Posted On: May 16, 2023

AWS WAF now supports additional request parameters for rate-based rules, including cookies and other HTTP headers. Additionally, you can now create composite keys based on up to 5 request parameters, providing more granular options for managing and securing web application traffic. With these capabilities, customers can better identify and block malicious traffic patterns while minimizing the impact on legitimate users. 

Customers could already use WAF rate-based rules to automatically block requests from IP addresses that make large numbers of requests within a short period of time, until the rate of requests falls below a customer-defined threshold. As attackers have become more sophisticated, they are increasingly using techniques that bypass IP-based rate limiting defenses, such as using multiple IP addresses or distributing attacks across a large number of devices. Now, WAF customers can aggregate requests by combining IP addresses with other request parameters (“keys”). Supported keys include cookies and other request headers, query strings or query arguments, label namespaces, and HTTP methods. By combining multiple request parameters into a single composite key, customers can detect and mitigate potential threats with higher accuracy. Customers can further refine rate-based rules by using WAF match conditions, which limit the scope of inspection to specific URLs of their website or to traffic coming from specific referrers.
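The effect of the aggregation key choice can be seen in a simplified model, added here as an example; it is not AWS code and not how AWS WAF is implemented. The traffic, the limit of 100, and the names `build_sample_traffic` and `over_limit` are assumptions made for illustration.

```python
from collections import Counter

MAX_KEYS = 5  # the announcement allows up to 5 request parameters per composite key


def build_sample_traffic():
    """Constructed requests for one evaluation window (not real logs)."""
    traffic = []
    # 30 legitimate users behind one office NAT address, 5 requests each.
    for user in range(30):
        traffic += [{"ip": "198.51.100.10", "cookie": f"sess-user-{user}",
                     "method": "GET"}] * 5
    # One automated client reusing a single session cookie from 40 addresses.
    for host in range(1, 41):
        traffic += [{"ip": f"203.0.113.{host}", "cookie": "sess-bot",
                     "method": "POST"}] * 5
    return traffic


def over_limit(requests, keys, limit):
    """Return the aggregation instances whose request count exceeds limit.

    Each distinct combination of the chosen key values is counted separately,
    which is how a composite key partitions traffic in this model.
    """
    if not 1 <= len(keys) <= MAX_KEYS:
        raise ValueError(f"a composite key takes 1 to {MAX_KEYS} parameters")
    counts = Counter(tuple(r[k] for k in keys) for r in requests)
    return {instance: n for instance, n in counts.items() if n > limit}


if __name__ == "__main__":
    traffic = build_sample_traffic()
    for keys in (("ip",), ("cookie",), ("ip", "cookie")):
        print(keys, over_limit(traffic, keys, limit=100))
```

In this model, keying on IP alone throttles the shared office address, keying on the cookie isolates the reused session without touching the office users, and the IP plus cookie composite counts every pair separately so nothing exceeds the limit. The key set therefore has to match the traffic pattern the rule is meant to catch.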

There is no additional cost for using this feature; however, standard AWS WAF charges still apply. For more information about pricing, visit the AWS WAF Pricing page. This feature is available in all AWS Regions except the AWS GovCloud (US), Zurich (Europe), Spain (Europe), Hyderabad (Asia Pacific), and Melbourne (Australia) Regions. Support for these Regions is expected later. To learn more, see the AWS WAF developer guide. For more information about the service, visit the AWS WAF page.