How do I create complex custom AWS WAF JSON rules?

Last updated: 2022-07-21

How do I create complex custom AWS WAF JSON rules?

Resolution

Create complex custom rules in the Rule JSON editor when adding a custom rule for AWS WAF. Rules are created and managed in Web ACLs and Rule groups in the AWS WAF console. You can access a rule by name in the rule group or web ACL where it's defined.

If your use case requires a custom rule that needs a combination of AND, OR, or NOT logic (nested statements), then you must create the rule using the JSON editor. For more information, see AWS WAF rule statements.

Tip: You can use the Rule visual editor, located in the AWS WAF console, to create rule statements similar to your use case. Then, to view the JSON statements, choose Rule JSON editor and make necessary changes in the JSON editor.

The following examples provide a reference that you can use to create your own custom rule logic:

Example 1

This is a custom rule statement that allows a request if it is originating from United States - US and URI is /wp-admin/ or /wp-login/:

Rule logic: If a request is (from US) AND URI is ( /a OR /b ) ).

{
  "Name": "test",
  "Priority": 100,
  "Statement": {
    "AndStatement": {
      "Statements": [
        {
          "GeoMatchStatement": {
            "CountryCodes": [
              "US"
            ]
          }
        },
        {
          "OrStatement": {
            "Statements": [
              {
                "ByteMatchStatement": {
                  "SearchString": "/wp-admin/",
                  "FieldToMatch": {
                    "UriPath": {}
                  },
                  "TextTransformations": [
                    {
                      "Priority": 0,
                      "Type": "NONE"
                    }
                  ],
                  "PositionalConstraint": "CONTAINS"
                }
              },
              {
                "ByteMatchStatement": {
                  "SearchString": "/wp-login/",
                  "FieldToMatch": {
                    "UriPath": {}
                  },
                  "TextTransformations": [
                    {
                      "Priority": 0,
                      "Type": "NONE"
                    }
                  ],
                  "PositionalConstraint": "CONTAINS"
                }
              }
            ]
          }
        }
      ]
    }
  },
  "Action": {
    "Allow": {}
  },
  "VisibilityConfig": {
    "SampledRequestsEnabled": true,
    "CloudWatchMetricsEnabled": true,
    "MetricName": "test"
  }
}

Example 2

This is a custom rule statement that blocks a request if it has XSS signatures in the BODY, but excludes the URIs /test, /login, and /admin from the inspection:

Rule logic: If a request has (XSS signature in the body) AND URI is NOT ( /a OR /b, OR /c ).

{
 "Name": "XSS_Block_Allow_Uploads",
 "Priority": 100,
 "Statement": {
     "AndStatement": {
     "Statements": [
       {
         "XssMatchStatement": {
           "FieldToMatch": {
             "Body": {}
           },
           "TextTransformations": [
             {
               "Priority": 0,
               "Type": "NONE"
             }
           ]
         }
       },
   {
    "NotStatement": {
     "Statement": {
      "OrStatement": {
       "Statements": [
                 {
                   "ByteMatchStatement": {
                     "SearchString": "/test",
                     "FieldToMatch": {
                       "UriPath": {}
                     },
                     "TextTransformations": [
                       {
                         "Priority": 0,
                         "Type": "NONE"
                       }
                     ],
                     "PositionalConstraint": "EXACTLY"
                   }
                 },
                 {
                   "ByteMatchStatement": {
                     "SearchString": "/admin",
                     "FieldToMatch": {
                       "UriPath": {}
                     },
                     "TextTransformations": [
                       {
                         "Priority": 0,
                         "Type": "NONE"
                       }
                     ],
                     "PositionalConstraint": "EXACTLY"
                   }
                 },
                 {
                   "ByteMatchStatement": {
                     "SearchString": "/login",
                     "FieldToMatch": {
                       "UriPath": {}
                     },
                     "TextTransformations": [
                       {
                         "Priority": 0,
                         "Type": "NONE"
                       }
                     ],
                     "PositionalConstraint": "EXACTLY"
                   }
                 }
               ]
             }
           }
         }
       }
     ]
   }
 },
 "Action": {
   "Block": {}
 },
 "VisibilityConfig": {
   "SampledRequestsEnabled": true,
   "CloudWatchMetricsEnabled": true,
   "MetricName": "XSS_Block_Allow_Uploads"
 }
}

Example 3

This is a custom rule statement that blocks a request if, it contains a custom label internal, but the host, IP, and URI is not a specific combination:

Rule logic: If request (contains the label) AND not (URI and IP and host), then block.

{
  "Name": "Block_internal_unauthorized",
  "Priority": 100,
  "Statement": {
    "AndStatement": {
      "Statements": [
      {
          "LabelMatchStatement": {
            "Scope": "LABEL",
            "Key": "internal"
          }
        },
        {
          "NotStatement": {
            "Statement": {
              "AndStatement": {
                "Statements": [
                {
                    "ByteMatchStatement": {
                      "FieldToMatch": {
                        "UriPath": {}
                      },
                      "PositionalConstraint": "EXACTLY",
                      "SearchString": "/test",
                      "TextTransformations": [{
                        "Type": "NONE",
                        "Priority": 0
                      }]
                    }
                  },
                  {
                    "IPSetReferenceStatement": {
                      "ARN": "arn:aws:wafv2:us-east-1:xxxxxxxxxxxx:regional/ipset/internal_IPs/xxx-xx-xxx"
                    }
                  },
                  {
                    "ByteMatchStatement": {
                      "FieldToMatch": {
                        "SingleHeader": {
                          "Name": "host"
                        }
                      },
                      "PositionalConstraint": "EXACTLY",
                      "SearchString": "example.com",
                      "TextTransformations": [{
                        "Type": "NONE",
                        "Priority": 0
                      }]
                    }
                  }
                ]
              }
            }
          }
        }
      ]
    }
  },
  "Action": {
   "Block": {}
 },
 "VisibilityConfig": {
   "SampledRequestsEnabled": true,
   "CloudWatchMetricsEnabled": true,
   "MetricName": "Block_internal_unauthorized"
 }
}

Did this article help?


Do you need billing or technical support?