All cheat sheets
Networkingcheat sheet

AWS WAF Rule Optimization

One rule per blocked IP or bot signature is how teams hit WAF's 1,500-WCU ceiling and a $1/rule/month bill. IP Sets, Regex Pattern Sets, and combined conditions collapse 50 rules into 10 — same protection, 60%+ less capacity and cost.

Last reviewed: July 11, 2026

TL;DR: WAF has two walls: a 1,500-WCU capacity ceiling per web ACL and $1/month per rule. Teams hit both the same way — adding one rule per bad IP, per bot user-agent, per blocked path. The fix is structural: an IP Set (10k addresses, one rule), a Regex Pattern Set (all your patterns, one rule), and combined AND/OR conditions. Same security posture; typical audits recover 50–70% of WCUs and rule fees.

The numbers

  • Fees: $5/month per web ACL + $1/month per rule + $0.60/M requests. Fifty hand-rolled rules = $50/month forever, per ACL, per environment.
  • WCU weights: single IP match or geo-block ≈ 1; a regex rule can be 10+; managed groups are heavy — Core Rule Set ~700, Known Bad Inputs ~200, SQL Database ~200.
  • Field examples: an API team at 1,480/1,500 WCUs consolidated down to 620 in a weekend (rule fees −60%); an e-commerce site replaced 80 bot-user-agent rules ($80/month) with one Pattern Set rule ($1/month).

Do this

  1. Audit the shape of your rules: any set differing only by a literal IP, path, or user-agent string is one Set + one rule in disguise.

  2. Collapse IPs into an IP Set (up to 10,000 CIDRs), referenced by a single rule; update the Set from Terraform or a threat-feed Lambda without ever touching the rule again.

  3. Collapse string matches into a Regex Pattern Set — the biggest win on bot-fighting workloads accumulating per-signature rules.

  4. Merge same-intent conditions: "block /admin from outside the US" is one combined rule, not two. Litmus test: if the intent fits one English sentence, it's one rule.

  5. Prune managed rule groups to your actual stack — a JSON API doesn't need the WordPress rules; each unneeded group burns 25–700 WCUs.

  6. Test consolidations in count mode for a day or two before flipping to block; compare CloudWatch match counts against the old rules to catch too-broad or too-narrow regexes.

  7. Quarterly: delete dead rules — anything with zero matches in 90 days, after confirmation.

Gotchas

  • Don't over-consolidate. Rules with different actions (block vs count vs rate-limit), different logging/labeling needs, or genuinely different intent stay separate — merging them obscures what fired and why.
  • Managed groups count against your 1,500 WCUs — stacking three popular ones spends half the ceiling before your first custom rule.
  • Regex is the WCU hog: if you're near the ceiling, audit regex rules first.
  • WAF logs can quietly become your biggest log stream — pair this cleanup with CloudWatch Logs retention.

Skip this if

  • You run under ~10 custom rules that are already Set-backed — you're healthy; keep the discipline.
  • Your only WAF content is managed rule groups — then the lever is which groups, not consolidation.
  • The spend concern is CloudFront+WAF fees overall — that's the Security Savings Bundle on top of (not instead of) clean rules.

Run this audit with your AI assistant

Paste this into Claude, ChatGPT, or any agent that can run the AWS CLI with read-only credentials. It audits your account for exactly the waste this sheet describes — and changes nothing.

You are auditing AWS WAF web ACLs for rule sprawl, WCU pressure, and
cost. Use the AWS CLI with READ-ONLY credentials. Do not create,
modify, or delete anything.

1. Inventory: aws wafv2 list-web-acls (both --scope REGIONAL per
   region and --scope CLOUDFRONT via us-east-1), then get-web-acl for
   each: rule count, per-rule statements, consumed Capacity (WCUs) vs
   the 1,500 ceiling, and managed rule groups in use.
2. Sprawl patterns to flag:
   a. Multiple rules that differ only by a literal IP/CIDR → one
      IP Set (up to 10k entries) + one rule.
   b. Multiple rules matching different strings/paths/user-agents on
      the same field → one Regex Pattern Set + one rule.
   c. Rule pairs that only make sense together → one combined
      AND/OR/NOT statement. (Do NOT merge rules with different
      actions — block vs count vs rate-limit stay separate.)
   d. Managed rule groups that don't match the stack (e.g., WordPress
      rules on a JSON API) — each burns 25–700 WCUs.
3. Dead rules: CloudWatch per-rule metrics — rules with zero matches
   in 90 days are deletion candidates.
4. Cost math: $1/month per rule per web ACL (+$5/ACL, $0.60/M
   requests). Show current rule fees vs post-consolidation, per ACL
   and total across ACLs/environments.

Report: per-ACL table (rules | WCUs used/1500 | managed groups |
est. rule fees), consolidation plan grouped by pattern with projected
WCU and $ reductions, dead-rule list, and a reminder to test every
consolidated rule in COUNT mode before switching to BLOCK. Change
nothing.
Works with any assistant that can run shell commands.

Want the guided version?

The AWS WAF Rule Optimization walkthrough covers this topic interactively — it asks about your setup, branches to what’s relevant, and quizzes you on the tricky parts. Free and anonymous.

Start the walkthrough