How do I use AWS WAF to allow or block access to specific URI paths?

4 minute read

I want to use AWS WAF to allow or block access to specific URI paths.

Resolution

To allow or block access to specific URI paths by IP address, HTTP header, or geolocation, use a match rule statement. The match statement compares the web request against your criteria.

To get started, complete the following steps:

Open the AWS WAF console.
In the navigation pane, under AWS WAF, choose Web ACLs.
For Region, select the AWS Region where you created your web access control list (web ACL).
Note: If your web ACL is set up for Amazon CloudFront, then select Global.
Select your web ACL.
Choose Rules, and then choose Add Rules.
Choose Add my own rules and rule groups.

Allow or block access to a specific URI path

Complete the following steps:

For Name, enter a name for the rule, for example, Block-URI-access.
For Type, choose Regular rule.
For If a request, choose matches the statement.
For Statement, complete the following steps:
For Inspect, choose URI path.
For Match type, choose Contains string.
For String to match: enter your URI path, for example, /admin.
(Optional) For Text transformation, choose a text transformation, or choose None.
For Action, choose Allow or Block, and then choose Add rule.
(Optional) For Set Rule Priority, select your rule, and then set its priority.
Choose Save.

Block access to specific URI paths by IP address

Complete the following steps:

For Name, enter a name for the rule, for example, Allow-listed-IPs-only.
For Type, choose Regular rule.
For If a request, choose matches all the statements (AND).
For Statement 1, complete the following steps:
For Inspect, choose URI path.
For Match type, choose Contains string.
For String to match: enter your URI path, for example, /admin.
(Optional) For Text transformation, choose a text transformation, or choose None.
For Statement 2 complete the following steps:
Select Negate statement results.
For Inspect, choose Originates from an IP address in.
For IP Set, choose the IP set that contains your allow list IP addresses, for example, MyTrustedIPs.
For IP address to use as the originating address, choose Source IP address.
For Action, choose Block, and then choose Add rule.
(Optional) For Set Rule Priority, select your rule, and then set its priority.
Choose Save.

Block access to specific URI paths by HTTP header

Complete the following steps:

For Name, enter a name for the rule, for example, Allow-specific-referer-only.
For Type, choose Regular rule.
For If a request, choose matches all the statements (AND).
For Statement 1 complete the following steps:
For Inspect, choose URI path.
For Match type, chooses Contains string.
For String to match: enter your URI path, for example, /wp-login.
For Statement 2 complete the following steps:
Select Negate statement results.
For Inspect, choose Single header.
For Header field name, enter your header name, for example, Referer.
For Match type, choose Contains string.
For String to match: enter your referer value, for example, example.com.
(Optional) For Statements 1 and 2, under Text transformation, choose a text transformation, or choose None.
For Action, choose Block, and then choose Add rule.
(Optional) For Set Rule Priority, select your rule, and then set its priority.
Choose Save.

Block access to specific URI paths by geolocation

Complete the following steps:

For Name, enter a name for the rule, for example, LimitAccessByCountry.
For Type, choose Regular rule.
For If a request, choose matches all the statements (AND).
For Statement 1 complete the following steps:
For Inspect, choose URI path.
For Match type, choose Contains string.
For String to match: enter your URI path, for example, /user/profile.
(Optional) For Text transformation, choose a text transformation, or choose None.
For Statement 2 complete the following steps:
Select Negate statement results.
For Inspect, choose Originates from a country in.
For Country codes, choose the country that you want requests to be inspected for.
For IP address to use to determine the country of origin, choose Source IP address.
For Action, choose Block, and then choose Add rule.
(Optional) For Set Rule Priority, select your rule, and then set its priority.
Choose Save.

Related information

Text transformations options

Processing order of rules and rule groups in a web ACL

How do I allow or block requests from a specific country or geolocation using AWS WAF?

Topics

Security, Identity, & Compliance

Relevant content

WAF rule to allow certain http headers
Accepted Answer
Ali_Valizada
asked 2 months ago
AWS WAF URI regex don't match
AWS-User-3147005
asked 3 years ago
WAF rule that matches URI AND does NOT contain a string in a header
TreverW
asked 4 years ago
AWS WAF ALB Blocking towards a specific path
Accepted Answer
lorddct
asked a year ago
AWS WAF efficient rule for allowing specific IPs and Countries for specific URLs
AWS-User-0338648
asked 2 years ago
How do I exclude specific URIs from XSS or SQLi inspection for HTTP requests in AWS WAF?
AWS OFFICIALUpdated 4 months ago
How do I apply a rate limit on a specific request parameter or URI in AWS WAF?
AWS OFFICIALUpdated 3 months ago
How do I configure an HTTP API to allow access only to specific IP addresses?
AWS OFFICIALUpdated 9 months ago
How do I use AWS WAF to allow or block requests from a specific country or geolocation?
AWS OFFICIALUpdated 3 months ago
AWS re:Post Knowledge Center Spotlight: AWS WAF
EXPERT
Shannon Lewis
published 6 days ago