Creating a rule and adding conditions
Warning
Amazon WAF Classic support will end on September 30, 2025.
Note
This is Amazon WAF Classic documentation. You should only use this version if you created Amazon WAF resources, like rules and web ACLs, in Amazon WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your web ACLs, see Migrating your Amazon WAF Classic resources to Amazon WAF.
For the latest version of Amazon WAF, see Amazon WAF.
If you add more than one condition to a rule, a web request must match all the conditions for Amazon WAF Classic to allow or block requests based on that rule.
To create a rule and add conditions
Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at https://console.amazonaws.cn/wafv2/. If you see Switch to Amazon WAF Classic in the navigation pane, select it.
In the navigation pane, choose Rules.
Choose Create rule.
Enter the following values:
- Name
Enter a name.
- CloudWatch metric name
Enter a name for the CloudWatch metric that Amazon WAF Classic will create and will associate with the rule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with maximum length 128 and minimum length one. It can't contain white space or metric names reserved for Amazon WAF Classic, including "All" and "Default_Action".
- Rule type
Choose either Regular rule or Rate-based rule. Rate-based rules are identical to regular rules, but also take into account how many requests arrive from an IP address in a five-minute period. For more information about these rule types, see How Amazon WAF Classic works.
- Rate limit
For a rate-based rule, enter the maximum number of requests to allow in any five-minute period from an IP address that matches the rule's conditions. The rate limit must be at least 100.
You can specify a rate limit alone, or a rate limit and conditions. If you specify only a rate limit, Amazon WAF places the limit on all IP addresses. If you specify a rate limit and conditions, Amazon WAF places the limit on IP addresses that match the conditions.
When an IP address reaches the rate limit threshold, Amazon WAF applies the assigned action (block or count) as quickly as possible, usually within 30 seconds. Once the action is in place, if five minutes pass with no requests from the IP address, Amazon WAF resets the counter to zero.
To add a condition to the rule, specify the following values:
- When a request does/does not
If you want Amazon WAF Classic to allow or block requests based on the filters in a condition, choose does. For example, if an IP match condition includes the IP address range 192.0.2.0/24 and you want Amazon WAF Classic to allow or block requests that come from those IP addresses, choose does.
If you want Amazon WAF Classic to allow or block requests based on the inverse of the filters in a condition, choose does not. For example, if an IP match condition includes the IP address range 192.0.2.0/24 and you want Amazon WAF Classic to allow or block requests that do not come from those IP addresses, choose does not.
- match/originate from
Choose the type of condition that you want to add to the rule:
Cross-site scripting match conditions – choose match at least one of the filters in the cross-site scripting match condition
IP match conditions – choose originate from an IP address in
Geo match conditions – choose originate from a geographic location in
Size constraint conditions – choose match at least one of the filters in the size constraint condition
SQL injection match conditions – choose match at least one of the filters in the SQL injection match condition
String match conditions – choose match at least one of the filters in the string match condition
Regular expression match conditions – choose match at least one of the filters in the regex match condition
- condition name
Choose the condition that you want to add to the rule. The list displays only conditions of the type that you chose in the preceding step.
To add another condition to the rule, choose Add another condition, and repeat the condition settings above (When a request does/does not, match/originate from, and condition name) for the new condition. Note the following:
If you add more than one condition, a web request must match at least one filter in every condition for Amazon WAF Classic to allow or block requests based on that rule. Filters within a single condition are ORed; conditions within a rule are ANDed.
If you add two IP match conditions to the same rule, Amazon WAF Classic will only allow or block requests that originate from IP addresses that appear in both IP match conditions. To act on requests from either of two address ranges, put both ranges as filters in a single IP match condition instead.
When you're finished adding conditions, choose Create.
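The following model, added here as an illustration and not code from the Amazon WAF Classic documentation, reproduces the matching semantics the procedure above relies on: filters inside one condition are ORed, conditions inside a rule are ANDed, "does not" negates a whole condition, and a rate-based rule counts per-IP requests in a five-minute window and applies to every IP when it has no conditions. It lets you check what a planned combination of conditions will actually match before you create it. The Request fields, condition names, IP ranges and timestamps are constructed for the example; the model does not reproduce the up-to-30-second propagation delay the page mentions.

```python
"""Model of Amazon WAF Classic rule evaluation (added example, not Amazon's code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Request:
    """Constructed stand-in for the parts of a web request WAF Classic inspects."""
    src_ip: str
    country: str
    uri: str = "/"


@dataclass
class Condition:
    """One WAF Classic condition: a request matches if at least ONE filter matches (OR)."""
    name: str
    filters: list

    def matches(self, req: Request) -> bool:
        return any(f(req) for f in self.filters)


def ip_filter(cidr: str):
    """Filter for an IP match condition: source address inside the CIDR range."""
    net = ip_network(cidr)
    return lambda req: ip_address(req.src_ip) in net


def geo_filter(country: str):
    """Filter for a geo match condition."""
    return lambda req: req.country == country


def uri_filter(needle: str):
    """Filter for a string match condition on the URI (contains)."""
    return lambda req: needle in req.uri


@dataclass
class Rule:
    """predicates: (condition, negated) pairs. negated=True is the console's 'does not'.
    A request matches only if EVERY predicate holds (AND)."""
    name: str
    predicates: list

    def matches(self, req: Request) -> bool:
        return all(cond.matches(req) != negated for cond, negated in self.predicates)


class RateBasedRule(Rule):
    """Regular rule plus a per-IP counter over a five-minute window.
    With no conditions, all([]) is True, so the limit applies to every IP."""
    WINDOW_SECONDS = 300

    def __init__(self, name: str, predicates: list, rate_limit: int):
        if rate_limit < 100:
            raise ValueError("rate limit must be at least 100")
        super().__init__(name, predicates)
        self.rate_limit = rate_limit
        self.hits = {}  # src_ip -> timestamps of matching requests in the window

    def observe(self, req: Request, now: float) -> bool:
        """Return True when the rule's action (block or count) applies to this request.
        Dropping timestamps older than the window means five idle minutes reset the count."""
        if not self.matches(req):
            return False
        recent = [t for t in self.hits.get(req.src_ip, []) if now - t < self.WINDOW_SECONDS]
        recent.append(now)
        self.hits[req.src_ip] = recent
        return len(recent) > self.rate_limit


def build_rules():
    """Two ways of writing 'act on both address ranges' plus a 'does not' rule."""
    a = Condition("range-a", [ip_filter("192.0.2.0/24")])
    b = Condition("range-b", [ip_filter("198.51.100.0/24")])
    # Two separate IP match conditions in one rule are ANDed: no single source address
    # can be in both disjoint ranges, so this rule never matches anything.
    intersect = Rule("both-ranges-wrong", [(a, False), (b, False)])
    # Correct form: both ranges as filters of ONE IP match condition (ORed).
    both = Condition("both-ranges", [ip_filter("192.0.2.0/24"), ip_filter("198.51.100.0/24")])
    union = Rule("both-ranges", [(both, False)])
    # 'does not originate from US' AND 'URI contains /admin'.
    foreign_admin = Rule("foreign-admin", [(Condition("us", [geo_filter("US")]), True),
                                           (Condition("admin", [uri_filter("/admin")]), False)])
    return intersect, union, foreign_admin


def rate_limit_demo(limit: int = 100):
    """One request per second from one IP: (decision per request for limit+1 requests,
    decision for a further request after five idle minutes)."""
    rule = RateBasedRule("flood", [], limit)  # no conditions: limit applies to all IPs
    req = Request("203.0.113.7", "DE")
    decisions = [rule.observe(req, t) for t in range(limit + 1)]
    after_idle = rule.observe(req, limit + 1 + RateBasedRule.WINDOW_SECONDS)
    return decisions, after_idle
```

Run build_rules() and try requests against each rule to see that the two-condition IP rule never fires while the single-condition version matches either range; rate_limit_demo() shows the action applying only on the request that exceeds the limit and the counter being empty again after five idle minutes.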