# UpdateRateBasedRule
**Note**
AWS WAF Classic support will end on September 30, 2025.
This is ** AWS WAF Classic** documentation. For more information, see [AWS WAF Classic](https://docs.aws.amazon.com/waf/latest/developerguide/classic-waf-chapter.html) in the developer guide.
**For the latest version of AWS WAF **, use the AWS WAFV2 API and see the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). With the latest version, AWS WAF has a single set of endpoints for regional and global use.
Inserts or deletes [Predicate](API_waf_Predicate.md) objects in a rule and updates the `RateLimit` in the rule.
Each `Predicate` object identifies a predicate, such as a [ByteMatchSet](API_waf_ByteMatchSet.md) or an [IPSet](API_waf_IPSet.md), that specifies the web requests that you want to block or count. The `RateLimit` specifies the number of requests every five minutes that triggers the rule.
If you add more than one predicate to a `RateBasedRule`, a request must match all the predicates and exceed the `RateLimit` to be counted or blocked. For example, suppose you add the following to a `RateBasedRule`:
+ An `IPSet` that matches the IP address `192.0.2.44/32`
+ A `ByteMatchSet` that matches `BadBot` in the `User-Agent` header
Further, you specify a `RateLimit` of 1,000.
You then add the `RateBasedRule` to a `WebACL` and specify that you want to block requests that satisfy the rule. For a request to be blocked, it must come from the IP address 192.0.2.44 *and* the `User-Agent` header in the request must contain the value `BadBot`. Further, requests that match these two conditions much be received at a rate of more than 1,000 every five minutes. If the rate drops below this limit, AWS WAF no longer blocks the requests.
As a second example, suppose you want to limit requests to a particular page on your site. To do this, you could add the following to a `RateBasedRule`:
+ A `ByteMatchSet` with `FieldToMatch` of `URI`
+ A `PositionalConstraint` of `STARTS_WITH`
+ A `TargetString` of `login`
Further, you specify a `RateLimit` of 1,000.
By adding this `RateBasedRule` to a `WebACL`, you could limit requests to your login page without affecting the rest of your site.
## Request Syntax
```
{
"ChangeToken": "string",
"RateLimit": number,
"RuleId": "string",
"Updates": [
{
"Action": "string",
"Predicate": {
"DataId": "string",
"Negated": boolean,
"Type": "string"
}
}
]
}
```
## Request Parameters
For information about the parameters that are common to all actions, see [Common Parameters](CommonParameters.md).
The request accepts the following data in JSON format.
** [ChangeToken](#API_waf_UpdateRateBasedRule_RequestSyntax) **
The value returned by the most recent call to [GetChangeToken](API_waf_GetChangeToken.md).
Type: String
Length Constraints: Minimum length of 1. Maximum length of 128.
Pattern: `.*\S.*`
Required: Yes
** [RateLimit](#API_waf_UpdateRateBasedRule_RequestSyntax) **
The maximum number of requests, which have an identical value in the field specified by the `RateKey`, allowed in a five-minute period. If the number of requests exceeds the `RateLimit` and the other predicates specified in the rule are also met, AWS WAF triggers the action that is specified for this rule.
Type: Long
Valid Range: Minimum value of 100. Maximum value of 2000000000.
Required: Yes
** [RuleId](#API_waf_UpdateRateBasedRule_RequestSyntax) **
The `RuleId` of the `RateBasedRule` that you want to update. `RuleId` is returned by `CreateRateBasedRule` and by [ListRateBasedRules](API_waf_ListRateBasedRules.md).
Type: String
Length Constraints: Minimum length of 1. Maximum length of 128.
Pattern: `.*\S.*`
Required: Yes
** [Updates](#API_waf_UpdateRateBasedRule_RequestSyntax) **
An array of `RuleUpdate` objects that you want to insert into or delete from a [RateBasedRule](API_waf_RateBasedRule.md).
Type: Array of [RuleUpdate](API_waf_RuleUpdate.md) objects
Required: Yes
## Response Syntax
```
{
"ChangeToken": "string"
}
```
## Response Elements
If the action is successful, the service sends back an HTTP 200 response.
The following data is returned in JSON format by the service.
** [ChangeToken](#API_waf_UpdateRateBasedRule_ResponseSyntax) **
The `ChangeToken` that you used to submit the `UpdateRateBasedRule` request. You can also use this value to query the status of the request. For more information, see [GetChangeTokenStatus](API_waf_GetChangeTokenStatus.md).
Type: String
Length Constraints: Minimum length of 1. Maximum length of 128.
Pattern: `.*\S.*`
## Errors
For information about the errors that are common to all actions, see [Common Error Types](CommonErrors.md).
** WAFInternalErrorException **
The operation failed because of a system problem, even though the request was valid. Retry your request.
HTTP Status Code: 500
** WAFInvalidAccountException **
The operation failed because you tried to create, update, or delete an object by using an invalid account identifier.
HTTP Status Code: 400
** WAFInvalidOperationException **
The operation failed because there was nothing to do. For example:
+ You tried to remove a `Rule` from a `WebACL`, but the `Rule` isn't in the specified `WebACL`.
+ You tried to remove an IP address from an `IPSet`, but the IP address isn't in the specified `IPSet`.
+ You tried to remove a `ByteMatchTuple` from a `ByteMatchSet`, but the `ByteMatchTuple` isn't in the specified `WebACL`.
+ You tried to add a `Rule` to a `WebACL`, but the `Rule` already exists in the specified `WebACL`.
+ You tried to add a `ByteMatchTuple` to a `ByteMatchSet`, but the `ByteMatchTuple` already exists in the specified `WebACL`.
HTTP Status Code: 400
** WAFInvalidParameterException **
The operation failed because AWS WAF didn't recognize a parameter in the request. For example:
+ You specified an invalid parameter name.
+ You specified an invalid value.
+ You tried to update an object (`ByteMatchSet`, `IPSet`, `Rule`, or `WebACL`) using an action other than `INSERT` or `DELETE`.
+ You tried to create a `WebACL` with a `DefaultAction` `Type` other than `ALLOW`, `BLOCK`, or `COUNT`.
+ You tried to create a `RateBasedRule` with a `RateKey` value other than `IP`.
+ You tried to update a `WebACL` with a `WafAction` `Type` other than `ALLOW`, `BLOCK`, or `COUNT`.
+ You tried to update a `ByteMatchSet` with a `FieldToMatch` `Type` other than HEADER, METHOD, QUERY\$1STRING, URI, or BODY.
+ You tried to update a `ByteMatchSet` with a `Field` of `HEADER` but no value for `Data`.
+ Your request references an ARN that is malformed, or corresponds to a resource with which a web ACL cannot be associated.
HTTP Status Code: 400
** WAFLimitsExceededException **
The operation exceeds a resource limit, for example, the maximum number of `WebACL` objects that you can create for an AWS account. For more information, see [AWS WAF Classic quotas](https://docs.aws.amazon.com/waf/latest/developerguide/classic-limits.html) in the * AWS WAF Developer Guide*.
HTTP Status Code: 400
** WAFNonexistentContainerException **
The operation failed because you tried to add an object to or delete an object from another object that doesn't exist. For example:
+ You tried to add a `Rule` to or delete a `Rule` from a `WebACL` that doesn't exist.
+ You tried to add a `ByteMatchSet` to or delete a `ByteMatchSet` from a `Rule` that doesn't exist.
+ You tried to add an IP address to or delete an IP address from an `IPSet` that doesn't exist.
+ You tried to add a `ByteMatchTuple` to or delete a `ByteMatchTuple` from a `ByteMatchSet` that doesn't exist.
HTTP Status Code: 400
** WAFNonexistentItemException **
The operation failed because the referenced object doesn't exist.
HTTP Status Code: 400
** WAFReferencedItemException **
The operation failed because you tried to delete an object that is still in use. For example:
+ You tried to delete a `ByteMatchSet` that is still referenced by a `Rule`.
+ You tried to delete a `Rule` that is still referenced by a `WebACL`.
HTTP Status Code: 400
** WAFStaleDataException **
The operation failed because you tried to create, update, or delete an object by using a change token that has already been used.
HTTP Status Code: 400
## See Also
For more information about using this API in one of the language-specific AWS SDKs, see the following:
+ [AWS Command Line Interface V2](https://docs.aws.amazon.com/goto/cli2/waf-2015-08-24/UpdateRateBasedRule)
+ [AWS SDK for .NET V4](https://docs.aws.amazon.com/goto/DotNetSDKV4/waf-2015-08-24/UpdateRateBasedRule)
+ [AWS SDK for C\$1\$1](https://docs.aws.amazon.com/goto/SdkForCpp/waf-2015-08-24/UpdateRateBasedRule)
+ [AWS SDK for Go v2](https://docs.aws.amazon.com/goto/SdkForGoV2/waf-2015-08-24/UpdateRateBasedRule)
+ [AWS SDK for Java V2](https://docs.aws.amazon.com/goto/SdkForJavaV2/waf-2015-08-24/UpdateRateBasedRule)
+ [AWS SDK for JavaScript V3](https://docs.aws.amazon.com/goto/SdkForJavaScriptV3/waf-2015-08-24/UpdateRateBasedRule)
+ [AWS SDK for Kotlin](https://docs.aws.amazon.com/goto/SdkForKotlin/waf-2015-08-24/UpdateRateBasedRule)
+ [AWS SDK for PHP V3](https://docs.aws.amazon.com/goto/SdkForPHPV3/waf-2015-08-24/UpdateRateBasedRule)
+ [AWS SDK for Python](https://docs.aws.amazon.com/goto/boto3/waf-2015-08-24/UpdateRateBasedRule)
+ [AWS SDK for Ruby V3](https://docs.aws.amazon.com/goto/SdkForRubyV3/waf-2015-08-24/UpdateRateBasedRule)