AWS WAF now supports additional request parameters for rate-based rules, including cookies and other HTTP headers. Additionally, you can now create composite keys based on up to 5 request parameters, providing more granular options for managing and securing web application traffic. With these capabilities, customers can better identify and block malicious traffic patterns while minimizing the impact on legitimate users.
Source:: Amazon AWS