AWS::WAFRegional::RateBasedRule
Note
This is AWS WAF Classic documentation. For more information, see AWS WAF Classic in the developer guide.
For the latest version of AWS WAF , use the AWS WAFV2 API and see the AWS WAF Developer Guide. With the latest version, AWS WAF has a single set of endpoints for regional and global use.
A RateBasedRule is identical to a regular Rule, with
one addition: a RateBasedRule counts the number of requests that arrive from a
specified IP address every five minutes. For example, based on recent requests that you've
seen from an attacker, you might create a RateBasedRule that includes the
following conditions:
-
The requests come from 192.0.2.44.
-
They contain the value
BadBotin theUser-Agentheader.
In the rule, you also define the rate limit as 15,000.
Requests that meet both of these conditions and exceed 15,000 requests every five minutes trigger the rule's action (block or count), which is defined in the web ACL.
Note you can only create rate-based rules using an AWS CloudFormation template. To add the rate-based rules created through AWS CloudFormation to a web ACL, use the AWS WAF console, API, or command line interface (CLI). For more information, see UpdateWebACL.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::WAFRegional::RateBasedRule", "Properties" : { "MatchPredicates" :[ Predicate, ... ], "MetricName" :String, "Name" :String, "RateKey" :String, "RateLimit" :Integer} }
YAML
Type: AWS::WAFRegional::RateBasedRule Properties: MatchPredicates:- PredicateMetricName:StringName:StringRateKey:StringRateLimit:Integer
Properties
MatchPredicates-
The
Predicatesobject contains onePredicateelement for eachByteMatchSet,IPSet, orSqlInjectionMatchSet>object that you want to include in aRateBasedRule.Required: No
Type: Array of Predicate
Update requires: No interruption
MetricName-
A name for the metrics for a
RateBasedRule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with maximum length 128 and minimum length one. It can't contain whitespace or metric names reserved for AWS WAF, including "All" and "Default_Action." You can't change the name of the metric after you create theRateBasedRule.Required: Yes
Type: String
Pattern:
.*\S.*Minimum:
1Maximum:
128Update requires: Replacement
Name-
A friendly name or description for a
RateBasedRule. You can't change the name of aRateBasedRuleafter you create it.Required: Yes
Type: String
Pattern:
.*\S.*Minimum:
1Maximum:
128Update requires: Replacement
RateKey-
The field that AWS WAF uses to determine if requests are likely arriving from single source and thus subject to rate monitoring. The only valid value for
RateKeyisIP.IPindicates that requests arriving from the same IP address are subject to theRateLimitthat is specified in theRateBasedRule.Required: Yes
Type: String
Allowed values:
IPUpdate requires: Replacement
RateLimit-
The maximum number of requests, which have an identical value in the field specified by the
RateKey, allowed in a five-minute period. If the number of requests exceeds theRateLimitand the other predicates specified in the rule are also met, AWS WAF triggers the action that is specified for this rule.Required: Yes
Type: Integer
Update requires: No interruption
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
For more information about using the Ref function, see Ref.
Fn::GetAtt
Examples
Associate an IPSet with a Rate-Based Rule
The following example associates the MyIPSetBlacklist
IPSet object with a rate-based rule.
JSON
"MyIPSetRateBasedRule" : { "Type": "AWS::WAFRegional::RateBasedRule", "Properties": { "Name": "MyIPSetRateBasedRule", "MetricName" : "MyIPSetRateBasedRule", "RateKey" : "IP", "RateLimit" : 8000 "MatchPredicates": [ { "DataId" : { "Ref" : "MyIPSetBlacklist" }, "Negated" : false, "Type" : "IPMatch" } ] } }
YAML
MyIPSetRateBasedRule: Type: "AWS::WAFRegional::RateBasedRule" Properties: Name: "MyIPSetRateBasedRule" MetricName: "MyIPSetRateBasedRule" RateKey : "IP" RateLimit : 8000 MatchPredicates: - DataId: Ref: "MyIPSetBlacklist" Negated: false Type: "IPMatch"
