AWS Announces Rate-Based Rules for AWS WAF

Posted on: Jun 21, 2017

Amazon Web Services (AWS) today announced Rate-based Rules for AWS WAF. This new rule type protects customer websites and APIs from threats such as web-layer DDoS attacks, brute-force login attempts and bad bots. Rate-based Rules are automatically triggered when web requests from a client exceed a configurable threshold.

With Rate-based Rules, customers can also block future requests from a client that is sending a large volume of requests to certain parts of their website, such as the login page. Customers can also integrate this new rule with CloudWatch Alarms and AWS Lambda to take custom action on clients making an unusually high number of calls against their API endpoints. Customers can also use Rate-based Rules to mitigate unwanted bots by combining the Rate-based Rule with a condition that identifies specific malicious user agents associated with bad bots.

Getting started with AWS WAF Rate-based Rules is easy. Simply create a new rule of the type called “Rate-based Rule”, enter the rate limit value and add the rule to a WebACL. That’s it. Rate-based Rules come with all the benefits of other AWS WAF rules, such as fast rule propagation, very low latency of execution, sample web requests and CloudWatch metrics. For more details on use cases and how to configure, please see the AWS blog post. For FAQs, visit https://aws.amazon.com/waf/faq/.