

**Introducing a new console experience for AWS WAF**

You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html). 

# Configuring protection in AWS WAF
<a name="web-acl"></a>

This page explains what protection packs (web ACLs) are and how they work.

 A protection pack (web ACL) gives you fine-grained control over all of the HTTP(S) web requests that your protected resource responds to. You can protect Amazon CloudFront, Amazon API Gateway, Application Load Balancer, AWS AppSync, Amazon Cognito, AWS App Runner, AWS Amplify, Amazon CloudWatch, and AWS Verified Access resources.

You can use criteria like the following to allow or block requests: 
+ IP address origin of the request
+ Country of origin of the request
+ String match or regular expression (regex) match in a part of the request
+ Size of a particular part of the request
+ Detection of malicious SQL code or scripting 

You can also test for any combination of these conditions. You can block or count web requests that not only meet the specified conditions, but also exceed a specified number of requests in a single minute. You can combine conditions using logical operators. You can also run CAPTCHA puzzles and silent client session challenges against requests. 

You provide your matching criteria and the action to take on matches in AWS WAF rule statements. You can define rule statements directly inside your protection pack (web ACL) and in reusable rule groups that you use in your protection pack (web ACL). For a full list of the options, see [Using rule statements in AWS WAF](waf-rule-statements.md) and [Using rule actions in AWS WAF](waf-rule-action.md).

When you create a protection pack (web ACL), you specify the types of resources that you want to use it with. For information, see [Creating a protection pack (web ACL) in AWS WAF](web-acl-creating.md). After you define a protection pack (web ACL), you can associate it with your resources to begin providing protection for them. For more information, see [Associating or disassociating protection with an AWS resource](web-acl-associating-aws-resource.md). 

**Note**  
On some occasions, AWS WAF might encounter an internal error that delays the response to associated AWS resources about whether to allow or block a request. On those occasions, CloudFront typically allows the request or serves the content (it fails open), while the Regional services typically deny the request and don't serve the content (they fail closed). Keep this difference in mind when you decide which resource type fronts an application for which an unfiltered request is worse than a dropped one.

**Production traffic risk**  
Before you deploy changes in your protection pack (web ACL) for production traffic, test and tune them in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your updated rules in count mode with your production traffic before enabling them. For guidance, see [Testing and tuning your AWS WAF protections](web-acl-testing.md).

**Note**  
Using more than 1,500 WCUs in a protection pack (web ACL) incurs costs beyond the basic protection pack (web ACL) price. For more information, see [Web ACL capacity units (WCUs) in AWS WAF](aws-waf-capacity-units.md) and [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).

**Temporary inconsistencies during updates**  
When you create or change a protection pack (web ACL) or other AWS WAF resources, the changes take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes. 

The following are examples of the temporary inconsistencies that you might notice during change propagation: 
+ After you create a protection pack (web ACL), if you try to associate it with a resource, you might get an exception indicating that the protection pack (web ACL) is unavailable. 
+ After you add a rule group to a protection pack (web ACL), the new rule group rules might be in effect in one area where the protection pack (web ACL) is used and not in another.
+ After you change a rule action setting, you might see the old action in some places and the new action in others. 
+ After you add an IP address to an IP set that is in use in a blocking rule, the new address might be blocked in one area while still allowed in another.
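The first inconsistency above is the one automation hits most often: `AssociateWebACL` issued right after `CreateWebACL` can be rejected until the new web ACL has propagated. The helper below, an added example written for this page and not AWS code, retries only the propagation error (`WAFUnavailableEntityException`, the name boto3's wafv2 client gives that exception) with bounded exponential backoff and raises anything else immediately, so a permissions or validation problem is not hidden behind retries. The `FakeWafClient` and the ARNs are constructed stand-ins; in practice you pass `boto3.client("wafv2", region_name=...)`, whose `associate_web_acl` takes the same two parameters.

```python
"""Retry AssociateWebACL while a newly created web ACL propagates (added example)."""
import time

RETRYABLE = {"WAFUnavailableEntityException"}  # raised while propagation is incomplete


def associate_with_retry(client, web_acl_arn, resource_arn,
                         attempts=8, base_delay=2.0, sleep=time.sleep):
    """Call client.associate_web_acl until it succeeds or attempts run out.

    Returns the attempt number that succeeded. Only the propagation exception is
    retried; access-denied, validation and other errors are re-raised at once.
    """
    for attempt in range(1, attempts + 1):
        try:
            client.associate_web_acl(WebACLArn=web_acl_arn, ResourceArn=resource_arn)
            return attempt
        except Exception as exc:  # boto3 raises client.exceptions.<Name>, a ClientError subclass
            if type(exc).__name__ not in RETRYABLE or attempt == attempts:
                raise
            sleep(min(base_delay * 2 ** (attempt - 1), 30.0))  # cap each wait at 30 s


class WAFUnavailableEntityException(Exception):
    """Constructed stand-in carrying the same class name as the real boto3 error."""


class FakeWafClient:
    """Constructed stand-in for boto3's wafv2 client: fails `failures` times, then succeeds."""

    def __init__(self, failures):
        self.failures = failures
        self.calls = []

    def associate_web_acl(self, WebACLArn, ResourceArn):
        self.calls.append((WebACLArn, ResourceArn))
        if len(self.calls) <= self.failures:
            raise WAFUnavailableEntityException("web ACL not yet available")
        return {}


def demo():
    """Associate a placeholder web ACL with a placeholder ALB; returns (attempts, waits)."""
    client = FakeWafClient(failures=3)
    waits = []  # the sleep hook records the back-off schedule instead of sleeping
    used = associate_with_retry(
        client,
        "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/demo/00000000",      # placeholder
        "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/demo/0",  # placeholder
        sleep=waits.append)
    return used, waits
```

Because the same propagation window applies to rule and IP set changes, the same pattern (retry the unavailable-entity error only, bounded attempts, then surface the failure) fits any step in a deployment pipeline that reads back or builds on a resource it just changed.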

**Topics**
+ [Creating a protection pack (web ACL) in AWS WAF](web-acl-creating.md)
+ [Editing a protection pack (web ACL) in AWS WAF](web-acl-editing.md)
+ [Managing rule group behavior](web-acl-rule-group-settings.md)
+ [Associating or disassociating protection with an AWS resource](web-acl-associating-aws-resource.md)
+ [Using protection packs (web ACLs) with rules and rule groups in AWS WAF](web-acl-processing.md)
+ [Setting the protection pack (web ACL) default action in AWS WAF](web-acl-default-action.md)
+ [Considerations for managing body inspection in AWS WAF](web-acl-setting-body-inspection-limit.md)
+ [Configuring CAPTCHA, challenge, and tokens in AWS WAF](web-acl-captcha-challenge-token-domains.md)
+ [Viewing web traffic metrics in AWS WAF](web-acl-working-with.md)
+ [Deleting a protection pack (web ACL)](web-acl-deleting.md)

# Creating a protection pack (web ACL) in AWS WAF
<a name="web-acl-creating"></a>

------
#### [ Using the new console ]

This section provides procedures for creating protection packs (web ACLs) through the new AWS console. 

To create a new protection pack (web ACL), use the protection pack (web ACL) creation wizard following the procedure on this page. 

**Production traffic risk**  
Before you deploy changes in your protection pack (web ACL) for production traffic, test and tune them in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your updated rules in count mode with your production traffic before enabling them. For guidance, see [Testing and tuning your AWS WAF protections](web-acl-testing.md).

**Note**  
Using more than 1,500 WCUs in a protection pack (web ACL) incurs costs beyond the basic protection pack (web ACL) price. For more information, see [Web ACL capacity units (WCUs) in AWS WAF](aws-waf-capacity-units.md) and [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).

1. Sign in to the new AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2-pro](https://console.aws.amazon.com/wafv2-pro). 

1. In the navigation pane, choose **Resources & protection packs (web ACLs)**.

1. On the **Resources & protection packs (web ACLs)** page, choose **Add protection pack (web ACL)**.

1. Under **Tell us about your app**, for **App category**, select one or more app categories.

1. For **Traffic source**, choose the type of traffic the application engages with; **API**, **Web**, or **Both API and Web**.

1. Under **Resources to protect,** choose **Add resources**.

1. Choose the category of AWS resource that you want to associate with this protection pack (web ACL), either Amazon CloudFront distributions or Regional resources. For more information, see [Associating or disassociating protection with an AWS resource](web-acl-associating-aws-resource.md). 

1. Under **Choose initial protections,** select your preferred protection level: **Recommended**, **Essentials**, or **You build it**. 

1. (Optional) If you choose **You build it**, build your rules.

   1. (Optional) If you want to add your own rule, on the **Add rules** page, choose **Custom rule** and then choose **Next**.

      1. Choose the rule type.

      1. For **Action**, select the action you want the rule to take when it matches a web request. For information on your choices, see [Using rule actions in AWS WAF](waf-rule-action.md) and [Using protection packs (web ACLs) with rules and rule groups in AWS WAF](web-acl-processing.md).

         If you are using the **CAPTCHA** or **Challenge** action, adjust the **Immunity time** configuration as needed for the rule. If you don't specify the setting, the rule inherits it from the protection pack (web ACL). To modify the protection pack (web ACL) immunity time settings, edit the protection pack (web ACL) after you create it. For more information about immunity times, see [Setting timestamp expiration and token immunity times in AWS WAF](waf-tokens-immunity-times.md).
**Note**  
You are charged additional fees when you use the CAPTCHA or Challenge rule action in one of your rules or as a rule action override in a rule group. For more information, see [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).

         If you want to customize the request or response, choose the options for that and fill in the details of your customization. For more information, see [Customized web requests and responses in AWS WAF](waf-custom-request-response.md).

         If you want to have your rule add labels to matching web requests, choose the options for that and fill in your label details. For more information, see [Web request labeling in AWS WAF](waf-labels.md).

      1. For **Name**, enter the name that you want to use to identify this rule. Don't use names that start with `AWS`, `Shield`, `PreFM`, or `PostFM`. These strings are either reserved or could cause confusion with rule groups that are managed for you by other services.

      1. Enter your rule definition, according to your needs. You can combine rules inside logical `AND` and `OR` rule statements. The wizard guides you through the options for each rule, according to context. For information about your rules options, see [AWS WAF rules](waf-rules.md). 

      1. Choose **Create rule**.
**Note**  
If you add more than one rule to a protection pack (web ACL), AWS WAF evaluates the rules in the order that they're listed for the protection pack (web ACL). For more information, see [Using protection packs (web ACLs) with rules and rule groups in AWS WAF](web-acl-processing.md).

   1. (Optional) If you want to add managed rule groups, on the **Add rules** page, choose **AWS-managed rule group** or **AWS Marketplace rule group** and then choose **Next**. Do the following for each managed rule group that you want to add:

      1. On the **Add rules** page, expand the listing for AWS managed rule groups or for the AWS Marketplace seller.

      1. Choose the version of the rule group.

      1. To customize how your protection pack (web ACL) uses the rule group, choose **Edit**. The following are common customization settings: 
         + Reduce the scope of the web requests that the rule group inspects by adding a scope-down statement in the **Inspection** section. For information about this option, see [Using scope-down statements in AWS WAF](waf-rule-scope-down-statements.md).
         + Override the rule actions for some or all rules in **Rule overrides**. If you don't define an override action for a rule, the evaluation uses the rule action that's defined inside the rule group. For information about this option, see [Overriding rule group actions in AWS WAF](web-acl-rule-group-override-options.md). 
         + Some managed rule groups require you to provide additional configuration. See the documentation from your managed rule group provider. For information specific to the AWS Managed Rules rule groups, see [AWS Managed Rules for AWS WAF](aws-managed-rule-groups.md). 

      1. Choose **Next**.

   1. (Optional) If you want to add your own rule group, on the **Add rules** page, choose **Custom rule group** and then choose **Next**. Do the following for each rule group that you want to add:

      1. For **Name**, enter the name that you want to use for the rule group rule in this protection pack (web ACL). Don't use names that start with `AWS`, `Shield`, `PreFM`, or `PostFM`. These strings are either reserved or could cause confusion with rule groups that are managed for you by other services. See [Recognizing rule groups provided by other services](waf-service-owned-rule-groups.md). 

      1. Choose your rule group from the list. 

      1. (Optional) Under **Rule configuration**, choose a **Rule override**. You can override the rule actions to any valid action setting, the same as you can do for managed rule groups.

      1. (Optional) Under **Add labels**, choose **Add label** and then enter any labels you want to add to requests that match the rule. Rules that are evaluated later in the same protection pack (web ACL) can reference the labels this rule adds.

      1. Choose **Create rule**.

1. Under **Name and description**, enter a name for your protection pack (web ACL). Optionally, enter a description.
**Note**  
You can't change the name after you create the protection pack (web ACL).

1. (Optional) Under **Customize protection pack (web ACL)**, configure default rule actions, configurations, and logging destination:

   1. (Optional) Under **Default rule actions**, choose the default action for the protection pack (web ACL). This is the action that AWS WAF takes on a request when the rules in the protection pack (web ACL) don't explicitly allow or block it. For more information, see [Setting the protection pack (web ACL) default action in AWS WAF](web-acl-default-action.md). To customize the response that the default action returns, see [Customized web requests and responses in AWS WAF](waf-custom-request-response.md).

   1. (Optional) Under **Rule configuration**, customize settings for rules in the protection pack (web ACL):
      + **Default rate limits** - Set rate limits to block Denial of Service (DoS) attacks that can affect availability, compromise security, or consume excessive resources. This rate-based rule blocks requests from any IP address that exceeds the allowed rate for your application. For more information, see [Using rate-based rule statements in AWS WAF](waf-rule-statement-type-rate-based.md).
      + **IP Addresses** - Enter IP addresses to block or allow. This setting overrides other rules.
      + **Country specific origins** - Block requests from specified countries, or count all traffic from them.

   1. For **Logging destination**, configure the logging destination type and the place to store logs. For more information, see [AWS WAF logging destinations](logging-destinations.md).

1. Review your settings and choose **Add protection pack (web ACL)**.

------
#### [ Using the standard console ]

This section provides procedures for creating web ACLs through the AWS console. 

To create a new web ACL, use the web ACL creation wizard following the procedure on this page. 

**Production traffic risk**  
Before you deploy changes in your web ACL for production traffic, test and tune them in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your updated rules in count mode with your production traffic before enabling them. For guidance, see [Testing and tuning your AWS WAF protections](web-acl-testing.md).

**Note**  
Using more than 1,500 WCUs in a protection pack (web ACL) incurs costs beyond the basic protection pack (web ACL) price. For more information, see [Web ACL capacity units (WCUs) in AWS WAF](aws-waf-capacity-units.md) and [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).

**To create a web ACL**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. Choose **web ACLs** in the navigation pane, and then choose **Create web ACL**.

1. For **Name**, enter the name that you want to use to identify this web ACL. 
**Note**  
You can't change the name after you create the web ACL.

1. (Optional) For **Description - optional**, enter a longer description for the web ACL if you want to. 

1. For **CloudWatch metric name**, change the default name if applicable. Follow the guidance on the console for valid characters. The name can't contain special characters, white space, or metric names reserved for AWS WAF, including `All` and `Default_Action`.
**Note**  
You can't change the CloudWatch metric name after you create the web ACL.

1. Under **Resource type**, choose the category of AWS resource that you want to associate with this web ACL, either Amazon CloudFront distributions or Regional resources. For more information, see [Associating or disassociating protection with an AWS resource](web-acl-associating-aws-resource.md).

1. For **Region**, if you've chosen a Regional resource type, choose the Region where you want AWS WAF to store the web ACL. 

   You only need to choose this option for Regional resource types. For CloudFront distributions, the Region is hard-coded to the US East (N. Virginia) Region, `us-east-1`, for Global (CloudFront) applications.

1. (CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access) For **Web request inspection size limit - optional**, if you want to specify a different body inspection size limit, select the limit. Inspecting body sizes over the default of 16 KB can incur additional costs. For information about this option, see [Considerations for managing body inspection in AWS WAF](web-acl-setting-body-inspection-limit.md). 

1. (Optional) For **Associated AWS resources - optional**, if you want to specify your resources now, choose **Add AWS resources**. In the dialog box, choose the resources that you want to associate, and then choose **Add**. AWS WAF returns you to the **Describe web ACL and associated AWS resources** page.
**Note**  
When you choose to associate an Application Load Balancer with your web ACL, **Resource-level DDoS protection** is enabled. For more information, see [AWS WAF Distributed Denial of Service (DDoS) prevention](waf-anti-ddos.md).

1. Choose **Next**.

1. (Optional) If you want to add managed rule groups, on the **Add rules and rule groups** page, choose **Add rules**, and then choose **Add managed rule groups**. Do the following for each managed rule group that you want to add:

   1. On the **Add managed rule groups** page, expand the listing for AWS managed rule groups or for the AWS Marketplace seller of your choice.

   1. For the rule group that you want to add, in the **Action** column, turn on the **Add to web ACL** toggle. 

      To customize how your web ACL uses the rule group, choose **Edit**. The following are common customization settings: 
      + Override the rule actions for some or all rules. If you don't define an override action for a rule, the evaluation uses the rule action that's defined inside the rule group. For information about this option, see [Overriding rule group actions in AWS WAF](web-acl-rule-group-override-options.md). 
      + Reduce the scope of the web requests that the rule group inspects by adding a scope-down statement. For information about this option, see [Using scope-down statements in AWS WAF](waf-rule-scope-down-statements.md).
      + Some managed rule groups require you to provide additional configuration. See the documentation from your managed rule group provider. For information specific to the AWS Managed Rules rule groups, see [AWS Managed Rules for AWS WAF](aws-managed-rule-groups.md). 

      When you're finished with your settings, choose **Save rule**.

   Choose **Add rules** to finish adding managed rules and return to the **Add rules and rule groups** page.
**Note**  
If you add more than one rule to a web ACL, AWS WAF evaluates the rules in the order that they're listed for the web ACL. For more information, see [Using protection packs (web ACLs) with rules and rule groups in AWS WAF](web-acl-processing.md).

1. (Optional) If you want to add your own rule group, on the **Add rules and rule groups** page, choose **Add rules**, and then choose **Add my own rules and rule groups**. Do the following for each rule group that you want to add:

   1. On the **Add my own rules and rule groups** page, choose **Rule group**.

   1. For **Name**, enter the name that you want to use for the rule group rule in this web ACL. Don't use names that start with `AWS`, `Shield`, `PreFM`, or `PostFM`. These strings are either reserved or could cause confusion with rule groups that are managed for you by other services. See [Recognizing rule groups provided by other services](waf-service-owned-rule-groups.md). 

   1. Choose your rule group from the list. 
**Note**  
If you want to override the rule actions for a rule group of your own, first save it to the web ACL, and then edit the web ACL and the rule group reference statement in the web ACL's rule listing. You can override the rule actions to any valid action setting, the same as you can do for managed rule groups.

   1. Choose **Add rule**.

1. (Optional) If you want to add your own rule, on the **Add rules and rule groups** page, choose **Add rules**, **Add my own rules and rule groups**, **Rule builder**, then **Rule visual editor**. 
**Note**  
The console **Rule visual editor** supports one level of nesting. For example, you can use a single logical `AND` or `OR` statement and nest one level of other statements inside it, but you can't nest logical statements within logical statements. To manage more complex rule statements, use the **Rule JSON editor**. For information about all options for rules, see [AWS WAF rules](waf-rules.md).   
This procedure covers the **Rule visual editor**. 

   1. For **Name**, enter the name that you want to use to identify this rule. Don't use names that start with `AWS`, `Shield`, `PreFM`, or `PostFM`. These strings are either reserved or could cause confusion with rule groups that are managed for you by other services.

   1. Enter your rule definition, according to your needs. You can combine rules inside logical `AND` and `OR` rule statements. The wizard guides you through the options for each rule, according to context. For information about your rules options, see [AWS WAF rules](waf-rules.md). 

   1. For **Action**, select the action you want the rule to take when it matches a web request. For information on your choices, see [Using rule actions in AWS WAF](waf-rule-action.md) and [Using protection packs (web ACLs) with rules and rule groups in AWS WAF](web-acl-processing.md).

      If you are using the **CAPTCHA** or **Challenge** action, adjust the **Immunity time** configuration as needed for the rule. If you don't specify the setting, the rule inherits it from the web ACL. To modify the web ACL immunity time settings, edit the web ACL after you create it. For more information about immunity times, see [Setting timestamp expiration and token immunity times in AWS WAF](waf-tokens-immunity-times.md).
**Note**  
You are charged additional fees when you use the CAPTCHA or Challenge rule action in one of your rules or as a rule action override in a rule group. For more information, see [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).

      If you want to customize the request or response, choose the options for that and fill in the details of your customization. For more information, see [Customized web requests and responses in AWS WAF](waf-custom-request-response.md).

      If you want to have your rule add labels to matching web requests, choose the options for that and fill in your label details. For more information, see [Web request labeling in AWS WAF](waf-labels.md).

   1. Choose **Add rule**.

1. Choose the default action for the web ACL, either Block or Allow. This is the action that AWS WAF takes on a request when the rules in the web ACL don't explicitly allow or block it. For more information, see [Setting the protection pack (web ACL) default action in AWS WAF](web-acl-default-action.md).

   If you want to customize the default action, choose the options for that and fill in the details of your customization. For more information, see [Customized web requests and responses in AWS WAF](waf-custom-request-response.md).

1. You can define a **Token domain list** to enable token sharing between protected applications. Tokens are used by the CAPTCHA and Challenge actions and by the application integration SDKs that you implement when you use the AWS Managed Rules rule groups for AWS WAF Fraud Control account creation fraud prevention (ACFP), AWS WAF Fraud Control account takeover prevention (ATP), and AWS WAF Bot Control. 

   Public suffixes aren't allowed. For example, you can't use `gov.au` or `co.uk` as a token domain.

   By default, AWS WAF accepts tokens only for the domain of the protected resource. If you add token domains in this list, AWS WAF accepts tokens for all domains in the list and for the domain of the associated resource. For more information, see [AWS WAF protection pack (web ACL) token domain list configuration](waf-tokens-domains.md#waf-tokens-domain-lists).

1. Choose **Next**.

1. In the **Set rule priority** page, select and move your rules and rule groups to the order that you want AWS WAF to process them. AWS WAF processes rules starting from the top of the list. When you save the web ACL, AWS WAF assigns numeric priority settings to the rules, in the order that you have them listed. For more information, see [Setting rule priority](web-acl-processing-order.md). 

1. Choose **Next**.

1. In the **Configure metrics** page, review the options and apply any updates that you need. You can combine metrics from multiple sources by providing the same **CloudWatch metric name** for them. 

1. Choose **Next**.

1. In the **Review and create web ACL** page, check over your definitions. If you want to change any area, choose **Edit** for the area. This returns you to the page in the web ACL wizard. Make any changes, then choose **Next** through the pages until you come back to the **Review and create web ACL** page.

1. Choose **Create web ACL**. Your new web ACL is listed in the **web ACLs** page.
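The definition that the wizard steps above assemble, written out as the JSON that the console's **Rule JSON editor** and `aws wafv2 create-web-acl --cli-input-json file://webacl.json` accept. This is an added example written for this page, not code from AWS: the rule names, metric names, rate limit, IP set ARN, account ID and token domain are placeholders. The `count_mode` switch applies the count-mode advice under **Production traffic risk** to every rule at once (using `OverrideAction` for the managed rule group, which is how a rule group is put in count mode), and `validate_web_acl` checks the constraints the procedure states: reserved rule-name prefixes, reserved metric names, unique priorities, public suffixes in the token domain list, and `Action` versus `OverrideAction` on rule group references.

```python
"""Assemble and sanity-check a web ACL definition (added example, not AWS code).

The dict built here is the JSON shape accepted by the console's Rule JSON editor
and by `aws wafv2 create-web-acl --cli-input-json file://webacl.json`. Names,
metric names, the rate limit, the IP set ARN and the token domain are placeholders.
"""
import json

RESERVED_PREFIXES = ("AWS", "Shield", "PreFM", "PostFM")  # rule names that belong to other services
RESERVED_METRICS = {"All", "Default_Action"}               # CloudWatch metric names AWS WAF reserves
PUBLIC_SUFFIXES = {"gov.au", "co.uk"}   # only the two the page names; use the public suffix list in practice
ACTIONS = {"Allow", "Block", "Count", "CAPTCHA", "Challenge"}
GROUP_STATEMENTS = ("ManagedRuleGroupStatement", "RuleGroupReferenceStatement")


def visibility(metric_name):
    """VisibilityConfig block that every rule and the web ACL itself must carry."""
    return {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True,
            "MetricName": metric_name}


def build_web_acl(ip_set_arn, rate_limit=2000, count_mode=False):
    """Regional web ACL: IP deny list, per-IP rate limit, AWS managed rules, default Allow.

    count_mode=True puts every rule in Count so the ACL can be tuned against
    production traffic before it blocks anything.
    """
    def action(default):
        # rule groups take OverrideAction; Count there overrides every rule in the group
        return {"Count": {}} if count_mode else default

    rules = [
        {"Name": "block-known-bad-ips", "Priority": 0,           # evaluated first
         "Statement": {"IPSetReferenceStatement": {"ARN": ip_set_arn}},
         "Action": action({"Block": {}}),
         "VisibilityConfig": visibility("BlockKnownBadIps")},
        {"Name": "rate-limit-per-ip", "Priority": 1,             # 60 s evaluation window
         "Statement": {"RateBasedStatement": {"Limit": rate_limit,
                                              "EvaluationWindowSec": 60,
                                              "AggregateKeyType": "IP"}},
         "Action": action({"Block": {}}),
         "VisibilityConfig": visibility("RateLimitPerIp")},
        {"Name": "aws-common-rules", "Priority": 2,
         "Statement": {"ManagedRuleGroupStatement": {
             "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}},
         "OverrideAction": action({"None": {}}),
         "VisibilityConfig": visibility("AwsCommonRules")},
    ]
    return {"Name": "demo-web-acl", "Scope": "REGIONAL",
            "Description": "example web ACL for the configuration page",
            "DefaultAction": {"Allow": {}}, "Rules": rules,
            "VisibilityConfig": visibility("DemoWebAcl"),
            "TokenDomains": ["example.com"]}


def validate_web_acl(acl):
    """Return the list of problems found; an empty list means the checks pass."""
    problems = []
    names, priorities = set(), set()
    if acl["VisibilityConfig"]["MetricName"] in RESERVED_METRICS:
        problems.append("web ACL metric name is reserved")
    for domain in acl.get("TokenDomains", []):
        if domain in PUBLIC_SUFFIXES:
            problems.append(f"token domain {domain!r} is a public suffix")
    for rule in acl["Rules"]:
        name, prio = rule["Name"], rule["Priority"]
        if name.startswith(RESERVED_PREFIXES):
            problems.append(f"rule {name!r} uses a reserved name prefix")
        if name in names:
            problems.append(f"duplicate rule name {name!r}")
        if prio in priorities:
            problems.append(f"duplicate priority {prio} on rule {name!r}")
        names.add(name)
        priorities.add(prio)
        is_group = any(key in rule["Statement"] for key in GROUP_STATEMENTS)
        wrong_key = "Action" if is_group else "OverrideAction"
        if wrong_key in rule:
            problems.append(f"rule {name!r}: rule groups take OverrideAction, other rules take Action")
        for act in rule.get("Action", {}):
            if act not in ACTIONS:
                problems.append(f"rule {name!r}: unknown action {act!r}")
        if rule["VisibilityConfig"]["MetricName"] in RESERVED_METRICS:
            problems.append(f"rule {name!r}: reserved metric name")
    return problems


def to_cli_json(acl):
    """Serialise for --cli-input-json."""
    return json.dumps(acl, indent=2)
```

Write `to_cli_json(build_web_acl(arn, count_mode=True))` to a file for the first deployment, review the sampled requests and metrics, then regenerate with `count_mode=False` and apply the change with `update-web-acl`. The validator does not compute WCUs, so the 1,500 WCU threshold in the note above still has to be checked against the capacity the console or `check-capacity` reports.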

------

# Editing a protection pack (web ACL) in AWS WAF
<a name="web-acl-editing"></a>

------
#### [ Using the new console ]

This section provides procedures for editing protection packs (web ACLs) through the AWS console. 

To add or remove rules from a protection pack (web ACL) or change configuration settings, access the protection pack (web ACL) using the procedure on this page. While updating a protection pack (web ACL), AWS WAF provides continuous coverage to the resources that you have associated with the protection pack (web ACL). 

**Production traffic risk**  
Before you deploy changes in your protection pack (web ACL) for production traffic, test and tune them in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your updated rules in count mode with your production traffic before enabling them. For guidance, see [Testing and tuning your AWS WAF protections](web-acl-testing.md).

**Note**  
Using more than 1,500 WCUs in a protection pack (web ACL) incurs costs beyond the basic protection pack (web ACL) price. For more information, see [Web ACL capacity units (WCUs) in AWS WAF](aws-waf-capacity-units.md) and [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).

**To edit a protection pack (web ACL)**

1. Sign in to the new AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2-pro](https://console.aws.amazon.com/wafv2-pro). 

1. In the navigation pane, choose **Resources & protection packs (web ACLs)**.

1. Choose the protection pack (web ACL) that you want to edit. The console makes the main protection pack (web ACL) card editable, and also opens a side pane with details you can edit.

1. Edit the protection pack (web ACL) as needed. 

   The following lists the editable protection pack (web ACL) configuration components. 


------
#### [ Using the standard console ]

This section provides procedures for editing web ACLs through the AWS console. 

To add or remove rules from a web ACL or change configuration settings, access the web ACL using the procedure on this page. While updating a web ACL, AWS WAF provides continuous coverage to the resources that you have associated with the web ACL. 

**Production traffic risk**  
Before you deploy changes in your web ACL for production traffic, test and tune them in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your updated rules in count mode with your production traffic before enabling them. For guidance, see [Testing and tuning your AWS WAF protections](web-acl-testing.md).

**Note**  
Using more than 1,500 WCUs in a protection pack (web ACL) incurs costs beyond the basic protection pack (web ACL) price. For more information, see [Web ACL capacity units (WCUs) in AWS WAF](aws-waf-capacity-units.md) and [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).

**To edit a web ACL**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. In the navigation pane, choose **web ACLs**.

1. Choose the name of the web ACL that you want to edit. The console takes you to the web ACL's description. 

1. Edit the web ACL as needed. Select the tabs for the configuration areas that you're interested in and edit the mutable settings. For each setting that you edit, when you choose **Save** and return to the web ACL's description page, the console saves your changes to the web ACL. 

   The following lists the tabs that contain web ACL configuration components. 
   + **Rules** tab
     + **Rules defined in the web ACL** – You can edit and manage the rules that you have defined in the web ACL, similar to how you did during web ACL creation. 
**Note**  
Don't change the names of any rules that you didn't add by hand to your web ACL. If you are using other services to manage rules for you, changing their names could remove or lessen their ability to provide the intended protections. AWS Shield Advanced and AWS Firewall Manager both can create rules in your web ACL. For information, see [Recognizing rule groups provided by other services](waf-service-owned-rule-groups.md).
**Note**  
If you change the name of a rule and you want the rule's metric name to reflect the change, you must update the metric name as well. AWS WAF doesn't automatically update the metric name for a rule when you change the rule name. You can change the metric name when you edit the rule in the console, by using the rule JSON editor. You can also change both names through the APIs and in any JSON listing that you use to define your protection pack (web ACL) or rule group.

       For information about rules and rule group settings, see [AWS WAF rules](waf-rules.md) and [AWS WAF rule groups](waf-rule-groups.md).
     + **web ACL rule capacity units used** – The current capacity usage for your web ACL. This is view only. 
     + **Default web ACL action for requests that don't match any rules** – For information about this setting, see [Setting the protection pack (web ACL) default action in AWS WAF](web-acl-default-action.md). 
     + **web ACL CAPTCHA and challenge configurations** – These immunity times determine how long a CAPTCHA or challenge token remains valid after it's acquired. You can only modify this setting here, after you create the web ACL. For information about these settings, see [Setting timestamp expiration and token immunity times in AWS WAF](waf-tokens-immunity-times.md).
     + **Token domain list** – AWS WAF accepts tokens for all domains in the list and for the domain of the associated resource. For more information, see [AWS WAF protection pack (web ACL) token domain list configuration](waf-tokens-domains.md#waf-tokens-domain-lists).
   + **Associated AWS resources** tab
     + **Web request inspection size limit** – Included only for web ACLs that protect CloudFront distributions. The body inspection size limit determines how much of the body component is forwarded to AWS WAF for inspection. For more information about this setting, see [Considerations for managing body inspection in AWS WAF](web-acl-setting-body-inspection-limit.md).
     + **Associated AWS resources** – The list of resources that the web ACL is currently associated with and protecting. You can locate resources that are within the same Region as the web ACL and associate them to the web ACL. For more information, see [Associating or disassociating protection with an AWS resource](web-acl-associating-aws-resource.md).
   + **Custom response bodies** tab
     + Custom response bodies that are available for use by your web ACL rules that have the action set to Block. For more information, see [Sending custom responses for Block actions](customizing-the-response-for-blocked-requests.md).
   + **Logging and metrics** tab
     + **Logging** – Logging for the traffic that the web ACL evaluates. For information, see [Logging AWS WAF protection pack (web ACL) traffic](logging.md).
     + **Security Lake integration** – The status of any data collection that you've configured for the web ACL in Amazon Security Lake. For information, see [Collecting data from AWS services](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html) in the *Amazon Security Lake user guide*. 
     + **Sampled requests** – Information about the rules that match web requests. For information about viewing sampled requests, see [Viewing a sample of web requests](web-acl-testing-view-sample.md).
     + **Data protection settings** – You can configure web traffic data redaction and filtering for all data that's available for the web ACL and for just the data that the AWS WAF sends to the configured web ACL logging destination. For information about data protection, see [Data protection and logging for AWS WAF protection pack (web ACL) traffic](waf-data-protection-and-logging.md). 
     + **CloudWatch metrics** – Metrics for the rules in your web ACL. For information about Amazon CloudWatch metrics, see [Monitoring with Amazon CloudWatch](monitoring-cloudwatch.md). 

**Temporary inconsistencies during updates**  
When you create or change a protection pack (web ACL) or other AWS WAF resources, the changes take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes. 

The following are examples of the temporary inconsistencies that you might notice during change propagation: 
+ After you create a protection pack (web ACL), if you try to associate it with a resource, you might get an exception indicating that the protection pack (web ACL) is unavailable. 
+ After you add a rule group to a protection pack (web ACL), the new rule group rules might be in effect in one area where the protection pack (web ACL) is used and not in another.
+ After you change a rule action setting, you might see the old action in some places and the new action in others. 
+ After you add an IP address to an IP set that is in use in a blocking rule, the new address might be blocked in one area while still allowed in another.

------

# Managing rule group behavior
<a name="web-acl-rule-group-settings"></a>

This section describes your options for modifying how you use a rule group in your protection pack (web ACL). This information applies to all rule group types. After you add a rule group to a protection pack (web ACL), you can override the actions of the individual rules in the rule group to Count or to any other valid rule action setting. You can also override the rule group's resulting action to Count, which has no effect on how the rules are evaluated inside the rule group. 

For information about these options, see [Overriding rule group actions in AWS WAF](web-acl-rule-group-override-options.md).

## Overriding rule actions in a rule group
<a name="web-acl-rule-group-rule-action-override"></a>

For each rule group in a protection pack (web ACL), you can override the contained rules' actions for some or all of the rules. 

The most common use case for this is overriding the rule actions to Count to test new or updated rules. If you have metrics enabled, you receive metrics for each rule that you override. For more information about testing, see [Testing and tuning your AWS WAF protections](web-acl-testing.md).

You can make these changes when you're adding a managed rule group to the protection pack (web ACL), and you can make them to any type of rule group when you edit the protection pack (web ACL). These instructions are for a rule group that has already been added to the protection pack (web ACL). See additional information about this option at [Rule group rule action overrides](web-acl-rule-group-override-options.md#web-acl-rule-group-override-options-rules).

------
#### [ Using the new console ]

**To override rule actions in a rule group**

1. Choose the protection pack (web ACL) that you want to edit. The console makes the main protection pack (web ACL) card editable, and also opens a side panel with details you can edit.

1. In the protection pack (web ACL) card, choose the **Edit** link next to **Rules** to open the **Manage rules** panel.

1. In the **Manage rules** section for the rule group, choose the managed rule to open its action settings.
   + **Override rule group** – Changes the rule group action to Count mode but keeps all individual rule actions unchanged.
   + **Override all rule actions** – Applies a rule action to all rules, overriding their current state.
   + **Single rule override** – Applies a rule action to an individual rule.

1. When you are finished making your changes, choose **Save rule**. 

------
#### [ Using the standard console ]

**To override rule actions in a rule group**

1. Edit the web ACL. 

1. In the web ACL page **Rules** tab, select the rule group, then choose **Edit**. 

1. In the **Rules** section for the rule group, manage the action settings as needed. 
   + **All rules** – To set an override action for all rules in the rule group, open the **Override all rule actions** dropdown and select the override action. To remove the overrides for all rules, select **Remove all overrides**. 
   + **Single rule** – To set an override action for a single rule, open the rule's dropdown and select the override action. To remove an override for a rule, open the rule's dropdown and select **Remove override**.

1. When you are finished making your changes, choose **Save rule**. The rule action and override action settings are listed in the rule group page. 

------

The following example JSON listing shows a rule group declaration inside a protection pack (web ACL) that overrides the rule actions to Count for the rules `CategoryVerifiedSearchEngine` and `CategoryVerifiedSocialMedia`. In the JSON, you override all rule actions by providing a `RuleActionOverrides` entry for each individual rule.

```
{
  "Name": "AWS-AWSBotControl-Example",
  "Priority": 5,
  "Statement": {
    "ManagedRuleGroupStatement": {
      "VendorName": "AWS",
      "Name": "AWSManagedRulesBotControlRuleSet",
      "RuleActionOverrides": [
        {
          "ActionToUse": {
            "Count": {}
          },
          "Name": "CategoryVerifiedSearchEngine"
        },
        {
          "ActionToUse": {
            "Count": {}
          },
          "Name": "CategoryVerifiedSocialMedia"
        }
      ],
      "ExcludedRules": []
    }
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "AWS-AWSBotControl-Example"
  }
}
```

## Overriding a rule group's evaluation result to Count
<a name="web-acl-rule-group-action-override"></a>

You can override the action that results from a rule group evaluation, without altering how the rules in the rule group are configured or evaluated. This option is not commonly used. If any rule in the rule group results in a match, this override sets the resulting action from the rule group to Count.

**Note**  
This is an uncommon use case. Most action overrides are done at the rule level, inside the rule group, as described in [Overriding rule actions in a rule group](#web-acl-rule-group-rule-action-override).

You can override the rule group's resulting action in the protection pack (web ACL) when you add or edit the rule group. In the console, open the rule group's **Override rule group action - optional** pane and enable the override. In the JSON set `OverrideAction` in the rule group statement, as shown in the following example listing: 

```
{
  "Name": "AWS-AWSBotControl-Example",
  "Priority": 5,
  "Statement": {
    "ManagedRuleGroupStatement": {
      "VendorName": "AWS",
      "Name": "AWSManagedRulesBotControlRuleSet"
    }
  },
  "OverrideAction": {
    "Count": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "AWS-AWSBotControl-Example"
  }
}
```

# Associating or disassociating protection with an AWS resource
<a name="web-acl-associating-aws-resource"></a>

You can use AWS WAF to create the following associations between protection packs (web ACLs) and your resources: 
+ Associate a regional protection pack (web ACL) with any of the regional resources listed below. For this option, the protection pack (web ACL) must be in the same region as your resource. 
  + Amazon API Gateway REST API
  + Application Load Balancer
  + AWS AppSync GraphQL API
  + Amazon Cognito user pool
  + AWS App Runner service
  + AWS Verified Access instance
  + AWS Amplify
+ Associate a global protection pack (web ACL) with an Amazon CloudFront distribution. The global protection pack (web ACL) has a hard-coded Region of US East (N. Virginia).

You can also associate a protection pack (web ACL) with a CloudFront distribution when you create or update the distribution itself. For information, see [Using AWS WAF to Control Access to Your Content](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html) in the *Amazon CloudFront Developer Guide*.

**Restrictions on multiple associations**  
You can associate a single protection pack (web ACL) with one or more AWS resources, according to the following restrictions:
+ You can associate each AWS resource with only one protection pack (web ACL). The relationship between protection pack (web ACL) and AWS resources is one-to-many. 
+ You can associate a protection pack (web ACL) with one or more CloudFront distributions. You cannot associate a protection pack (web ACL) that you have associated with a CloudFront distribution with any other AWS resource type.

**Additional restrictions**  
The following additional restrictions apply to protection pack (web ACL) associations: 
+ You can only associate a protection pack (web ACL) with an Application Load Balancer within AWS Regions. For example, you cannot associate a protection pack (web ACL) with an Application Load Balancer that is on AWS Outposts.
+ You can't associate an Amazon Cognito user pool with a protection pack (web ACL) that uses the AWS WAF Fraud Control account creation fraud prevention (ACFP) managed rule group `AWSManagedRulesACFPRuleSet` or the AWS WAF Fraud Control account takeover prevention (ATP) managed rule group `AWSManagedRulesATPRuleSet`. For information about account creation fraud prevention, see [AWS WAF Fraud Control account creation fraud prevention (ACFP)](waf-acfp.md). For information about account takeover prevention, see [AWS WAF Fraud Control account takeover prevention (ATP)](waf-atp.md). 

**Production traffic risk**  
Before you deploy your protection pack (web ACL) for production traffic, test and tune it in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your rules in count mode with your production traffic before enabling them. For guidance, see [Testing and tuning your AWS WAF protections](web-acl-testing.md).

# Associating protection with an AWS resource
<a name="web-acl-associating"></a>

------
#### [ Using the new console ]

1. Choose the protection pack (web ACL) that you want to edit. The console makes the main protection pack (web ACL) card editable, and also opens a side panel with details you can edit.

1. In the protection pack (web ACL) card, choose the **Edit** link next to **Resources** to open the **Manage resources** panel.

1. In the **Manage resources** section, choose **Add regional resources** or **Add global resources**.

1. Choose resources and then choose **Add**.

------
#### [ Using the standard console ]

To associate a web ACL with an AWS resource, perform the following procedure.

**To associate a web ACL with an AWS resource**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. In the navigation pane, choose **web ACLs**.

1. Choose the name of the web ACL that you want to associate with a resource. The console takes you to the web ACL's description, where you can edit it.

1. On the **Associated AWS resources** tab, choose **Add AWS resources**.

1. When prompted, choose the resource type, select the radio button next to the resource that you want to associate, and then choose **Add**. 

------

# Disassociating a protection from an AWS resource
<a name="web-acl-dissociating-aws-resource"></a>

------
#### [ Using the new console ]

1. Choose the protection pack (web ACL) that you want to edit. The console makes the main protection pack (web ACL) card editable, and also opens a side panel with details you can edit.

1. In the protection pack (web ACL) card, choose the **Edit** link next to **Resources** to open the **Manage resources** panel.

1. In the **Manage resources** section, choose the resource you want to disassociate, and then choose **Disassociate**.
**Note**  
You must disassociate one resource at a time. Do not choose multiple resources. 

1. On the confirmation page, type "disassociate", and then choose **Disassociate**.

------
#### [ Using the standard console ]

To disassociate a web ACL from an AWS resource, perform the following procedure.

**To disassociate a web ACL from an AWS resource**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. In the navigation pane, choose **web ACLs**.

1. Choose the name of the web ACL that you want to disassociate from your resource. The console takes you to the web ACL's description, where you can edit it.

1. On the **Associated AWS resources** tab, select the resource that you want to disassociate this web ACL from. 
**Note**  
You must disassociate one resource at a time. Do not choose multiple resources. 
**Note**  
When you choose to associate an Application Load Balancer with your web ACL, **Resource-level DDoS protection** is enabled. For more information, see [AWS WAF Distributed Denial of Service (DDoS) prevention](waf-anti-ddos.md).

1. Choose **Disassociate**. The console opens a confirmation dialogue. Confirm your choice to disassociate the web ACL from the AWS resource. 

------

# Using protection packs (web ACLs) with rules and rule groups in AWS WAF
<a name="web-acl-processing"></a>

This section introduces how protection packs (web ACLs) work with rules and rule groups.

The way a protection pack (web ACL) handles a web request depends on the following: 
+ The numeric priority settings of the rules in the protection pack (web ACL) and inside rule groups
+ The action settings on the rules and protection pack (web ACL)
+ Any overrides that you place on the rules in the rule groups that you add

For a list of the rule action settings, see [Using rule actions in AWS WAF](waf-rule-action.md). 

You can customize request and response handling in your rule action settings and default protection pack (web ACL) action settings. For information, see [Customized web requests and responses in AWS WAF](waf-custom-request-response.md).

**Topics**
+ [Setting rule priority](web-acl-processing-order.md)
+ [How AWS WAF handles rule and rule group actions](web-acl-rule-actions.md)
+ [Overriding rule group actions in AWS WAF](web-acl-rule-group-override-options.md)

# Setting rule priority
<a name="web-acl-processing-order"></a>

This section explains how AWS WAF uses numeric priority settings to set the evaluation order for rules.

In a protection pack (web ACL) and inside any rule group, you determine the evaluation order of the rules using numeric priority settings. You must give each rule in a protection pack (web ACL) a unique priority setting within that protection pack (web ACL), and you must give each rule in a rule group a unique priority setting within that rule group. 

**Note**  
When you manage rule groups and protection packs (web ACLs) through the console, AWS WAF assigns unique numeric priority settings for you based on the order of the rules in the list. AWS WAF assigns the lowest numeric priority to the rule at the top of the list, and the highest numeric priority to the rule at the bottom. 

When AWS WAF evaluates any rule group or protection pack (web ACL) against a web request, it evaluates the rules from the lowest numeric priority setting on up until it either finds a match that terminates the evaluation or exhausts all of the rules.

For example, say you have the following rules and rule groups in your protection pack (web ACL), prioritized as shown:
+ Rule1 – priority 0
+ RuleGroupA – priority 100
  + RuleA1 – priority 10,000
  + RuleA2 – priority 20,000
+ Rule2 – priority 200
+ RuleGroupB – priority 300
  + RuleB1 – priority 0
  + RuleB2 – priority 1

AWS WAF would evaluate the rules for this protection pack (web ACL) in the following order:
+ Rule1
+ RuleGroupA RuleA1
+ RuleGroupA RuleA2
+ Rule2
+ RuleGroupB RuleB1
+ RuleGroupB RuleB2

# How AWS WAF handles rule and rule group actions
<a name="web-acl-rule-actions"></a>

This section explains how AWS WAF uses rules and rule groups to handle actions.

When you configure your rules and rule groups, you choose how you want AWS WAF to handle matching web requests: 
+ **Allow and Block are terminating actions** – Allow and Block actions stop all other processing of the protection pack (web ACL) on the matching web request. If a rule in a protection pack (web ACL) finds a match for a request and the rule action is Allow or Block, that match determines the final disposition of the web request for the protection pack (web ACL). AWS WAF doesn't process any other rules in the protection pack (web ACL) that come after the matching one. This is true for rules that you add directly to the protection pack (web ACL) and rules that are inside an added rule group. With the Block action, the protected resource doesn't receive or process the web request.
+ **Count is a non-terminating action** – When a rule with a Count action matches a request, AWS WAF counts the request, then continues processing the rules that follow in the protection pack (web ACL) rule set. 
+ **CAPTCHA and Challenge can be non-terminating or terminating actions** – When a rule with one of these actions matches a request, AWS WAF checks its token status. If the request has a valid token, AWS WAF treats the match similar to a Count match, and then continues processing the rules that follow in the protection pack (web ACL) rule set. If the request doesn't have a valid token, AWS WAF terminates the evaluation and sends the client a CAPTCHA puzzle or silent background client session challenge to solve. 

If the rule evaluation doesn't result in any terminating action, then AWS WAF applies the protection pack (web ACL) default action to the request. For information, see [Setting the protection pack (web ACL) default action in AWS WAF](web-acl-default-action.md).

In your protection pack (web ACL), you can override the action settings for rules inside a rule group and you can override the action that's returned by a rule group. For information, see [Overriding rule group actions in AWS WAF](web-acl-rule-group-override-options.md). 

**Interaction between actions and priority settings**  
The actions that AWS WAF applies to a web request are affected by the numeric priority settings of the rules in the protection pack (web ACL). For example, say that your protection pack (web ACL) has a rule with Allow action and a numeric priority of 50 and another rule with Count action and a numeric priority of 100. AWS WAF evaluates the rules in a protection pack (web ACL) in the order of their priority, starting from the lowest setting, so it will evaluate the allow rule before the count rule. A web request that matches both rules will match the allow rule first. Since Allow is a terminating action, AWS WAF will stop the evaluation at this match and won't evaluate the request against the count rule. 
+ If you only want to include requests that don't match the allow rule in your count rule metrics, then the priority settings described above work as intended. 
+ On the other hand, if you want count metrics from the count rule even for requests that match the allow rule, you'd need to give the count rule a lower numeric priority setting than the allow rule, so that it runs first. 

For more information about priority settings, see [Setting rule priority](web-acl-processing-order.md). 

# Overriding rule group actions in AWS WAF
<a name="web-acl-rule-group-override-options"></a>

This section explains how to override rule group actions.

When you add a rule group to your protection pack (web ACL), you can override the actions it takes on matching web requests. Overriding the actions for a rule group inside your protection pack (web ACL) configuration doesn't alter the rule group itself. It only alters how AWS WAF uses the rule group in the context of the protection pack (web ACL). 

## Rule group rule action overrides
<a name="web-acl-rule-group-override-options-rules"></a>

You can override the actions of the rules inside a rule group to any valid rule action. When you do this, matching requests are handled exactly as if the configured rule's action were the override setting. 

**Note**  
Rule actions can be terminating or non-terminating. A terminating action stops the protection pack (web ACL) evaluation of the request and either lets it continue to your protected application or blocks it. 

Here are the rule action options: 
+ **Allow** – AWS WAF allows the request to be forwarded to the protected AWS resource for processing and response. This is a terminating action. In rules that you define, you can insert custom headers into the request before forwarding it to the protected resource.
+ **Block** – AWS WAF blocks the request. This is a terminating action. By default, your protected AWS resource responds with an HTTP `403 (Forbidden)` status code. In rules that you define, you can customize the response. When AWS WAF blocks a request, the Block action settings determine the response that the protected resource sends back to the client. 
+ **Count** – AWS WAF counts the request but does not determine whether to allow it or block it. This is a non-terminating action. AWS WAF continues processing the remaining rules in the protection pack (web ACL). In rules that you define, you can insert custom headers into the request and you can add labels that other rules can match against.
+ **CAPTCHA and Challenge** – AWS WAF uses CAPTCHA puzzles and silent challenges to verify that the request is not coming from a bot, and AWS WAF uses tokens to track recent successful client responses. 

  CAPTCHA puzzles and silent challenges can only run when browsers are accessing HTTPS endpoints. Browser clients must be running in secure contexts in order to acquire tokens. 
**Note**  
You are charged additional fees when you use the CAPTCHA or Challenge rule action in one of your rules or as a rule action override in a rule group. For more information, see [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).

  These rule actions can be terminating or non-terminating, depending on the state of the token in the request: 
  + **Non-terminating for valid, unexpired token** – If the token is valid and unexpired according to the configured CAPTCHA or challenge immunity time, AWS WAF handles the request similar to the Count action. AWS WAF continues to inspect the web request based on the remaining rules in the protection pack (web ACL). Similar to the Count configuration, in rules that you define, you can optionally configure these actions with custom headers to insert into the request, and you can add labels that other rules can match against. 
  + **Terminating with blocked request for invalid or expired token** – If the token is invalid or the indicated timestamp is expired, AWS WAF terminates the inspection of the web request and blocks the request, similar to the Block action. AWS WAF then responds to the client with a custom response code. For CAPTCHA, if the request contents indicate that the client browser can handle it, AWS WAF sends a CAPTCHA puzzle in a JavaScript interstitial, which is designed to distinguish human clients from bots. For the Challenge action, AWS WAF sends a JavaScript interstitial with a silent challenge that is designed to distinguish normal browsers from sessions that are being run by bots. 

  For additional information, see [CAPTCHA and Challenge in AWS WAF](waf-captcha-and-challenge.md).

For information about how to use this option, see [Overriding rule actions in a rule group](web-acl-rule-group-settings.md#web-acl-rule-group-rule-action-override).

### Overriding the rule action to Count
<a name="web-acl-rule-group-override-to-count"></a>

The most common use case for rule action overrides is overriding some or all of the rule actions to Count, to test and monitor a rule group's behavior before putting it into production. 

You can also use this to troubleshoot a rule group that's generating false positives. False positives occur when a rule group blocks traffic that you aren't expecting it to block. If you identify a rule within a rule group that would block requests that you want to allow through, you can keep the count action override on that rule, to exclude it from acting on your requests.

For more information about using the rule action override in testing, see [Testing and tuning your AWS WAF protections](web-acl-testing.md).

### JSON listing: `RuleActionOverrides` replaces `ExcludedRules`
<a name="web-acl-rule-group-override-replaces-exclude"></a>

If you set rule group rule actions to Count in your protection pack (web ACL) configuration before October 27, 2022, AWS WAF saved your overrides in the protection pack (web ACL) JSON as `ExcludedRules`. Now, the JSON setting for overriding a rule to Count is in the `RuleActionOverrides` settings. 

We recommend that you update all of your `ExcludedRules` settings in your JSON listings to `RuleActionOverrides` settings with the action set to Count. The API accepts either setting, but you'll get consistency in your JSON listings, between your console work and your API work, if you only use the new `RuleActionOverrides` setting. 

**Note**  
In the AWS WAF console, the protection pack (web ACL) **Sampled requests** tab doesn't show samples for rules with the old setting. For more information, see [Viewing a sample of web requests](web-acl-testing-view-sample.md). 

When you use the AWS WAF console to edit the existing rule group settings, the console automatically converts any `ExcludedRules` settings in the JSON to `RuleActionOverrides` settings, with the override action set to Count. 
+ Current setting example: 

  ```
         "ManagedRuleGroupStatement": {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesAdminProtectionRuleSet",
            "RuleActionOverrides": [
              {
                "Name": "AdminProtection_URIPATH",
                "ActionToUse": {
                  "Count": {}
                }
              }
            ]
  ```
+ Old setting example: 

  ```
         "ManagedRuleGroupStatement": {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesAdminProtectionRuleSet",
            "ExcludedRules": [
              {
                "Name": "AdminProtection_URIPATH"
              }
            ]
  ```
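To apply the same conversion to a listing outside the console, for example to a saved web ACL JSON before you push it through the API, here is an added Python example (not an AWS tool). It assumes the shape returned by `aws wafv2 get-web-acl`, uses a constructed sample web ACL, and also handles `RuleGroupReferenceStatement`, the API field for your own rule groups.

```python
"""Convert legacy ExcludedRules to RuleActionOverrides in a web ACL JSON listing.

Added example, not AWS tooling. It performs the conversion the console does
when you edit a rule group: every ExcludedRules entry in a rule group statement
becomes a RuleActionOverrides entry with ActionToUse set to Count.
"""
import copy
import json

# Statement types that reference a rule group and can carry ExcludedRules.
# RuleGroupReferenceStatement is the WAFv2 API field for your own rule groups.
RULE_GROUP_STATEMENTS = ("ManagedRuleGroupStatement", "RuleGroupReferenceStatement")


def convert_statement(statement: dict) -> int:
    """Move the ExcludedRules of one rule group statement into RuleActionOverrides.

    Returns the number of rules converted. A rule that already has an override
    keeps it; the legacy exclusion for that name is simply dropped.
    """
    excluded = statement.pop("ExcludedRules", None) or []
    overrides = statement.get("RuleActionOverrides")
    if overrides is None:
        overrides = []
    present = {o["Name"] for o in overrides}
    converted = 0
    for entry in excluded:
        name = entry["Name"]
        if name in present:
            continue
        overrides.append({"Name": name, "ActionToUse": {"Count": {}}})
        present.add(name)
        converted += 1
    if overrides:                      # never write an empty list we created
        statement["RuleActionOverrides"] = overrides
    return converted


def convert_web_acl(web_acl: dict) -> tuple:
    """Return (converted deep copy of the web ACL, total number of rules converted)."""
    acl = copy.deepcopy(web_acl)       # leave the caller's listing untouched
    total = 0
    for rule in acl.get("Rules", []):
        statement = rule.get("Statement", {})
        for key in RULE_GROUP_STATEMENTS:
            if key in statement:
                total += convert_statement(statement[key])
    return acl, total


# Constructed sample: the old setting from this page, a rule that mixes old and
# new settings, and a plain rule (no rule group) that must be left untouched.
SAMPLE_WEB_ACL = {
    "Name": "example-web-acl",
    "DefaultAction": {"Allow": {}},
    "Rules": [
        {
            "Name": "AWS-AWSManagedRulesAdminProtectionRuleSet",
            "Priority": 1,
            "OverrideAction": {"None": {}},
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": "AWSManagedRulesAdminProtectionRuleSet",
                "ExcludedRules": [{"Name": "AdminProtection_URIPATH"}]}},
        },
        {
            "Name": "AWS-AWSBotControl-Example",
            "Priority": 5,
            "OverrideAction": {"None": {}},
            "Statement": {"ManagedRuleGroupStatement": {
                "VendorName": "AWS",
                "Name": "AWSManagedRulesBotControlRuleSet",
                "RuleActionOverrides": [
                    {"Name": "CategoryVerifiedSearchEngine",
                     "ActionToUse": {"Count": {}}}],
                "ExcludedRules": [
                    {"Name": "CategoryVerifiedSearchEngine"},
                    {"Name": "CategoryVerifiedSocialMedia"}]}},
        },
        {
            "Name": "CountAdminPath", "Priority": 10, "Action": {"Count": {}},
            "Statement": {"ByteMatchStatement": {
                "SearchString": "/admin", "FieldToMatch": {"UriPath": {}},
                "PositionalConstraint": "STARTS_WITH",
                "TextTransformations": [{"Priority": 0, "Type": "NONE"}]}},
        },
    ],
}


if __name__ == "__main__":
    converted, count = convert_web_acl(SAMPLE_WEB_ACL)
    print(f"converted {count} excluded rule(s)")
    print(json.dumps(converted, indent=2))
```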

## Rule group return action override to Count
<a name="web-acl-rule-group-override-options-rule-group"></a>

You can override the action that the rule group returns, setting it to Count. 

**Note**  
This is not a good option for testing the rules in a rule group, because it doesn't alter how AWS WAF evaluates the rule group itself. It only affects how AWS WAF handles results that are returned to the protection pack (web ACL) from the rule group evaluation. If you want to test the rules in a rule group, use the option described in the preceding section, [Rule group rule action overrides](#web-acl-rule-group-override-options-rules).

When you override the rule group action to Count, AWS WAF processes the rule group evaluation normally. 

If no rules in the rule group match or if all matching rules have a Count action, then this override has no effect on the processing of the rule group or the protection pack (web ACL).

The first rule in the rule group that matches a web request and that has a terminating rule action causes AWS WAF to stop evaluating the rule group and return the terminating action result to the protection pack (web ACL) evaluation level. At this point, in the protection pack (web ACL) evaluation, this override takes effect. AWS WAF overrides the terminating action so that the result of the rule group evaluation is only a Count action. AWS WAF then continues processing the rest of the rules in the protection pack (web ACL).

For information about how to use this option, see [Overriding a rule group's evaluation result to Count](web-acl-rule-group-settings.md#web-acl-rule-group-action-override).
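The following Python model ties together the priority order from Setting rule priority, the terminating and non-terminating action handling from the previous section, and the two override kinds described here. It is an added illustration, not AWS code: request matching is stubbed with a per-rule predicate, and the `Rule`, `RuleGroup` and `WebACL` names are its own.

```python
"""Toy model of AWS WAF rule evaluation order and action handling.

Added illustration, not AWS code. It simulates what this page describes:
evaluation in ascending numeric priority (a rule group's rules evaluated in
its place), Allow/Block terminating, Count non-terminating, RuleActionOverrides
applied to rules inside a group, the rule group OverrideAction to Count, and
the default action. Matching is a stubbed per-rule predicate.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple, Union

Request = Dict[str, str]
TERMINATING = {"Allow", "Block"}          # Count is non-terminating


@dataclass
class Rule:
    name: str
    priority: int
    action: str                           # "Allow", "Block" or "Count"
    matches: Callable[[Request], bool] = lambda req: True   # stub predicate


@dataclass
class RuleGroup:
    name: str
    priority: int
    rules: List[Rule]
    # RuleActionOverrides: rule name -> action to use instead of the rule's own
    rule_action_overrides: Dict[str, str] = field(default_factory=dict)
    # OverrideAction Count at the web ACL level (rule group result override)
    override_action_count: bool = False


@dataclass
class WebACL:
    default_action: str                   # must be "Allow" or "Block"
    entries: List[Union[Rule, RuleGroup]]


def by_priority(items):
    return sorted(items, key=lambda item: item.priority)


def evaluation_order(acl: WebACL) -> List[str]:
    """Names in the order AWS WAF evaluates them (group rules nested in place)."""
    order = []
    for entry in by_priority(acl.entries):
        if isinstance(entry, Rule):
            order.append(entry.name)
        else:
            order.extend(f"{entry.name} {r.name}" for r in by_priority(entry.rules))
    return order


def evaluate(acl: WebACL, request: Request) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (final action, trace of (rule name, action applied))."""
    trace = []
    for entry in by_priority(acl.entries):
        if isinstance(entry, Rule):
            if entry.matches(request):
                trace.append((entry.name, entry.action))
                if entry.action in TERMINATING:
                    return entry.action, trace      # terminating: stop here
            continue
        # Rule group: the first terminating match (after per-rule overrides)
        # ends the group evaluation and returns that action to the web ACL.
        group_result = None
        for rule in by_priority(entry.rules):
            if not rule.matches(request):
                continue
            action = entry.rule_action_overrides.get(rule.name, rule.action)
            trace.append((f"{entry.name} {rule.name}", action))
            if action in TERMINATING:
                group_result = action
                break
        if group_result is None:
            continue                                # only Count matches, or none
        if entry.override_action_count:
            trace.append((entry.name, "Count"))     # result overridden to Count
            continue
        return group_result, trace
    return acl.default_action, trace                # no terminating action hit


def page_example_acl() -> WebACL:
    """The priority example from this page; every rule uses the Count action."""
    return WebACL("Allow", [
        Rule("Rule1", 0, "Count"),
        RuleGroup("RuleGroupA", 100, [Rule("RuleA1", 10_000, "Count"),
                                      Rule("RuleA2", 20_000, "Count")]),
        Rule("Rule2", 200, "Count"),
        RuleGroup("RuleGroupB", 300, [Rule("RuleB1", 0, "Count"),
                                      Rule("RuleB2", 1, "Count")]),
    ])


if __name__ == "__main__":
    print(evaluation_order(page_example_acl()))
    print(evaluate(page_example_acl(), {"uri": "/"}))
```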

# Setting the protection pack (web ACL) default action in AWS WAF
<a name="web-acl-default-action"></a>

This section explains how protection pack (web ACL) default actions work.

When you create and configure a protection pack (web ACL), you must set the protection pack (web ACL) default action. AWS WAF applies this action to any web request that makes it through all of the protection pack (web ACL)'s rule evaluations without having a terminating action applied to it. A terminating action stops the protection pack (web ACL) evaluation of the request and either lets it continue to your protected application or blocks it. For information about rule actions, see [Using rule actions in AWS WAF](waf-rule-action.md).

The protection pack (web ACL) default action must determine the final disposition of the web request, so it's a terminating action: 
+ **Allow** – If you want to allow most users to access your website, but you want to block access to attackers whose requests originate from specified IP addresses, or whose requests appear to contain malicious SQL code or specified values, choose Allow for the default action. Then, when you add rules to your protection pack (web ACL), add rules that identify and block the specific requests that you want to block. With this action, you can insert custom headers into the request before forwarding it to the protected resource.
+ **Block** – If you want to prevent most users from accessing your website, but you want to allow access to users whose requests originate from specified IP addresses, or whose requests contain specified values, choose Block for the default action. Then, when you add rules to your protection pack (web ACL), add rules that identify and allow the specific requests that you want to allow in. By default, for the Block action, the AWS resource responds with an HTTP `403 (Forbidden)` status code, but you can customize the response. 

For information about customizing requests and responses, see [Customized web requests and responses in AWS WAF](waf-custom-request-response.md).

Your configuration of your own rules and rule groups depends in part on whether you want to allow or block most web requests. For example, if you want to *allow* most requests, you would set the protection pack (web ACL) default action to Allow, and then add rules that identify web requests that you want to *block*, such as the following:
+ Requests that originate from IP addresses that are making an unreasonable number of requests
+ Requests that originate from countries that either you don't do business in or are the frequent source of attacks
+ Requests that include fake values in the `User-Agent` header
+ Requests that appear to include malicious SQL code

Managed rule group rules usually use the Block action, but not all do. For example, some rules used for Bot Control use the CAPTCHA and Challenge action settings. For information about managed rule groups, see [Using managed rule groups in AWS WAF](waf-managed-rule-groups.md).
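The two mechanisms described above, a rule group's terminating result being overridden to Count and the default action deciding any request that reaches the end of the rule list, interact in a way that is easier to see in code. The following simulation is an added illustration for this guide, not the AWS WAF evaluation engine; the rule names, the sample rule group, the `XX` country code and the dictionary layout are constructed for the example and only model the behaviour the text describes.

```python
"""Simulation of protection pack (web ACL) evaluation. Added illustration only:
it models the behaviour described in this guide (first terminating match ends a
rule group, OverrideAction Count turns that result into a Count at the web ACL
level, the default action applies when nothing terminating matched)."""
from typing import Callable, Dict, List, Optional, Tuple

# Allow and Block end evaluation. CAPTCHA/Challenge are also terminating when the
# client fails them; they are left out of this simplified model.
TERMINATING = {"ALLOW", "BLOCK"}

Request = Dict[str, str]
Rule = Dict[str, object]


def rule(name: str, action: str, match: Callable[[Request], bool]) -> Rule:
    return {"name": name, "action": action, "match": match}


def evaluate_rule_group(rules: List[Rule], request: Request) -> Optional[str]:
    """Rule group result: the first terminating match stops the group; if only
    Count rules matched the result is COUNT; None means nothing matched."""
    counted = False
    for r in rules:
        if r["match"](request):
            if r["action"] in TERMINATING:
                return r["action"]
            counted = True
    return "COUNT" if counted else None


def evaluate_web_acl(web_acl: dict, request: Request) -> Tuple[str, List[Tuple[str, str]]]:
    """Walk the web ACL rules in priority order. Returns the final disposition and
    a trace of (rule name, result) pairs, which is what you would expect to see
    reflected in the rule's metrics and in the web ACL logs."""
    trace: List[Tuple[str, str]] = []
    for entry in sorted(web_acl["rules"], key=lambda e: e["priority"]):
        if "rule_group" in entry:
            result = evaluate_rule_group(entry["rule_group"], request)
            if result is None:
                continue
            # OverrideAction Count: the group still ran normally up to its first
            # terminating match, but the web ACL records only a Count and keeps
            # processing the remaining rules.
            if entry.get("override_action") == "COUNT" and result in TERMINATING:
                trace.append((entry["name"], f"{result}->COUNT"))
                continue
        else:
            if not entry["match"](request):
                continue
            result = entry["action"]
        trace.append((entry["name"], result))
        if result in TERMINATING:
            return result, trace
    # No terminating action was applied, so the default action decides.
    trace.append(("default", web_acl["default_action"]))
    return web_acl["default_action"], trace


# Constructed sample rule group: a Block rule for an admin path plus a Count-only
# rule. Names are invented for the example.
ADMIN_GROUP = [
    rule("uri_path_admin", "BLOCK", lambda req: req["uri_path"].startswith("/admin")),
    rule("legacy_ua_count", "COUNT", lambda req: "legacy" in req.get("user_agent", "")),
]


def build_web_acl(override_to_count: bool) -> dict:
    """Web ACL with default action Allow, the sample rule group, and one plain
    Block rule keyed on a placeholder country code. override_to_count sets
    OverrideAction Count on the rule group reference."""
    group_entry = {"name": "admin-group", "priority": 0, "rule_group": ADMIN_GROUP}
    if override_to_count:
        group_entry["override_action"] = "COUNT"
    return {
        "default_action": "ALLOW",
        "rules": [
            group_entry,
            {"name": "geo-block", "priority": 1, "action": "BLOCK",
             "match": lambda req: req.get("country") == "XX"},
        ],
    }


if __name__ == "__main__":
    for override in (False, True):
        acl = build_web_acl(override)
        disposition, trace = evaluate_web_acl(acl, {"uri_path": "/admin/login", "country": "US"})
        print(f"override_to_count={override}: {disposition} via {trace}")
```

With the override in place, an `/admin/login` request that the group would have blocked ends up allowed by the default action, and the only evidence is the `BLOCK->COUNT` trace entry; a later rule in the web ACL (here `geo-block`) can still block it. This is why the note above says the override is not a way to test a rule group: the group's own evaluation is unchanged, only what the web ACL does with the result.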

# Considerations for managing body inspection in AWS WAF
<a name="web-acl-setting-body-inspection-limit"></a>

The body inspection size limit is the maximum request body size that AWS WAF can inspect. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection. 
+ For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB (8,192 bytes).
+ For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for any of the resource types by increments of 16 KB, up to 64 KB. The setting options are 16 KB, 32 KB, 48 KB, and 64 KB. 

**Important**  
AWS WAF does not support request body inspection rules for gRPC traffic. If you enable these rules on the protection pack (web ACL) for a CloudFront distribution or Application Load Balancer, AWS WAF skips the request body inspection rules for any request that uses gRPC. All other AWS WAF rules still apply. For more information, see [Enable AWS WAF for distributions](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/WAF-one-click.html) in the *Amazon CloudFront Developer Guide*. 

**Oversize body handling**  
If your web traffic includes bodies that are larger than the limit, your configured oversize handling will apply. For information about the options for oversize handling, see [Oversize web request components in AWS WAF](waf-oversize-request-components.md). 

**Pricing considerations for increasing the limit setting**  
AWS WAF charges a base rate for inspecting traffic that's within the default limit for the resource type. 

For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access resources, if you increase the limit setting, the traffic that AWS WAF can inspect includes body sizes up to your new limit. You're charged extra only for the inspection of requests that have body sizes larger than the default 16 KB. For more information about pricing, see [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).

**Options for modifying the body inspection size limit**  
You can configure the body inspection size limit for CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources. 

When you create or edit a protection pack (web ACL), you can modify the body inspection size limits in the resource association configuration. For the API, see the protection pack (web ACL)'s association configuration at [AssociationConfig](https://docs.aws.amazon.com/waf/latest/APIReference/API_AssociationConfig.html). For the console, see the configuration on the page where you specify the protection pack (web ACL)'s associated resources. For guidance on the console configuration, see [Viewing web traffic metrics in AWS WAF](web-acl-working-with.md). 
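The practical consequence of the limits above is that a body-inspection rule can only match content that falls inside the limit, so anything past it is decided by your oversize handling rather than by the rule. The following helpers are an added illustration for this section, not AWS code: the `AssociationConfig` fragment and the `KB_16` to `KB_64` values follow the AWS WAF API reference, the resource type names used as `RequestBody` keys are assumed from that reference, and the truncation logic only models the forwarding behaviour the text describes.

```python
"""Body inspection size limits. Added illustration, not AWS code: the
AssociationConfig shape follows the API reference; the truncation helper models
the statement that the host service forwards only the bytes inside the limit."""
from typing import Dict, Optional, Tuple

KB = 1024
# Limits that cannot be raised, in bytes.
FIXED_LIMIT = {"APPLICATION_LOAD_BALANCER": 8 * KB, "APPSYNC": 8 * KB}
# Resource types with a configurable limit, keyed as in AssociationConfig.RequestBody
# (key names assumed from the API reference).
CONFIGURABLE = ("CLOUDFRONT", "API_GATEWAY", "COGNITO_USER_POOL",
                "APP_RUNNER_SERVICE", "VERIFIED_ACCESS_INSTANCE")
DEFAULT_KB = 16
ALLOWED_KB = (16, 32, 48, 64)


def association_config(resource_type: str, limit_kb: int) -> Dict:
    """Build the AssociationConfig fragment for CreateWebACL/UpdateWebACL,
    rejecting resource types whose limit is fixed and values outside the
    16/32/48/64 KB steps."""
    if resource_type in FIXED_LIMIT:
        raise ValueError(f"{resource_type} has a fixed limit of {FIXED_LIMIT[resource_type]} bytes")
    if resource_type not in CONFIGURABLE:
        raise ValueError(f"unknown resource type {resource_type}")
    if limit_kb not in ALLOWED_KB:
        raise ValueError(f"limit must be one of {ALLOWED_KB} KB")
    return {"RequestBody": {resource_type: {"DefaultSizeInspectionLimit": f"KB_{limit_kb}"}}}


def inspection_limit_bytes(resource_type: str, limit_kb: Optional[int] = None) -> int:
    """Effective limit in bytes: fixed for ALB/AppSync, otherwise the configured
    step or the 16 KB default."""
    if resource_type in FIXED_LIMIT:
        return FIXED_LIMIT[resource_type]
    if resource_type not in CONFIGURABLE:
        raise ValueError(f"unknown resource type {resource_type}")
    return (limit_kb or DEFAULT_KB) * KB


def inspected_portion(body: bytes, resource_type: str,
                      limit_kb: Optional[int] = None) -> Tuple[bytes, bool]:
    """Return (bytes AWS WAF gets to inspect, whether the body was oversize)."""
    limit = inspection_limit_bytes(resource_type, limit_kb)
    return body[:limit], len(body) > limit


def pattern_visible(body: bytes, pattern: bytes, resource_type: str,
                    limit_kb: Optional[int] = None) -> Tuple[bool, bool]:
    """Would a string-match rule on the body see `pattern`? Returns
    (matched, oversize). When oversize is True and matched is False, the
    configured oversize handling, not the match rule, decides the request."""
    seen, oversize = inspected_portion(body, resource_type, limit_kb)
    return pattern in seen, oversize


def extra_charge_applies(resource_type: str, body_len: int, limit_kb: int) -> bool:
    """The extra charge applies only to configurable resource types with a raised
    limit, and only to requests whose body exceeds the 16 KB default."""
    return (resource_type in CONFIGURABLE and limit_kb > DEFAULT_KB
            and body_len > DEFAULT_KB * KB)


if __name__ == "__main__":
    # Constructed sample body: 9000 bytes of padding followed by a marker string.
    sample = b"x" * 9000 + b"<marker>"
    print(association_config("CLOUDFRONT", 32))
    print("ALB sees marker:", pattern_visible(sample, b"<marker>", "APPLICATION_LOAD_BALANCER"))
    print("CloudFront sees marker:", pattern_visible(sample, b"<marker>", "CLOUDFRONT"))
```

The sample body is 9,008 bytes: behind an Application Load Balancer the marker sits past the fixed 8 KB limit and the rule never sees it, while behind CloudFront the whole body is within the 16 KB default and the match succeeds. Pairing a raised limit with explicit oversize handling is the defensive configuration for endpoints that legitimately accept large bodies.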

# Configuring CAPTCHA, challenge, and tokens in AWS WAF
<a name="web-acl-captcha-challenge-token-domains"></a>

You can configure options in your protection pack (web ACL) for the rules that use the CAPTCHA or Challenge rule actions and for the application integration SDKs that manage silent client challenges for AWS WAF managed protections. 

These features mitigate bot activity by challenging end users with CAPTCHA puzzles and by presenting client sessions with silent challenges. When the client responds successfully, AWS WAF provides a token for them to use in their web request, timestamped with the last successful puzzle and challenge responses. For more information, see [Intelligent threat mitigation in AWS WAF](waf-managed-protections.md).

In your protection pack (web ACL) configuration, you can configure how AWS WAF manages these tokens: 
+ **CAPTCHA and challenge immunity times** – These specify how long a CAPTCHA or challenge timestamp remains valid. The protection pack (web ACL) settings are inherited by all rules that don't have their own immunity time settings configured and also by the application integration SDKs. For more information, see [Setting timestamp expiration and token immunity times in AWS WAF](waf-tokens-immunity-times.md).
+ **Token domains** – By default, AWS WAF accepts tokens only for the domain of the resource that the protection pack (web ACL) is associated with. If you configure a token domain list, AWS WAF accepts tokens for all domains in the list and for the domain of the associated resource. For more information, see [AWS WAF protection pack (web ACL) token domain list configuration](waf-tokens-domains.md#waf-tokens-domain-lists).
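The inheritance rule for immunity times and the token domain rule above can be checked against a concrete configuration. The following is an added illustration for this section, not AWS code: the `CaptchaConfig`, `ChallengeConfig` and `TokenDomains` keys mirror the web ACL API shape, the 300-second fallback is AWS WAF's documented default immunity time, and the token field names (`domain`, `captcha_solved_at`, `challenge_solved_at`) are constructed for the example; real tokens are opaque and verified by AWS WAF, not by your code.

```python
"""Immunity time inheritance and token domain acceptance. Added illustration,
not AWS code: models only what this guide states about the settings."""
import time
from typing import Dict, Optional

DEFAULT_IMMUNITY_SECONDS = 300  # AWS WAF default when no immunity time is configured

# Constructed sample web ACL settings.
WEB_ACL = {
    "CaptchaConfig": {"ImmunityTimeProperty": {"ImmunityTime": 600}},
    "TokenDomains": ["example.org"],
}
# Constructed rule with its own CAPTCHA immunity time, which overrides the web ACL's.
RULE_WITH_OWN_TIME = {
    "Name": "login-captcha",
    "CaptchaConfig": {"ImmunityTimeProperty": {"ImmunityTime": 120}},
}


def effective_immunity(web_acl: Dict, rule: Optional[Dict], kind: str) -> int:
    """kind is 'CaptchaConfig' or 'ChallengeConfig'. The rule's own setting wins;
    otherwise the web ACL setting is inherited; otherwise the service default."""
    for cfg in (rule or {}, web_acl):
        prop = cfg.get(kind, {}).get("ImmunityTimeProperty", {})
        if "ImmunityTime" in prop:
            return int(prop["ImmunityTime"])
    return DEFAULT_IMMUNITY_SECONDS


def token_domain_accepted(token_domain: str, resource_domain: str, web_acl: Dict) -> bool:
    """Tokens are accepted for the associated resource's domain and for every
    domain in the web ACL's token domain list."""
    return token_domain == resource_domain or token_domain in web_acl.get("TokenDomains", [])


def timestamp_valid(solved_at: int, immunity_seconds: int, now: int) -> bool:
    """A puzzle/challenge timestamp is valid from when it was solved until the
    immunity time has elapsed; timestamps from the future are rejected."""
    return solved_at <= now < solved_at + immunity_seconds


def token_accepted(token: Dict, web_acl: Dict, rule: Optional[Dict], resource_domain: str,
                   kind: str, now: Optional[int] = None) -> Dict[str, bool]:
    """Combine the domain check with the freshness check for one rule."""
    now = int(time.time()) if now is None else now
    domain_ok = token_domain_accepted(token["domain"], resource_domain, web_acl)
    ts_key = {"CaptchaConfig": "captcha_solved_at", "ChallengeConfig": "challenge_solved_at"}[kind]
    fresh = ts_key in token and timestamp_valid(
        token[ts_key], effective_immunity(web_acl, rule, kind), now)
    return {"domain_ok": domain_ok, "fresh": fresh, "accepted": domain_ok and fresh}


if __name__ == "__main__":
    # Constructed token solved at t=1000 for a listed token domain.
    token = {"domain": "example.org", "captcha_solved_at": 1000}
    for t in (1100, 1130):
        print(t, "rule:", token_accepted(token, WEB_ACL, RULE_WITH_OWN_TIME, "app.example.com", "CaptchaConfig", now=t),
              "inherited:", token_accepted(token, WEB_ACL, None, "app.example.com", "CaptchaConfig", now=t))
```

At t=1130 the same token is stale for the rule with its own 120-second immunity time but still fresh for a rule that inherits the web ACL's 600 seconds, and the challenge immunity time for either rule falls back to the 300-second default because neither level configures `ChallengeConfig`.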

# Viewing web traffic metrics in AWS WAF
<a name="web-acl-working-with"></a>

This section explains how to access summaries of web traffic metrics.

For any protection pack (web ACL) that you're using, you can access summaries of the web traffic metrics on the protection pack (web ACL)'s page in the AWS WAF console, under the **Traffic overview** tab. The console dashboards provide near real-time summaries of the Amazon CloudWatch metrics that AWS WAF collects when it evaluates your application web traffic. For more information about the dashboards, see [Traffic overview dashboards for protection packs (web ACLs)](web-acl-dashboards.md). For additional information about monitoring your protection pack (web ACL)'s traffic, see [Monitoring and tuning your AWS WAF protections](web-acl-testing-activities.md).

# Deleting a protection pack (web ACL)
<a name="web-acl-deleting"></a>

This section provides procedures for deleting protection packs (web ACLs) through the AWS console. 

**Important**  
Deleting a protection pack (web ACL) is permanent and can't be undone.

To delete a protection pack (web ACL), you first disassociate all AWS resources from the protection pack (web ACL). Perform the following procedure.

------
#### [ Using the new console ]

1. Sign in to the new AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2-pro](https://console.aws.amazon.com/wafv2-pro). 

1. In the navigation pane, choose **Resources & protection packs (web ACLs)**.

1. In the protection pack (web ACL) card, choose the **Edit** link next to **Resources** to open the **Manage resources** panel.

1. In the **Manage resources** section for the rule group, choose the resource you want to disassociate, and then choose **Disassociate**.
**Note**  
You must disassociate one resource at a time. Do not choose multiple resources. 

1. In the confirmation page, type "disassociate", and then choose **Disassociate**. Repeat to disassociate each resource in the protection pack (web ACL).

1. Choose the protection pack (web ACL) that you want to delete. The console makes the main protection pack (web ACL) card editable, and also opens a side panel with details you can edit.

1. In the details panel, choose the trash can icon.

1. In the confirmation page, type "delete" and then choose **Delete**.

------
#### [ Using the standard console ]

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. In the navigation pane, choose **web ACLs**.

1. Select the name of the web ACL that you want to delete. The console takes you to the web ACL's description, where you can edit it.
**Note**  
If you don't see the web ACL that you want to delete, make sure the Region selection inside the web ACLs section is correct. Any web ACLs that protect Amazon CloudFront distributions are in **Global (CloudFront)**.

1. On the **Associated AWS resources** tab, for each associated resource, select the radio button next to the resource name and then choose **Disassociate**. This disassociates the protection pack (web ACL) from your AWS resources. 

1. In the navigation pane, choose **web ACLs**.

1. Select the radio button next to the web ACL that you are deleting, and then choose **Delete**.

------
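The same procedure, disassociating every resource one at a time and only then deleting, can be scripted against the wafv2 API. The following is an added example of that sequence, not code from this guide or from AWS. It is written against the boto3 wafv2 client's method names and response shapes (`get_web_acl`, `list_resources_for_web_acl`, `disassociate_web_acl`, `delete_web_acl`); `FakeWafClient` is a constructed in-memory stand-in so the example runs offline, and in practice you would pass a real `boto3.client("wafv2")` instead. The resource type names come from the wafv2 API; note that CloudFront distributions cannot be listed or disassociated through these calls, they are detached by clearing the web ACL in the distribution's configuration.

```python
"""Disassociate resources from a REGIONAL protection pack (web ACL), then delete
it. Added example written against the boto3 wafv2 method names; FakeWafClient is
a constructed stand-in for offline use."""
from typing import Dict, List

# Resource types accepted by ListResourcesForWebACL for REGIONAL web ACLs.
REGIONAL_RESOURCE_TYPES = ("APPLICATION_LOAD_BALANCER", "API_GATEWAY", "APPSYNC",
                           "COGNITO_USER_POOL", "APP_RUNNER_SERVICE", "VERIFIED_ACCESS_INSTANCE")


def delete_protection_pack(client, name: str, scope: str, web_acl_id: str,
                           dry_run: bool = True) -> Dict:
    """Disassociate every attached resource one at a time, then delete the web
    ACL. With dry_run (the default) only the plan is returned. CLOUDFRONT scope is
    refused because distributions must be detached through the CloudFront API."""
    if scope != "REGIONAL":
        raise ValueError("only REGIONAL web ACLs are handled; detach CloudFront "
                         "distributions via the distribution configuration first")
    arn = client.get_web_acl(Name=name, Scope=scope, Id=web_acl_id)["WebACL"]["ARN"]
    attached: List[str] = []
    for rtype in REGIONAL_RESOURCE_TYPES:
        resp = client.list_resources_for_web_acl(WebACLArn=arn, ResourceType=rtype)
        attached.extend(resp.get("ResourceArns", []))
    if dry_run:
        return {"would_disassociate": attached, "deleted": False}
    for resource_arn in attached:
        client.disassociate_web_acl(ResourceArn=resource_arn)
    # Re-read to get a current lock token; DeleteWebACL rejects a stale one.
    lock_token = client.get_web_acl(Name=name, Scope=scope, Id=web_acl_id)["LockToken"]
    client.delete_web_acl(Name=name, Scope=scope, Id=web_acl_id, LockToken=lock_token)
    return {"disassociated": attached, "deleted": True}


class FakeWafClient:
    """Constructed stand-in mimicking the subset of the wafv2 client used above.
    It refuses deletion while anything is still associated, as the service does."""

    def __init__(self, arn: str, associations: Dict[str, List[str]]):
        self.arn = arn
        self.associations = {k: list(v) for k, v in associations.items()}
        self.calls: List[str] = []
        self.deleted = False

    def get_web_acl(self, Name, Scope, Id):
        self.calls.append("get_web_acl")
        return {"WebACL": {"Name": Name, "Id": Id, "ARN": self.arn}, "LockToken": "token-1"}

    def list_resources_for_web_acl(self, WebACLArn, ResourceType):
        return {"ResourceArns": list(self.associations.get(ResourceType, []))}

    def disassociate_web_acl(self, ResourceArn):
        self.calls.append(f"disassociate:{ResourceArn}")
        for arns in self.associations.values():
            if ResourceArn in arns:
                arns.remove(ResourceArn)
        return {}

    def delete_web_acl(self, Name, Scope, Id, LockToken):
        if any(self.associations.values()):
            raise RuntimeError("WAFAssociatedItemException: resources still associated")
        self.calls.append("delete_web_acl")
        self.deleted = True
        return {}


if __name__ == "__main__":
    # Constructed placeholder ARNs and identifiers.
    fake = FakeWafClient("arn:aws:wafv2:us-east-1:123456789012:regional/webacl/example/EXAMPLE-ID",
                         {"APPLICATION_LOAD_BALANCER": ["arn:alb-placeholder"],
                          "API_GATEWAY": ["arn:api-placeholder"]})
    print(delete_protection_pack(fake, "example", "REGIONAL", "EXAMPLE-ID"))
    print(delete_protection_pack(fake, "example", "REGIONAL", "EXAMPLE-ID", dry_run=False))
```

Run the dry run first and review the list: because deletion is permanent, the plan is the point at which to confirm that every listed resource is meant to lose its protection.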