Introducing a new console experience for Amazon WAF
You can now use the updated experience to access Amazon WAF functionality anywhere in the console. For more details, see Working with the updated console experience.
Creating a protection pack or web ACL in Amazon WAF
- Creating a protection pack
This section provides procedures for creating protection packs through the Amazon console.
To create a new protection pack, use the protection pack creation wizard following the procedure on this page.
Production traffic risk
Before you deploy changes in your protection pack for production traffic, test and tune them in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your updated rules in count mode with your production traffic before enabling them. For guidance, see Testing and tuning your Amazon WAF protections.
Note
Using more than 1,500 WCUs in a protection pack or web ACL incurs costs beyond the basic protection pack or web ACL price. For more information, see Web ACL capacity units (WCUs) in Amazon WAF and Amazon WAF Pricing.
To create a protection pack
- Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at https://console.amazonaws.cn/wafv2/homev2.
- In the navigation pane, choose Resources & protections.
- On the Resources & protections page, choose Add protection pack.
- Under Tell us about your app, for App category, select one or more app categories.
- For Traffic source, choose the type of traffic the application engages with: API, Web, or Both API and Web.
- Under Resources to protect, choose Add resources.
- Choose the category of Amazon resource that you want to associate with this protection pack, either Amazon CloudFront distributions or Regional resources. For more information, see Associating or disassociating protection with an Amazon resource.
- Under Choose rule protections, select your preferred protection level: Recommended, Essentials, or You build it.
  (Optional) If you choose You build it, build your rules.
- (Optional) If you want to add your own rule, on the Add rules page, choose Custom rule and then choose Next.
  - Choose the rule type.
  - For Action, select the action you want the rule to take when it matches a web request. For information on your choices, see Using rule actions in Amazon WAF and Using protection pack or web ACLs with rules and rule groups in Amazon WAF.
    If you are using the CAPTCHA or Challenge action, adjust the Immunity time configuration as needed for the rule. If you don't specify the setting, the rule inherits it from the protection pack. To modify the protection pack immunity time settings, edit the protection pack after you create it. For more information about immunity times, see Setting timestamp expiration and token immunity times in Amazon WAF.
    Note
    You are charged additional fees when you use the CAPTCHA or Challenge rule action in one of your rules or as a rule action override in a rule group. For more information, see Amazon WAF Pricing.
    If you want to customize the request or response, choose the options for that and fill in the details of your customization. For more information, see Customized web requests and responses in Amazon WAF.
    If you want to have your rule add labels to matching web requests, choose the options for that and fill in your label details. For more information, see Web request labeling in Amazon WAF.
  - For Name, enter the name that you want to use to identify this rule. Don't use names that start with AWS, Shield, PreFM, or PostFM. These strings are either reserved or could cause confusion with rule groups that are managed for you by other services.
  - Enter your rule definition, according to your needs. You can combine rules inside logical AND and OR rule statements. The wizard guides you through the options for each rule, according to context. For information about your rule options, see Amazon WAF rules.
  - Choose Create rule.
  Note
  If you add more than one rule to a protection pack, Amazon WAF evaluates the rules in the order that they're listed for the protection pack. For more information, see Using protection pack or web ACLs with rules and rule groups in Amazon WAF.
- (Optional) If you want to add managed rule groups, on the Add rules page, choose Amazon-managed rule group or Amazon Marketplace rule group and then choose Next. Do the following for each managed rule group that you want to add:
  - On the Add rules page, expand the listing for Amazon managed rule groups or for the Amazon Web Services Marketplace seller.
  - Choose the version of the rule group.
  - To customize how your protection pack uses the rule group, choose Edit. The following are common customization settings:
    - Reduce the scope of the web requests that the rule group inspects by adding a scope-down statement in the Inspection section. For information about this option, see Using scope-down statements in Amazon WAF.
    - Override the rule actions for some or all rules in Rule overrides. If you don't define an override action for a rule, the evaluation uses the rule action that's defined inside the rule group. For information about this option, see Overriding rule group actions in Amazon WAF.
    - Some managed rule groups require you to provide additional configuration. See the documentation from your managed rule group provider. For information specific to the Amazon Managed Rules rule groups, see Amazon Managed Rules for Amazon WAF.
  - Choose Next.
- (Optional) If you want to add your own rule group, on the Add rules page, choose Custom rule group and then choose Next. Do the following for each rule group that you want to add:
  - For Name, enter the name that you want to use for the rule group rule in this protection pack. Don't use names that start with AWS, Shield, PreFM, or PostFM. These strings are either reserved or could cause confusion with rule groups that are managed for you by other services. See Recognizing rule groups provided by other services.
  - Choose your rule group from the list.
  - (Optional) Under Rule configuration, choose a Rule override. You can override the rule actions to any valid action setting, the same as you can do for managed rule groups.
  - (Optional) Under Add labels, choose Add label and then enter any labels you want to add to requests that match the rule. Rules that are evaluated later in the same protection pack can reference the labels this rule adds.
  - Choose Create rule.
- Under Name and description, enter a name for your protection pack. Optionally, enter a description.
  Note
  You can't change the name after you create the protection pack.
- (Optional) Under Customize protection pack, configure default rule actions, rule configuration, and logging destination:
  - (Optional) Under Default rule actions, choose the default action for the protection pack. This is the action that Amazon WAF takes on a request when the rules in the protection pack don't explicitly take an action. For more information, see Customized web requests and responses in Amazon WAF.
  - (Optional) Under Rule configuration, customize settings for rules in the protection pack:
    - Default rate limits - Set rate limits to block Denial of Service (DoS) attacks that can affect availability, compromise security, or consume excessive resources. This rate-based rule blocks requests from any IP address that exceeds the allowed rate for your application. For more information, see Using rate-based rule statements in Amazon WAF.
    - IP addresses - Enter IP addresses to block or allow. This setting overrides other protection rules.
    - Country specific origins - Block requests from specified countries or Count all traffic.
  - For Logging destination, configure the logging destination type and the place to store logs. For more information, see Amazon WAF logging destinations.
- Review your settings and choose Add protection pack.
- Creating a web ACL
This section provides procedures for creating web ACLs through the Amazon console.
To create a new web ACL, use the web ACL creation wizard following the procedure on this page.
Production traffic risk
Before you deploy changes in your web ACL for production traffic, test and tune them in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your updated rules in count mode with your production traffic before enabling them. For guidance, see Testing and tuning your Amazon WAF protections.
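The "test and tune in count mode" step above (for both the protection pack and the web ACL) is only useful if you actually read the resulting logs. The following is an added example, not code from the Amazon WAF documentation: it parses WAF log records (one JSON object per line, the shape Amazon WAF writes to its logging destinations), collects every rule that matched in COUNT mode, whether a top-level rule or an overridden rule inside a rule group, and summarises what each would have affected had it been enforcing. The log lines are constructed for this example; the web ACL ARN, rule names and client IPs are placeholders.

```python
"""Review count-mode rules from Amazon WAF logs before switching them to Block."""
import json
from collections import Counter, defaultdict


def log_record(client_ip, uri, method, action, terminating_rule,
               top_count=(), group_count=()):
    """One constructed WAF log record, in the shape Amazon WAF writes (one JSON object per line)."""
    return json.dumps({
        "timestamp": 1700000000000, "formatVersion": 1,
        "webaclId": "arn:aws-cn:wafv2:cn-north-1:123456789012:regional/webacl/demo/0000",  # placeholder
        "terminatingRuleId": terminating_rule, "terminatingRuleType": "REGULAR",
        "action": action, "httpSourceName": "ALB", "httpSourceId": "app/demo/1",
        # Overridden (Count) rules inside a rule group are reported per rule group ...
        "ruleGroupList": [{
            "ruleGroupId": "AWS#AWSManagedRulesCommonRuleSet", "terminatingRule": None,
            "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in group_count],
            "excludedRules": None}],
        "rateBasedRuleList": [],
        # ... while the web ACL's own Count rules are reported at the top level.
        "nonTerminatingMatchingRules": [{"ruleId": r, "action": "COUNT"} for r in top_count],
        "httpRequest": {"clientIp": client_ip, "country": "CN", "uri": uri, "args": "",
                        "httpVersion": "HTTP/1.1", "httpMethod": method,
                        "headers": [{"name": "Host", "value": "www.example.com"}]},
    })


# Constructed sample: two oversized uploads counted by a managed rule override, two
# logins counted by a custom rule (one of them blocked anyway by a later rule,
# "BlockListedIps"; Count matches are only recorded for rules evaluated before the
# terminating rule), and one request that matched nothing.
SAMPLE_LOG = "\n".join([
    log_record("203.0.113.10", "/api/upload", "POST", "ALLOW", "Default_Action",
               group_count=["SizeRestrictions_BODY"]),
    log_record("203.0.113.10", "/api/upload", "POST", "ALLOW", "Default_Action",
               group_count=["SizeRestrictions_BODY"]),
    log_record("198.51.100.7", "/login", "POST", "ALLOW", "Default_Action",
               top_count=["CaptchaSuspiciousLogin"]),
    log_record("198.51.100.7", "/login", "POST", "BLOCK", "BlockListedIps",
               top_count=["CaptchaSuspiciousLogin"]),
    log_record("192.0.2.44", "/healthz", "GET", "ALLOW", "Default_Action"),
])


def count_mode_report(log_text):
    """Aggregate COUNT-mode matches from newline-delimited WAF log records.

    Returns, per counted rule, how many requests it matched, how many of those
    were blocked anyway by another rule, and what enforcing it would newly block.
    """
    stats = defaultdict(lambda: {"requests": 0, "already_blocked": 0,
                                 "client_ips": set(), "uris": Counter()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        req = rec["httpRequest"]
        matched = [r["ruleId"] for r in rec.get("nonTerminatingMatchingRules") or []
                   if r.get("action") == "COUNT"]
        for group in rec.get("ruleGroupList") or []:
            for r in group.get("nonTerminatingMatchingRules") or []:
                if r.get("action") == "COUNT":
                    matched.append(f'{group["ruleGroupId"]}/{r["ruleId"]}')
        for key in matched:
            s = stats[key]
            s["requests"] += 1
            s["client_ips"].add(req["clientIp"])
            s["uris"][req["uri"]] += 1
            if rec["action"] == "BLOCK":
                s["already_blocked"] += 1
    return {key: {"requests": s["requests"],
                  "already_blocked": s["already_blocked"],
                  "newly_blocked_if_enforced": s["requests"] - s["already_blocked"],
                  "distinct_client_ips": len(s["client_ips"]),
                  "top_uris": s["uris"].most_common(3)}
            for key, s in stats.items()}


if __name__ == "__main__":
    for rule, summary in count_mode_report(SAMPLE_LOG).items():
        print(rule, summary)
```

Run it against a day of real log records instead of SAMPLE_LOG (for example, the contents of the log files your logging destination receives). A rule whose "newly_blocked_if_enforced" is dominated by a handful of URIs or client IPs you recognise as legitimate needs a scope-down statement or a rule action override before you switch it from Count to Block.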
Note
Using more than 1,500 WCUs in a protection pack or web ACL incurs costs beyond the basic protection pack or web ACL price. For more information, see Web ACL capacity units (WCUs) in Amazon WAF and Amazon WAF Pricing.
To create a web ACL
- Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at https://console.amazonaws.cn/wafv2/homev2.
- Choose web ACLs in the navigation pane, and then choose Create web ACL.
- For Name, enter the name that you want to use to identify this web ACL.
  Note
  You can't change the name after you create the web ACL.
- (Optional) For Description - optional, enter a longer description for the web ACL if you want to.
- For CloudWatch metric name, change the default name if applicable. Follow the guidance on the console for valid characters. The name can't contain special characters, white space, or metric names reserved for Amazon WAF, including "All" and "Default_Action."
  Note
  You can't change the CloudWatch metric name after you create the web ACL.
- Under Resource type, choose the category of Amazon resource that you want to associate with this web ACL, either Amazon CloudFront distributions or Regional resources. For more information, see Associating or disassociating protection with an Amazon resource.
- For Region, if you've chosen a Regional resource type, choose the Region where you want Amazon WAF to store the web ACL.
  You only need to choose this option for Regional resource types. For CloudFront distributions, the Region is hard-coded to the US East (N. Virginia) Region, us-east-1, for Global (CloudFront) applications.
- (CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access) For Web request inspection size limit - optional, if you want to specify a different body inspection size limit, select the limit. Inspecting body sizes over the default of 16 KB can incur additional costs. For information about this option, see Managing body inspection size limits for Amazon WAF.
- (Optional) For Associated Amazon resources - optional, if you want to specify your resources now, choose Add Amazon resources. In the dialog box, choose the resources that you want to associate, and then choose Add. Amazon WAF returns you to the Describe web ACL and associated Amazon resources page.
  Note
  When you choose to associate an Application Load Balancer with your web ACL, Resource-level DDoS protection is enabled. For more information, see Amazon WAF Distributed Denial of Service (DDoS) prevention.
- Choose Next.
- (Optional) If you want to add managed rule groups, on the Add rules and rule groups page, choose Add rules, and then choose Add managed rule groups. Do the following for each managed rule group that you want to add:
  - On the Add managed rule groups page, expand the listing for Amazon managed rule groups or for the Amazon Web Services Marketplace seller of your choice.
  - For the rule group that you want to add, in the Action column, turn on the Add to web ACL toggle.
  - To customize how your web ACL uses the rule group, choose Edit. The following are common customization settings:
    - Override the rule actions for some or all rules. If you don't define an override action for a rule, the evaluation uses the rule action that's defined inside the rule group. For information about this option, see Overriding rule group actions in Amazon WAF.
    - Reduce the scope of the web requests that the rule group inspects by adding a scope-down statement. For information about this option, see Using scope-down statements in Amazon WAF.
    - Some managed rule groups require you to provide additional configuration. See the documentation from your managed rule group provider. For information specific to the Amazon Managed Rules rule groups, see Amazon Managed Rules for Amazon WAF.
    When you're finished with your settings, choose Save rule.
  - Choose Add rules to finish adding managed rules and return to the Add rules and rule groups page.
  Note
  If you add more than one rule to a web ACL, Amazon WAF evaluates the rules in the order that they're listed for the web ACL. For more information, see Using protection pack or web ACLs with rules and rule groups in Amazon WAF.
- (Optional) If you want to add your own rule group, on the Add rules and rule groups page, choose Add rules, and then choose Add my own rules and rule groups. Do the following for each rule group that you want to add:
  - On the Add my own rules and rule groups page, choose Rule group.
  - For Name, enter the name that you want to use for the rule group rule in this web ACL. Don't use names that start with AWS, Shield, PreFM, or PostFM. These strings are either reserved or could cause confusion with rule groups that are managed for you by other services. See Recognizing rule groups provided by other services.
  - Choose your rule group from the list.
    Note
    If you want to override the rule actions for a rule group of your own, first save it to the web ACL, and then edit the web ACL and the rule group reference statement in the web ACL's rule listing. You can override the rule actions to any valid action setting, the same as you can do for managed rule groups.
  - Choose Add rule.
- (Optional) If you want to add your own rule, on the Add rules and rule groups page, choose Add rules, Add my own rules and rule groups, Rule builder, then Rule visual editor.
  Note
  The console Rule visual editor supports one level of nesting. For example, you can use a single logical AND or OR statement and nest one level of other statements inside it, but you can't nest logical statements within logical statements. To manage more complex rule statements, use the Rule JSON editor. For information about all options for rules, see Amazon WAF rules. This procedure covers the Rule visual editor.
  - For Name, enter the name that you want to use to identify this rule. Don't use names that start with AWS, Shield, PreFM, or PostFM. These strings are either reserved or could cause confusion with rule groups that are managed for you by other services.
  - Enter your rule definition, according to your needs. You can combine rules inside logical AND and OR rule statements. The wizard guides you through the options for each rule, according to context. For information about your rule options, see Amazon WAF rules.
  - For Action, select the action you want the rule to take when it matches a web request. For information on your choices, see Using rule actions in Amazon WAF and Using protection pack or web ACLs with rules and rule groups in Amazon WAF.
    If you are using the CAPTCHA or Challenge action, adjust the Immunity time configuration as needed for the rule. If you don't specify the setting, the rule inherits it from the web ACL. To modify the web ACL immunity time settings, edit the web ACL after you create it. For more information about immunity times, see Setting timestamp expiration and token immunity times in Amazon WAF.
    Note
    You are charged additional fees when you use the CAPTCHA or Challenge rule action in one of your rules or as a rule action override in a rule group. For more information, see Amazon WAF Pricing.
    If you want to customize the request or response, choose the options for that and fill in the details of your customization. For more information, see Customized web requests and responses in Amazon WAF.
    If you want to have your rule add labels to matching web requests, choose the options for that and fill in your label details. For more information, see Web request labeling in Amazon WAF.
  - Choose Add rule.
- Choose the default action for the web ACL, either Block or Allow. This is the action that Amazon WAF takes on a request when the rules in the web ACL don't explicitly allow or block it. For more information, see Setting the protection pack or web ACL default action in Amazon WAF.
  If you want to customize the default action, choose the options for that and fill in the details of your customization. For more information, see Customized web requests and responses in Amazon WAF.
- You can define a Token domain list to enable token sharing between protected applications. Tokens are used by the CAPTCHA and Challenge actions and by the application integration SDKs that you implement when you use the Amazon Managed Rules rule groups for Amazon WAF Fraud Control account creation fraud prevention (ACFP), Amazon WAF Fraud Control account takeover prevention (ATP), and Amazon WAF Bot Control.
  Public suffixes aren't allowed. For example, you can't use gov.au or co.uk as a token domain. By default, Amazon WAF accepts tokens only for the domain of the protected resource. If you add token domains in this list, Amazon WAF accepts tokens for all domains in the list and for the domain of the associated resource. For more information, see Amazon WAF protection pack or web ACL token domain list configuration.
- Choose Next.
- In the Set rule priority page, select and move your rules and rule groups to the order that you want Amazon WAF to process them. Amazon WAF processes rules starting from the top of the list. When you save the web ACL, Amazon WAF assigns numeric priority settings to the rules, in the order that you have them listed. For more information, see Setting rule priority.
- Choose Next.
- In the Configure metrics page, review the options and apply any updates that you need. You can combine metrics from multiple sources by providing the same CloudWatch metric name for them.
- Choose Next.
- In the Review and create web ACL page, check over your definitions. If you want to change any area, choose Edit for the area. This returns you to the page in the web ACL wizard. Make any changes, then choose Next through the pages until you come back to the Review and create web ACL page.
- Choose Create web ACL. Your new web ACL is listed in the web ACLs page.
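What the wizard builds is a wafv2 web ACL, and the same rule steps appear in the protection pack wizard. The following is an added example, not code from the Amazon WAF documentation: it writes the web ACL as the JSON that `aws wafv2 create-web-acl --cli-input-json file://web-acl.json` (and the Rule JSON editor, per rule) accepts, covering a rate-based rule, a managed rule group with a scope-down statement and a rule action override, a CAPTCHA rule with a rule-level immunity time, labels and two levels of nested logic, the default action, the web ACL immunity time, a token domain and explicit priorities, and it checks the constraints the console enforces (reserved name prefixes, unique priorities, Action versus OverrideAction, reserved metric names, public-suffix token domains). The web ACL and rule names, rate limit, country code, token domain and the tiny public-suffix stand-in are placeholders.

```python
"""Define a web ACL in the wafv2 API JSON shape and sanity-check it before creating it."""
import json
import re

RESERVED_RULE_PREFIXES = ("AWS", "Shield", "PreFM", "PostFM")
RESERVED_METRIC_NAMES = {"All", "Default_Action"}
METRIC_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,128}$")
# Placeholder stand-in for the public suffix list; a real check needs the full list.
PUBLIC_SUFFIX_SAMPLE = {"com", "cn", "com.cn", "gov.au", "co.uk"}
# Statements that reference a rule group; these take OverrideAction instead of Action.
REFERENCE_STATEMENTS = ("ManagedRuleGroupStatement", "RuleGroupReferenceStatement")


def visibility(metric_name):
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def uri_starts_with(prefix):
    """Byte match on the lowercased URI path."""
    return {"ByteMatchStatement": {
        "SearchString": prefix, "FieldToMatch": {"UriPath": {}},
        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
        "PositionalConstraint": "STARTS_WITH"}}


def build_web_acl():
    rules = [
        {"Name": "RateLimitPerIp", "Priority": 0,  # lowest priority number is evaluated first
         "Statement": {"RateBasedStatement": {"Limit": 2000, "AggregateKeyType": "IP"}},
         "Action": {"Block": {}}, "VisibilityConfig": visibility("RateLimitPerIp")},
        {"Name": "ManagedCommonRuleSet", "Priority": 1,
         "Statement": {"ManagedRuleGroupStatement": {
             "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet",
             "ScopeDownStatement": uri_starts_with("/api/"),  # inspect only API requests
             "RuleActionOverrides": [                          # tune one rule in Count first
                 {"Name": "SizeRestrictions_BODY", "ActionToUse": {"Count": {}}}]}},
         "OverrideAction": {"None": {}},  # keep the actions defined inside the rule group
         "VisibilityConfig": visibility("ManagedCommonRuleSet")},
        {"Name": "CaptchaSuspiciousLogin", "Priority": 2,
         # OR and NOT nested inside AND: two levels, which the visual editor does not allow
         "Statement": {"AndStatement": {"Statements": [
             {"OrStatement": {"Statements": [uri_starts_with("/login"), uri_starts_with("/signup")]}},
             {"NotStatement": {"Statement": {"GeoMatchStatement": {"CountryCodes": ["CN"]}}}}]}},
         "Action": {"Captcha": {}},
         "CaptchaConfig": {"ImmunityTimeProperty": {"ImmunityTime": 120}},  # rule-level override
         "RuleLabels": [{"Name": "example:auth:captcha-presented"}],      # for later rules
         "VisibilityConfig": visibility("CaptchaSuspiciousLogin")},
    ]
    return {
        "Name": "example-web-acl", "Scope": "REGIONAL",
        "Description": "Added example web ACL",
        "DefaultAction": {"Allow": {}},  # requests no rule acts on are allowed
        "Rules": rules,
        "VisibilityConfig": visibility("example-web-acl"),
        "CaptchaConfig": {"ImmunityTimeProperty": {"ImmunityTime": 300}},  # inherited by rules
        "TokenDomains": ["example.com"],
    }


def validate_web_acl(acl):
    """Return the problems the console would refuse; an empty list means OK to submit."""
    problems, seen_priorities = [], set()
    for rule in acl["Rules"]:
        name, prio = rule["Name"], rule["Priority"]
        if name.startswith(RESERVED_RULE_PREFIXES):
            problems.append(f"rule {name!r}: name starts with a reserved prefix")
        if prio in seen_priorities:
            problems.append(f"rule {name!r}: duplicate priority {prio}")
        seen_priorities.add(prio)
        is_reference = any(k in rule["Statement"] for k in REFERENCE_STATEMENTS)
        if ("OverrideAction" in rule, "Action" in rule) != (is_reference, not is_reference):
            problems.append(f"rule {name!r}: rule group references use OverrideAction, "
                            "other rules use Action")
    metric_names = [acl["VisibilityConfig"]["MetricName"]] + \
                   [r["VisibilityConfig"]["MetricName"] for r in acl["Rules"]]
    for m in metric_names:
        if m in RESERVED_METRIC_NAMES or not METRIC_NAME_RE.match(m):
            problems.append(f"metric name {m!r} is reserved or malformed")
    for d in acl.get("TokenDomains", []):
        if d in PUBLIC_SUFFIX_SAMPLE:
            problems.append(f"token domain {d!r} is a public suffix")
    return problems


def to_cli_input(acl):
    """Serialize for `aws wafv2 create-web-acl --cli-input-json file://web-acl.json`."""
    return json.dumps(acl, indent=2)


if __name__ == "__main__":
    acl = build_web_acl()
    issues = validate_web_acl(acl)
    print("\n".join(issues) if issues else to_cli_input(acl))
```

For a CloudFront distribution, change "Scope" to "CLOUDFRONT" and issue the call in the Region the wizard names for CloudFront; for everything else, run it in the Region that holds the protected resource. The rule names deliberately avoid the reserved prefixes, so they don't collide with rule groups that other services add to your web ACL.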