Posted On: Apr 2, 2021

AWS WAF now lets you generate labels and customize your WAF rules based on those labels. With this feature, you can configure WAF to add descriptive labels to web requests when a WAF rule matches the request, regardless of the action associated with the rule. You can also check for the presence of those labels in subsequent WAF rules and combine those checks with other WAF rules to take action on web requests that include the label. Creating a label also generates a corresponding CloudWatch metric and adds the label to your WAF logs for improved visibility.

For example, when you use the AWS WAF Bot Control managed rule group, AWS WAF generates bot and bot-category labels. You can then allow or block traffic from specific bots by using custom WAF rules that match against those labels. You can also configure your custom WAF rules to add labels to matching requests, instead of terminating request processing, and then use other WAF rules to allow, block, rate-limit, or send a custom response back to the end user for requests that include the labels.
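The label-then-act pattern described above, as an added example that is not part of the original announcement: the first rule counts requests to a login path and attaches a label without terminating processing, and the second rule rate-limits only the requests that carry that label. The rule names, metric names, the `/login` path, the `example:login` label, and the limit of 100 are assumptions chosen for illustration.

```json
[
  {
    "Name": "example-label-login",
    "Priority": 0,
    "Statement": {
      "ByteMatchStatement": {
        "SearchString": "/login",
        "FieldToMatch": { "UriPath": {} },
        "TextTransformations": [{ "Priority": 0, "Type": "NONE" }],
        "PositionalConstraint": "STARTS_WITH"
      }
    },
    "Action": { "Count": {} },
    "RuleLabels": [{ "Name": "example:login" }],
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "example-label-login"
    }
  },
  {
    "Name": "example-rate-limit-login",
    "Priority": 1,
    "Statement": {
      "RateBasedStatement": {
        "Limit": 100,
        "AggregateKeyType": "IP",
        "ScopeDownStatement": {
          "LabelMatchStatement": { "Scope": "LABEL", "Key": "example:login" }
        }
      }
    },
    "Action": { "Block": {} },
    "VisibilityConfig": {
      "SampledRequestsEnabled": true,
      "CloudWatchMetricsEnabled": true,
      "MetricName": "example-rate-limit-login"
    }
  }
]
```

The labeling rule must have the lower priority number so it is evaluated before the rule that matches on the label.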

There is no additional cost for using labels, but standard service charges for AWS WAF still apply. This feature is available in all AWS Regions where AWS WAF is available and for each supported service, including Amazon CloudFront, Application Load Balancer, Amazon API Gateway, and AWS AppSync. To learn more, see the AWS WAF developer guide.