A ByteMatchSet that causes Amazon WAF to search for web requests for which the value of the User-Agent header is BadBot.

To match the settings in this Rule, a request must originate from 192.0.2.44 AND include a User-Agent header for which the value is BadBot.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::WAF::Rule", "Properties" : { "MetricName" : String, "Name" : String, "Predicates" : [ Predicate, ... ] } }

YAML

Type: AWS::WAF::Rule Properties: MetricName: String Name: String Predicates: - Predicate

Properties

MetricName

The name of the metrics for this Rule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with maximum length 128 and minimum length one. It can't contain whitespace or metric names reserved for Amazon WAF, including "All" and "Default_Action." You can't change MetricName after you create the Rule.

Required: Yes

Type: String

Minimum: 1

Maximum: 128

Pattern: .*\S.*

Update requires: Replacement

Name

The friendly name or description for the Rule. You can't change the name of a Rule after you create it.

Required: Yes

Type: String

Minimum: 1

Maximum: 128

Pattern: .*\S.*

Update requires: Replacement

Predicates

The Predicates object contains one Predicate element for each ByteMatchSet, IPSet, or SqlInjectionMatchSet object that you want to include in a Rule.

Required: No

Type: List of Predicate

Update requires: No interruption

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.

For more information about using the Ref function, see Ref.

Examples

Associate an IPSet with a Web ACL Rule

The following example associates the MyIPSetDenylist IPSet object with a web ACL rule.

JSON

"MyIPSetRule" : { "Type": "AWS::WAF::Rule", "Properties": { "Name": "MyIPSetRule", "MetricName" : "MyIPSetRule", "Predicates": [ { "DataId" : { "Ref" : "MyIPSetDenylist" }, "Negated" : false, "Type" : "IPMatch" } ] } }

YAML

MyIPSetRule: Type: "AWS::WAF::Rule" Properties: Name: "MyIPSetRule" MetricName: "MyIPSetRule" Predicates: - DataId: Ref: "MyIPSetDenylist" Negated: false Type: "IPMatch"