

**Introducing a new console experience for Amazon WAF**

You can now use the updated experience to access Amazon WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.amazonaws.cn/waf/latest/developerguide/working-with-console.html). 

# Creating a protection pack (web ACL) in Amazon WAF
<a name="web-acl-creating"></a>

------
#### [ Using the new console ]

This section provides procedures for creating protection packs (web ACLs) through the new Amazon console. 

To create a new protection pack (web ACL), use the protection pack (web ACL) creation wizard following the procedure on this page. 

**Production traffic risk**  
Before you deploy changes in your protection pack (web ACL) for production traffic, test and tune them in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your updated rules in count mode with your production traffic before enabling them. For guidance, see [Testing and tuning your Amazon WAF protections](web-acl-testing.md).

**Note**  
Using more than 1,500 WCUs in a protection pack (web ACL) incurs costs beyond the basic protection pack (web ACL) price. For more information, see [Web ACL capacity units (WCUs) in Amazon WAF](aws-waf-capacity-units.md) and [Amazon WAF Pricing](https://www.amazonaws.cn/waf/pricing/).

1. Sign in to the new Amazon Web Services Management Console and open the Amazon WAF console at [https://console.amazonaws.cn/wafv2-pro](https://console.amazonaws.cn/wafv2-pro). 

1. In the navigation pane, choose **Resources & protection packs (web ACLs)**.

1. On the **Resources & protection packs (web ACLs)** page, choose **Add protection pack (web ACL)**.

1. Under **Tell us about your app**, for **App category**, select one or more app categories.

1. For **Traffic source**, choose the type of traffic the application engages with: **API**, **Web**, or **Both API and Web**.

1. Under **Resources to protect**, choose **Add resources**.

1. Choose the category of Amazon resource that you want to associate with this protection pack (web ACL), either Amazon CloudFront distributions or Regional resources. For more information, see [Associating or disassociating protection with an Amazon resource](web-acl-associating-aws-resource.md). 

1. Under **Choose initial protections**, select your preferred protection level: **Recommended**, **Essentials**, or **You build it**. 

1. (Optional) If you choose **You build it**, build your rules.

   1. (Optional) If you want to add your own rule, on the **Add rules** page, choose **Custom rule** and then choose **Next**.

      1. Choose the rule type.

      1. For **Action**, select the action you want the rule to take when it matches a web request. For information on your choices, see [Using rule actions in Amazon WAF](waf-rule-action.md) and [Using protection packs (web ACLs) with rules and rule groups in Amazon WAF](web-acl-processing.md).

         If you are using the **CAPTCHA** or **Challenge** action, adjust the **Immunity time** configuration as needed for the rule. If you don't specify the setting, the rule inherits it from the protection pack (web ACL). To modify the protection pack (web ACL) immunity time settings, edit the protection pack (web ACL) after you create it. For more information about immunity times, see [Setting timestamp expiration and token immunity times in Amazon WAF](waf-tokens-immunity-times.md).
**Note**  
You are charged additional fees when you use the CAPTCHA or Challenge rule action in one of your rules or as a rule action override in a rule group. For more information, see [Amazon WAF Pricing](https://www.amazonaws.cn/waf/pricing/).

         If you want to customize the request or response, choose the options for that and fill in the details of your customization. For more information, see [Customized web requests and responses in Amazon WAF](waf-custom-request-response.md).

         If you want to have your rule add labels to matching web requests, choose the options for that and fill in your label details. For more information, see [Web request labeling in Amazon WAF](waf-labels.md).

      1. For **Name**, enter the name that you want to use to identify this rule. Don't use names that start with `AWS`, `Shield`, `PreFM`, or `PostFM`. These strings are either reserved or could cause confusion with rule groups that are managed for you by other services.

      1. Enter your rule definition, according to your needs. You can combine rules inside logical `AND` and `OR` rule statements. The wizard guides you through the options for each rule, according to context. For information about your rules options, see [Amazon WAF rules](waf-rules.md). 

      1. Choose **Create rule**.
**Note**  
If you add more than one rule to a protection pack (web ACL), Amazon WAF evaluates the rules in the order that they're listed for the protection pack (web ACL). For more information, see [Using protection packs (web ACLs) with rules and rule groups in Amazon WAF](web-acl-processing.md).

   1. (Optional) If you want to add managed rule groups, on the **Add rules** page, choose **Amazon-managed rule group** or **Amazon Marketplace rule group** and then choose **Next**. Do the following for each managed rule group that you want to add:

      1. On the **Add rules** page, expand the listing for Amazon managed rule groups or for the Amazon Web Services Marketplace seller.

      1. Choose the version of the rule group.

      1. To customize how your protection pack (web ACL) uses the rule group, choose **Edit**. The following are common customization settings: 
         + Reduce the scope of the web requests that the rule group inspects by adding a scope-down statement in the **Inspection** section. For information about this option, see [Using scope-down statements in Amazon WAF](waf-rule-scope-down-statements.md).
         + Override the rule actions for some or all rules in **Rule overrides**. If you don't define an override action for a rule, the evaluation uses the rule action that's defined inside the rule group. For information about this option, see [Overriding rule group actions in Amazon WAF](web-acl-rule-group-override-options.md). 
         + Some managed rule groups require you to provide additional configuration. See the documentation from your managed rule group provider. For information specific to the Amazon Managed Rules rule groups, see [Amazon Managed Rules for Amazon WAF](aws-managed-rule-groups.md). 

      1. Choose **Next**.

   1. (Optional) If you want to add your own rule group, on the **Add rules** page, choose **Custom rule group** and then choose **Next**. Do the following for each rule group that you want to add:

      1. For **Name**, enter the name that you want to use for the rule group rule in this protection pack (web ACL). Don't use names that start with `AWS`, `Shield`, `PreFM`, or `PostFM`. These strings are either reserved or could cause confusion with rule groups that are managed for you by other services. See [Recognizing rule groups provided by other services](waf-service-owned-rule-groups.md). 

      1. Choose your rule group from the list. 

      1. (Optional) Under **Rule configuration**, choose a **Rule override**. You can override the rule actions to any valid action setting, the same as you can do for managed rule groups.

      1. (Optional) Under **Add labels**, choose **Add label** and then enter any labels you want to add to requests that match the rule. Rules that are evaluated later in the same protection pack (web ACL) can reference the labels this rule adds.

      1. Choose **Create rule**.

1. Under **Name and description**, enter a name for your protection pack (web ACL). Optionally, enter a description.
**Note**  
You can't change the name after you create the protection pack (web ACL).

1. (Optional) Under **Customize protection pack (web ACL)**, configure default rule actions, configurations, and logging destination:

   1. (Optional) Under **Default rule actions**, choose the default action for the protection pack (web ACL). This is the action that Amazon WAF takes on a request when the rules in the protection pack (web ACL) don't explicitly take an action. For more information, see [Customized web requests and responses in Amazon WAF](waf-custom-request-response.md).

   1. (Optional) Under **Rule configuration**, customize settings for rules in the protection pack (web ACL):
      + **Default rate limits** - Set rate limits to block Denial of Service (DoS) attacks that can affect availability, compromise security, or consume excessive resources. This rate-based rule blocks requests from any IP address that exceeds the allowed rate for your application. For more information, see [Using rate-based rule statements in Amazon WAF](waf-rule-statement-type-rate-based.md).
      + **IP Addresses** - Enter IP addresses to block or allow. This setting overrides other rules.
      + **Country specific origins** - Block requests from specified countries or Count all traffic.

   1. For **Logging destination**, configure the logging destination type and the place to store logs. For more information, see [Amazon WAF logging destinations](logging-destinations.md).

1. Review your settings and choose **Add protection pack (web ACL)**.

------
#### [ Using the standard console ]

This section provides procedures for creating web ACLs through the Amazon console. 

To create a new web ACL, use the web ACL creation wizard following the procedure on this page. 

**Production traffic risk**  
Before you deploy changes in your web ACL for production traffic, test and tune them in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your updated rules in count mode with your production traffic before enabling them. For guidance, see [Testing and tuning your Amazon WAF protections](web-acl-testing.md).

**Note**  
Using more than 1,500 WCUs in a protection pack (web ACL) incurs costs beyond the basic protection pack (web ACL) price. For more information, see [Web ACL capacity units (WCUs) in Amazon WAF](aws-waf-capacity-units.md) and [Amazon WAF Pricing](https://www.amazonaws.cn/waf/pricing/).

**To create a web ACL**

1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at [https://console.amazonaws.cn/wafv2/homev2](https://console.amazonaws.cn/wafv2/homev2). 

1. Choose **web ACLs** in the navigation pane, and then choose **Create web ACL**.

1. For **Name**, enter the name that you want to use to identify this web ACL. 
**Note**  
You can't change the name after you create the web ACL.

1. (Optional) For **Description - optional**, enter a longer description for the web ACL if you want to. 

1. For **CloudWatch metric name**, change the default name if applicable. Follow the guidance on the console for valid characters. The name can't contain special characters, white space, or metric names reserved for Amazon WAF, including "All" and "Default_Action."
**Note**  
You can't change the CloudWatch metric name after you create the web ACL.

1. Under **Resource type**, choose the category of Amazon resource that you want to associate with this web ACL, either Amazon CloudFront distributions or Regional resources. For more information, see [Associating or disassociating protection with an Amazon resource](web-acl-associating-aws-resource.md).

1. For **Region**, if you've chosen a Regional resource type, choose the Region where you want Amazon WAF to store the web ACL. 

   You only need to choose this option for Regional resource types. For CloudFront distributions, the Region is hard-coded to the US East (N. Virginia) Region, `us-east-1`, for Global (CloudFront) applications.

1. (CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access) For **Web request inspection size limit - optional**, if you want to specify a different body inspection size limit, select the limit. Inspecting body sizes over the default of 16 KB can incur additional costs. For information about this option, see [Considerations for managing body inspection in Amazon WAF](web-acl-setting-body-inspection-limit.md). 

1. (Optional) For **Associated Amazon resources - optional**, if you want to specify your resources now, choose **Add Amazon resources**. In the dialog box, choose the resources that you want to associate, and then choose **Add**. Amazon WAF returns you to the **Describe web ACL and associated Amazon resources** page.
**Note**  
When you choose to associate an Application Load Balancer with your web ACL, **Resource-level DDoS protection** is enabled. For more information, see [Amazon WAF Distributed Denial of Service (DDoS) prevention](waf-anti-ddos.md).

1. Choose **Next**.

1. (Optional) If you want to add managed rule groups, on the **Add rules and rule groups** page, choose **Add rules**, and then choose **Add managed rule groups**. Do the following for each managed rule group that you want to add:

   1. On the **Add managed rule groups** page, expand the listing for Amazon managed rule groups or for the Amazon Web Services Marketplace seller of your choice.

   1. For the rule group that you want to add, in the **Action** column, turn on the **Add to web ACL** toggle. 

      To customize how your web ACL uses the rule group, choose **Edit**. The following are common customization settings: 
      + Override the rule actions for some or all rules. If you don't define an override action for a rule, the evaluation uses the rule action that's defined inside the rule group. For information about this option, see [Overriding rule group actions in Amazon WAF](web-acl-rule-group-override-options.md). 
      + Reduce the scope of the web requests that the rule group inspects by adding a scope-down statement. For information about this option, see [Using scope-down statements in Amazon WAF](waf-rule-scope-down-statements.md).
      + Some managed rule groups require you to provide additional configuration. See the documentation from your managed rule group provider. For information specific to the Amazon Managed Rules rule groups, see [Amazon Managed Rules for Amazon WAF](aws-managed-rule-groups.md). 

      When you're finished with your settings, choose **Save rule**.

   Choose **Add rules** to finish adding managed rules and return to the **Add rules and rule groups** page.
**Note**  
If you add more than one rule to a web ACL, Amazon WAF evaluates the rules in the order that they're listed for the web ACL. For more information, see [Using protection packs (web ACLs) with rules and rule groups in Amazon WAF](web-acl-processing.md).

1. (Optional) If you want to add your own rule group, on the **Add rules and rule groups** page, choose **Add rules**, and then choose **Add my own rules and rule groups**. Do the following for each rule group that you want to add:

   1. On the **Add my own rules and rule groups** page, choose **Rule group**.

   1. For **Name**, enter the name that you want to use for the rule group rule in this web ACL. Don't use names that start with `AWS`, `Shield`, `PreFM`, or `PostFM`. These strings are either reserved or could cause confusion with rule groups that are managed for you by other services. See [Recognizing rule groups provided by other services](waf-service-owned-rule-groups.md). 

   1. Choose your rule group from the list. 
**Note**  
If you want to override the rule actions for a rule group of your own, first save it to the web ACL, and then edit the web ACL and the rule group reference statement in the web ACL's rule listing. You can override the rule actions to any valid action setting, the same as you can do for managed rule groups.

   1. Choose **Add rule**.

1. (Optional) If you want to add your own rule, on the **Add rules and rule groups** page, choose **Add rules**, **Add my own rules and rule groups**, **Rule builder**, then **Rule visual editor**. 
**Note**  
The console **Rule visual editor** supports one level of nesting. For example, you can use a single logical `AND` or `OR` statement and nest one level of other statements inside it, but you can't nest logical statements within logical statements. To manage more complex rule statements, use the **Rule JSON editor**. For information about all options for rules, see [Amazon WAF rules](waf-rules.md).   
This procedure covers the **Rule visual editor**. 

   1. For **Name**, enter the name that you want to use to identify this rule. Don't use names that start with `AWS`, `Shield`, `PreFM`, or `PostFM`. These strings are either reserved or could cause confusion with rule groups that are managed for you by other services.

   1. Enter your rule definition, according to your needs. You can combine rules inside logical `AND` and `OR` rule statements. The wizard guides you through the options for each rule, according to context. For information about your rules options, see [Amazon WAF rules](waf-rules.md). 

   1. For **Action**, select the action you want the rule to take when it matches a web request. For information on your choices, see [Using rule actions in Amazon WAF](waf-rule-action.md) and [Using protection packs (web ACLs) with rules and rule groups in Amazon WAF](web-acl-processing.md).

      If you are using the **CAPTCHA** or **Challenge** action, adjust the **Immunity time** configuration as needed for the rule. If you don't specify the setting, the rule inherits it from the web ACL. To modify the web ACL immunity time settings, edit the web ACL after you create it. For more information about immunity times, see [Setting timestamp expiration and token immunity times in Amazon WAF](waf-tokens-immunity-times.md).
**Note**  
You are charged additional fees when you use the CAPTCHA or Challenge rule action in one of your rules or as a rule action override in a rule group. For more information, see [Amazon WAF Pricing](https://www.amazonaws.cn/waf/pricing/).

      If you want to customize the request or response, choose the options for that and fill in the details of your customization. For more information, see [Customized web requests and responses in Amazon WAF](waf-custom-request-response.md).

      If you want to have your rule add labels to matching web requests, choose the options for that and fill in your label details. For more information, see [Web request labeling in Amazon WAF](waf-labels.md).

   1. Choose **Add rule**.

1. Choose the default action for the web ACL, either Block or Allow. This is the action that Amazon WAF takes on a request when the rules in the web ACL don't explicitly allow or block it. For more information, see [Setting the protection pack (web ACL) default action in Amazon WAF](web-acl-default-action.md).

   If you want to customize the default action, choose the options for that and fill in the details of your customization. For more information, see [Customized web requests and responses in Amazon WAF](waf-custom-request-response.md).

1. You can define a **Token domain list** to enable token sharing between protected applications. Tokens are used by the CAPTCHA and Challenge actions and by the application integration SDKs that you implement when you use the Amazon Managed Rules rule groups for Amazon WAF Fraud Control account creation fraud prevention (ACFP), Amazon WAF Fraud Control account takeover prevention (ATP), and Amazon WAF Bot Control. 

   Public suffixes aren't allowed. For example, you can't use `gov.au` or `co.uk` as a token domain.

   By default, Amazon WAF accepts tokens only for the domain of the protected resource. If you add token domains in this list, Amazon WAF accepts tokens for all domains in the list and for the domain of the associated resource. For more information, see [Amazon WAF protection pack (web ACL) token domain list configuration](waf-tokens-domains.md#waf-tokens-domain-lists).

1. Choose **Next**.

1. In the **Set rule priority** page, select and move your rules and rule groups to the order that you want Amazon WAF to process them. Amazon WAF processes rules starting from the top of the list. When you save the web ACL, Amazon WAF assigns numeric priority settings to the rules, in the order that you have them listed. For more information, see [Setting rule priority](web-acl-processing-order.md). 

1. Choose **Next**.

1. In the **Configure metrics** page, review the options and apply any updates that you need. You can combine metrics from multiple sources by providing the same **CloudWatch metric name** for them. 

1. Choose **Next**.

1. In the **Review and create web ACL** page, check over your definitions. If you want to change any area, choose **Edit** for the area. This returns you to the page in the web ACL wizard. Make any changes, then choose **Next** through the pages until you come back to the **Review and create web ACL** page.

1. Choose **Create web ACL**. Your new web ACL is listed in the **web ACLs** page.
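The same choices the wizard collects in both procedures above (name and metric name, scope and Region, rules with their priority order, the default action, immunity time, and token domains) map onto the input of the wafv2 `CreateWebACL` API. The following is an added example, not code from the Amazon WAF documentation: it assembles that request as a plain dict, applying the naming, Region and token-domain constraints this page describes, and makes no API call. The public-suffix stand-in, the metric-name pattern and the constructed rule values are assumptions for illustration; the resulting dict could be passed to `boto3.client("wafv2").create_web_acl(**request)`.

```python
import re

# Prefixes the page says not to use for your own rule names.
RESERVED_NAME_PREFIXES = ("AWS", "Shield", "PreFM", "PostFM")
RESERVED_METRIC_NAMES = {"All", "Default_Action"}
# Constructed stand-in for the Public Suffix List; the real check is far broader.
PUBLIC_SUFFIXES = {"com", "gov.au", "co.uk"}
# Assumption: "no special characters or white space" modelled as this pattern.
METRIC_NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,128}$")


def check_rule_name(name: str) -> str:
    """Reject names that could be confused with service-managed rule groups."""
    if name.startswith(RESERVED_NAME_PREFIXES):
        raise ValueError(f"rule name {name!r} starts with a reserved prefix")
    return name


def check_metric_name(metric: str) -> str:
    if metric in RESERVED_METRIC_NAMES or not METRIC_NAME_RE.match(metric):
        raise ValueError(f"invalid CloudWatch metric name {metric!r}")
    return metric


def check_token_domain(domain: str) -> str:
    """Public suffixes such as gov.au or co.uk can't be token domains."""
    if domain.lower().strip(".") in PUBLIC_SUFFIXES:
        raise ValueError(f"{domain!r} is a public suffix")
    return domain


def visibility(metric: str) -> dict:
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": check_metric_name(metric)}


def rate_limit_rule(name: str, limit: int) -> dict:
    """Rate-based rule: block each source IP that exceeds `limit` requests per 5 minutes."""
    return {"Name": name, "Action": {"Block": {}}, "VisibilityConfig": visibility(name),
            "Statement": {"RateBasedStatement": {"Limit": limit, "AggregateKeyType": "IP"}}}


def managed_rule_group(name: str, group: str, count_mode: bool) -> dict:
    """Amazon managed rule group reference; count_mode is the staged rollout the page advises."""
    return {"Name": name, "VisibilityConfig": visibility(name),
            "OverrideAction": {"Count": {}} if count_mode else {"None": {}},
            "Statement": {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": group}}}


def build_web_acl(name, scope, region, default_action, rules, token_domains=(),
                  captcha_immunity=300) -> dict:
    """Priorities follow list order, exactly as the Set rule priority page assigns them."""
    if scope == "CLOUDFRONT" and region != "us-east-1":
        raise ValueError("CloudFront web ACLs are stored in us-east-1")
    if default_action not in ("Allow", "Block"):
        raise ValueError("default action must be Allow or Block")
    numbered = [{**r, "Name": check_rule_name(r["Name"]), "Priority": i}
                for i, r in enumerate(rules)]
    return {"Name": name, "Scope": scope, "DefaultAction": {default_action: {}},
            "Rules": numbered, "VisibilityConfig": visibility(name),
            # Web ACL-level immunity time; rules without their own CaptchaConfig inherit it.
            "CaptchaConfig": {"ImmunityTimeProperty": {"ImmunityTime": captcha_immunity}},
            "TokenDomains": [check_token_domain(d) for d in token_domains]}
```

A rule that needs a different CAPTCHA immunity time carries its own `CaptchaConfig` key in its dict, which takes precedence over the web ACL-level value.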

------