Amazon WAF rules
This section explains what an Amazon WAF rule is and how it works.
An Amazon WAF rule defines how to inspect HTTP(S) web requests and the action to take on a request when it matches the inspection criteria. You define rules only in the context of a rule group or web ACL.
Rules don't exist in Amazon WAF on their own. They aren't Amazon resources, and they don't have Amazon Resource Names (ARNs). You can access a rule by name in the rule group or web ACL where it's defined. You can manage rules and copy them to other web ACLs by using the JSON view of the rule group or web ACL that contains the rule. You can also manage them through the Amazon WAF console rule builder, which is available for web ACLs and rule groups.
Rule name
Each rule requires a name. Avoid names that start with AWS and names that are used for rule groups or rules that are managed for you by other services. See Recognizing rule groups provided by other services.
Note
If you change the name of a rule and you want the rule's metric name to reflect the change, you must update the metric name as well. Amazon WAF doesn't automatically update the metric name for a rule when you change the rule name. You can change the metric name when you edit the rule in the console, by using the rule JSON editor. You can also change both names through the APIs and in any JSON listing that you use to define your web ACL or rule group.
Rule statement
Each rule also requires a rule statement that defines how the rule inspects web requests. The rule statement might contain other, nested statements at any depth, depending on the rule and statement type. Some rule statements take sets of criteria. For example, you can specify up to 10,000 IP addresses or IP address ranges for an IP set match rule.
You can define rules that inspect for criteria like the following:
- Scripts that are likely to be malicious. Attackers embed scripts that can exploit vulnerabilities in web applications. This is known as cross-site scripting (XSS).
- IP addresses or address ranges that requests originate from.
- Country or geographical location that requests originate from.
- Length of a specified part of the request, such as the query string.
- SQL code that is likely to be malicious. Attackers try to extract data from your database by embedding malicious SQL code in a web request. This is known as SQL injection.
- Strings that appear in the request, for example, values that appear in the User-Agent header or text strings that appear in the query string. You can also use regular expressions (regex) to specify these strings.
- Labels that prior rules in the web ACL have added to the request.
In addition to statements with web request inspection criteria, like the ones in the preceding list, Amazon WAF supports logical statements for AND, OR, and NOT that you use to combine statements in a rule.
For example, based on recent requests that you've seen from an attacker, you might create a rule with a logical AND statement that combines the following nested statements:
- The requests come from 192.0.2.44.
- They contain the value BadBot in the User-Agent header.
- They appear to include SQL-like code in the query string.
In this case, the web request needs to match all of the statements to result in a match for the top-level AND.
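The following is an added example, not code from the Amazon WAF documentation, that shows what the AND rule described above looks like in the JSON shape used by the web ACL and rule group JSON view mentioned earlier, together with two small helpers for the naming guidance on this page. The rule name, the priority, the IP set ARN (an IP set is a separate resource that holds 192.0.2.44/32 and is referenced from the rule by ARN; the partition, region, account and ID in the placeholder are made up), and the helper names build_badbot_rule, rename_rule and lint_rule are all assumptions for illustration.

```python
import copy
import json

# Assumed placeholder ARN for an IP set containing 192.0.2.44/32.
# IP set ARNs follow arn:<partition>:wafv2:<region>:<account>:<scope>/ipset/<name>/<id>;
# every component here is invented for the example.
ATTACKER_IP_SET_ARN = (
    "arn:aws:wafv2:us-east-1:123456789012:regional/ipset/attacker-ips/"
    "00000000-0000-0000-0000-000000000000"
)


def build_badbot_rule(name="BlockBadBotFromAttackerIP", priority=0, ip_set_arn=ATTACKER_IP_SET_ARN):
    """Return the example rule as a dict in the shape of the JSON view:
    a top-level AndStatement wrapping an IP set match, a User-Agent byte match,
    and a SQL injection match on the query string."""
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {
            "AndStatement": {
                "Statements": [
                    # 1. Source address is in the IP set (the address lives in the set, not the rule).
                    {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
                    # 2. User-Agent header contains the string BadBot.
                    {
                        "ByteMatchStatement": {
                            "SearchString": "BadBot",
                            "FieldToMatch": {"SingleHeader": {"Name": "user-agent"}},
                            "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                            "PositionalConstraint": "CONTAINS",
                        }
                    },
                    # 3. Query string looks like SQL injection, after URL decoding.
                    {
                        "SqliMatchStatement": {
                            "FieldToMatch": {"QueryString": {}},
                            "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"}],
                        }
                    },
                ]
            }
        },
        "Action": {"Block": {}},
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def rename_rule(rule, new_name):
    """Rename a rule and its metric name together: Amazon WAF does not update
    MetricName for you when Name changes, so a rename that touches only Name
    leaves the metric reporting under the old name."""
    renamed = copy.deepcopy(rule)
    renamed["Name"] = new_name
    renamed["VisibilityConfig"]["MetricName"] = new_name
    return renamed


def lint_rule(rule):
    """Return a list of problems with a rule dict; an empty list means it passed.
    Illustrative checks only, drawn from the naming guidance on this page."""
    problems = []
    name = rule.get("Name", "")
    if name.upper().startswith("AWS"):  # checked case-insensitively to be conservative
        problems.append(f"rule name {name!r} starts with AWS; avoid names that look managed")
    metric = rule.get("VisibilityConfig", {}).get("MetricName")
    if metric != name:
        problems.append(f"metric name {metric!r} does not match rule name {name!r}")
    and_stmt = rule.get("Statement", {}).get("AndStatement")
    if and_stmt is not None and len(and_stmt.get("Statements", [])) < 2:
        problems.append("AndStatement needs at least two nested statements")
    return problems


if __name__ == "__main__":
    rule = build_badbot_rule()
    print(json.dumps(rule, indent=2))
    print("lint:", lint_rule(rule))
```

The dict prints as JSON you can paste into the JSON editor of a web ACL or rule group. If you instead submit the rule through the API with an SDK such as boto3, note that SearchString is a blob parameter there and must be passed as bytes (b"BadBot") rather than a str.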