
Why do I get a limit exceeded error when I add rules to AWS WAF?


I can't add rules to my web access control list (web ACL) or to an existing rule group in AWS WAF. I receive a limit exceeded error.

Resolution

Error when you add a rule to an existing rule group in a web ACL

In AWS WAF, you set the capacity of a rule group when you create it. After you create the rule group, you can't change the capacity.

To add a new rule to your web ACL, you must create a new rule group. It's a best practice to configure a rule group capacity that allows you to add more rules later. For estimates of web ACL capacity units that different types of rules use, see Web ACL capacity units (WCUs) in AWS WAF.

Complete the following steps:

  1. Open the AWS WAF and Shield console.
  2. In the navigation pane, under AWS WAF, choose Add-on protections.
  3. Select your protection pack.
  4. Choose manage custom rule groups.
  5. To set up your rule in the rule group, configure the following values:
    For Rule group name, enter the rule name.
    For Capacity, choose the value.
  6. Choose Save.

Error when you add rules to a web ACL or rule group that references rule groups, IP sets, or regex pattern sets

AWS WAF has maximum quotas for rule groups, IP sets, and regex pattern sets. If you exceed one of these quotas, then you receive the "AWS WAF couldn't perform the operation because you exceeded your resource limit" error. It's a best practice to avoid single-use rule groups, IP sets, or regex pattern sets.

To reduce the number of references in your web ACL, consolidate your rule groups. A single rule group can hold many rules, up to its WCU capacity, and you can reuse the same rule group in multiple web ACLs. Also, to reduce the number of references in your web ACL rules, use nesting statements so that one rule covers several conditions. To create more sophisticated nesting statements, use the JSON rule editor. Also, consolidate your IP sets and regex pattern sets.
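The following added example (not from this article or from AWS) shows both pieces of advice in code: it builds one rule whose nested OrStatement references several IP sets instead of one rule per IP set, counts the set and rule group references in a rule list before you hit a quota, and picks a rule group capacity with headroom because capacity cannot be changed after creation. The ARNs, the headroom ratio and the 1500 WCU ceiling are assumptions for this example; the live WCU check uses the real boto3 `check_capacity` call and needs credentials.

```python
import json
import math

# Statement keys that count as references to other AWS WAF resources.
REFERENCE_KEYS = {"IPSetReferenceStatement", "RegexPatternSetReferenceStatement",
                  "RuleGroupReferenceStatement"}


def consolidated_ip_rule(name, ip_set_arns, priority):
    """One WAFv2 rule that blocks on any of several IP sets via a nested OrStatement.
    OrStatement requires at least two statements, so a single ARN is referenced directly."""
    refs = [{"IPSetReferenceStatement": {"ARN": arn}} for arn in ip_set_arns]
    if not refs:
        raise ValueError("at least one IP set ARN is required")
    statement = refs[0] if len(refs) == 1 else {"OrStatement": {"Statements": refs}}
    return {
        "Name": name, "Priority": priority, "Statement": statement,
        "Action": {"Block": {}},
        "VisibilityConfig": {"SampledRequestsEnabled": True,
                             "CloudWatchMetricsEnabled": True, "MetricName": name},
    }


def count_references(rules):
    """Count IP set, regex pattern set and rule group references, including those
    nested inside And/Or/Not statements, so you can compare against your quota."""
    def walk(node):
        if isinstance(node, dict):
            return sum((key in REFERENCE_KEYS) + walk(val) for key, val in node.items())
        if isinstance(node, list):
            return sum(walk(item) for item in node)
        return 0
    return walk(rules)


def plan_capacity(estimated_wcu, headroom=0.5, max_wcu=1500):
    """Rule group capacity with room to add rules later (assumed 50% headroom).
    max_wcu is an assumed ceiling; check Service Quotas for your account's value."""
    if estimated_wcu > max_wcu:
        raise ValueError(f"rules need {estimated_wcu} WCU, above ceiling {max_wcu}")
    return min(max_wcu, math.ceil(estimated_wcu * (1 + headroom)))


def estimate_wcu_live(rules, scope="REGIONAL"):
    """Ask AWS WAF how many WCUs the rules consume (needs boto3 and credentials)."""
    import boto3  # imported here so the offline helpers work without boto3
    return boto3.client("wafv2").check_capacity(Scope=scope, Rules=rules)["Capacity"]


if __name__ == "__main__":
    # Constructed placeholder ARNs; replace with your own IP set ARNs.
    arns = [f"arn:aws:wafv2:us-east-1:123456789012:regional/ipset/example-{i}/0" for i in range(3)]
    rule = consolidated_ip_rule("block-listed-ips", arns, priority=0)
    print(json.dumps(rule, indent=2))
    print("references:", count_references([rule]), "capacity for 100 WCU:", plan_capacity(100))
```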

Related information

AWS WAF rule groups

AWS OFFICIAL. Updated 8 months ago.