**Introducing a new console experience for AWS WAF**

You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html). 

# Label syntax and naming requirements in AWS WAF
Label syntax and naming requirements

This section explains how to construct and match against an AWS WAF label.

A label is a string made up of a prefix, optional namespaces, and a name. The components of a label are delimited with a colon. Labels have the following requirements and characteristics:
+ Labels are case-sensitive. 
+ Each label namespace or label name can have up to 128 characters. 
+ You can specify up to five namespaces in a label. 
+ Components of a label are separated by colon (`:`).
+ You can't use the following reserved strings in the namespaces or name that you specify for a label: `awswaf`, `aws`, `waf`, `rulegroup`, `webacl`, `regexpatternset`, `ipset`, and `managed`.

## Label syntax


A fully qualified label has a prefix, optional namespaces, and label name. The prefix identifies the rule group or protection pack (web ACL) context of the rule that added the label. Namespaces might be used to add more context for the label. The label name provides the lowest level of detail for a label. It often indicates the specific rule that added the label to the request. 

The label prefix varies depending on its origin. 
+ **Your labels** – The following shows the full label syntax for labels that you create in your protection pack (web ACL) and rule group rules. The entity types are `rulegroup` and `webacl`.

  ```
  awswaf:<entity owner account id>:<entity type>:<entity name>:<custom namespace>:...:<label name>
  ```
  + Label namespace prefix: `awswaf:<entity owner account id>:<entity type>:<entity name>:`
  + Custom namespace additions: `<custom namespace>:…:`

  When you define a label for a rule in a rule group or protection pack (web ACL), you control the custom namespace strings and the label name. The rest is generated for you by AWS WAF. AWS WAF automatically prefixes all labels with `awswaf` and the account and protection pack (web ACL) or rule group entity settings.
+ **Managed rule group labels** – The following shows the full label syntax for labels that are created by rules in managed rule groups. 

  ```
  awswaf:managed:<vendor>:<rule group name>:<custom namespace>:...:<label name>
  ```
  + Label namespace prefix: `awswaf:managed:<vendor>:<rule group name>:`
  + Custom namespace additions: `<custom namespace>:…:`

  All AWS Managed Rules rule groups add labels. For information about managed rule groups, see [Using managed rule groups in AWS WAF](waf-managed-rule-groups.md). 
+ **Labels from other AWS processes** – These processes are used by AWS Managed Rules rule groups, so you see them added to web requests that you evaluate using managed rule groups. The following shows the full label syntax for labels that are created by processes that are called by managed rule groups. 

  ```
  awswaf:managed:<process>:<custom namespace>:...:<label name>
  ```
  + Label namespace prefix: `awswaf:managed:<process>:`
  + Custom namespace additions: `<custom namespace>:…:`

  Labels of this type are listed for the managed rule groups that call the AWS process. For information about managed rule groups, see [Using managed rule groups in AWS WAF](waf-managed-rule-groups.md). 

## Label examples for your rules


The following example labels are defined by rules in a rule group named `testRules` that belongs to the account, 111122223333. 

```
awswaf:111122223333:rulegroup:testRules:testNS1:testNS2:LabelNameA
```

```
awswaf:111122223333:rulegroup:testRules:testNS1:LabelNameQ
```

```
awswaf:111122223333:rulegroup:testRules:LabelNameZ
```

The following listing shows an example label specification in JSON. These label names include custom namespace strings before the ending label name. 

```
Rule: {
    Name: "label_rule",
    Statement: {...}
    RuleLabels: [
        Name: "header:encoding:utf8",
        Name: "header:user_agent:firefox"
    ],
    Action: { Count: {} }
}
```

**Note**  
You can access this type of listing in the console through the rule JSON editor. 

If you run the preceding rule in the same rule group and account as the preceding label examples, the resulting, fully qualified labels would be the following: 

```
awswaf:111122223333:rulegroup:testRules:header:encoding:utf8
```

```
awswaf:111122223333:rulegroup:testRules:header:user_agent:firefox
```

## Label examples for managed rule groups


The following show example labels from AWS Managed Rules rule groups and processes that they invoke.

```
awswaf:managed:aws:core-rule-set:NoUserAgent_Header
```

```
awswaf:managed:aws:sql-database:SQLiExtendedPatterns_QueryArguments
```

```
awswaf:managed:aws:atp:aggregate:attribute:compromised_credentials
```

```
awswaf:managed:token:accepted
```