How to use AWS WAF labels to fine tune webACL?

AWS WAF labels provide a flexible way to tag and manage requests, Here are a few key points:

• Labels are simple string values when requests matches a specific rule within a WebACL.
• Labels are generated at the individual rule level within a Rule Group. This applies to both AWS Managed Rule Groups (AMRs) and customer rules.
• AWS WAF processes rules in priority order, from the lowest to the highest number. Labels created for a rule in lower number can be used for other rules in higher priority number within the same WebACL The most effective way to leverage labels in AWS WAF is to create labels in lower-priority rules with non-terminating actions (like "Count" or "Challenge"), and then use higher-priority rules to match against those labels and take the desired action (such as "Block").

Use Case 1: Block requests based on geolocation at the city level

When you choose Geo match statement, it will only list the countries. If you want to block at city level, for example: block requests from New York City and New Jessey, while allowing the rest of the United States, you can follow these steps:

1. Create a rule that inspects requests coming from the USA, and set the action to "Count" as a non-terminating action.

Note: AWS WAF counts the request but does not determine whether to allow it or block it. This is a non-terminating action. AWS WAF continues processing the remaining rules in the web ACL.

2. Create another rule that inspects requests with the region codes "US-NJ" or "US-NY" using an OR statement. Set the action to "Block" if a request matches either of the labels: awswaf:clientip:geo:region:US-NJ or awswaf:clientip:geo:region:US-NY

3. Ensure that the rule using the Geo Match statement has a lower priority number (higher precedence) than the blocking rule.

Use Case 2: Use custom label in WAF rate limit rule

A rate-based rule aggregates and rate limits requests based on the request IP address. However, you can use "Customer Aggregation Keys" to aggregate and rate limit requests based on custom labels.

1. Create a labeling rule that inspects requests based on your desired match statement, and set the action to "Count" with a custom label (e.g., my:customer:label1).

2. In the AWS WAF logs, you will find the label in the format: awswaf:<account ID>:webacl:<your webACL name>:<custom namespace>:<label name>.

3. Create a rate-based rule, select "Custom keys" as the Request Aggregation, and enter the label from the WAF log (excluding the label name after the colon) in the Label namespace field. The correct format is: awswaf:<your account>:webacl:<webACL name>:<namespace>:. Please make sure the string ended with ':'

4. Ensure that the rate-based rule has a higher priority number (lower precedence) than the labeling rule.

Use Case 3: Mitigate any Managed Rule false positive

There are two ways to mitigate false positives caused by AWS Managed Rules:

1. Scope down statements to exclude legitimate requests from evaluations.
2. Use labeling.

Using labels is a more granular approach that allows you to modify the behavior of specific rule statements within the AWS Managed Rule Group.

1. Override the rule to "Count" as a non-terminating action.

2. Add a custom rule with the following logic:

IF Has a label from the overridden rule 
AND
Not Match <legitimate requests> 
THEN Block

By following these use cases and leveraging AWS WAF labels effectively, you can fine-tune your Web ACLs to achieve better security while reducing false positives and maintaining legitimate traffic flow.

References: https://repost.aws/knowledge-center/waf-detect-false-positives-from-amrs