Amazon WAF rules that add labels - Amazon WAF, Amazon Firewall Manager, Amazon Shield Advanced, and Amazon Shield network security director
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Introducing a new console experience for Amazon WAF

You can now use the updated experience to access Amazon WAF functionality anywhere in the console. For more details, see Working with the updated console experience.

Amazon WAF rules that add labels

In almost all rules, you can define labels and Amazon WAF will apply them to any matching request.

The following rule types are the only exceptions:

  • Rate-based rules label only while rate limiting – Rate-based rules only add labels to web requests for a specific aggregation instance while that instance is being rate limited by Amazon WAF. For information about rate-based rules, see Using rate-based rule statements in Amazon WAF.

  • Labeling isn't allowed in rule group reference statements – The console doesn't accept labels for rule group statements or managed rule group statements. Through the API, specifying a label for either statement type results in a validation exception. For information about these statement types, see Using managed rule group statements in Amazon WAF and Using rule group statements in Amazon WAF.

WCUs – 1 WCU for every 5 labels that you define in your protection pack or web ACL or rule group rules.

Where to find this

  • Rule builder on the console – Under the rule's Action settings, under Label.

  • API data typeRule RuleLabels

You define a label in a rule by specifying the custom namespace strings and name to append to the label namespace prefix. Amazon WAF derives the prefix from the context in which you define the rule. For information about this, see the label syntax information under Label syntax and naming requirements in Amazon WAF.