Rate-based rule high-level settings in Amazon WAF - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Rate-based rule high-level settings in Amazon WAF

A rate-based rule statement uses the following high level settings:

  • Evaluation window – The amount of time, in seconds, that Amazon WAF should include in its request counts, looking back from the current time. For example, for a setting of 120, when Amazon WAF checks the rate, it counts the requests for the 2 minutes immediately preceding the current time. Valid settings are 60 (1 minute), 120 (2 minutes), 300 (5 minutes), and 600 (10 minutes), and 300 (5 minutes) is the default.

    This setting doesn't determine how often Amazon WAF checks the rate, but how far back it looks each time it checks. Amazon WAF checks the rate frequently, with timing that's independent of the evaluation window setting.

  • Rate limit – The maximum number of requests matching your criteria that Amazon WAF should just track for the specified evaluation window. The lowest limit setting allowed is 10. When this limit is breached, Amazon WAF applies the rule action setting to additional requests matching your criteria.

    Amazon WAF applies rate limiting near the limit that you set, but does not guarantee an exact limit match. For more information, see Rate-based rule caveats.

  • Request aggregation – The aggregation criteria to use on the web requests that the rate-based rule counts and rate limits. The rate limit that you set applies to each aggregation instance. For details, see Aggregating rate-based rules and Aggregation instances and counts.

  • Action – The action to take on requests that the rule rate limits. You can use any rule action except Allow. This is set at the rule level as usual, but has some restrictions and behaviors that are specific to rate-based rules. For general information about rule actions, see Using rule actions in Amazon WAF. For information specific to rate limiting, see Applying rate limiting to requests in Amazon WAF in this section.

  • Scope of inspection and rate limiting – You can narrow the scope of the requests that the rate-based statement tracks and rate limits by adding a scope-down statement. If you specify a scope-down statement, the rule only aggregates, counts, and rate limits requests that match the scope-down statement. If you choose the request aggregation option Count all, then the scope-down statement is required. For more information about scope-down statements, see Using scope-down statements.

  • (Optional) Forwarded IP configuration – This is only used if you specify IP address in header in your request aggregation, either alone or as part of the custom keys settings. Amazon WAF retrieves the first IP address in the specified header and uses that as the aggregation value. A common header for this purpose is X-Forwarded-For, but you can specify any header. For more information, see Using forwarded IP addresses.