Creating and configuring a Web Access Control List (Web ACL) - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Creating and configuring a Web Access Control List (Web ACL)

Warning

Amazon WAF Classic support will end on September 30, 2025.

Note

This is Amazon WAF Classic documentation. You should only use this version if you created Amazon WAF resources, like rules and web ACLs, in Amazon WAF prior to November 2019, and you have not migrated them over to the latest version yet. To migrate your web ACLs, see Migrating your Amazon WAF Classic resources to Amazon WAF.

For the latest version of Amazon WAF, see Amazon WAF.

A web access control list (web ACL) gives you fine-grained control over the web requests that your Amazon API Gateway API, Amazon CloudFront distribution or Application Load Balancer responds to. You can allow or block the following types of requests:

  • Originate from an IP address or a range of IP addresses

  • Originate from a specific country or countries

  • Contain a specified string or match a regular expression (regex) pattern in a particular part of requests

  • Exceed a specified length

  • Appear to contain malicious SQL code (known as SQL injection)

  • Appear to contain malicious scripts (known as cross-site scripting)

You can also test for any combination of these conditions, or block or count web requests that not only meet the specified conditions, but also exceed a specified number of requests in any 5-minute period.

To choose the requests that you want to allow to have access to your content or that you want to block, perform the following tasks:

  1. Choose the default action, allow or block, for web requests that don't match any of the conditions that you specify. For more information, see Deciding on the default action for a Web ACL.

  2. Specify the conditions under which you want to allow or block requests:

  3. Add the conditions to one or more rules. If you add more than one condition to the same rule, web requests must match all the conditions for Amazon WAF Classic to allow or block requests based on the rule. For more information, see Working with rules. Optionally, you can use a rate-based rule instead of a regular rule to limit the number of requests from any IP address that meets the conditions.

  4. Add the rules to a web ACL. For each rule, specify whether you want Amazon WAF Classic to allow or block requests based on the conditions that you added to the rule. If you add more than one rule to a web ACL, Amazon WAF Classic evaluates the rules in the order that they're listed in the web ACL. For more information, see Working with web ACLs.

    When you add a new rule or update existing rules, it can take up to one minute for those changes to appear and be active across your web ACLs and resources.