diff --git a/aws/beta.ordbok.uib.no_stack.yaml b/aws/beta.ordbok.uib.no_stack.yaml
index 4284a2fb0e759995833d9451fc17802f0dede875..ad0bfe08961ef2813cd489fedcf20aae0a314227 100644
--- a/aws/beta.ordbok.uib.no_stack.yaml
+++ b/aws/beta.ordbok.uib.no_stack.yaml
@@ -83,6 +83,16 @@ Resources:
         Value: "82.134.66.114/32"
       Name: "allowed IPs"
 
+  APImatch:
+    Type: "AWS::WAF::ByteMatchSet"
+    Properties:
+      ByteMatchTuples:
+      - FieldToMatch:
+          Type: "URI"
+        TargetString: "/api/"
+        TextTransformation: "NONE"
+        PositionalConstraint: "STARTS_WITH"
+
   ITARule:
     Type: "AWS::WAF::Rule"
     Properties:
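Review bot: The new `APImatch` resource has no `Name` property, which `AWS::WAF::ByteMatchSet` requires, so the stack update is likely to fail on this resource. Add one under `Properties`, for example `Name: "API path prefix"`, in the same way the IP set above carries `Name: "allowed IPs"`. Separately, `TextTransformation: "NONE"` means the `STARTS_WITH` test runs on the raw URI, and this set feeds an ALLOW rule. It is worth confirming that the origin only serves canonical `/api/` paths, so that a request matching the prefix cannot be resolved to content outside the API.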
@@ -93,6 +103,16 @@ Resources:
         Negated: false
         DataId: !Ref ITAIpSet
 
+  APIRule:
+    Type: "AWS::WAF::Rule"
+    Properties:
+      MetricName: "APIRule"
+      Name: "APIRule"
+      Predicates:
+      - Type: "ByteMatch"
+        Negated: false
+        DataId: !Ref APImatch
+
   ACL:
     Type: "AWS::WAF::WebACL"
     Properties:
@@ -105,6 +125,10 @@ Resources:
             Type: "ALLOW"
           Priority: 1
           RuleId: !Ref ITARule
+        - Action:
+            Type: "ALLOW"
+          Priority: 5
+          RuleId: !Ref APIRule
 
   Distribution:
     Type: "AWS::CloudFront::Distribution"
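Review bot: Nothing in the template records that the new priority-5 ALLOW entry deliberately opens everything under `/api/` to any source address, while the existing priority-1 entry limits access to `ITAIpSet`. I would add a comment above the entry, such as `# /api/ is intentionally public; all other paths stay limited to ITAIpSet`, so that a later reader does not take it for an oversight. Because the WAF no longer gates these requests by source IP, the API presumably needs its own authentication or throttling; confirm that this exists at the origin. The ACL's `DefaultAction` lies outside the hunk, so the assumption that unmatched requests are blocked should also be checked.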