AWS-AddWAFRegionalRuleToWebAcl - Amazon Systems Manager Automation runbook reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).



The AWS-AddWAFRegionalRuleToWebAcl runbook adds an existing Amazon WAF regional rule, rule group or rate-based rule to a Amazon WAF Classic regional web access control list (ACL). This runbook doesn't update existing Amazon WAF Classic regional web ACL’s that are managed by Amazon Firewall Manager.

Run this Automation (console)

Document type





Linux, macOS, Windows


  • AutomationAssumeRole

    Type: String

    Description: (Optional) The Amazon Resource Name (ARN) of the Amazon Identity and Access Management (IAM) role that allows Systems Manager Automation to perform the actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user that starts this runbook.

  • WebACLId

    Type: String

    Description: (Required) The ID of the web ACL that you want to update.

  • ActivatedRulePriority

    Type: Integer

    Description: (Required) The priority for the new rule. Rule priority determines the order in which rules in a web ACL are evaluated. Rules with a lower value have higher priority than rules with a higher value. The value must be a unique integer. If you add multiple rules to a regional web ACL, the values don't have to be consecutive.

  • ActivatedRuleRuleId

    Type: String

    Description: (Required) The ID for the regular rule, rate-based rule, or group you want to add to the web ACL.

  • ActivatedRuleAction

    Type: String

    Valid values: ALLOW | BLOCK | COUNT

    Description: (Optional) Specifies the action that Amazon WAF takes when a web request matches the conditions of the rule.

  • ActivatedRuleType

    Type: String

    Valid values: REGULAR | RATE_BASED | GROUP

    Default: REGULAR

    Description: (Optional) The rule type you're adding to the web ACL. Although this field is optional, note that if you try to add a RATE_BASED rule to a web ACL without setting the type, the request fails because the request defaults to a REGULAR rule.

Required IAM permissions

The AutomationAssumeRole parameter requires the following actions to use the runbook successfully.

  • ssm:StartAutomationExecution

  • ssm:GetAutomationExecution

  • waf-regional:GetChangeToken

  • waf-regional:GetWebACL

  • waf-regional:UpdateWebACL

Document Steps

  • DetermineWebACLNotInFMSAndRulePriority (aws:executeScript) - Verifies if the Amazon WAF web ACL is in a Firewall Manager security policy and verifies the priority ID doesn't conflict with an existing ACL.

  • AddRuleOrRuleGroupToWebACL (aws:executeScript) - Adds the specified rule to the Amazon WAF web ACL.

  • VerifyRuleOrRuleGroupAddedToWebAcl (aws:executeScript) - Verifies the specified Amazon WAF rule was added to the target web ACL.


  • DetermineWebACLNotInFMSAndRulePriority.PrereqResponse: Output from the DetermineWebACLNotInFMSAndRulePriority step.

  • VerifyRuleOrRuleGroupAddedToWebAcl.VerifyRuleOrRuleGroupAddedToWebACLResponse: Output from the AddRuleOrRuleGroupToWebACL step.

  • VerifyRuleOrRuleGroupAddedToWebAcl.ListActivatedRulesOrRuleGroupsInWebACLResponse: Output of the VerifyRuleOrRuleGroupAddedToWebAcl step.