Rule action - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Rule action

The rule action tells Amazon WAF what to do with a web request when it matches the criteria defined in the rule. You can optionally add custom behavior to each rule action.

Note

Rule actions can be terminating or non-terminating. A terminating action stops the web ACL evaluation of the request and either lets it continue to your protected application or blocks it.

Here are the rule action options:

  • Allow – Amazon WAF allows the request to be forwarded to the protected Amazon resource for processing and response. This is a terminating action. In rules that you define, you can insert custom headers into the request before forwarding it to the protected resource.

  • Block – Amazon WAF blocks the request. This is a terminating action. By default, your protected Amazon resource responds with an HTTP 403 (Forbidden) status code. In rules that you define, you can customize the response. When Amazon WAF blocks a request, the Block action settings determine the response that the protected resource sends back to the client.

  • Count – Amazon WAF counts the request but does not determine whether to allow it or block it. This is a non-terminating action. Amazon WAF continues processing the remaining rules in the web ACL. In rules that you define, you can insert custom headers into the request and you can add labels that other rules can match against.

  • CAPTCHA and Challenge – Amazon WAF uses CAPTCHA puzzles and silent challenges to verify that the request is not coming from a bot, and Amazon WAF uses tokens to track recent successful client responses.

    Note

    You are charged additional fees when you use the CAPTCHA or Challenge rule action in one of your rules or as a rule action override in a rule group. For more information, see Amazon WAF Pricing.

    These rule actions can be terminating or non-terminating, depending on the state of the token in the request:

    • Non-terminating for valid, unexpired token – If the token is valid and unexpired according to the configured CAPTCHA or challenge immunity time, Amazon WAF handles the request similarly to the Count action. Amazon WAF continues to inspect the web request based on the remaining rules in the web ACL. As with the Count configuration, in rules that you define, you can optionally configure these actions with custom headers to insert into the request, and you can add labels that other rules can match against.

    • Terminating with blocked request for invalid or expired token – If the token is invalid or the indicated timestamp is expired, Amazon WAF terminates the inspection of the web request and blocks the request, similar to the Block action. Amazon WAF then responds to the client with a custom response code. For CAPTCHA, if the request contents indicate that the client browser can handle it, Amazon WAF sends a CAPTCHA puzzle in a JavaScript interstitial, which is designed to distinguish human clients from bots. For the Challenge action, Amazon WAF sends a JavaScript interstitial with a silent challenge that is designed to distinguish normal browsers from sessions that are being run by bots.

    For additional information, see CAPTCHA and Challenge in Amazon WAF.
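To make the terminating and non-terminating behavior of the actions above concrete, here is a small Python model of the evaluation walk; it is an added illustration, not Amazon WAF code. The `Request` and `Rule` classes, the rule and label names, the 300-second immunity time, and the `sample_rules()` rule set are all constructed for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed model of the evaluation order described above; this is not
# Amazon WAF code. Rules run in priority order: Allow and Block terminate,
# Count never does, and CAPTCHA/Challenge terminate only when the token is
# missing, invalid, or older than the rule's immunity time.

@dataclass
class Request:
    uri: str
    token_issued_at: Optional[float] = None   # None: no CAPTCHA/challenge token present
    labels: set = field(default_factory=set)  # labels added by earlier matching rules

@dataclass
class Rule:
    name: str
    priority: int
    matches: Callable[[Request], bool]
    action: str                 # "allow" | "block" | "count" | "captcha" | "challenge"
    labels: tuple = ()          # labels attached to the request when the rule matches
    immunity_time: int = 300    # seconds a token stays valid (assumed value for the example)

def token_is_valid(req: Request, rule: Rule, now: float) -> bool:
    return req.token_issued_at is not None and now - req.token_issued_at < rule.immunity_time

def evaluate(rules, req, default_action="allow", now=None):
    """Return (final_action, terminating_rule) after walking the rules in priority order."""
    now = time.time() if now is None else now
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(req):
            continue
        req.labels.update(rule.labels)            # labels are visible to every later rule
        if rule.action in ("allow", "block"):     # terminating actions
            return rule.action, rule.name
        if rule.action == "count":                # non-terminating: keep evaluating
            continue
        if rule.action in ("captcha", "challenge"):
            if token_is_valid(req, rule, now):    # valid token: behaves like Count
                continue
            return "block", rule.name             # interstitial served, evaluation stops
        raise ValueError(f"unknown action {rule.action!r}")
    return default_action, None                   # no terminating match: web ACL default action

def sample_rules():
    """Constructed rule set: a Count rule labels /admin paths, a later Block rule matches the label."""
    return [
        Rule("label-admin", 10, lambda r: r.uri.startswith("/admin"), "count", labels=("path:admin",)),
        Rule("block-admin", 20, lambda r: "path:admin" in r.labels, "block"),
        Rule("captcha-login", 30, lambda r: r.uri == "/login", "captcha"),
    ]
```

The `/admin` case shows why Count is useful even though it never blocks on its own: the label it adds is what the later Block rule matches.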

For information about customizing requests and responses, see Customized web requests and responses in Amazon WAF.

For information about adding labels to matching requests, see Amazon WAF labels on web requests.

For information about how web ACL and rule settings interact, see Web ACL rule and rule group evaluation.