Label match rule statement - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Label match rule statement

This section explains what a label match statement is and how it works.

The label match statement inspects the labels that are on the web request against a string specification. The labels that are available to a rule for inspection are those that have already been added to the web request by other rules in the same web ACL evaluation.

Labels don't persist outside of the web ACL evaluation, but you can access label metrics in CloudWatch and you can see summaries of label information for any web ACL in the AWS WAF console. For more information, see Label metrics and dimensions and Monitoring and tuning your AWS WAF protections. You can also see labels in the logs. For information, see Log fields for web ACL traffic.

Note

A label match statement can only see labels from rules that are evaluated earlier in the web ACL. For information about how AWS WAF evaluates the rules and rule groups in a web ACL, see Setting rule priority in a web ACL.

For more information about adding and matching labels, see Web request labeling in AWS WAF.

Rule statement characteristics

Nestable – You can nest this statement type.

WCUs – 1 WCU

This statement uses the following settings:

  • Match scope – Set this to Label to match against the label name and, optionally, the preceding namespaces and prefix. Set this to Namespace to match against some or all of the namespace specifications and, optionally, the preceding prefix.

  • Key – The string that you want to match against. If you specify a namespace match scope, this should only specify namespaces and optionally the prefix, with an ending colon. If you specify a label match scope, this must include the label name and can optionally include preceding namespaces and prefix.

For more information about these settings, see AWS WAF rules that match labels and AWS WAF label match examples.

Where to find this rule statement

  • Rule builder on the console – For Request option, choose Has label.

  • APILabelMatchStatement