How do I use an aggregation key to configure a rate limit rule in AWS WAF?


I want to use aggregation key features to configure a rule that tracks and limits the rate of customer requests in AWS WAF.

Resolution

Use cookies to set a rate limit

For a cookie with a single name and a dynamic value, complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, select the AWS Region where you created your web access control list (web ACL).
    Note: If your web ACL is set up for Amazon CloudFront, then select Global.
  4. Select your web ACL.
  5. Under Rules, choose Add Rules, and then choose Add my own rules and rule groups.
  6. Enter the following values to set up your rule:
    For Rule type, choose Rule Builder.
    For Name, enter a name to identify this rule.
    For Type, choose Rate-based rule.
    For Rate limit, enter a number between 100 and 20,000,000.
    For Evaluation window, select 1, 2, 5, or 10 minutes.
    For Request aggregation, choose Custom keys.
    For Request aggregation key, choose Cookie.
    For Cookie name, enter the name of the cookie whose value AWS WAF should count requests by. Each distinct cookie value gets its own counter.
    (Optional) Choose a text transformation, or choose None.
    For Scope of inspection and rate limiting, choose Consider all requests.
    For Action, choose Block.
  7. Choose Add Rule.
  8. Choose Save.

Use a managed label namespace to set a rate limit

The following example rate limits requests that the Bot Control managed rule group labels as coming from an HTTP library (the CategoryHttpLibrary rule, which adds a label under the awswaf:managed:aws:bot-control:bot:category: namespace). A rate-based rule can aggregate only on labels that a rule earlier in the web ACL has already added. For that reason, the Bot Control rule group must be evaluated before the rate-based rule, and the CategoryHttpLibrary rule is set to Count so that labeled requests reach the rate-based rule instead of being blocked outright.

Set the specific managed rule group to count mode

Complete the following steps:

  1. Open the AWS WAF console.
  2. Go to AWS WAF, and then choose Web ACLs.
  3. For Region, select the Region where you created your web ACL.
    Note: If your web ACL is set up for CloudFront, then select Global.
  4. Select your web ACL.
  5. Under Rules, choose Add Rules, and then choose Add managed rule groups.
  6. Choose AWS managed rule groups.
  7. Under Paid rule groups, for the Bot Control rule set, toggle on Add to web ACL.
  8. Choose Edit.
  9. For Inspection level, select Common.
  10. From the list of rules, for CategoryHttpLibrary (HTTP library), set the action to Count.
  11. Choose Add Rule.
  12. For Set rule priority, make sure the Bot Control rule group has a lower priority number than any rate-based rule that will use its labels, so that AWS WAF evaluates the rule group first.
  13. Choose Save.

Add a custom rule to the web ACL

Complete the following steps:

  1. Under Rules, choose Add Rules, and then choose Add my own rules and rule groups.
  2. Enter the following values to set up your rule:
    For Rule type, choose Rule Builder.
    For Name, enter a name to identify this rule.
    For Type, choose Rate-based rule.
    For Rate limit, enter a number between 100 and 20,000,000.
    For Evaluation window, select 1, 2, 5, or 10 minutes.
    For Request aggregation, choose Custom keys.
    For Request aggregation key, choose Label namespace.
    For Label namespace, enter awswaf:managed:aws:bot-control:bot:category:
    For Scope of inspection and rate limiting, choose Consider all requests.
    For Action, choose Block.
  3. Choose Add Rule.
  4. For Set rule priority, give your custom rule a higher priority number than the Bot Control rule group so that AWS WAF evaluates it after the rule group has added its labels. If the rate-based rule is evaluated first, no request carries the label yet and the rule never counts anything. For more information, see Processing order of rules and rule groups in a web ACL.
  5. Choose Save.

Use IP to set a rate limit

Note: In this example the rate limit is scoped down to requests that carry a specific Host header. Requests whose Host header doesn't match the rule statement aren't counted toward the limit and aren't rate limited by this rule, even if they come from the same source IP address.

For requests that contain a specific host header, such as example.com, complete the following steps:

  1. Open the AWS WAF console.
  2. Go to AWS WAF, and then choose Web ACLs.
  3. For Region, select the Region where you created your web ACL.
    Note: If your web ACL is set up for CloudFront, then select Global.
  4. Select your web ACL.
  5. Under Rules, choose Add Rules, and then choose Add my own rules and rule groups.
  6. Enter the following values to set up your rule:
    For Rule type, choose Rule Builder.
    For Name, enter a name to identify this rule.
    For Type, choose Rate-based rule.
    For Rate limit, enter a number between 100 and 20,000,000.
    For Evaluation window, select 1, 2, 5, or 10 minutes.
    For Request aggregation, choose Source IP Address.
    For Scope of inspection and rate limiting, choose Only consider requests that match the criteria in a rule statement.
    For If a request, choose Matches the statement.
    For Inspect, choose Single header.
    For Header field name, enter Host.
    For Match type, choose Exactly matches string.
    For String to match, enter example.com.
    Note: Replace example.com with the host name that your web ACL protects.
    (Optional) Choose a text transformation or choose None.
    For Action, choose Block.
  7. Choose Add rule.
  8. Choose Save.
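The same three rules, expressed as the wafv2 rule JSON that the console builds behind the scenes, are useful when you manage the web ACL with the AWS CLI, CloudFormation, or Terraform, and they make the ordering requirement for the label-namespace rule checkable. The following is added example code written for this page, not code from the AWS article: the JSON shapes (RateBasedStatement, CustomKeys, ScopeDownStatement, ManagedRuleGroupStatement with RuleActionOverrides) are the wafv2 API, while the rule names, MetricNames, the cookie name "session-id", the 1000-request limit and the 5-minute window are assumptions chosen for the example.

```python
"""wafv2 rule JSON for the three console procedures above, plus an ordering check.
Added example code; rule names, MetricNames, "session-id", the limit of 1000
and the 300-second window are assumptions, not values from the AWS article.
Output can be passed to: aws wafv2 update-web-acl --rules file://rules.json
"""
import json

VISIBILITY = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True}
NO_TRANSFORM = [{"Priority": 0, "Type": "NONE"}]  # console "Text transformation: None"


def _rule(name, priority, statement, action=None, override=None):
    """Wrap a statement in a Rule. Rule group references take OverrideAction;
    everything else takes Action (Block by default, as in the article)."""
    rule = {"Name": name, "Priority": priority, "Statement": statement,
            "VisibilityConfig": {**VISIBILITY, "MetricName": name}}
    if override is not None:
        rule["OverrideAction"] = override
    else:
        rule["Action"] = action if action is not None else {"Block": {}}
    return rule


def _rate_statement(limit, window_sec, key_type, custom_keys=None, scope_down=None):
    """RateBasedStatement. The window must be 60/120/300/600 seconds,
    matching the console's 1, 2, 5 or 10 minute choices."""
    if window_sec not in (60, 120, 300, 600):
        raise ValueError("EvaluationWindowSec must be 60, 120, 300 or 600")
    stmt = {"Limit": limit, "EvaluationWindowSec": window_sec, "AggregateKeyType": key_type}
    if custom_keys:
        stmt["CustomKeys"] = custom_keys
    if scope_down:
        stmt["ScopeDownStatement"] = scope_down
    return {"RateBasedStatement": stmt}


def cookie_rate_rule(priority, cookie_name="session-id", limit=1000, window_sec=300):
    """'Use cookies': one counter per distinct value of the named cookie."""
    keys = [{"Cookie": {"Name": cookie_name, "TextTransformations": NO_TRANSFORM}}]
    return _rule("RateLimitPerCookie", priority,
                 _rate_statement(limit, window_sec, "CUSTOM_KEYS", custom_keys=keys))


def bot_control_group(priority):
    """Bot Control at COMMON inspection level with CategoryHttpLibrary set to Count,
    so the request still gets its bot:category label but is not blocked here."""
    statement = {"ManagedRuleGroupStatement": {
        "VendorName": "AWS", "Name": "AWSManagedRulesBotControlRuleSet",
        "ManagedRuleGroupConfigs": [
            {"AWSManagedRulesBotControlRuleSet": {"InspectionLevel": "COMMON"}}],
        "RuleActionOverrides": [
            {"Name": "CategoryHttpLibrary", "ActionToUse": {"Count": {}}}]}}
    return _rule("AWS-AWSManagedRulesBotControlRuleSet", priority, statement,
                 override={"None": {}})


def label_namespace_rate_rule(priority, limit=1000, window_sec=300):
    """'Use a managed label namespace': one counter per label under the Bot
    Control bot:category: namespace (http_library, monitoring, ...)."""
    keys = [{"LabelNamespace": {"Namespace": "awswaf:managed:aws:bot-control:bot:category:"}}]
    return _rule("RateLimitPerBotCategory", priority,
                 _rate_statement(limit, window_sec, "CUSTOM_KEYS", custom_keys=keys))


def ip_rate_rule_for_host(priority, host="example.com", limit=1000, window_sec=300):
    """'Use IP': per-source-IP counter, scoped down to requests whose Host header
    is exactly `host`. Requests with any other Host are not counted by this rule."""
    scope_down = {"ByteMatchStatement": {
        "FieldToMatch": {"SingleHeader": {"Name": "host"}},
        "PositionalConstraint": "EXACTLY",
        "SearchString": host,  # plain string in CLI JSON; boto3 expects bytes
        "TextTransformations": NO_TRANSFORM}}
    return _rule("RateLimitPerIpForHost", priority,
                 _rate_statement(limit, window_sec, "IP", scope_down=scope_down))


def build_web_acl_rules():
    """Rules in evaluation order: Bot Control gets the lowest Priority number so
    its labels exist before the label-keyed rate rule is evaluated."""
    return [bot_control_group(0), label_namespace_rate_rule(1),
            cookie_rate_rule(2), ip_rate_rule_for_host(3)]


def label_rules_run_after_groups(rules):
    """True only if every rate-based rule keyed on a label namespace has a higher
    Priority number (is evaluated later) than every managed rule group reference."""
    group_priorities = [r["Priority"] for r in rules
                        if "ManagedRuleGroupStatement" in r["Statement"]]
    for r in rules:
        rb = r["Statement"].get("RateBasedStatement", {})
        if any("LabelNamespace" in k for k in rb.get("CustomKeys", [])):
            if any(r["Priority"] <= p for p in group_priorities):
                return False
    return True


if __name__ == "__main__":
    rules = build_web_acl_rules()
    assert label_rules_run_after_groups(rules)
    print(json.dumps(rules, indent=2))
```

Run the script to print the rule list, or import it and call `label_rules_run_after_groups()` against rules pulled from `aws wafv2 get-web-acl` to confirm that a label-keyed rate rule really does sit after the rule group that emits the label. Priority numbers within a web ACL must be unique, and Bot Control is a paid rule group, so adding `bot_control_group()` to a web ACL incurs its own charge.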
AWS OFFICIAL, updated a month ago