Editing a web ACL - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Editing a web ACL

To add or remove rules from a web ACL or change configuration settings, access the web ACL using the procedure on this page. While updating a web ACL, Amazon WAF provides continuous coverage to the resources that you have associated with the web ACL.

Production traffic risk

Before you deploy changes in your web ACL for production traffic, test and tune them in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your updated rules in count mode with your production traffic before enabling them. For guidance, see Testing and tuning your Amazon WAF protections.


Using more than 1,500 WCUs in a web ACL incurs costs beyond the basic web ACL price. For more information, see Amazon WAF web ACL capacity units (WCUs) and Amazon WAF Pricing.

To edit a web ACL
  1. Sign in to the Amazon Web Services Management Console and open the Amazon WAF console at https://console.amazonaws.cn/wafv2/.

  2. In the navigation pane, choose Web ACLs.

  3. Choose the name of the web ACL that you want to edit. The console takes you to the web ACL's description.


    Web ACLs that are managed by Amazon Firewall Manager have names that start with FMManagedWebACLV2-. The Firewall Manager administrator manages these in Firewall Manager Amazon WAF policies. These web ACLs might contain rule group sets that are designated to run first and last in the web ACL, on either side of any rules or rule groups that you add and manage. You can't change any of these first and last rule group specifications. The first and last rule groups have names that start with PREFMManaged- and POSTFMManaged-, respectively. For more information about these policies, see Amazon WAF policies.

  4. Edit the web ACL as needed. Select the tabs for the configuration areas that you're interested in and edit the mutable settings. For each setting that you edit, when you choose Save and return to the web ACL's description page, the console saves your changes to the web ACL.

    The following lists the tabs that contain web ACL configuration components.

    • Rules tab

      • Rules defined in the web ACL – You can edit and manage the rules that you have defined in the web ACL similar to how you did during web ACL creation.


        Don't change the names of any rules that you didn't add by hand to your web ACL. If you are using other services to manage rules for you, changing their names could remove or lessen their ability to provide the intended protections. Amazon Shield Advanced and Amazon Firewall Manager both create rules in your web ACL. For information, see Rule groups provided by other services.


        If you change the name of a rule and you want the rule's metric name to reflect the change, you must update the metric name as well. Amazon WAF doesn't automatically update the metric name for a rule when you change the rule name. You can change the metric name when you edit the rule in the console, by using the rule JSON editor. You can also change both names through the APIs and in any JSON listing that you use to define your web ACL or rule group.

        For information about rules and rule group settings, see Amazon WAF rules and Amazon WAF rule groups.

      • Web ACL rule capacity units used – The current capacity usage for your web ACL. This is view only.

      • Default web ACL action for requests that don't match any rules– For information about this setting, see The web ACL default action.

      • Web ACL CAPTCHA and challenge configurations – These immunity times determine how long a CAPTCHA or challenge token remains valid after it's acquired. You can only modify this setting here, after you create the web ACL. For information about these settings, see Timestamp expiration: Amazon WAF token immunity times.

      • Token domain list – Amazon WAF accepts tokens for all domains in the list and for the domain of the associated resource. For more information, see Amazon WAF web ACL token domain list configuration.

    • Associated Amazon resources tab

      • Web request inspection size limit – Included only for web ACLs that protect CloudFront distributions. The body inspection size limit determines how much of the body component is forwarded to Amazon WAF for inspection. For more information about this setting, see Managing body inspection size limits.

      • Associated Amazon resources – The list of resources that the web ACL is currently associated with and protecting. You can locate resources that are within the same Region as the web ACL and associate them to the web ACL. For more information, see Associating or disassociating a web ACL with an Amazon resource.

    • Custom response bodies tab

    • Logging and metrics tab

Temporary inconsistencies during updates

When you create or change a web ACL or other Amazon WAF resources, the changes take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes.

The following are examples of the temporary inconsistencies that you might notice during change propagation:

  • After you create a web ACL, if you try to associate it with a resource, you might get an exception indicating that the web ACL is unavailable.

  • After you add a rule group to a web ACL, the new rule group rules might be in effect in one area where the web ACL is used and not in another.

  • After you change a rule action setting, you might see the old action in some places and the new action in others.

  • After you add an IP address to an IP set that is in use in a blocking rule, the new address might be blocked in one area while still allowed in another.