This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::WAF::Rule **Note** This is **AWS WAF Classic** documentation. For more information, see [AWS WAF Classic](https://docs.aws.amazon.com/waf/latest/developerguide/classic-waf-chapter.html) in the developer guide. **For the latest version of AWS WAF**, use the AWS WAFV2 API and see the [AWS WAF Developer Guide](https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). With the latest version, AWS WAF has a single set of endpoints for regional and global use. A combination of `ByteMatchSet`, `IPSet`, and/or `SqlInjectionMatchSet` objects that identify the web requests that you want to allow, block, or count. For example, you might create a `Rule` that includes the following predicates: + An `IPSet` that causes AWS WAF to search for web requests that originate from the IP address `192.0.2.44` + A `ByteMatchSet` that causes AWS WAF to search for web requests for which the value of the `User-Agent` header is `BadBot`. To match the settings in this `Rule`, a request must originate from `192.0.2.44` AND include a `User-Agent` header for which the value is `BadBot`. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::WAF::Rule", "Properties" : { "[MetricName](#cfn-waf-rule-metricname)" : String, "[Name](#cfn-waf-rule-name)" : String, "[Predicates](#cfn-waf-rule-predicates)" : [ Predicate, ... ] } } ``` ### YAML ``` Type: AWS::WAF::Rule Properties: [MetricName](#cfn-waf-rule-metricname): String [Name](#cfn-waf-rule-name): String [Predicates](#cfn-waf-rule-predicates): - Predicate ``` ## Properties `MetricName` The name of the metrics for this `Rule`. The name can contain only alphanumeric characters (A-Z, a-z, 0-9), with maximum length 128 and minimum length one. It can't contain whitespace or metric names reserved for AWS WAF, including "All" and "Default\$1Action." You can't change `MetricName` after you create the `Rule`. *Required*: Yes *Type*: String *Pattern*: `.*\S.*` *Minimum*: `1` *Maximum*: `128` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `Name` The friendly name or description for the `Rule`. You can't change the name of a `Rule` after you create it. *Required*: Yes *Type*: String *Pattern*: `.*\S.*` *Minimum*: `1` *Maximum*: `128` *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `Predicates` The `Predicates` object contains one `Predicate` element for each `ByteMatchSet`, `IPSet`, or `SqlInjectionMatchSet` object that you want to include in a `Rule`. *Required*: No *Type*: Array of [Predicate](aws-properties-waf-rule-predicate.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the resource physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456. For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt ## Examples ### Associate an IPSet with a Web ACL Rule The following example associates the `MyIPSetDenylist``IPSet` object with a web ACL rule. #### JSON ``` "MyIPSetRule" : { "Type": "AWS::WAF::Rule", "Properties": { "Name": "MyIPSetRule", "MetricName" : "MyIPSetRule", "Predicates": [ { "DataId" : { "Ref" : "MyIPSetDenylist" }, "Negated" : false, "Type" : "IPMatch" } ] } } ``` #### YAML ``` MyIPSetRule: Type: "AWS::WAF::Rule" Properties: Name: "MyIPSetRule" MetricName: "MyIPSetRule" Predicates: - DataId: Ref: "MyIPSetDenylist" Negated: false Type: "IPMatch" ``` # AWS::WAF::Rule Predicate Specifies the `ByteMatchSet`, `IPSet`, `SqlInjectionMatchSet`, `XssMatchSet`, `RegexMatchSet`, `GeoMatchSet`, and `SizeConstraintSet` objects that you want to add to a `Rule` and, for each object, indicates whether you want to negate the settings, for example, requests that do NOT originate from the IP address 192.0.2.44. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "[DataId](#cfn-waf-rule-predicate-dataid)" : String, "[Negated](#cfn-waf-rule-predicate-negated)" : Boolean, "[Type](#cfn-waf-rule-predicate-type)" : String } ``` ### YAML ``` [DataId](#cfn-waf-rule-predicate-dataid): String [Negated](#cfn-waf-rule-predicate-negated): Boolean [Type](#cfn-waf-rule-predicate-type): String ``` ## Properties `DataId` A unique identifier for a predicate in a `Rule`, such as `ByteMatchSetId` or `IPSetId`. The ID is returned by the corresponding `Create` or `List` command. *Required*: Yes *Type*: String *Pattern*: `.*\S.*` *Minimum*: `1` *Maximum*: `128` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Negated` Set `Negated` to `False` if you want AWS WAF to allow, block, or count requests based on the settings in the specified `ByteMatchSet`, `IPSet`, `SqlInjectionMatchSet`, `XssMatchSet`, `RegexMatchSet`, `GeoMatchSet`, or `SizeConstraintSet`. For example, if an `IPSet` includes the IP address `192.0.2.44`, AWS WAF will allow or block requests based on that IP address. Set `Negated` to `True` if you want AWS WAF to allow or block a request based on the negation of the settings in the `ByteMatchSet`, `IPSet`, `SqlInjectionMatchSet`, `XssMatchSet`, `RegexMatchSet`, `GeoMatchSet`, or `SizeConstraintSet`. For example, if an `IPSet` includes the IP address `192.0.2.44`, AWS WAF will allow, block, or count requests based on all IP addresses *except*`192.0.2.44`. *Required*: Yes *Type*: Boolean *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Type` The type of predicate in a `Rule`, such as `ByteMatch` or `IPSet`. *Required*: Yes *Type*: String *Allowed values*: `IPMatch | ByteMatch | SqlInjectionMatch | GeoMatch | SizeConstraint | XssMatch | RegexMatch` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt)