How do I use AWS WAF to allow or block requests from a specific country or geolocation?

3 minute read

I want to use AWS WAF to allow or block requests from a specific country or geolocation.

Short description

To block access to your site from specific countries or allow access only to specific countries, use the Geographic match rule statement.

First, add a geographic match rule statement to allow web requests from the countries that you want to allow. Then, add a second geographic match rule statement for the countries that you want to block.

Note: If you use Amazon CloudFront geographic restriction to block a country's access to your content, then any request from that country is blocked. The requests aren't forwarded to AWS WAF. To use AWS WAF criteria to allow or block requests based on geography, use an AWS WAF geographic match rule statement instead.

Resolution

To use AWS WAF to allow or block requests from a specific country or geolocation, complete the following steps:

Open the AWS WAF console.
In the navigation pane, under AWS WAF, choose Web ACLs.
For Region, select the AWS Region where you created your web access control list (web ACL).
Note: If your web ACL is set up for CloudFront, then select Global.
Select your web ACL.
Under Rules, choose Add Rules, and then choose Add my own rules and rule groups.
For Rule Builder, enter a name for your rule.
For If a request, choose matches the statement.
For Choose an inspection option, choose Originates from a country.
For Choose country codes, choose the country that you want to allow or block.
(Optional) Choose Source IP address or IP address in header to define the request's country of origin.
Warning: When a request routes through a content delivery network (CDN) or other proxy network, the source IP address identifies the proxy. In this case, the original IP address is sent in a header. Proxies can inconsistently manage headers and modify them to bypass inspection.
For Action, choose either Allow or Block.
Note: If the default action is Block, then set the rule's action to Allow. Note that this configuration doesn't allow AWS WAF to inspect requests. If the default action is Allow, then set the rule's action to Block and add a NOT statement that specifies countries not to block.
Choose Add Rule.
(Optional) For Set Rule Priority, select your rule, and then set its priority. For more information, see Processing order of rules and rule groups in a web ACL.
Choose Save.

Topics

Security, Identity, & Compliance

Relevant content

AWS S3 - File access only allowed when coming from a specific domain
Keith
asked 2 years ago
SNS block send SMS for specific countries
AWS-User-3361211
asked 2 years ago
AWS WAF efficient rule for allowing specific IPs and Countries for specific URLs
AWS-User-0338648
asked 2 years ago
SNS block send SMS for specific countries
Alex
asked a year ago
How to block the request from a particular country using WAF
Athavan Theivendram
asked 2 months ago
How do I allow outbound dialing to specific countries in my Amazon Connect instance?
AWS OFFICIALUpdated a year ago
How do I allow requests from a bot that's blocked by an AWS WAF Bot Control rule group?
AWS OFFICIALUpdated 16 days ago
How do I configure my Network Firewall rules to block or allow specific domains?
AWS OFFICIALUpdated a year ago
How do I use AWS WAF to allow or block access to specific URI paths?
AWS OFFICIALUpdated 8 days ago
Allow Listing in AWS Security Groups
EXPERT
Rob_H
published 2 years ago