How do I use AWS WAF to allow or block access to specific URI paths?

4 minute read
0

I want to use AWS WAF to allow or block access to specific URI paths.

Resolution

To allow or block access to specific URI paths by IP address, HTTP header, or geolocation, use a match rule statement. The match statement compares the web request against your criteria.

To get started, complete the following steps:

  1. Open the AWS WAF console.
  2. In the navigation pane, under AWS WAF, choose Web ACLs.
  3. For Region, select the AWS Region where you created your web access control list (web ACL).
    Note: If your web ACL is set up for Amazon CloudFront, then select Global.
  4. Select your web ACL.
  5. Choose Rules, and then choose Add Rules.
  6. Choose Add my own rules and rule groups.

Allow or block access to a specific URI path

Complete the following steps:

  1. For Name, enter a name for the rule, for example, Block-URI-access.
  2. For Type, choose Regular rule.
  3. For If a request, choose matches the statement.
  4. For Statement, complete the following steps:
    For Inspect, choose URI path.
    For Match type, choose Contains string.
    For String to match: enter your URI path, for example, /admin.
    (Optional) For Text transformation, choose a text transformation, or choose None.
  5. For Action, choose Allow or Block, and then choose Add rule.
  6. (Optional) For Set Rule Priority, select your rule, and then set its priority.
  7. Choose Save.

Block access to specific URI paths by IP address

Complete the following steps:

  1. For Name, enter a name for the rule, for example, Allow-listed-IPs-only.
  2. For Type, choose Regular rule.
  3. For If a request, choose matches all the statements (AND).
  4. For Statement 1, complete the following steps:
    For Inspect, choose URI path.
    For Match type, choose Contains string.
    For String to match: enter your URI path, for example, /admin.
    (Optional) For Text transformation, choose a text transformation, or choose None.
  5. For Statement 2 complete the following steps:
    Select Negate statement results.
    For Inspect, choose Originates from an IP address in.
    For IP Set, choose the IP set that contains your allow list IP addresses, for example, MyTrustedIPs.
    For IP address to use as the originating address, choose Source IP address.
  6. For Action, choose Block, and then choose Add rule.
  7. (Optional) For Set Rule Priority, select your rule, and then set its priority.
  8. Choose Save.

Block access to specific URI paths by HTTP header

Complete the following steps:

  1. For Name, enter a name for the rule, for example, Allow-specific-referer-only.
  2. For Type, choose Regular rule.
  3. For If a request, choose matches all the statements (AND).
  4. For Statement 1 complete the following steps:
    For Inspect, choose URI path.
    For Match type, chooses Contains string.
    For String to match: enter your URI path, for example, /wp-login.
  5. For Statement 2 complete the following steps:
    Select Negate statement results.
    For Inspect, choose Single header.
    For Header field name, enter your header name, for example, Referer.
    For Match type, choose Contains string.
    For String to match: enter your referer value, for example, example.com.
  6. (Optional) For Statements 1 and 2, under Text transformation, choose a text transformation, or choose None.
  7. For Action, choose Block, and then choose Add rule.
  8. (Optional) For Set Rule Priority, select your rule, and then set its priority.
  9. Choose Save.

Block access to specific URI paths by geolocation

Complete the following steps:

  1. For Name, enter a name for the rule, for example, LimitAccessByCountry.
  2. For Type, choose Regular rule.
  3. For If a request, choose matches all the statements (AND).
  4. For Statement 1 complete the following steps:
    For Inspect, choose URI path.
    For Match type, choose Contains string.
    For String to match: enter your URI path, for example, /user/profile.
    (Optional) For Text transformation, choose a text transformation, or choose None.
  5. For Statement 2 complete the following steps:
    Select Negate statement results.
    For Inspect, choose Originates from a country in.
    For Country codes, choose the country that you want requests to be inspected for.
    For IP address to use to determine the country of origin, choose Source IP address.
  6. For Action, choose Block, and then choose Add rule.
  7. (Optional) For Set Rule Priority, select your rule, and then set its priority.
  8. Choose Save.

Related information

Text transformations options

Processing order of rules and rule groups in a web ACL

How do I allow or block requests from a specific country or geolocation using AWS WAF?

AWS OFFICIAL
AWS OFFICIALUpdated 4 months ago