WebACL

wafv2.services.k8s.aws/v1alpha1

Metadata#

A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has a statement that defines what to look for in web requests and an action that WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

Spec#

associationConfig: 
  requestBody: {}
captchaConfig: 
  immunityTimeProperty: 
    immunityTime: integer
challengeConfig: 
  immunityTimeProperty: 
    immunityTime: integer
customResponseBodies: {}
defaultAction: 
  allow: 
    customRequestHandling: 
      insertHeaders:
      - name: string
        value: string
  block: 
    customResponse: 
      customResponseBodyKey: string
      responseCode: integer
      responseHeaders:
      - name: string
        value: string
description: string
name: string
rules:
  action: 
    allow: 
      customRequestHandling: 
        insertHeaders:
        - name: string
          value: string
    block: 
      customResponse: 
        customResponseBodyKey: string
        responseCode: integer
        responseHeaders:
        - name: string
          value: string
    captcha: 
      customRequestHandling: 
        insertHeaders:
        - name: string
          value: string
    challenge: 
      customRequestHandling: 
        insertHeaders:
        - name: string
          value: string
    count: 
      customRequestHandling: 
        insertHeaders:
        - name: string
          value: string
  captchaConfig: 
    immunityTimeProperty: 
      immunityTime: integer
  challengeConfig: 
    immunityTimeProperty: 
      immunityTime: integer
  name: string
  overrideAction: 
    count: 
      customRequestHandling: 
        insertHeaders:
        - name: string
          value: string
    none: {}
  priority: integer
  ruleLabels:
  - name: string
  statement: 
    andStatement: string
    byteMatchStatement: 
      fieldToMatch: 
        allQueryArguments: {}
        body: 
          oversizeHandling: string
        cookies: 
          matchPattern: 
            all: {}
            excludedCookies:
            - string
            includedCookies:
            - string
          matchScope: string
          oversizeHandling: string
        headerOrder: 
          oversizeHandling: string
        headers: 
          matchPattern: 
            all: {}
            excludedHeaders:
            - string
            includedHeaders:
            - string
          matchScope: string
          oversizeHandling: string
        ja3Fingerprint: 
          fallbackBehavior: string
        jsonBody: 
          invalidFallbackBehavior: string
          matchPattern: 
            all: {}
            includedPaths:
            - string
          matchScope: string
          oversizeHandling: string
        method: {}
        queryString: {}
        singleHeader: 
          name: string
        singleQueryArgument: 
          name: string
        uriPath: {}
      positionalConstraint: string
      searchString: string
      textTransformations:
      - priority: integer
        type: string
    geoMatchStatement: 
      countryCodes:
      - string
      forwardedIPConfig: 
        fallbackBehavior: string
        headerName: string
    ipSetReferenceStatement: 
      arn: string
      ipSetForwardedIPConfig: 
        fallbackBehavior: string
        headerName: string
        position: string
    labelMatchStatement: 
      key: string
      scope: string
    managedRuleGroupStatement: 
      excludedRules:
      - name: string
      managedRuleGroupConfigs:
        awsManagedRulesACFPRuleSet: 
          creationPath: string
          enableRegexInPath: boolean
          registrationPagePath: string
          requestInspection: 
            addressFields:
            - identifier: string
            emailField: 
              identifier: string
            passwordField: 
              identifier: string
            payloadType: string
            phoneNumberFields:
            - identifier: string
            usernameField: 
              identifier: string
          responseInspection: 
            bodyContains: 
              failureStrings:
              - string
              successStrings:
              - string
            header: 
              failureValues:
              - string
              name: string
              successValues:
              - string
            json: 
              failureValues:
              - string
              identifier: string
              successValues:
              - string
            statusCode: 
              failureCodes:
              - integer
              successCodes:
              - integer
        awsManagedRulesATPRuleSet: 
          enableRegexInPath: boolean
          loginPath: string
          requestInspection: 
            passwordField: 
              identifier: string
            payloadType: string
            usernameField: 
              identifier: string
          responseInspection: 
            bodyContains: 
              failureStrings:
              - string
              successStrings:
              - string
            header: 
              failureValues:
              - string
              name: string
              successValues:
              - string
            json: 
              failureValues:
              - string
              identifier: string
              successValues:
              - string
            statusCode: 
              failureCodes:
              - integer
              successCodes:
              - integer
        awsManagedRulesBotControlRuleSet: 
          enableMachineLearning: boolean
          inspectionLevel: string
        loginPath: string
        passwordField: 
          identifier: string
        payloadType: string
        usernameField: 
          identifier: string
      name: string
      ruleActionOverrides:
        actionToUse: 
          allow: 
            customRequestHandling: 
              insertHeaders:
              - name: string
                value: string
          block: 
            customResponse: 
              customResponseBodyKey: string
              responseCode: integer
              responseHeaders:
              - name: string
                value: string
          captcha: 
            customRequestHandling: 
              insertHeaders:
              - name: string
                value: string
          challenge: 
            customRequestHandling: 
              insertHeaders:
              - name: string
                value: string
          count: 
            customRequestHandling: 
              insertHeaders:
              - name: string
                value: string
        name: string
      scopeDownStatement: string
      vendorName: string
      version: string
    notStatement: string
    orStatement: string
    rateBasedStatement: 
      aggregateKeyType: string
      customKeys:
        cookie: 
          name: string
          textTransformations:
          - priority: integer
            type: string
        forwardedIP: {}
        header: 
          name: string
          textTransformations:
          - priority: integer
            type: string
        httpMethod: {}
        iP: {}
        labelNamespace: 
          namespace: string
        queryArgument: 
          name: string
          textTransformations:
          - priority: integer
            type: string
        queryString: 
          textTransformations:
          - priority: integer
            type: string
        uriPath: 
          textTransformations:
          - priority: integer
            type: string
      evaluationWindowSec: integer
      forwardedIPConfig: 
        fallbackBehavior: string
        headerName: string
      limit: integer
      scopeDownStatement: string
    regexMatchStatement: 
      fieldToMatch: 
        allQueryArguments: {}
        body: 
          oversizeHandling: string
        cookies: 
          matchPattern: 
            all: {}
            excludedCookies:
            - string
            includedCookies:
            - string
          matchScope: string
          oversizeHandling: string
        headerOrder: 
          oversizeHandling: string
        headers: 
          matchPattern: 
            all: {}
            excludedHeaders:
            - string
            includedHeaders:
            - string
          matchScope: string
          oversizeHandling: string
        ja3Fingerprint: 
          fallbackBehavior: string
        jsonBody: 
          invalidFallbackBehavior: string
          matchPattern: 
            all: {}
            includedPaths:
            - string
          matchScope: string
          oversizeHandling: string
        method: {}
        queryString: {}
        singleHeader: 
          name: string
        singleQueryArgument: 
          name: string
        uriPath: {}
      regexString: string
      textTransformations:
      - priority: integer
        type: string
    regexPatternSetReferenceStatement: 
      arn: string
      fieldToMatch: 
        allQueryArguments: {}
        body: 
          oversizeHandling: string
        cookies: 
          matchPattern: 
            all: {}
            excludedCookies:
            - string
            includedCookies:
            - string
          matchScope: string
          oversizeHandling: string
        headerOrder: 
          oversizeHandling: string
        headers: 
          matchPattern: 
            all: {}
            excludedHeaders:
            - string
            includedHeaders:
            - string
          matchScope: string
          oversizeHandling: string
        ja3Fingerprint: 
          fallbackBehavior: string
        jsonBody: 
          invalidFallbackBehavior: string
          matchPattern: 
            all: {}
            includedPaths:
            - string
          matchScope: string
          oversizeHandling: string
        method: {}
        queryString: {}
        singleHeader: 
          name: string
        singleQueryArgument: 
          name: string
        uriPath: {}
      textTransformations:
      - priority: integer
        type: string
    ruleGroupReferenceStatement: 
      arn: string
      excludedRules:
      - name: string
      ruleActionOverrides:
        actionToUse: 
          allow: 
            customRequestHandling: 
              insertHeaders:
              - name: string
                value: string
          block: 
            customResponse: 
              customResponseBodyKey: string
              responseCode: integer
              responseHeaders:
              - name: string
                value: string
          captcha: 
            customRequestHandling: 
              insertHeaders:
              - name: string
                value: string
          challenge: 
            customRequestHandling: 
              insertHeaders:
              - name: string
                value: string
          count: 
            customRequestHandling: 
              insertHeaders:
              - name: string
                value: string
        name: string
    sizeConstraintStatement: 
      comparisonOperator: string
      fieldToMatch: 
        allQueryArguments: {}
        body: 
          oversizeHandling: string
        cookies: 
          matchPattern: 
            all: {}
            excludedCookies:
            - string
            includedCookies:
            - string
          matchScope: string
          oversizeHandling: string
        headerOrder: 
          oversizeHandling: string
        headers: 
          matchPattern: 
            all: {}
            excludedHeaders:
            - string
            includedHeaders:
            - string
          matchScope: string
          oversizeHandling: string
        ja3Fingerprint: 
          fallbackBehavior: string
        jsonBody: 
          invalidFallbackBehavior: string
          matchPattern: 
            all: {}
            includedPaths:
            - string
          matchScope: string
          oversizeHandling: string
        method: {}
        queryString: {}
        singleHeader: 
          name: string
        singleQueryArgument: 
          name: string
        uriPath: {}
      size: integer
      textTransformations:
      - priority: integer
        type: string
    sqliMatchStatement: 
      fieldToMatch: 
        allQueryArguments: {}
        body: 
          oversizeHandling: string
        cookies: 
          matchPattern: 
            all: {}
            excludedCookies:
            - string
            includedCookies:
            - string
          matchScope: string
          oversizeHandling: string
        headerOrder: 
          oversizeHandling: string
        headers: 
          matchPattern: 
            all: {}
            excludedHeaders:
            - string
            includedHeaders:
            - string
          matchScope: string
          oversizeHandling: string
        ja3Fingerprint: 
          fallbackBehavior: string
        jsonBody: 
          invalidFallbackBehavior: string
          matchPattern: 
            all: {}
            includedPaths:
            - string
          matchScope: string
          oversizeHandling: string
        method: {}
        queryString: {}
        singleHeader: 
          name: string
        singleQueryArgument: 
          name: string
        uriPath: {}
      sensitivityLevel: string
      textTransformations:
      - priority: integer
        type: string
    xssMatchStatement: 
      fieldToMatch: 
        allQueryArguments: {}
        body: 
          oversizeHandling: string
        cookies: 
          matchPattern: 
            all: {}
            excludedCookies:
            - string
            includedCookies:
            - string
          matchScope: string
          oversizeHandling: string
        headerOrder: 
          oversizeHandling: string
        headers: 
          matchPattern: 
            all: {}
            excludedHeaders:
            - string
            includedHeaders:
            - string
          matchScope: string
          oversizeHandling: string
        ja3Fingerprint: 
          fallbackBehavior: string
        jsonBody: 
          invalidFallbackBehavior: string
          matchPattern: 
            all: {}
            includedPaths:
            - string
          matchScope: string
          oversizeHandling: string
        method: {}
        queryString: {}
        singleHeader: 
          name: string
        singleQueryArgument: 
          name: string
        uriPath: {}
      textTransformations:
      - priority: integer
        type: string
  visibilityConfig: 
    cloudWatchMetricsEnabled: boolean
    metricName: string
    sampledRequestsEnabled: boolean
scope: string
tags:
- key: string
  value: string
tokenDomains:
- string
visibilityConfig: 
  cloudWatchMetricsEnabled: boolean
  metricName: string
  sampledRequestsEnabled: boolean

Instead of this option, use RuleActionOverrides. It accepts any valid action setting, including Count. || rules.[].statement.managedRuleGroupStatement.excludedRules.[].name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[]
Required | object
Additional information that’s used by a managed rule group. Many managed rule groups don’t require this.

The rule groups used for intelligent threat mitigation require additional configuration:

• Use the AWSManagedRulesACFPRuleSet configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields.

• Use the AWSManagedRulesATPRuleSet configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.

• Use the AWSManagedRulesBotControlRuleSet configuration object to configure the protection level that you want the Bot Control rule group to use.

For example specifications, see the examples section of CreateWebACL. || rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet
Optional | object
Details for your use of the account creation fraud prevention managed rule
group, AWSManagedRulesACFPRuleSet. This configuration is used in ManagedRuleGroupConfig. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.creationPath
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.enableRegexInPath
Optional | boolean
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.registrationPagePath
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection
Optional | object
The criteria for inspecting account creation requests, used by the ACFP rule
group to validate and track account creation attempts.


This is part of the AWSManagedRulesACFPRuleSet configuration in ManagedRuleGroupConfig.


In these settings, you specify how your application accepts account creation
attempts by providing the request payload type and the names of the fields
within the request body where the username, password, email, and primary
address and phone number fields are provided. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.addressFields
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.addressFields.[]
Required | object
The name of a field in the request payload that contains part or all of your customer’s primary physical address.

This data type is used in the RequestInspectionACFP data type. || rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.addressFields.[].identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.emailField
Optional | object
The name of the field in the request payload that contains your customer’s
email.


This data type is used in the RequestInspectionACFP data type. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.emailField.identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.passwordField
Optional | object
The name of the field in the request payload that contains your customer’s
password.


This data type is used in the RequestInspection and RequestInspectionACFP
data types. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.passwordField.identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.payloadType
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.phoneNumberFields
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.phoneNumberFields.[]
Required | object
The name of a field in the request payload that contains part or all of your customer’s primary phone number.

This data type is used in the RequestInspectionACFP data type. || rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.phoneNumberFields.[].identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.usernameField
Optional | object
The name of the field in the request payload that contains your customer’s
username.


This data type is used in the RequestInspection and RequestInspectionACFP
data types. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.usernameField.identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection
Optional | object
The criteria for inspecting responses to login requests and account creation
requests, used by the ATP and ACFP rule groups to track login and account
creation success and failure rates.


Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions.


The rule groups evaluates the responses that your protected resources send
back to client login and account creation attempts, keeping count of successful
and failed attempts from each IP address and client session. Using this information,
the rule group labels and mitigates requests from client sessions and IP
addresses with too much suspicious activity in a short amount of time.


This is part of the AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet
configurations in ManagedRuleGroupConfig.


Enable response inspection by configuring exactly one component of the response
to inspect, for example, Header or StatusCode. You can’t configure more than
one component for inspection. If you don’t configure any of the response
inspection options, response inspection is disabled. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.bodyContains
Optional | object
Configures inspection of the response body. WAF can inspect the first 65,536
bytes (64 KB) of the response body. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.


Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.bodyContains.failureStrings
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.bodyContains.failureStrings.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.bodyContains.successStrings
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.bodyContains.successStrings.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.header
Optional | object
Configures inspection of the response header. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.


Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.header.failureValues
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.header.failureValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.header.name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.header.successValues
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.header.successValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.json
Optional | object
Configures inspection of the response JSON. WAF can inspect the first 65,536
bytes (64 KB) of the response JSON. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.


Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.json.failureValues
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.json.failureValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.json.identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.json.successValues
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.json.successValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.statusCode
Optional | object
Configures inspection of the response status code. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.


Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.statusCode.failureCodes
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.statusCode.failureCodes.[]
Required | integer
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.statusCode.successCodes
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.statusCode.successCodes.[]
Required | integer
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet
Optional | object
Details for your use of the account takeover prevention managed rule group,
AWSManagedRulesATPRuleSet. This configuration is used in ManagedRuleGroupConfig. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.enableRegexInPath
Optional | boolean
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.loginPath
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.requestInspection
Optional | object
The criteria for inspecting login requests, used by the ATP rule group to
validate credentials usage.


This is part of the AWSManagedRulesATPRuleSet configuration in ManagedRuleGroupConfig.


In these settings, you specify how your application accepts login attempts
by providing the request payload type and the names of the fields within
the request body where the username and password are provided. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.requestInspection.passwordField
Optional | object
The name of the field in the request payload that contains your customer’s
password.


This data type is used in the RequestInspection and RequestInspectionACFP
data types. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.requestInspection.passwordField.identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.requestInspection.payloadType
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.requestInspection.usernameField
Optional | object
The name of the field in the request payload that contains your customer’s
username.


This data type is used in the RequestInspection and RequestInspectionACFP
data types. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.requestInspection.usernameField.identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection
Optional | object
The criteria for inspecting responses to login requests and account creation
requests, used by the ATP and ACFP rule groups to track login and account
creation success and failure rates.


Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions.


The rule groups evaluates the responses that your protected resources send
back to client login and account creation attempts, keeping count of successful
and failed attempts from each IP address and client session. Using this information,
the rule group labels and mitigates requests from client sessions and IP
addresses with too much suspicious activity in a short amount of time.


This is part of the AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet
configurations in ManagedRuleGroupConfig.


Enable response inspection by configuring exactly one component of the response
to inspect, for example, Header or StatusCode. You can’t configure more than
one component for inspection. If you don’t configure any of the response
inspection options, response inspection is disabled. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.bodyContains
Optional | object
Configures inspection of the response body. WAF can inspect the first 65,536
bytes (64 KB) of the response body. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.


Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.bodyContains.failureStrings
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.bodyContains.failureStrings.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.bodyContains.successStrings
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.bodyContains.successStrings.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.header
Optional | object
Configures inspection of the response header. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.


Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.header.failureValues
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.header.failureValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.header.name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.header.successValues
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.header.successValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.json
Optional | object
Configures inspection of the response JSON. WAF can inspect the first 65,536
bytes (64 KB) of the response JSON. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.


Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.json.failureValues
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.json.failureValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.json.identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.json.successValues
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.json.successValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.statusCode
Optional | object
Configures inspection of the response status code. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.


Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.statusCode.failureCodes
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.statusCode.failureCodes.[]
Required | integer
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.statusCode.successCodes
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.statusCode.successCodes.[]
Required | integer
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesBotControlRuleSet
Optional | object
Details for your use of the Bot Control managed rule group, AWSManagedRulesBotControlRuleSet.
This configuration is used in ManagedRuleGroupConfig. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesBotControlRuleSet.enableMachineLearning
Optional | boolean
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesBotControlRuleSet.inspectionLevel
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].loginPath
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].passwordField
Optional | object
The name of the field in the request payload that contains your customer’s
password.


This data type is used in the RequestInspection and RequestInspectionACFP
data types. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].passwordField.identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].payloadType
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].usernameField
Optional | object
The name of the field in the request payload that contains your customer’s
username.


This data type is used in the RequestInspection and RequestInspectionACFP
data types. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].usernameField.identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides
Optional | array
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[]
Required | object
Action setting to use in the place of a rule action that is configured inside the rule group. You specify one override for each rule whose action you want to change.

You can use overrides for testing, for example you can override all of rule actions to Count and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic. || rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse
Optional | object
The action that WAF should take on a web request when it matches a rule’s
statement. Settings at the web ACL level can override the rule action setting. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.allow
Optional | object
Specifies that WAF should allow the request and optionally defines additional
custom handling for the request.


This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.


For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders
Optional | array
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders.[].name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders.[].value
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block
Optional | object
Specifies that WAF should block the request and optionally defines additional
custom handling for the response to the web request.


This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse
Optional | object
A custom response to send to the client. You can define a custom response
for rule actions and default web ACL actions that are set to BlockAction.


For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse.customResponseBodyKey
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseCode
Optional | integer
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders
Optional | array
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders.[].name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders.[].value
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.captcha
Optional | object
Specifies that WAF should run a CAPTCHA check against the request:


* If the request includes a valid, unexpired CAPTCHA token, WAF applies
any custom request handling and labels that you’ve configured and then
allows the web request inspection to proceed to the next rule, similar
to a CountAction.


* If the request doesn’t include a valid, unexpired token, WAF discontinues
the web ACL evaluation of the request and blocks it from going to its
intended destination. WAF generates a response that it sends back to the
client, which includes the following: The header x-amzn-waf-action with
a value of captcha. The HTTP status code 405 Method Not Allowed. If the
request contains an Accept header with a value of text/html, the response
includes a CAPTCHA JavaScript page interstitial.


You can configure the expiration time in the CaptchaConfig ImmunityTimeProperty
setting at the rule and web ACL level. The rule setting overrides the web
ACL setting.


This action option is available for rules. It isn’t available for web ACL
default actions. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.


For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders
Optional | array
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders.[].name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders.[].value
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.challenge
Optional | object
Specifies that WAF should run a Challenge check against the request to verify
that the request is coming from a legitimate client session:


* If the request includes a valid, unexpired challenge token, WAF applies
any custom request handling and labels that you’ve configured and then
allows the web request inspection to proceed to the next rule, similar
to a CountAction.


* If the request doesn’t include a valid, unexpired challenge token, WAF
discontinues the web ACL evaluation of the request and blocks it from
going to its intended destination. WAF then generates a challenge response
that it sends back to the client, which includes the following: The header
x-amzn-waf-action with a value of challenge. The HTTP status code 202
Request Accepted. If the request contains an Accept header with a value
of text/html, the response includes a JavaScript page interstitial with
a challenge script. Challenges run silent browser interrogations in the
background, and don’t generally affect the end user experience. A challenge
enforces token acquisition using an interstitial JavaScript challenge
that inspects the client session for legitimate behavior. The challenge
blocks bots or at least increases the cost of operating sophisticated
bots. After the client session successfully responds to the challenge,
it receives a new token from WAF, which the challenge script uses to resubmit
the original request.


You can configure the expiration time in the ChallengeConfig ImmunityTimeProperty
setting at the rule and web ACL level. The rule setting overrides the web
ACL setting.


This action option is available for rules. It isn’t available for web ACL
default actions. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.


For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders
Optional | array
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders.[].name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders.[].value
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.count
Optional | object
Specifies that WAF should count the request. Optionally defines additional
custom handling for the request.


This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.


For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders
Optional | array
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders.[].name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders.[].value
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.scopeDownStatement
Optional | string
| | rules.[].statement.managedRuleGroupStatement.vendorName
Optional | string
| | rules.[].statement.managedRuleGroupStatement.version
Optional | string
| | rules.[].statement.notStatement
Optional | string
| | rules.[].statement.orStatement
Optional | string
| | rules.[].statement.rateBasedStatement
Optional | object
A rate-based rule counts incoming requests and rate limits requests when
they are coming at too fast a rate. The rule categorizes requests according
to your aggregation criteria, collects them into aggregation instances, and
counts and rate limits the requests for each instance.


If you change any of these settings in a rule that’s currently in use, the
change resets the rule’s rate limiting counts. This can pause the rule’s
rate limiting activities for up to a minute.


You can specify individual aggregation keys, like IP address or HTTP method.
You can also specify aggregation key combinations, like IP address and HTTP
method, or HTTP method, query argument, and cookie.


Each unique set of values for the aggregation keys that you specify is a
separate aggregation instance, with the value from each key contributing
to the aggregation instance definition.


For example, assume the rule evaluates web requests with the following IP
address and HTTP method values:


* IP address 10.1.1.1, HTTP method POST


* IP address 10.1.1.1, HTTP method GET


* IP address 127.0.0.0, HTTP method POST


* IP address 10.1.1.1, HTTP method GET


The rule would create different aggregation instances according to your aggregation
criteria, for example:


* If the aggregation criteria is just the IP address, then each individual
address is an aggregation instance, and WAF counts requests separately
for each. The aggregation instances and request counts for our example
would be the following: IP address 10.1.1.1: count 3 IP address 127.0.0.0:
count 1


* If the aggregation criteria is HTTP method, then each individual HTTP
method is an aggregation instance. The aggregation instances and request
counts for our example would be the following: HTTP method POST: count
2 HTTP method GET: count 2


* If the aggregation criteria is IP address and HTTP method, then each
IP address and each HTTP method would contribute to the combined aggregation
instance. The aggregation instances and request counts for our example
would be the following: IP address 10.1.1.1, HTTP method POST: count 1
IP address 10.1.1.1, HTTP method GET: count 2 IP address 127.0.0.0, HTTP
method POST: count 1


For any n-tuple of aggregation keys, each unique combination of values for
the keys defines a separate aggregation instance, which WAF counts and rate-limits
individually.


You can optionally nest another statement inside the rate-based statement,
to narrow the scope of the rule so that it only counts and rate limits requests
that match the nested statement. You can use this nested scope-down statement
in conjunction with your aggregation key specifications or you can just count
and rate limit all requests that match the scope-down statement, without
additional aggregation. When you choose to just manage all requests that
match a scope-down statement, the aggregation instance is singular for the
rule.


You cannot nest a RateBasedStatement inside another statement, for example
inside a NotStatement or OrStatement. You can define a RateBasedStatement
inside a web ACL and inside a rule group.


For additional information about the options, see Rate limiting web requests
using rate-based rules (https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html)
in the WAF Developer Guide.


If you only aggregate on the individual IP address or forwarded IP address,
you can retrieve the list of IP addresses that WAF is currently rate limiting
for a rule through the API call GetRateBasedStatementManagedKeys. This option
is not available for other aggregation configurations.


WAF tracks and manages web requests separately for each instance of a rate-based
rule that you use. For example, if you provide the same rate-based rule settings
in two web ACLs, each of the two rule statements represents a separate instance
of the rate-based rule and gets its own tracking and management by WAF. If
you define a rate-based rule inside a rule group, and then use that rule
group in multiple places, each use creates a separate instance of the rate-based
rule that gets its own tracking and management by WAF. | | rules.[].statement.rateBasedStatement.aggregateKeyType
Optional | string
| | rules.[].statement.rateBasedStatement.customKeys
Optional | array
| | rules.[].statement.rateBasedStatement.customKeys.[]
Required | object
Specifies a single custom aggregate key for a rate-base rule.

Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling. || rules.[].statement.rateBasedStatement.customKeys.[].cookie
Optional | object
Specifies a cookie as an aggregate key for a rate-based rule. Each distinct
value in the cookie contributes to the aggregation instance. If you use a
single cookie as your custom key, then each value fully defines an aggregation
instance. | | rules.[].statement.rateBasedStatement.customKeys.[].cookie.name
Optional | string
| | rules.[].statement.rateBasedStatement.customKeys.[].cookie.textTransformations
Optional | array
| | rules.[].statement.rateBasedStatement.customKeys.[].cookie.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.rateBasedStatement.customKeys.[].cookie.textTransformations.[].priority
Optional | integer
| | rules.[].statement.rateBasedStatement.customKeys.[].cookie.textTransformations.[].type
Optional | string
| | rules.[].statement.rateBasedStatement.customKeys.[].forwardedIP
Optional | object
Specifies the first IP address in an HTTP header as an aggregate key for
a rate-based rule. Each distinct forwarded IP address contributes to the
aggregation instance.


This setting is used only in the RateBasedStatementCustomKey specification
of a rate-based rule statement. When you specify an IP or forwarded IP in
the custom key settings, you must also specify at least one other key to
use. You can aggregate on only the forwarded IP address by specifying FORWARDED_IP
in your rate-based statement’s AggregateKeyType.


This data type supports using the forwarded IP address in the web request
aggregation for a rate-based rule, in RateBasedStatementCustomKey. The JSON
specification for using the forwarded IP address doesn’t explicitly use this
data type.


JSON specification: “ForwardedIP”: {}


When you use this specification, you must also configure the forwarded IP
address in the rate-based statement’s ForwardedIPConfig. | | rules.[].statement.rateBasedStatement.customKeys.[].header
Optional | object
Specifies a header as an aggregate key for a rate-based rule. Each distinct
value in the header contributes to the aggregation instance. If you use a
single header as your custom key, then each value fully defines an aggregation
instance. | | rules.[].statement.rateBasedStatement.customKeys.[].header.name
Optional | string
| | rules.[].statement.rateBasedStatement.customKeys.[].header.textTransformations
Optional | array
| | rules.[].statement.rateBasedStatement.customKeys.[].header.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.rateBasedStatement.customKeys.[].header.textTransformations.[].priority
Optional | integer
| | rules.[].statement.rateBasedStatement.customKeys.[].header.textTransformations.[].type
Optional | string
| | rules.[].statement.rateBasedStatement.customKeys.[].httpMethod
Optional | object
Specifies the request’s HTTP method as an aggregate key for a rate-based
rule. Each distinct HTTP method contributes to the aggregation instance.
If you use just the HTTP method as your custom key, then each method fully
defines an aggregation instance.


JSON specification: “RateLimitHTTPMethod”: {} | | rules.[].statement.rateBasedStatement.customKeys.[].iP
Optional | object
Specifies the IP address in the web request as an aggregate key for a rate-based
rule. Each distinct IP address contributes to the aggregation instance.


This setting is used only in the RateBasedStatementCustomKey specification
of a rate-based rule statement. To use this in the custom key settings, you
must specify at least one other key to use, along with the IP address. To
aggregate on only the IP address, in your rate-based statement’s AggregateKeyType,
specify IP.


JSON specification: “RateLimitIP”: {} | | rules.[].statement.rateBasedStatement.customKeys.[].labelNamespace
Optional | object
Specifies a label namespace to use as an aggregate key for a rate-based rule.
Each distinct fully qualified label name that has the specified label namespace
contributes to the aggregation instance. If you use just one label namespace
as your custom key, then each label name fully defines an aggregation instance.


This uses only labels that have been added to the request by rules that are
evaluated before this rate-based rule in the web ACL.


For information about label namespaces and names, see Label syntax and naming
requirements (https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html)
in the WAF Developer Guide. | | rules.[].statement.rateBasedStatement.customKeys.[].labelNamespace.namespace
Optional | string
| | rules.[].statement.rateBasedStatement.customKeys.[].queryArgument
Optional | object
Specifies a query argument in the request as an aggregate key for a rate-based
rule. Each distinct value for the named query argument contributes to the
aggregation instance. If you use a single query argument as your custom key,
then each value fully defines an aggregation instance. | | rules.[].statement.rateBasedStatement.customKeys.[].queryArgument.name
Optional | string
| | rules.[].statement.rateBasedStatement.customKeys.[].queryArgument.textTransformations
Optional | array
| | rules.[].statement.rateBasedStatement.customKeys.[].queryArgument.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.rateBasedStatement.customKeys.[].queryArgument.textTransformations.[].priority
Optional | integer
| | rules.[].statement.rateBasedStatement.customKeys.[].queryArgument.textTransformations.[].type
Optional | string
| | rules.[].statement.rateBasedStatement.customKeys.[].queryString
Optional | object
Specifies the request’s query string as an aggregate key for a rate-based
rule. Each distinct string contributes to the aggregation instance. If you
use just the query string as your custom key, then each string fully defines
an aggregation instance. | | rules.[].statement.rateBasedStatement.customKeys.[].queryString.textTransformations
Optional | array
| | rules.[].statement.rateBasedStatement.customKeys.[].queryString.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.rateBasedStatement.customKeys.[].queryString.textTransformations.[].priority
Optional | integer
| | rules.[].statement.rateBasedStatement.customKeys.[].queryString.textTransformations.[].type
Optional | string
| | rules.[].statement.rateBasedStatement.customKeys.[].uriPath
Optional | object
Specifies the request’s URI path as an aggregate key for a rate-based rule.
Each distinct URI path contributes to the aggregation instance. If you use
just the URI path as your custom key, then each URI path fully defines an
aggregation instance. | | rules.[].statement.rateBasedStatement.customKeys.[].uriPath.textTransformations
Optional | array
| | rules.[].statement.rateBasedStatement.customKeys.[].uriPath.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.rateBasedStatement.customKeys.[].uriPath.textTransformations.[].priority
Optional | integer
| | rules.[].statement.rateBasedStatement.customKeys.[].uriPath.textTransformations.[].type
Optional | string
| | rules.[].statement.rateBasedStatement.evaluationWindowSec
Optional | integer
| | rules.[].statement.rateBasedStatement.forwardedIPConfig
Optional | object
The configuration for inspecting IP addresses in an HTTP header that you
specify, instead of using the IP address that’s reported by the web request
origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify
any header name.


If the specified header isn’t present in the request, WAF doesn’t apply the
rule to the web request at all.


This configuration is used for GeoMatchStatement and RateBasedStatement.
For IPSetReferenceStatement, use IPSetForwardedIPConfig instead.


WAF only evaluates the first IP address found in the specified HTTP header. | | rules.[].statement.rateBasedStatement.forwardedIPConfig.fallbackBehavior
Optional | string
| | rules.[].statement.rateBasedStatement.forwardedIPConfig.headerName
Optional | string
| | rules.[].statement.rateBasedStatement.limit
Optional | integer
| | rules.[].statement.rateBasedStatement.scopeDownStatement
Optional | string
| | rules.[].statement.regexMatchStatement
Optional | object
A rule statement used to search web request components for a match against
a single regular expression. | | rules.[].statement.regexMatchStatement.fieldToMatch
Optional | object
Specifies a web request component to be used in a rule match statement or
in a logging configuration.


* In a rule statement, this is the part of the web request that you want
WAF to inspect. Include the single FieldToMatch type that you want to
inspect, with additional specifications as needed, according to the type.
You specify a single request component in FieldToMatch for each rule statement
that requires it. To inspect more than one component of the web request,
create a separate rule statement for each component. Example JSON for
a QueryString field to match: “FieldToMatch”: { “QueryString”: {} } Example
JSON for a Method field to match specification: “FieldToMatch”: { “Method”:
{ “Name”: “DELETE” } }


* In a logging configuration, this is used in the RedactedFields property
to specify a field to redact from the logging records. For this use case,
note the following: Even though all FieldToMatch settings are available,
the only valid settings for field redaction are UriPath, QueryString,
SingleHeader, and Method. In this documentation, the descriptions of the
individual fields talk about specifying the web request component to inspect,
but for field redaction, you are specifying the component type to redact
from the logs. | | rules.[].statement.regexMatchStatement.fieldToMatch.allQueryArguments
Optional | object
Inspect all query arguments of the web request.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “AllQueryArguments”: {} | | rules.[].statement.regexMatchStatement.fieldToMatch.body
Optional | object
Inspect the body of the web request. The body immediately follows the request
headers.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification. | | rules.[].statement.regexMatchStatement.fieldToMatch.body.oversizeHandling
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.cookies
Optional | object
Inspect the cookies in the web request. You can specify the parts of the
cookies to inspect and you can narrow the set of cookies to inspect by including
or excluding specific keys.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Example JSON: “Cookies”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchPattern
Optional | object
The filter to use to identify the subset of cookies to inspect in a web request.


You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies.


Example JSON: “MatchPattern”: { “IncludedCookies”: [ “session-id-time”, “session-id”
] } | | rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “All”: {} | | rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies
Optional | array
| | rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies.[]
Required | string
|| rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies
Optional | array
| | rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies.[]
Required | string
|| rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchScope
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.cookies.oversizeHandling
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.headerOrder
Optional | object
Inspect a string containing the list of the request’s header names, ordered
as they appear in the web request that WAF receives for inspection. WAF generates
the string and then uses that as the field to match component in its inspection.
WAF separates the header names in the string using colons and no added spaces,
for example host:user-agent:accept:authorization:referer. | | rules.[].statement.regexMatchStatement.fieldToMatch.headerOrder.oversizeHandling
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.headers
Optional | object
Inspect all headers in the web request. You can specify the parts of the
headers to inspect and you can narrow the set of headers to inspect by including
or excluding specific keys.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


If you want to inspect just the value of a single header, use the SingleHeader
FieldToMatch setting instead.


Example JSON: “Headers”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchPattern
Optional | object
The filter to use to identify the subset of headers to inspect in a web request.


You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders.


Example JSON: “MatchPattern”: { “ExcludedHeaders”: [ “KeyToExclude1”, “KeyToExclude2”
] } | | rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “All”: {} | | rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders
Optional | array
| | rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders.[]
Required | string
|| rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders
Optional | array
| | rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders.[]
Required | string
|| rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchScope
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.headers.oversizeHandling
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.ja3Fingerprint
Optional | object
Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character
hash derived from the TLS Client Hello of an incoming request. This fingerprint
serves as a unique identifier for the client’s TLS configuration. WAF calculates
and logs this fingerprint for each request that has enough TLS Client Hello
information for the calculation. Almost all web requests include this information.


You can use this choice only with a string match ByteMatchStatement with
the PositionalConstraint set to EXACTLY.


You can obtain the JA3 fingerprint for client requests from the web ACL logs.
If WAF is able to calculate the fingerprint, it includes it in the logs.
For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html)
in the WAF Developer Guide.


Provide the JA3 fingerprint string from the logs in your string match statement
specification, to match with any future requests that have the same TLS configuration. | | rules.[].statement.regexMatchStatement.fieldToMatch.ja3Fingerprint.fallbackBehavior
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody
Optional | object
Inspect the body of the web request as JSON. The body immediately follows
the request headers.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Use the specifications in this object to indicate which parts of the JSON
body to inspect using the rule’s inspection criteria. WAF inspects only the
parts of the JSON that result from the matches that you indicate.


Example JSON: “JsonBody”: { “MatchPattern”: { “All”: {} }, “MatchScope”:
“ALL” } | | rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.invalidFallbackBehavior
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.matchPattern
Optional | object
The patterns to look for in the JSON body. WAF inspects the results of these
pattern matches against the rule inspection criteria. This is used with the
FieldToMatch option JsonBody. | | rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “All”: {} | | rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths
Optional | array
| | rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths.[]
Required | string
|| rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.matchScope
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.oversizeHandling
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.method
Optional | object
Inspect the HTTP method of the web request. The method indicates the type
of operation that the request is asking the origin to perform.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “Method”: {} | | rules.[].statement.regexMatchStatement.fieldToMatch.queryString
Optional | object
Inspect the query string of the web request. This is the part of a URL that
appears after a ? character, if any.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “QueryString”: {} | | rules.[].statement.regexMatchStatement.fieldToMatch.singleHeader
Optional | object
Inspect one of the headers in the web request, identified by name, for example,
User-Agent or Referer. The name isn’t case sensitive.


You can filter and inspect all headers with the FieldToMatch setting Headers.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Example JSON: “SingleHeader”: { “Name”: “haystack” } | | rules.[].statement.regexMatchStatement.fieldToMatch.singleHeader.name
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.singleQueryArgument
Optional | object
Inspect one query argument in the web request, identified by name, for example
UserName or SalesRegion. The name isn’t case sensitive.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Example JSON: “SingleQueryArgument”: { “Name”: “myArgument” } | | rules.[].statement.regexMatchStatement.fieldToMatch.singleQueryArgument.name
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.uriPath
Optional | object
Inspect the path component of the URI of the web request. This is the part
of the web request that identifies a resource. For example, /images/daily-ad.jpg.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “UriPath”: {} | | rules.[].statement.regexMatchStatement.regexString
Optional | string
| | rules.[].statement.regexMatchStatement.textTransformations
Optional | array
| | rules.[].statement.regexMatchStatement.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.regexMatchStatement.textTransformations.[].priority
Optional | integer
| | rules.[].statement.regexMatchStatement.textTransformations.[].type
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement
Optional | object
A rule statement used to search web request components for matches with regular
expressions. To use this, create a RegexPatternSet that specifies the expressions
that you want to detect, then use the ARN of that set in this statement.
A web request matches the pattern set rule statement if the request component
matches any of the patterns in the set. To create a regex pattern set, see
CreateRegexPatternSet.


Each regex pattern set rule statement references a regex pattern set. You
create and maintain the set independent of your rules. This allows you to
use the single set in multiple rules. When you update the referenced set,
WAF automatically updates all rules that reference it. | | rules.[].statement.regexPatternSetReferenceStatement.arn
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch
Optional | object
Specifies a web request component to be used in a rule match statement or
in a logging configuration.


* In a rule statement, this is the part of the web request that you want
WAF to inspect. Include the single FieldToMatch type that you want to
inspect, with additional specifications as needed, according to the type.
You specify a single request component in FieldToMatch for each rule statement
that requires it. To inspect more than one component of the web request,
create a separate rule statement for each component. Example JSON for
a QueryString field to match: “FieldToMatch”: { “QueryString”: {} } Example
JSON for a Method field to match specification: “FieldToMatch”: { “Method”:
{ “Name”: “DELETE” } }


* In a logging configuration, this is used in the RedactedFields property
to specify a field to redact from the logging records. For this use case,
note the following: Even though all FieldToMatch settings are available,
the only valid settings for field redaction are UriPath, QueryString,
SingleHeader, and Method. In this documentation, the descriptions of the
individual fields talk about specifying the web request component to inspect,
but for field redaction, you are specifying the component type to redact
from the logs. | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.allQueryArguments
Optional | object
Inspect all query arguments of the web request.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “AllQueryArguments”: {} | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.body
Optional | object
Inspect the body of the web request. The body immediately follows the request
headers.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification. | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.body.oversizeHandling
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies
Optional | object
Inspect the cookies in the web request. You can specify the parts of the
cookies to inspect and you can narrow the set of cookies to inspect by including
or excluding specific keys.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Example JSON: “Cookies”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchPattern
Optional | object
The filter to use to identify the subset of cookies to inspect in a web request.


You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies.


Example JSON: “MatchPattern”: { “IncludedCookies”: [ “session-id-time”, “session-id”
] } | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “All”: {} | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchPattern.excludedCookies
Optional | array
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchPattern.excludedCookies.[]
Required | string
|| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchPattern.includedCookies
Optional | array
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchPattern.includedCookies.[]
Required | string
|| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchScope
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.oversizeHandling
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headerOrder
Optional | object
Inspect a string containing the list of the request’s header names, ordered
as they appear in the web request that WAF receives for inspection. WAF generates
the string and then uses that as the field to match component in its inspection.
WAF separates the header names in the string using colons and no added spaces,
for example host:user-agent:accept:authorization:referer. | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headerOrder.oversizeHandling
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers
Optional | object
Inspect all headers in the web request. You can specify the parts of the
headers to inspect and you can narrow the set of headers to inspect by including
or excluding specific keys.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


If you want to inspect just the value of a single header, use the SingleHeader
FieldToMatch setting instead.


Example JSON: “Headers”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchPattern
Optional | object
The filter to use to identify the subset of headers to inspect in a web request.


You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders.


Example JSON: “MatchPattern”: { “ExcludedHeaders”: [ “KeyToExclude1”, “KeyToExclude2”
] } | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “All”: {} | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchPattern.excludedHeaders
Optional | array
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchPattern.excludedHeaders.[]
Required | string
|| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchPattern.includedHeaders
Optional | array
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchPattern.includedHeaders.[]
Required | string
|| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchScope
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.oversizeHandling
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.ja3Fingerprint
Optional | object
Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character
hash derived from the TLS Client Hello of an incoming request. This fingerprint
serves as a unique identifier for the client’s TLS configuration. WAF calculates
and logs this fingerprint for each request that has enough TLS Client Hello
information for the calculation. Almost all web requests include this information.


You can use this choice only with a string match ByteMatchStatement with
the PositionalConstraint set to EXACTLY.


You can obtain the JA3 fingerprint for client requests from the web ACL logs.
If WAF is able to calculate the fingerprint, it includes it in the logs.
For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html)
in the WAF Developer Guide.


Provide the JA3 fingerprint string from the logs in your string match statement
specification, to match with any future requests that have the same TLS configuration. | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.ja3Fingerprint.fallbackBehavior
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody
Optional | object
Inspect the body of the web request as JSON. The body immediately follows
the request headers.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Use the specifications in this object to indicate which parts of the JSON
body to inspect using the rule’s inspection criteria. WAF inspects only the
parts of the JSON that result from the matches that you indicate.


Example JSON: “JsonBody”: { “MatchPattern”: { “All”: {} }, “MatchScope”:
“ALL” } | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.invalidFallbackBehavior
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.matchPattern
Optional | object
The patterns to look for in the JSON body. WAF inspects the results of these
pattern matches against the rule inspection criteria. This is used with the
FieldToMatch option JsonBody. | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “All”: {} | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.matchPattern.includedPaths
Optional | array
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.matchPattern.includedPaths.[]
Required | string
|| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.matchScope
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.oversizeHandling
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.method
Optional | object
Inspect the HTTP method of the web request. The method indicates the type
of operation that the request is asking the origin to perform.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “Method”: {} | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.queryString
Optional | object
Inspect the query string of the web request. This is the part of a URL that
appears after a ? character, if any.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “QueryString”: {} | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.singleHeader
Optional | object
Inspect one of the headers in the web request, identified by name, for example,
User-Agent or Referer. The name isn’t case sensitive.


You can filter and inspect all headers with the FieldToMatch setting Headers.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Example JSON: “SingleHeader”: { “Name”: “haystack” } | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.singleHeader.name
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.singleQueryArgument
Optional | object
Inspect one query argument in the web request, identified by name, for example
UserName or SalesRegion. The name isn’t case sensitive.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Example JSON: “SingleQueryArgument”: { “Name”: “myArgument” } | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.singleQueryArgument.name
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.uriPath
Optional | object
Inspect the path component of the URI of the web request. This is the part
of the web request that identifies a resource. For example, /images/daily-ad.jpg.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “UriPath”: {} | | rules.[].statement.regexPatternSetReferenceStatement.textTransformations
Optional | array
| | rules.[].statement.regexPatternSetReferenceStatement.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.regexPatternSetReferenceStatement.textTransformations.[].priority
Optional | integer
| | rules.[].statement.regexPatternSetReferenceStatement.textTransformations.[].type
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement
Optional | object
A rule statement used to run the rules that are defined in a RuleGroup. To
use this, create a rule group with your rules, then provide the ARN of the
rule group in this statement.


You cannot nest a RuleGroupReferenceStatement, for example for use inside
a NotStatement or OrStatement. You cannot use a rule group reference statement
inside another rule group. You can only reference a rule group as a top-level
statement within a rule that you define in a web ACL. | | rules.[].statement.ruleGroupReferenceStatement.arn
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.excludedRules
Optional | array
| | rules.[].statement.ruleGroupReferenceStatement.excludedRules.[]
Required | object
Specifies a single rule in a rule group whose action you want to override to Count.

Instead of this option, use RuleActionOverrides. It accepts any valid action setting, including Count. || rules.[].statement.ruleGroupReferenceStatement.excludedRules.[].name
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides
Optional | array
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[]
Required | object
Action setting to use in the place of a rule action that is configured inside the rule group. You specify one override for each rule whose action you want to change.

You can use overrides for testing, for example you can override all of rule actions to Count and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic. || rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse
Optional | object
The action that WAF should take on a web request when it matches a rule’s
statement. Settings at the web ACL level can override the rule action setting. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.allow
Optional | object
Specifies that WAF should allow the request and optionally defines additional
custom handling for the request.


This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.


For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders
Optional | array
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders.[].name
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders.[].value
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block
Optional | object
Specifies that WAF should block the request and optionally defines additional
custom handling for the response to the web request.


This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse
Optional | object
A custom response to send to the client. You can define a custom response
for rule actions and default web ACL actions that are set to BlockAction.


For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse.customResponseBodyKey
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseCode
Optional | integer
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders
Optional | array
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders.[].name
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders.[].value
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.captcha
Optional | object
Specifies that WAF should run a CAPTCHA check against the request:


* If the request includes a valid, unexpired CAPTCHA token, WAF applies
any custom request handling and labels that you’ve configured and then
allows the web request inspection to proceed to the next rule, similar
to a CountAction.


* If the request doesn’t include a valid, unexpired token, WAF discontinues
the web ACL evaluation of the request and blocks it from going to its
intended destination. WAF generates a response that it sends back to the
client, which includes the following: The header x-amzn-waf-action with
a value of captcha. The HTTP status code 405 Method Not Allowed. If the
request contains an Accept header with a value of text/html, the response
includes a CAPTCHA JavaScript page interstitial.


You can configure the expiration time in the CaptchaConfig ImmunityTimeProperty
setting at the rule and web ACL level. The rule setting overrides the web
ACL setting.


This action option is available for rules. It isn’t available for web ACL
default actions. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.


For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders
Optional | array
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders.[].name
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders.[].value
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.challenge
Optional | object
Specifies that WAF should run a Challenge check against the request to verify
that the request is coming from a legitimate client session:


* If the request includes a valid, unexpired challenge token, WAF applies
any custom request handling and labels that you’ve configured and then
allows the web request inspection to proceed to the next rule, similar
to a CountAction.


* If the request doesn’t include a valid, unexpired challenge token, WAF
discontinues the web ACL evaluation of the request and blocks it from
going to its intended destination. WAF then generates a challenge response
that it sends back to the client, which includes the following: The header
x-amzn-waf-action with a value of challenge. The HTTP status code 202
Request Accepted. If the request contains an Accept header with a value
of text/html, the response includes a JavaScript page interstitial with
a challenge script. Challenges run silent browser interrogations in the
background, and don’t generally affect the end user experience. A challenge
enforces token acquisition using an interstitial JavaScript challenge
that inspects the client session for legitimate behavior. The challenge
blocks bots or at least increases the cost of operating sophisticated
bots. After the client session successfully responds to the challenge,
it receives a new token from WAF, which the challenge script uses to resubmit
the original request.


You can configure the expiration time in the ChallengeConfig ImmunityTimeProperty
setting at the rule and web ACL level. The rule setting overrides the web
ACL setting.


This action option is available for rules. It isn’t available for web ACL
default actions. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.


For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders
Optional | array
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders.[].name
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders.[].value
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.count
Optional | object
Specifies that WAF should count the request. Optionally defines additional
custom handling for the request.


This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.


For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders
Optional | array
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders.[].name
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders.[].value
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].name
Optional | string
| | rules.[].statement.sizeConstraintStatement
Optional | object
A rule statement that compares a number of bytes against the size of a request
component, using a comparison operator, such as greater than (>) or less
than (<). For example, you can use a size constraint statement to look for
query strings that are longer than 100 bytes.


If you configure WAF to inspect the request body, WAF inspects only the number
of bytes in the body up to the limit for the web ACL and protected resource
type. If you know that the request body for your web requests should never
exceed the inspection limit, you can use a size constraint statement to block
requests that have a larger request body size. For more information about
the inspection limits, see Body and JsonBody settings for the FieldToMatch
data type.


If you choose URI for the value of Part of the request to filter on, the
slash (/) in the URI counts as one character. For example, the URI /logo.jpg
is nine characters long. | | rules.[].statement.sizeConstraintStatement.comparisonOperator
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch
Optional | object
Specifies a web request component to be used in a rule match statement or
in a logging configuration.


* In a rule statement, this is the part of the web request that you want
WAF to inspect. Include the single FieldToMatch type that you want to
inspect, with additional specifications as needed, according to the type.
You specify a single request component in FieldToMatch for each rule statement
that requires it. To inspect more than one component of the web request,
create a separate rule statement for each component. Example JSON for
a QueryString field to match: “FieldToMatch”: { “QueryString”: {} } Example
JSON for a Method field to match specification: “FieldToMatch”: { “Method”:
{ “Name”: “DELETE” } }


* In a logging configuration, this is used in the RedactedFields property
to specify a field to redact from the logging records. For this use case,
note the following: Even though all FieldToMatch settings are available,
the only valid settings for field redaction are UriPath, QueryString,
SingleHeader, and Method. In this documentation, the descriptions of the
individual fields talk about specifying the web request component to inspect,
but for field redaction, you are specifying the component type to redact
from the logs. | | rules.[].statement.sizeConstraintStatement.fieldToMatch.allQueryArguments
Optional | object
Inspect all query arguments of the web request.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “AllQueryArguments”: {} | | rules.[].statement.sizeConstraintStatement.fieldToMatch.body
Optional | object
Inspect the body of the web request. The body immediately follows the request
headers.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification. | | rules.[].statement.sizeConstraintStatement.fieldToMatch.body.oversizeHandling
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies
Optional | object
Inspect the cookies in the web request. You can specify the parts of the
cookies to inspect and you can narrow the set of cookies to inspect by including
or excluding specific keys.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Example JSON: “Cookies”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchPattern
Optional | object
The filter to use to identify the subset of cookies to inspect in a web request.


You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies.


Example JSON: “MatchPattern”: { “IncludedCookies”: [ “session-id-time”, “session-id”
] } | | rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “All”: {} | | rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchPattern.excludedCookies
Optional | array
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchPattern.excludedCookies.[]
Required | string
|| rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchPattern.includedCookies
Optional | array
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchPattern.includedCookies.[]
Required | string
|| rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchScope
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.oversizeHandling
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.headerOrder
Optional | object
Inspect a string containing the list of the request’s header names, ordered
as they appear in the web request that WAF receives for inspection. WAF generates
the string and then uses that as the field to match component in its inspection.
WAF separates the header names in the string using colons and no added spaces,
for example host:user-agent:accept:authorization:referer. | | rules.[].statement.sizeConstraintStatement.fieldToMatch.headerOrder.oversizeHandling
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.headers
Optional | object
Inspect all headers in the web request. You can specify the parts of the
headers to inspect and you can narrow the set of headers to inspect by including
or excluding specific keys.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


If you want to inspect just the value of a single header, use the SingleHeader
FieldToMatch setting instead.


Example JSON: “Headers”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchPattern
Optional | object
The filter to use to identify the subset of headers to inspect in a web request.


You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders.


Example JSON: “MatchPattern”: { “ExcludedHeaders”: [ “KeyToExclude1”, “KeyToExclude2”
] } | | rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “All”: {} | | rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchPattern.excludedHeaders
Optional | array
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchPattern.excludedHeaders.[]
Required | string
|| rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchPattern.includedHeaders
Optional | array
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchPattern.includedHeaders.[]
Required | string
|| rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchScope
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.oversizeHandling
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.ja3Fingerprint
Optional | object
Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character
hash derived from the TLS Client Hello of an incoming request. This fingerprint
serves as a unique identifier for the client’s TLS configuration. WAF calculates
and logs this fingerprint for each request that has enough TLS Client Hello
information for the calculation. Almost all web requests include this information.


You can use this choice only with a string match ByteMatchStatement with
the PositionalConstraint set to EXACTLY.


You can obtain the JA3 fingerprint for client requests from the web ACL logs.
If WAF is able to calculate the fingerprint, it includes it in the logs.
For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html)
in the WAF Developer Guide.


Provide the JA3 fingerprint string from the logs in your string match statement
specification, to match with any future requests that have the same TLS configuration. | | rules.[].statement.sizeConstraintStatement.fieldToMatch.ja3Fingerprint.fallbackBehavior
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody
Optional | object
Inspect the body of the web request as JSON. The body immediately follows
the request headers.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Use the specifications in this object to indicate which parts of the JSON
body to inspect using the rule’s inspection criteria. WAF inspects only the
parts of the JSON that result from the matches that you indicate.


Example JSON: “JsonBody”: { “MatchPattern”: { “All”: {} }, “MatchScope”:
“ALL” } | | rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.invalidFallbackBehavior
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.matchPattern
Optional | object
The patterns to look for in the JSON body. WAF inspects the results of these
pattern matches against the rule inspection criteria. This is used with the
FieldToMatch option JsonBody. | | rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “All”: {} | | rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.matchPattern.includedPaths
Optional | array
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.matchPattern.includedPaths.[]
Required | string
|| rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.matchScope
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.oversizeHandling
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.method
Optional | object
Inspect the HTTP method of the web request. The method indicates the type
of operation that the request is asking the origin to perform.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “Method”: {} | | rules.[].statement.sizeConstraintStatement.fieldToMatch.queryString
Optional | object
Inspect the query string of the web request. This is the part of a URL that
appears after a ? character, if any.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “QueryString”: {} | | rules.[].statement.sizeConstraintStatement.fieldToMatch.singleHeader
Optional | object
Inspect one of the headers in the web request, identified by name, for example,
User-Agent or Referer. The name isn’t case sensitive.


You can filter and inspect all headers with the FieldToMatch setting Headers.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Example JSON: “SingleHeader”: { “Name”: “haystack” } | | rules.[].statement.sizeConstraintStatement.fieldToMatch.singleHeader.name
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.singleQueryArgument
Optional | object
Inspect one query argument in the web request, identified by name, for example
UserName or SalesRegion. The name isn’t case sensitive.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Example JSON: “SingleQueryArgument”: { “Name”: “myArgument” } | | rules.[].statement.sizeConstraintStatement.fieldToMatch.singleQueryArgument.name
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.uriPath
Optional | object
Inspect the path component of the URI of the web request. This is the part
of the web request that identifies a resource. For example, /images/daily-ad.jpg.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “UriPath”: {} | | rules.[].statement.sizeConstraintStatement.size
Optional | integer
| | rules.[].statement.sizeConstraintStatement.textTransformations
Optional | array
| | rules.[].statement.sizeConstraintStatement.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.sizeConstraintStatement.textTransformations.[].priority
Optional | integer
| | rules.[].statement.sizeConstraintStatement.textTransformations.[].type
Optional | string
| | rules.[].statement.sqliMatchStatement
Optional | object
A rule statement that inspects for malicious SQL code. Attackers insert malicious
SQL code into web requests to do things like modify your database or extract
data from it. | | rules.[].statement.sqliMatchStatement.fieldToMatch
Optional | object
Specifies a web request component to be used in a rule match statement or
in a logging configuration.


* In a rule statement, this is the part of the web request that you want
WAF to inspect. Include the single FieldToMatch type that you want to
inspect, with additional specifications as needed, according to the type.
You specify a single request component in FieldToMatch for each rule statement
that requires it. To inspect more than one component of the web request,
create a separate rule statement for each component. Example JSON for
a QueryString field to match: “FieldToMatch”: { “QueryString”: {} } Example
JSON for a Method field to match specification: “FieldToMatch”: { “Method”:
{ “Name”: “DELETE” } }


* In a logging configuration, this is used in the RedactedFields property
to specify a field to redact from the logging records. For this use case,
note the following: Even though all FieldToMatch settings are available,
the only valid settings for field redaction are UriPath, QueryString,
SingleHeader, and Method. In this documentation, the descriptions of the
individual fields talk about specifying the web request component to inspect,
but for field redaction, you are specifying the component type to redact
from the logs. | | rules.[].statement.sqliMatchStatement.fieldToMatch.allQueryArguments
Optional | object
Inspect all query arguments of the web request.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “AllQueryArguments”: {} | | rules.[].statement.sqliMatchStatement.fieldToMatch.body
Optional | object
Inspect the body of the web request. The body immediately follows the request
headers.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification. | | rules.[].statement.sqliMatchStatement.fieldToMatch.body.oversizeHandling
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.cookies
Optional | object
Inspect the cookies in the web request. You can specify the parts of the
cookies to inspect and you can narrow the set of cookies to inspect by including
or excluding specific keys.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Example JSON: “Cookies”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchPattern
Optional | object
The filter to use to identify the subset of cookies to inspect in a web request.


You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies.


Example JSON: “MatchPattern”: { “IncludedCookies”: [ “session-id-time”, “session-id”
] } | | rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “All”: {} | | rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies
Optional | array
| | rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies.[]
Required | string
|| rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies
Optional | array
| | rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies.[]
Required | string
|| rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchScope
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.oversizeHandling
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.headerOrder
Optional | object
Inspect a string containing the list of the request’s header names, ordered
as they appear in the web request that WAF receives for inspection. WAF generates
the string and then uses that as the field to match component in its inspection.
WAF separates the header names in the string using colons and no added spaces,
for example host:user-agent:accept:authorization:referer. | | rules.[].statement.sqliMatchStatement.fieldToMatch.headerOrder.oversizeHandling
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.headers
Optional | object
Inspect all headers in the web request. You can specify the parts of the
headers to inspect and you can narrow the set of headers to inspect by including
or excluding specific keys.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


If you want to inspect just the value of a single header, use the SingleHeader
FieldToMatch setting instead.


Example JSON: “Headers”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchPattern
Optional | object
The filter to use to identify the subset of headers to inspect in a web request.


You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders.


Example JSON: “MatchPattern”: { “ExcludedHeaders”: [ “KeyToExclude1”, “KeyToExclude2”
] } | | rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “All”: {} | | rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders
Optional | array
| | rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders.[]
Required | string
|| rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders
Optional | array
| | rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders.[]
Required | string
|| rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchScope
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.headers.oversizeHandling
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.ja3Fingerprint
Optional | object
Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character
hash derived from the TLS Client Hello of an incoming request. This fingerprint
serves as a unique identifier for the client’s TLS configuration. WAF calculates
and logs this fingerprint for each request that has enough TLS Client Hello
information for the calculation. Almost all web requests include this information.


You can use this choice only with a string match ByteMatchStatement with
the PositionalConstraint set to EXACTLY.


You can obtain the JA3 fingerprint for client requests from the web ACL logs.
If WAF is able to calculate the fingerprint, it includes it in the logs.
For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html)
in the WAF Developer Guide.


Provide the JA3 fingerprint string from the logs in your string match statement
specification, to match with any future requests that have the same TLS configuration. | | rules.[].statement.sqliMatchStatement.fieldToMatch.ja3Fingerprint.fallbackBehavior
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody
Optional | object
Inspect the body of the web request as JSON. The body immediately follows
the request headers.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Use the specifications in this object to indicate which parts of the JSON
body to inspect using the rule’s inspection criteria. WAF inspects only the
parts of the JSON that result from the matches that you indicate.


Example JSON: “JsonBody”: { “MatchPattern”: { “All”: {} }, “MatchScope”:
“ALL” } | | rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.invalidFallbackBehavior
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.matchPattern
Optional | object
The patterns to look for in the JSON body. WAF inspects the results of these
pattern matches against the rule inspection criteria. This is used with the
FieldToMatch option JsonBody. | | rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “All”: {} | | rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths
Optional | array
| | rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths.[]
Required | string
|| rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.matchScope
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.oversizeHandling
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.method
Optional | object
Inspect the HTTP method of the web request. The method indicates the type
of operation that the request is asking the origin to perform.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “Method”: {} | | rules.[].statement.sqliMatchStatement.fieldToMatch.queryString
Optional | object
Inspect the query string of the web request. This is the part of a URL that
appears after a ? character, if any.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “QueryString”: {} | | rules.[].statement.sqliMatchStatement.fieldToMatch.singleHeader
Optional | object
Inspect one of the headers in the web request, identified by name, for example,
User-Agent or Referer. The name isn’t case sensitive.


You can filter and inspect all headers with the FieldToMatch setting Headers.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Example JSON: “SingleHeader”: { “Name”: “haystack” } | | rules.[].statement.sqliMatchStatement.fieldToMatch.singleHeader.name
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.singleQueryArgument
Optional | object
Inspect one query argument in the web request, identified by name, for example
UserName or SalesRegion. The name isn’t case sensitive.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Example JSON: “SingleQueryArgument”: { “Name”: “myArgument” } | | rules.[].statement.sqliMatchStatement.fieldToMatch.singleQueryArgument.name
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.uriPath
Optional | object
Inspect the path component of the URI of the web request. This is the part
of the web request that identifies a resource. For example, /images/daily-ad.jpg.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “UriPath”: {} | | rules.[].statement.sqliMatchStatement.sensitivityLevel
Optional | string
| | rules.[].statement.sqliMatchStatement.textTransformations
Optional | array
| | rules.[].statement.sqliMatchStatement.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.sqliMatchStatement.textTransformations.[].priority
Optional | integer
| | rules.[].statement.sqliMatchStatement.textTransformations.[].type
Optional | string
| | rules.[].statement.xssMatchStatement
Optional | object
A rule statement that inspects for cross-site scripting (XSS) attacks. In
XSS attacks, the attacker uses vulnerabilities in a benign website as a vehicle
to inject malicious client-site scripts into other legitimate web browsers. | | rules.[].statement.xssMatchStatement.fieldToMatch
Optional | object
Specifies a web request component to be used in a rule match statement or
in a logging configuration.


* In a rule statement, this is the part of the web request that you want
WAF to inspect. Include the single FieldToMatch type that you want to
inspect, with additional specifications as needed, according to the type.
You specify a single request component in FieldToMatch for each rule statement
that requires it. To inspect more than one component of the web request,
create a separate rule statement for each component. Example JSON for
a QueryString field to match: “FieldToMatch”: { “QueryString”: {} } Example
JSON for a Method field to match specification: “FieldToMatch”: { “Method”:
{ “Name”: “DELETE” } }


* In a logging configuration, this is used in the RedactedFields property
to specify a field to redact from the logging records. For this use case,
note the following: Even though all FieldToMatch settings are available,
the only valid settings for field redaction are UriPath, QueryString,
SingleHeader, and Method. In this documentation, the descriptions of the
individual fields talk about specifying the web request component to inspect,
but for field redaction, you are specifying the component type to redact
from the logs. | | rules.[].statement.xssMatchStatement.fieldToMatch.allQueryArguments
Optional | object
Inspect all query arguments of the web request.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “AllQueryArguments”: {} | | rules.[].statement.xssMatchStatement.fieldToMatch.body
Optional | object
Inspect the body of the web request. The body immediately follows the request
headers.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification. | | rules.[].statement.xssMatchStatement.fieldToMatch.body.oversizeHandling
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.cookies
Optional | object
Inspect the cookies in the web request. You can specify the parts of the
cookies to inspect and you can narrow the set of cookies to inspect by including
or excluding specific keys.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Example JSON: “Cookies”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchPattern
Optional | object
The filter to use to identify the subset of cookies to inspect in a web request.


You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies.


Example JSON: “MatchPattern”: { “IncludedCookies”: [ “session-id-time”, “session-id”
] } | | rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “All”: {} | | rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies
Optional | array
| | rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies.[]
Required | string
|| rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies
Optional | array
| | rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies.[]
Required | string
|| rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchScope
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.cookies.oversizeHandling
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.headerOrder
Optional | object
Inspect a string containing the list of the request’s header names, ordered
as they appear in the web request that WAF receives for inspection. WAF generates
the string and then uses that as the field to match component in its inspection.
WAF separates the header names in the string using colons and no added spaces,
for example host:user-agent:accept:authorization:referer. | | rules.[].statement.xssMatchStatement.fieldToMatch.headerOrder.oversizeHandling
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.headers
Optional | object
Inspect all headers in the web request. You can specify the parts of the
headers to inspect and you can narrow the set of headers to inspect by including
or excluding specific keys.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


If you want to inspect just the value of a single header, use the SingleHeader
FieldToMatch setting instead.


Example JSON: “Headers”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchPattern
Optional | object
The filter to use to identify the subset of headers to inspect in a web request.


You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders.


Example JSON: “MatchPattern”: { “ExcludedHeaders”: [ “KeyToExclude1”, “KeyToExclude2”
] } | | rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “All”: {} | | rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders
Optional | array
| | rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders.[]
Required | string
|| rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders
Optional | array
| | rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders.[]
Required | string
|| rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchScope
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.headers.oversizeHandling
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.ja3Fingerprint
Optional | object
Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character
hash derived from the TLS Client Hello of an incoming request. This fingerprint
serves as a unique identifier for the client’s TLS configuration. WAF calculates
and logs this fingerprint for each request that has enough TLS Client Hello
information for the calculation. Almost all web requests include this information.


You can use this choice only with a string match ByteMatchStatement with
the PositionalConstraint set to EXACTLY.


You can obtain the JA3 fingerprint for client requests from the web ACL logs.
If WAF is able to calculate the fingerprint, it includes it in the logs.
For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html)
in the WAF Developer Guide.


Provide the JA3 fingerprint string from the logs in your string match statement
specification, to match with any future requests that have the same TLS configuration. | | rules.[].statement.xssMatchStatement.fieldToMatch.ja3Fingerprint.fallbackBehavior
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody
Optional | object
Inspect the body of the web request as JSON. The body immediately follows
the request headers.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Use the specifications in this object to indicate which parts of the JSON
body to inspect using the rule’s inspection criteria. WAF inspects only the
parts of the JSON that result from the matches that you indicate.


Example JSON: “JsonBody”: { “MatchPattern”: { “All”: {} }, “MatchScope”:
“ALL” } | | rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.invalidFallbackBehavior
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.matchPattern
Optional | object
The patterns to look for in the JSON body. WAF inspects the results of these
pattern matches against the rule inspection criteria. This is used with the
FieldToMatch option JsonBody. | | rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “All”: {} | | rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths
Optional | array
| | rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths.[]
Required | string
|| rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.matchScope
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.oversizeHandling
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.method
Optional | object
Inspect the HTTP method of the web request. The method indicates the type
of operation that the request is asking the origin to perform.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “Method”: {} | | rules.[].statement.xssMatchStatement.fieldToMatch.queryString
Optional | object
Inspect the query string of the web request. This is the part of a URL that
appears after a ? character, if any.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “QueryString”: {} | | rules.[].statement.xssMatchStatement.fieldToMatch.singleHeader
Optional | object
Inspect one of the headers in the web request, identified by name, for example,
User-Agent or Referer. The name isn’t case sensitive.


You can filter and inspect all headers with the FieldToMatch setting Headers.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Example JSON: “SingleHeader”: { “Name”: “haystack” } | | rules.[].statement.xssMatchStatement.fieldToMatch.singleHeader.name
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.singleQueryArgument
Optional | object
Inspect one query argument in the web request, identified by name, for example
UserName or SalesRegion. The name isn’t case sensitive.


This is used to indicate the web request component to inspect, in the FieldToMatch
specification.


Example JSON: “SingleQueryArgument”: { “Name”: “myArgument” } | | rules.[].statement.xssMatchStatement.fieldToMatch.singleQueryArgument.name
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.uriPath
Optional | object
Inspect the path component of the URI of the web request. This is the part
of the web request that identifies a resource. For example, /images/daily-ad.jpg.


This is used in the FieldToMatch specification for some web request component
types.


JSON specification: “UriPath”: {} | | rules.[].statement.xssMatchStatement.textTransformations
Optional | array
| | rules.[].statement.xssMatchStatement.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.xssMatchStatement.textTransformations.[].priority
Optional | integer
| | rules.[].statement.xssMatchStatement.textTransformations.[].type
Optional | string
| | rules.[].visibilityConfig
Optional | object
Defines and enables Amazon CloudWatch metrics and web request sample collection. | | rules.[].visibilityConfig.cloudWatchMetricsEnabled
Optional | boolean
| | rules.[].visibilityConfig.metricName
Optional | string
| | rules.[].visibilityConfig.sampledRequestsEnabled
Optional | boolean
| | scope
Required | string
Specifies whether this is for an Amazon CloudFront distribution or for a
regional application. A regional application can be an Application Load Balancer
(ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon
Cognito user pool, an App Runner service, or an Amazon Web Services Verified
Access instance.


To work with CloudFront, you must also specify the Region US East (N. Virginia)
as follows:


* CLI - Specify the Region when you use the CloudFront scope: –scope=CLOUDFRONT
–region=us-east-1.


* API and SDKs - For all calls, use the Region endpoint us-east-1. | | tags
Optional | array
An array of key:value pairs to associate with the resource. | | tags.[]
Required | object
A tag associated with an Amazon Web Services resource. Tags are key:value pairs that you can use to categorize and manage your resources, for purposes like billing or other management. Typically, the tag key represents a category, such as “environment”, and the tag value represents a specific value within that category, such as “test,” “development,” or “production”. Or you might set the tag key to “customer” and the value to the customer name or ID. You can specify one or more tags to add to each Amazon Web Services resource, up to 50 tags for a resource.

You can tag the Amazon Web Services resources that you manage through WAF: web ACLs, rule groups, IP sets, and regex pattern sets. You can’t manage or view tags through the WAF console. || tags.[].key
Optional | string
| | tags.[].value
Optional | string
| | tokenDomains
Optional | array
Specifies the domains that WAF should accept in a web request token. This
enables the use of tokens across multiple protected websites. When WAF provides
a token, it uses the domain of the Amazon Web Services resource that the
web ACL is protecting. If you don’t specify a list of token domains, WAF
accepts tokens only for the domain of the protected resource. With a token
domain list, WAF accepts the resource’s host domain plus all domains in the
token domain list, including their prefixed subdomains.


Example JSON: “TokenDomains”: { “mywebsite.com”, “myotherwebsite.com” }


Public suffixes aren’t allowed. For example, you can’t use gov.au or co.uk
as token domains. | | tokenDomains.[]
Required | string
|| visibilityConfig
Required | object
Defines and enables Amazon CloudWatch metrics and web request sample collection. | | visibilityConfig.cloudWatchMetricsEnabled
Optional | boolean
| | visibilityConfig.metricName
Optional | string
| | visibilityConfig.sampledRequestsEnabled
Optional | boolean
|

Status#

ackResourceMetadata: 
  arn: string
  ownerAccountID: string
  region: string
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
id: string
lockToken: string