Posted On: Nov 2, 2022

Starting today, the AWS WAF geographic match statement adds labels to each request, to indicate ISO 3166 country and region codes. Customers have asked for more control of geographic regions within a country, such as a specific state in the United States. With the updated geographic match rule statements, customers can control access at the region level. The geographic match rule statement now automatically annotates a request from Texas, USA with the label awswaf:clientip:geo:region:US-TX, and a request from Queensland, Australia with the label awswaf:clientip:geo:region:AU-QLD. Customers can add label matching rules to capture region labels and block specific regions, without blocking the entire country.

Getting started with the updated geographic match rule statements is easy. The geographic match rule adds geographic region and country labels to every request that it evaluates, enabling customers to write label match statements for the regions they wish to block or allow. Geographic match rule statements can be combined with other AWS WAF rules to build sophisticated filtering policies. Customers who want to block certain geographies while still allowing certain developer IP addresses from those locations can combine geo and IP match conditions to allow only authorized users. Other customers who want to prioritize users in their primary geography to optimize resource consumption can combine geo match conditions with AWS WAF rate-based rules. These customers can set a higher rate limit for end users in preferred countries or regions while setting a lower rate limit for others.
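The two patterns above (block one region by label, and scope a lower rate limit to requests outside a preferred country) as a worked example. This is added illustration, not AWS's own code: it builds the web ACL rules in the JSON shape the AWS WAF API accepts, using the region label format from the announcement and the companion country label format `awswaf:clientip:geo:country:<code>` (assumed here from the WAF documentation). The `evaluate` function is a deliberately simplified local model of WAF's priority-ordered evaluation, not the real engine, and exists only to show the practical check that matters: the geo match rule must run before the label match rule (lower `Priority`) and use a non-terminating `Count` action, otherwise the labels are never present when the label match rule runs and nothing is blocked.

```python
import json

# Label prefixes attached by the geo match statement. The region form is
# quoted in the announcement; the country form is assumed from the WAF docs.
REGION_LABEL = "awswaf:clientip:geo:region:"
COUNTRY_LABEL = "awswaf:clientip:geo:country:"


def _visibility(name):
    return {"SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name}


def geo_label_rule(priority, country_codes):
    """Geo match rule whose only job is to label requests.

    Count is non-terminating, so the labelled request continues on to the
    later rules that actually decide on it."""
    return {"Name": "geo-label", "Priority": priority,
            "Statement": {"GeoMatchStatement": {"CountryCodes": country_codes}},
            "Action": {"Count": {}},
            "VisibilityConfig": _visibility("geo-label")}


def block_region_rule(priority, region_code):
    """Block one ISO 3166-2 region (e.g. US-TX) without blocking its country."""
    return {"Name": f"block-{region_code}", "Priority": priority,
            "Statement": {"LabelMatchStatement": {
                "Scope": "LABEL", "Key": REGION_LABEL + region_code}},
            "Action": {"Block": {}},
            "VisibilityConfig": _visibility(f"block-{region_code}")}


def rate_limit_outside_country(priority, limit, preferred_country):
    """Rate-based rule scoped down to requests NOT labelled with the preferred
    country, so everyone else gets the lower per-IP limit."""
    not_preferred = {"NotStatement": {"Statement": {
        "LabelMatchStatement": {"Scope": "LABEL",
                                "Key": COUNTRY_LABEL + preferred_country}}}}
    return {"Name": "rate-limit-non-preferred", "Priority": priority,
            "Statement": {"RateBasedStatement": {
                "Limit": limit,
                "AggregateKeyType": "IP",
                "ScopeDownStatement": not_preferred}},
            "Action": {"Block": {}},
            "VisibilityConfig": _visibility("rate-limit-non-preferred")}


def build_rules(block_region="US-TX", preferred_country="US"):
    """Correct ordering: label first (priority 0), then decide on labels."""
    return [geo_label_rule(0, ["US", "AU"]),
            block_region_rule(1, block_region),
            rate_limit_outside_country(2, 500, preferred_country)]


def evaluate(rules, country, region):
    """Simplified local model of WAF evaluation (not the AWS engine): rules run
    by ascending Priority, the geo statement labels every request it sees,
    label matches consult those labels, and a matched Block terminates.
    Rate-based rules need request history and are skipped here."""
    labels = set()
    for rule in sorted(rules, key=lambda r: r["Priority"]):
        stmt = rule["Statement"]
        if "GeoMatchStatement" in stmt:
            labels.add(COUNTRY_LABEL + country)
            labels.add(REGION_LABEL + region)
            matched = country in stmt["GeoMatchStatement"]["CountryCodes"]
        elif "LabelMatchStatement" in stmt:
            matched = stmt["LabelMatchStatement"]["Key"] in labels
        else:
            continue
        if matched and "Block" in rule["Action"]:
            return "BLOCK"
    return "ALLOW"


if __name__ == "__main__":
    print(json.dumps(build_rules(), indent=2))
    print(evaluate(build_rules(), "US", "US-TX"))   # BLOCK
    print(evaluate(build_rules(), "US", "US-CA"))   # ALLOW
```

The rule list printed by the block can be dropped into a web ACL or rule group definition as its `Rules` array. The misordering check in `evaluate` is worth keeping in a unit test for real deployments: swapping the priorities of the geo rule and the label match rule silently turns the region block into a no-op, which is the kind of failure that only shows up in sampled-request logs after the fact.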

There is no additional cost for using this feature. It is available in all AWS Regions where AWS WAF is available and for each supported service, including Amazon CloudFront, Application Load Balancer, Amazon API Gateway, AWS AppSync, and Amazon Cognito. To learn more, see the AWS WAF developer guide.