Web ACLs
A Web Access Control List (Web ACL) contains a collection of rules that determine whether incoming web requests are allowed, blocked, or counted for monitoring. Web ACLs are attached to supported AWS resources such as ALBs, API Gateways, or CloudFront distributions.
Rule Types
- IP Set Rules
- Maintain a list of IP addresses or CIDR ranges to allow or block.
- Up to 10,000 IP addresses per set; larger lists require multiple rules.
- String Match Rules
- Inspect parts of the request such as HTTP headers, URI path, query strings, or body.
- Commonly used for detecting SQL injection or cross-site scripting (XSS) patterns.
- Size Constraint Rules
- Allow or block requests based on the size of request components like headers or body.
- Geo Match Rules
- Filter traffic based on the requester’s country of origin.
- Rate-Based Rules
- Limit the number of matching requests from a single IP within a five-minute window.
- Effective for mitigating DDoS attacks and controlling abusive traffic.
Rule Groups
- Reusable collections of rules that can be applied to multiple Web ACLs.
- Simplify management by allowing consistent protection policies across multiple applications.
- Can be AWS Managed Rule Groups or custom-created by the user.