How do I apply a rate limit on a specific request parameter or URI in AWS WAF?


I want to apply a rate limit on a specific request parameter or URI in AWS WAF.

Resolution

To apply a rate limit on a specific request parameter or URI in AWS WAF, complete the following steps. Both procedures create a rate-based rule that counts only the requests that match a scope-down statement, so the limit applies to that subset of traffic rather than to every request that reaches the web ACL.

Add a rate limit to a specific URI

Complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, choose AWS WAF, and then choose Web ACLs.
  3. Select your web access control list (web ACL).
  4. Under Rules, choose Add rules, and then choose Add my own rules and rule groups.
  5. Add the following values to set up your rule:
    For Rule Type, choose Rule builder.
    For Name, enter your rule name.
    For Type, choose Rate-based rule.
    For Rate limit, enter a number between 100 and 20,000,000.
    For Evaluation window, enter 1, 2, 5, or 10 minutes.
    For Request aggregation, if you want to rate limit based on the client IP field, then select Source IP address. If you want to rate limit based on the IP address in the header, then select IP address in header. Note: If your traffic comes through a proxy or a content delivery network (CDN), then use IP address in header, because the source IP that AWS WAF sees is the proxy's address. AWS WAF uses the first IP address in the header (X-Forwarded-For by default), and a client can set that header itself, so rely on it only when all traffic reaches the web ACL through a proxy that you control. Also choose a fallback behavior for requests whose header is missing or invalid. For more information, see Forwarded IP address.
    For Scope of inspection and rate limiting, select Only consider requests that match the criteria in a rule statement.
    For If a request, select matches the statement. If you want to add multiple URI path conditions, then select matches at least one of the statements (OR).
  6. For Statement details, complete the following fields:
    For Inspect, choose URI path.
    For Match type, choose Contains string. Note: Contains string also matches paths such as /static/admin.css. To limit the rule to a path prefix, choose Starts with string instead.
    For String to match, enter /admin. Note: Replace /admin with your URI path.
    For Text transformation, choose None. Note: With no transformation, AWS WAF compares the raw path, so encoded or non-normalized variants such as /%61dmin or /./admin don't match the rule. If clients can reach the path in those forms, add the URL decode and Normalize path transformations.
  7. For Action, choose Block.
  8. Choose Add rule.
  9. For Set Rule Priority, select your rule and then update its priority. For more information, see Processing order of rules and rule groups in a web ACL.
  10. Choose Save.

Exclude specific IP addresses from rate limit rules

Complete the following steps:

  1. Create an IP set that contains all the IP addresses that you don't want to rate limit.
  2. Open the AWS WAF console.
  3. In the navigation pane, choose AWS WAF, and then choose Web ACLs.
  4. Select your web ACL.
  5. Under Rules, choose Add rules, and then select Add my own rules and rule groups.
  6. Add the following values to set up your rule:
    For Rule type, choose Rule builder.
    For Name, enter your rule name.
    For Type, choose Rate-based rule.
    For Rate limit, enter a number between 100 and 20,000,000.
    For Evaluation window, enter 1, 2, 5, or 10 minutes.
    For Request aggregation, if you want to rate limit based on the client IP field, then select Source IP address. If you want to rate limit based on the IP address in the header, then select IP address in header. Note: If your traffic comes through a proxy or a CDN, then use IP address in header. For more information, see Forwarded IP address.
    For Scope of inspection and rate limiting, select Only consider requests that match the criteria in a rule statement.
    Under If a request, select Doesn't match the statement (NOT).
  7. For Statement details, complete the following fields:
    For Inspect, choose Originates from an IP address in.
    For IP set, select your IP set.
    For IP address to use for rate limiting, if you want to rate limit based on the client IP field, then select Source IP address. If you want to rate limit based on the IP address in the header, then select IP address in header.
  8. For Action, choose Block.
  9. Choose Add rule.
  10. For Set Rule Priority, select your rule and then update its priority. For more information, see Processing order of rules and rule groups in a web ACL.
  11. Choose Save.
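The console steps in both procedures above produce an AWS WAFv2 rule object. The following added example, which is not part of the Knowledge Center article, builds those two rule objects with the boto3 parameter shapes (a rate-based statement whose scope-down statement is either a URI path match or a NOT IP-set reference) and appends them to an existing web ACL. The rule names, the IP set ARN, the web ACL name and ID, and the `attach_rules` helper are placeholders for illustration; the `behind_proxy` switch corresponds to the console's "IP address in header" choice.

```python
"""Added example (not from the AWS article): build the two rate-based rules
described above as AWS WAFv2 API structures and attach them to a web ACL."""
from __future__ import annotations

import json
from typing import Any

# Evaluation windows offered by the console (1, 2, 5, 10 minutes), in seconds,
# and the rate limit range the article gives.
EVALUATION_WINDOWS_SEC = {60, 120, 300, 600}
RATE_LIMIT_MIN, RATE_LIMIT_MAX = 100, 20_000_000


def _rate_based(name: str, priority: int, limit: int, window_sec: int,
                scope_down: dict[str, Any], behind_proxy: bool) -> dict[str, Any]:
    """Shared scaffold: a blocking rate-based rule that counts only requests
    matching scope_down ("Only consider requests that match the criteria in a
    rule statement" in the console)."""
    if not RATE_LIMIT_MIN <= limit <= RATE_LIMIT_MAX:
        raise ValueError(f"rate limit must be between {RATE_LIMIT_MIN} and {RATE_LIMIT_MAX}")
    if window_sec not in EVALUATION_WINDOWS_SEC:
        raise ValueError(f"evaluation window must be one of {sorted(EVALUATION_WINDOWS_SEC)}")
    statement: dict[str, Any] = {
        "Limit": limit,
        "EvaluationWindowSec": window_sec,
        # "Source IP address" vs "IP address in header" in the console.
        "AggregateKeyType": "FORWARDED_IP" if behind_proxy else "IP",
        "ScopeDownStatement": scope_down,
    }
    if behind_proxy:
        # AWS WAF reads the first address in X-Forwarded-For. Only trust it when
        # every request reaches the web ACL through a proxy you control.
        # MATCH applies the rule action to requests whose header is missing or
        # malformed; NO_MATCH lets them through uncounted.
        statement["ForwardedIPConfig"] = {"HeaderName": "X-Forwarded-For",
                                          "FallbackBehavior": "MATCH"}
    return {
        "Name": name,
        "Priority": priority,
        "Statement": {"RateBasedStatement": statement},
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }


def uri_rate_limit_rule(uri: str = "/admin", limit: int = 100, window_sec: int = 300,
                        priority: int = 0, behind_proxy: bool = False,
                        positional_constraint: str = "STARTS_WITH",
                        name: str = "rate-limit-admin-path") -> dict[str, Any]:
    """Section "Add a rate limit to a specific URI". The article uses Contains
    string (CONTAINS); STARTS_WITH is the tighter choice for a prefix such as
    /admin, because CONTAINS also matches /static/admin.css."""
    scope_down = {"ByteMatchStatement": {
        "SearchString": uri.encode(),  # boto3 takes bytes for SearchString
        "FieldToMatch": {"UriPath": {}},
        # Decode and normalize first so /%61dmin and /./admin cannot bypass the rule.
        "TextTransformations": [{"Priority": 0, "Type": "URL_DECODE"},
                                {"Priority": 1, "Type": "NORMALIZE_PATH"}],
        "PositionalConstraint": positional_constraint,
    }}
    return _rate_based(name, priority, limit, window_sec, scope_down, behind_proxy)


def ip_exclusion_rate_limit_rule(ip_set_arn: str, limit: int = 100, window_sec: int = 300,
                                 priority: int = 1, behind_proxy: bool = False,
                                 name: str = "rate-limit-except-allow-list") -> dict[str, Any]:
    """Section "Exclude specific IP addresses from rate limit rules": a NotStatement
    around the IP set reference means addresses in the set are never counted."""
    ip_ref: dict[str, Any] = {"ARN": ip_set_arn}
    if behind_proxy:
        # Console field "IP address to use for rate limiting" -> IP address in header.
        # NO_MATCH here means a request without the header is treated as NOT in the
        # allow list, so it is still counted against the limit.
        ip_ref["IPSetForwardedIPConfig"] = {"HeaderName": "X-Forwarded-For",
                                            "FallbackBehavior": "NO_MATCH", "Position": "FIRST"}
    scope_down = {"NotStatement": {"Statement": {"IPSetReferenceStatement": ip_ref}}}
    return _rate_based(name, priority, limit, window_sec, scope_down, behind_proxy)


def attach_rules(name: str, web_acl_id: str, scope: str, new_rules: list[dict[str, Any]]) -> None:
    """API counterpart of Add rule -> Save (assumes boto3 and AWS credentials).
    scope is REGIONAL or CLOUDFRONT. New rules are appended after the existing
    ones, since priorities must be unique within a web ACL."""
    import boto3  # imported here so the builders above run without AWS access
    client = boto3.client("wafv2", region_name="us-east-1" if scope == "CLOUDFRONT" else None)
    current = client.get_web_acl(Name=name, Scope=scope, Id=web_acl_id)
    acl = current["WebACL"]
    base = max((r["Priority"] for r in acl["Rules"]), default=-1) + 1
    for offset, rule in enumerate(new_rules):
        rule["Priority"] = base + offset
    client.update_web_acl(Name=name, Scope=scope, Id=web_acl_id, DefaultAction=acl["DefaultAction"],
                          Rules=acl["Rules"] + new_rules, VisibilityConfig=acl["VisibilityConfig"],
                          LockToken=current["LockToken"])  # optimistic lock from get_web_acl


if __name__ == "__main__":
    # Placeholder ARN; print the rule JSON the console would generate.
    rules = [uri_rate_limit_rule(behind_proxy=True),
             ip_exclusion_rate_limit_rule("arn:aws:wafv2:us-east-1:123456789012:regional/ipset/allow/EXAMPLE")]
    print(json.dumps(rules, indent=2, default=lambda b: b.decode()))
```

Run the module directly to print the two rule objects and compare them with the JSON tab of a rule you created in the console; call `attach_rules` only after checking that the existing rules and the new ones don't overlap in priority or intent.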

Related information

Rate-based rule high-level settings

AWS OFFICIAL
Updated 9 days ago
4 Comments

100 is not enough. Please give more granular control, e.g. 5 or 10 etc. for a period of 1 min, 2 min, 5 min etc.

This is the highest I'm paying for, and it should work for me. Please add an option below 100.

Is there any site where I can submit this feedback? Please share.

replied 10 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 10 months ago

100 is not enough. Please give more granular control, e.g. 5 or 10 etc. for a period of 1 min, 2 min, 5 min etc.

This is the highest I'm paying for, and it should work for me. Please add an option below 100.

Is there any site where I can submit this feedback? Please share.

replied 6 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 6 months ago