WebACL

wafv2.services.k8s.aws/v1alpha1

TypeLink
GoDocwafv2-controller/apis/v1alpha1#WebACL

Metadata

PropertyValue
ScopeNamespaced
KindWebACL
ListKindWebACLList
Pluralwebacls
Singularwebacl

A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has a statement that defines what to look for in web requests and an action that WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

Spec

associationConfig: 
  requestBody: {}
captchaConfig: 
  immunityTimeProperty: 
    immunityTime: integer
challengeConfig: 
  immunityTimeProperty: 
    immunityTime: integer
customResponseBodies: {}
defaultAction: 
  allow: 
    customRequestHandling: 
      insertHeaders:
      - name: string
        value: string
  block: 
    customResponse: 
      customResponseBodyKey: string
      responseCode: integer
      responseHeaders:
      - name: string
        value: string
description: string
name: string
rules:
  action: 
    allow: 
      customRequestHandling: 
        insertHeaders:
        - name: string
          value: string
    block: 
      customResponse: 
        customResponseBodyKey: string
        responseCode: integer
        responseHeaders:
        - name: string
          value: string
    captcha: 
      customRequestHandling: 
        insertHeaders:
        - name: string
          value: string
    challenge: 
      customRequestHandling: 
        insertHeaders:
        - name: string
          value: string
    count: 
      customRequestHandling: 
        insertHeaders:
        - name: string
          value: string
  captchaConfig: 
    immunityTimeProperty: 
      immunityTime: integer
  challengeConfig: 
    immunityTimeProperty: 
      immunityTime: integer
  name: string
  overrideAction: 
    count: 
      customRequestHandling: 
        insertHeaders:
        - name: string
          value: string
    none: {}
  priority: integer
  ruleLabels:
  - name: string
  statement: 
    andStatement: string
    byteMatchStatement: 
      fieldToMatch: 
        allQueryArguments: {}
        body: 
          oversizeHandling: string
        cookies: 
          matchPattern: 
            all: {}
            excludedCookies:
            - string
            includedCookies:
            - string
          matchScope: string
          oversizeHandling: string
        headerOrder: 
          oversizeHandling: string
        headers: 
          matchPattern: 
            all: {}
            excludedHeaders:
            - string
            includedHeaders:
            - string
          matchScope: string
          oversizeHandling: string
        ja3Fingerprint: 
          fallbackBehavior: string
        jsonBody: 
          invalidFallbackBehavior: string
          matchPattern: 
            all: {}
            includedPaths:
            - string
          matchScope: string
          oversizeHandling: string
        method: {}
        queryString: {}
        singleHeader: 
          name: string
        singleQueryArgument: 
          name: string
        uriPath: {}
      positionalConstraint: string
      searchString: string
      textTransformations:
      - priority: integer
        type: string
    geoMatchStatement: 
      countryCodes:
      - string
      forwardedIPConfig: 
        fallbackBehavior: string
        headerName: string
    ipSetReferenceStatement: 
      arn: string
      ipSetForwardedIPConfig: 
        fallbackBehavior: string
        headerName: string
        position: string
    labelMatchStatement: 
      key: string
      scope: string
    managedRuleGroupStatement: 
      excludedRules:
      - name: string
      managedRuleGroupConfigs:
        awsManagedRulesACFPRuleSet: 
          creationPath: string
          enableRegexInPath: boolean
          registrationPagePath: string
          requestInspection: 
            addressFields:
            - identifier: string
            emailField: 
              identifier: string
            passwordField: 
              identifier: string
            payloadType: string
            phoneNumberFields:
            - identifier: string
            usernameField: 
              identifier: string
          responseInspection: 
            bodyContains: 
              failureStrings:
              - string
              successStrings:
              - string
            header: 
              failureValues:
              - string
              name: string
              successValues:
              - string
            json: 
              failureValues:
              - string
              identifier: string
              successValues:
              - string
            statusCode: 
              failureCodes:
              - integer
              successCodes:
              - integer
        awsManagedRulesATPRuleSet: 
          enableRegexInPath: boolean
          loginPath: string
          requestInspection: 
            passwordField: 
              identifier: string
            payloadType: string
            usernameField: 
              identifier: string
          responseInspection: 
            bodyContains: 
              failureStrings:
              - string
              successStrings:
              - string
            header: 
              failureValues:
              - string
              name: string
              successValues:
              - string
            json: 
              failureValues:
              - string
              identifier: string
              successValues:
              - string
            statusCode: 
              failureCodes:
              - integer
              successCodes:
              - integer
        awsManagedRulesBotControlRuleSet: 
          enableMachineLearning: boolean
          inspectionLevel: string
        loginPath: string
        passwordField: 
          identifier: string
        payloadType: string
        usernameField: 
          identifier: string
      name: string
      ruleActionOverrides:
        actionToUse: 
          allow: 
            customRequestHandling: 
              insertHeaders:
              - name: string
                value: string
          block: 
            customResponse: 
              customResponseBodyKey: string
              responseCode: integer
              responseHeaders:
              - name: string
                value: string
          captcha: 
            customRequestHandling: 
              insertHeaders:
              - name: string
                value: string
          challenge: 
            customRequestHandling: 
              insertHeaders:
              - name: string
                value: string
          count: 
            customRequestHandling: 
              insertHeaders:
              - name: string
                value: string
        name: string
      scopeDownStatement: string
      vendorName: string
      version: string
    notStatement: string
    orStatement: string
    rateBasedStatement: 
      aggregateKeyType: string
      customKeys:
        cookie: 
          name: string
          textTransformations:
          - priority: integer
            type: string
        forwardedIP: {}
        header: 
          name: string
          textTransformations:
          - priority: integer
            type: string
        httpMethod: {}
        iP: {}
        labelNamespace: 
          namespace: string
        queryArgument: 
          name: string
          textTransformations:
          - priority: integer
            type: string
        queryString: 
          textTransformations:
          - priority: integer
            type: string
        uriPath: 
          textTransformations:
          - priority: integer
            type: string
      evaluationWindowSec: integer
      forwardedIPConfig: 
        fallbackBehavior: string
        headerName: string
      limit: integer
      scopeDownStatement: string
    regexMatchStatement: 
      fieldToMatch: 
        allQueryArguments: {}
        body: 
          oversizeHandling: string
        cookies: 
          matchPattern: 
            all: {}
            excludedCookies:
            - string
            includedCookies:
            - string
          matchScope: string
          oversizeHandling: string
        headerOrder: 
          oversizeHandling: string
        headers: 
          matchPattern: 
            all: {}
            excludedHeaders:
            - string
            includedHeaders:
            - string
          matchScope: string
          oversizeHandling: string
        ja3Fingerprint: 
          fallbackBehavior: string
        jsonBody: 
          invalidFallbackBehavior: string
          matchPattern: 
            all: {}
            includedPaths:
            - string
          matchScope: string
          oversizeHandling: string
        method: {}
        queryString: {}
        singleHeader: 
          name: string
        singleQueryArgument: 
          name: string
        uriPath: {}
      regexString: string
      textTransformations:
      - priority: integer
        type: string
    regexPatternSetReferenceStatement: 
      arn: string
      fieldToMatch: 
        allQueryArguments: {}
        body: 
          oversizeHandling: string
        cookies: 
          matchPattern: 
            all: {}
            excludedCookies:
            - string
            includedCookies:
            - string
          matchScope: string
          oversizeHandling: string
        headerOrder: 
          oversizeHandling: string
        headers: 
          matchPattern: 
            all: {}
            excludedHeaders:
            - string
            includedHeaders:
            - string
          matchScope: string
          oversizeHandling: string
        ja3Fingerprint: 
          fallbackBehavior: string
        jsonBody: 
          invalidFallbackBehavior: string
          matchPattern: 
            all: {}
            includedPaths:
            - string
          matchScope: string
          oversizeHandling: string
        method: {}
        queryString: {}
        singleHeader: 
          name: string
        singleQueryArgument: 
          name: string
        uriPath: {}
      textTransformations:
      - priority: integer
        type: string
    ruleGroupReferenceStatement: 
      arn: string
      excludedRules:
      - name: string
      ruleActionOverrides:
        actionToUse: 
          allow: 
            customRequestHandling: 
              insertHeaders:
              - name: string
                value: string
          block: 
            customResponse: 
              customResponseBodyKey: string
              responseCode: integer
              responseHeaders:
              - name: string
                value: string
          captcha: 
            customRequestHandling: 
              insertHeaders:
              - name: string
                value: string
          challenge: 
            customRequestHandling: 
              insertHeaders:
              - name: string
                value: string
          count: 
            customRequestHandling: 
              insertHeaders:
              - name: string
                value: string
        name: string
    sizeConstraintStatement: 
      comparisonOperator: string
      fieldToMatch: 
        allQueryArguments: {}
        body: 
          oversizeHandling: string
        cookies: 
          matchPattern: 
            all: {}
            excludedCookies:
            - string
            includedCookies:
            - string
          matchScope: string
          oversizeHandling: string
        headerOrder: 
          oversizeHandling: string
        headers: 
          matchPattern: 
            all: {}
            excludedHeaders:
            - string
            includedHeaders:
            - string
          matchScope: string
          oversizeHandling: string
        ja3Fingerprint: 
          fallbackBehavior: string
        jsonBody: 
          invalidFallbackBehavior: string
          matchPattern: 
            all: {}
            includedPaths:
            - string
          matchScope: string
          oversizeHandling: string
        method: {}
        queryString: {}
        singleHeader: 
          name: string
        singleQueryArgument: 
          name: string
        uriPath: {}
      size: integer
      textTransformations:
      - priority: integer
        type: string
    sqliMatchStatement: 
      fieldToMatch: 
        allQueryArguments: {}
        body: 
          oversizeHandling: string
        cookies: 
          matchPattern: 
            all: {}
            excludedCookies:
            - string
            includedCookies:
            - string
          matchScope: string
          oversizeHandling: string
        headerOrder: 
          oversizeHandling: string
        headers: 
          matchPattern: 
            all: {}
            excludedHeaders:
            - string
            includedHeaders:
            - string
          matchScope: string
          oversizeHandling: string
        ja3Fingerprint: 
          fallbackBehavior: string
        jsonBody: 
          invalidFallbackBehavior: string
          matchPattern: 
            all: {}
            includedPaths:
            - string
          matchScope: string
          oversizeHandling: string
        method: {}
        queryString: {}
        singleHeader: 
          name: string
        singleQueryArgument: 
          name: string
        uriPath: {}
      sensitivityLevel: string
      textTransformations:
      - priority: integer
        type: string
    xssMatchStatement: 
      fieldToMatch: 
        allQueryArguments: {}
        body: 
          oversizeHandling: string
        cookies: 
          matchPattern: 
            all: {}
            excludedCookies:
            - string
            includedCookies:
            - string
          matchScope: string
          oversizeHandling: string
        headerOrder: 
          oversizeHandling: string
        headers: 
          matchPattern: 
            all: {}
            excludedHeaders:
            - string
            includedHeaders:
            - string
          matchScope: string
          oversizeHandling: string
        ja3Fingerprint: 
          fallbackBehavior: string
        jsonBody: 
          invalidFallbackBehavior: string
          matchPattern: 
            all: {}
            includedPaths:
            - string
          matchScope: string
          oversizeHandling: string
        method: {}
        queryString: {}
        singleHeader: 
          name: string
        singleQueryArgument: 
          name: string
        uriPath: {}
      textTransformations:
      - priority: integer
        type: string
  visibilityConfig: 
    cloudWatchMetricsEnabled: boolean
    metricName: string
    sampledRequestsEnabled: boolean
scope: string
tags:
- key: string
  value: string
tokenDomains:
- string
visibilityConfig: 
  cloudWatchMetricsEnabled: boolean
  metricName: string
  sampledRequestsEnabled: boolean
FieldDescription
associationConfig
Optional
object
Specifies custom configurations for the associations between the web ACL
and protected resources.

Use this to customize the maximum size of the request body that your protected
resources forward to WAF for inspection. You can customize this setting for
CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources.
The default setting is 16 KB (16,384 bytes).

You are charged additional fees when your protected resources forward body
sizes that are larger than the default. For more information, see WAF Pricing
(http://aws.amazon.com/waf/pricing/).

For Application Load Balancer and AppSync, the limit is fixed at 8 KB (8,192
bytes).
associationConfig.requestBody
Optional
object
captchaConfig
Optional
object
Specifies how WAF should handle CAPTCHA evaluations for rules that don’t
have their own CaptchaConfig settings. If you don’t specify this, WAF uses
its default settings for CaptchaConfig.
captchaConfig.immunityTimeProperty
Optional
object
Used for CAPTCHA and challenge token settings. Determines how long a CAPTCHA
or challenge timestamp remains valid after WAF updates it for a successful
CAPTCHA or challenge response.
captchaConfig.immunityTimeProperty.immunityTime
Optional
integer
challengeConfig
Optional
object
Specifies how WAF should handle challenge evaluations for rules that don’t
have their own ChallengeConfig settings. If you don’t specify this, WAF uses
its default settings for ChallengeConfig.
challengeConfig.immunityTimeProperty
Optional
object
Used for CAPTCHA and challenge token settings. Determines how long a CAPTCHA
or challenge timestamp remains valid after WAF updates it for a successful
CAPTCHA or challenge response.
challengeConfig.immunityTimeProperty.immunityTime
Optional
integer
customResponseBodies
Optional
object
A map of custom response keys and content bodies. When you create a rule
with a block action, you can send a custom response to the web request. You
define these for the web ACL, and then use them in the rules and default
actions that you define in the web ACL.

For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide.

For information about the limits on count and size for custom request and
response settings, see WAF quotas (https://docs.aws.amazon.com/waf/latest/developerguide/limits.html)
in the WAF Developer Guide.
defaultAction
Required
object
The action to perform if none of the Rules contained in the WebACL match.
defaultAction.allow
Optional
object
Specifies that WAF should allow the request and optionally defines additional
custom handling for the request.

This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction.
defaultAction.allow.customRequestHandling
Optional
object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.

For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide.
defaultAction.allow.customRequestHandling.insertHeaders
Optional
array
defaultAction.allow.customRequestHandling.insertHeaders.[]
Required
object
A custom header for custom request and response handling. This is used in
CustomResponse and CustomRequestHandling.
defaultAction.allow.customRequestHandling.insertHeaders.[].value
Optional
string
defaultAction.block
Optional
object
Specifies that WAF should block the request and optionally defines additional
custom handling for the response to the web request.

This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction.
defaultAction.block.customResponse
Optional
object
A custom response to send to the client. You can define a custom response
for rule actions and default web ACL actions that are set to BlockAction.

For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide.
defaultAction.block.customResponse.customResponseBodyKey
Optional
string
defaultAction.block.customResponse.responseCode
Optional
integer
defaultAction.block.customResponse.responseHeaders
Optional
array
defaultAction.block.customResponse.responseHeaders.[]
Required
object
A custom header for custom request and response handling. This is used in
CustomResponse and CustomRequestHandling.
defaultAction.block.customResponse.responseHeaders.[].value
Optional
string
description
Optional
string
A description of the web ACL that helps with identification.
name
Required
string
The name of the web ACL. You cannot change the name of a web ACL after you
create it.
rules
Optional
array
The Rule statements used to identify the web requests that you want to manage.
Each rule includes one top-level statement that WAF uses to identify matching
web requests, and parameters that govern how WAF handles them.
rules.[]
Required
object
A single rule, which you can use in a WebACL or RuleGroup to identify web
requests that you want to manage in some way. Each rule includes one top-level
Statement that WAF uses to identify matching web requests, and parameters
that govern how WAF handles them.
rules.[].action.allow
Optional
object
Specifies that WAF should allow the request and optionally defines additional
custom handling for the request.

This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction.
rules.[].action.allow.customRequestHandling
Optional
object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.

For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide.
rules.[].action.allow.customRequestHandling.insertHeaders
Optional
array
rules.[].action.allow.customRequestHandling.insertHeaders.[]
Required
object
A custom header for custom request and response handling. This is used in
CustomResponse and CustomRequestHandling.
rules.[].action.allow.customRequestHandling.insertHeaders.[].value
Optional
string
rules.[].action.block
Optional
object
Specifies that WAF should block the request and optionally defines additional
custom handling for the response to the web request.

This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction.
rules.[].action.block.customResponse
Optional
object
A custom response to send to the client. You can define a custom response
for rule actions and default web ACL actions that are set to BlockAction.

For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide.
rules.[].action.block.customResponse.customResponseBodyKey
Optional
string
rules.[].action.block.customResponse.responseCode
Optional
integer
rules.[].action.block.customResponse.responseHeaders
Optional
array
rules.[].action.block.customResponse.responseHeaders.[]
Required
object
A custom header for custom request and response handling. This is used in
CustomResponse and CustomRequestHandling.
rules.[].action.block.customResponse.responseHeaders.[].value
Optional
string
rules.[].action.captcha
Optional
object
Specifies that WAF should run a CAPTCHA check against the request:

* If the request includes a valid, unexpired CAPTCHA token, WAF applies
any custom request handling and labels that you’ve configured and then
allows the web request inspection to proceed to the next rule, similar
to a CountAction.

* If the request doesn’t include a valid, unexpired token, WAF discontinues
the web ACL evaluation of the request and blocks it from going to its
intended destination. WAF generates a response that it sends back to the
client, which includes the following: The header x-amzn-waf-action with
a value of captcha. The HTTP status code 405 Method Not Allowed. If the
request contains an Accept header with a value of text/html, the response
includes a CAPTCHA JavaScript page interstitial.

You can configure the expiration time in the CaptchaConfig ImmunityTimeProperty
setting at the rule and web ACL level. The rule setting overrides the web
ACL setting.

This action option is available for rules. It isn’t available for web ACL
default actions.
rules.[].action.captcha.customRequestHandling
Optional
object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.

For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide.
rules.[].action.captcha.customRequestHandling.insertHeaders
Optional
array
rules.[].action.captcha.customRequestHandling.insertHeaders.[]
Required
object
A custom header for custom request and response handling. This is used in
CustomResponse and CustomRequestHandling.
rules.[].action.captcha.customRequestHandling.insertHeaders.[].value
Optional
string
rules.[].action.challenge
Optional
object
Specifies that WAF should run a Challenge check against the request to verify
that the request is coming from a legitimate client session:

* If the request includes a valid, unexpired challenge token, WAF applies
any custom request handling and labels that you’ve configured and then
allows the web request inspection to proceed to the next rule, similar
to a CountAction.

* If the request doesn’t include a valid, unexpired challenge token, WAF
discontinues the web ACL evaluation of the request and blocks it from
going to its intended destination. WAF then generates a challenge response
that it sends back to the client, which includes the following: The header
x-amzn-waf-action with a value of challenge. The HTTP status code 202
Request Accepted. If the request contains an Accept header with a value
of text/html, the response includes a JavaScript page interstitial with
a challenge script. Challenges run silent browser interrogations in the
background, and don’t generally affect the end user experience. A challenge
enforces token acquisition using an interstitial JavaScript challenge
that inspects the client session for legitimate behavior. The challenge
blocks bots or at least increases the cost of operating sophisticated
bots. After the client session successfully responds to the challenge,
it receives a new token from WAF, which the challenge script uses to resubmit
the original request.

You can configure the expiration time in the ChallengeConfig ImmunityTimeProperty
setting at the rule and web ACL level. The rule setting overrides the web
ACL setting.

This action option is available for rules. It isn’t available for web ACL
default actions.
rules.[].action.challenge.customRequestHandling
Optional
object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.

For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide.
rules.[].action.challenge.customRequestHandling.insertHeaders
Optional
array
rules.[].action.challenge.customRequestHandling.insertHeaders.[]
Required
object
A custom header for custom request and response handling. This is used in
CustomResponse and CustomRequestHandling.
rules.[].action.challenge.customRequestHandling.insertHeaders.[].value
Optional
string
rules.[].action.count
Optional
object
Specifies that WAF should count the request. Optionally defines additional
custom handling for the request.

This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction.
rules.[].action.count.customRequestHandling
Optional
object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.

For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide.
rules.[].action.count.customRequestHandling.insertHeaders
Optional
array
rules.[].action.count.customRequestHandling.insertHeaders.[]
Required
object
A custom header for custom request and response handling. This is used in
CustomResponse and CustomRequestHandling.
rules.[].action.count.customRequestHandling.insertHeaders.[].value
Optional
string
rules.[].captchaConfig
Optional
object
Specifies how WAF should handle CAPTCHA evaluations. This is available at
the web ACL level and in each rule.
rules.[].captchaConfig.immunityTimeProperty
Optional
object
Used for CAPTCHA and challenge token settings. Determines how long a CAPTCHA
or challenge timestamp remains valid after WAF updates it for a successful
CAPTCHA or challenge response.
rules.[].captchaConfig.immunityTimeProperty.immunityTime
Optional
integer
rules.[].challengeConfig
Optional
object
Specifies how WAF should handle Challenge evaluations. This is available
at the web ACL level and in each rule.
rules.[].challengeConfig.immunityTimeProperty
Optional
object
Used for CAPTCHA and challenge token settings. Determines how long a CAPTCHA
or challenge timestamp remains valid after WAF updates it for a successful
CAPTCHA or challenge response.
rules.[].challengeConfig.immunityTimeProperty.immunityTime
Optional
integer
rules.[].name
Optional
string
rules.[].overrideAction
Optional
object
The action to use in the place of the action that results from the rule group
evaluation. Set the override action to none to leave the result of the rule
group alone. Set it to count to override the result to count only.

You can only use this for rule statements that reference a rule group, like
RuleGroupReferenceStatement and ManagedRuleGroupStatement.

This option is usually set to none. It does not affect how the rules in the
rule group are evaluated. If you want the rules in the rule group to only
count matches, do not use this and instead use the rule action override option,
with Count action, in your rule group reference statement settings.
rules.[].overrideAction.count
Optional
object
Specifies that WAF should count the request. Optionally defines additional
custom handling for the request.

This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction.
rules.[].overrideAction.count.customRequestHandling
Optional
object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.

For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide.
rules.[].overrideAction.count.customRequestHandling.insertHeaders
Optional
array
rules.[].overrideAction.count.customRequestHandling.insertHeaders.[]
Required
object
A custom header for custom request and response handling. This is used in
CustomResponse and CustomRequestHandling.
rules.[].overrideAction.count.customRequestHandling.insertHeaders.[].value
Optional
string
rules.[].overrideAction.none
Optional
object
Specifies that WAF should do nothing. This is used for the OverrideAction
setting on a Rule when the rule uses a rule group reference statement.

This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction.

JSON specification: “None”: {}
rules.[].priority
Optional
integer
rules.[].ruleLabels
Optional
array
rules.[].ruleLabels.[]
Required
object
A single label container. This is used as an element of a label array in
multiple contexts, for example, in RuleLabels inside a Rule and in Labels
inside a SampledHTTPRequest.
rules.[].statement
Optional
object
The processing guidance for a Rule, used by WAF to determine whether a web
request matches the rule.

For example specifications, see the examples section of CreateWebACL.
rules.[].statement.andStatement
Optional
string
rules.[].statement.byteMatchStatement
Optional
object
A rule statement that defines a string match search for WAF to apply to web
requests. The byte match statement provides the bytes to search for, the
location in requests that you want WAF to search, and other settings. The
bytes to search for are typically a string that corresponds with ASCII characters.
In the WAF console and the developer guide, this is called a string match
statement.
rules.[].statement.byteMatchStatement.fieldToMatch
Optional
object
Specifies a web request component to be used in a rule match statement or
in a logging configuration.

* In a rule statement, this is the part of the web request that you want
WAF to inspect. Include the single FieldToMatch type that you want to
inspect, with additional specifications as needed, according to the type.
You specify a single request component in FieldToMatch for each rule statement
that requires it. To inspect more than one component of the web request,
create a separate rule statement for each component. Example JSON for
a QueryString field to match: “FieldToMatch”: { “QueryString”: {} } Example
JSON for a Method field to match specification: “FieldToMatch”: { “Method”:
{ “Name”: “DELETE” } }

* In a logging configuration, this is used in the RedactedFields property
to specify a field to redact from the logging records. For this use case,
note the following: Even though all FieldToMatch settings are available,
the only valid settings for field redaction are UriPath, QueryString,
SingleHeader, and Method. In this documentation, the descriptions of the
individual fields talk about specifying the web request component to inspect,
but for field redaction, you are specifying the component type to redact
from the logs.
rules.[].statement.byteMatchStatement.fieldToMatch.allQueryArguments
Optional
object
Inspect all query arguments of the web request.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “AllQueryArguments”: {}
rules.[].statement.byteMatchStatement.fieldToMatch.body
Optional
object
Inspect the body of the web request. The body immediately follows the request
headers.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
rules.[].statement.byteMatchStatement.fieldToMatch.body.oversizeHandling
Optional
string
rules.[].statement.byteMatchStatement.fieldToMatch.cookies
Optional
object
Inspect the cookies in the web request. You can specify the parts of the
cookies to inspect and you can narrow the set of cookies to inspect by including
or excluding specific keys.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Example JSON: “Cookies”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” }
rules.[].statement.byteMatchStatement.fieldToMatch.cookies.matchPattern
Optional
object
The filter to use to identify the subset of cookies to inspect in a web request.

You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies.

Example JSON: “MatchPattern”: { “IncludedCookies”: [ “session-id-time”, “session-id”
] }
rules.[].statement.byteMatchStatement.fieldToMatch.cookies.matchPattern.all
Optional
object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “All”: {}
rules.[].statement.byteMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies
Optional
array
rules.[].statement.byteMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies.[]
Required
string
rules.[].statement.byteMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies.[]
Required
string
rules.[].statement.byteMatchStatement.fieldToMatch.cookies.oversizeHandling
Optional
string
rules.[].statement.byteMatchStatement.fieldToMatch.headerOrder
Optional
object
Inspect a string containing the list of the request’s header names, ordered
as they appear in the web request that WAF receives for inspection. WAF generates
the string and then uses that as the field to match component in its inspection.
WAF separates the header names in the string using colons and no added spaces,
for example host:user-agent:accept:authorization:referer.
rules.[].statement.byteMatchStatement.fieldToMatch.headerOrder.oversizeHandling
Optional
string
rules.[].statement.byteMatchStatement.fieldToMatch.headers
Optional
object
Inspect all headers in the web request. You can specify the parts of the
headers to inspect and you can narrow the set of headers to inspect by including
or excluding specific keys.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

If you want to inspect just the value of a single header, use the SingleHeader
FieldToMatch setting instead.

Example JSON: “Headers”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” }
rules.[].statement.byteMatchStatement.fieldToMatch.headers.matchPattern
Optional
object
The filter to use to identify the subset of headers to inspect in a web request.

You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders.

Example JSON: “MatchPattern”: { “ExcludedHeaders”: [ “KeyToExclude1”, “KeyToExclude2”
] }
rules.[].statement.byteMatchStatement.fieldToMatch.headers.matchPattern.all
Optional
object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “All”: {}
rules.[].statement.byteMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders
Optional
array
rules.[].statement.byteMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders.[]
Required
string
rules.[].statement.byteMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders.[]
Required
string
rules.[].statement.byteMatchStatement.fieldToMatch.headers.oversizeHandling
Optional
string
rules.[].statement.byteMatchStatement.fieldToMatch.ja3Fingerprint
Optional
object
Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character
hash derived from the TLS Client Hello of an incoming request. This fingerprint
serves as a unique identifier for the client’s TLS configuration. WAF calculates
and logs this fingerprint for each request that has enough TLS Client Hello
information for the calculation. Almost all web requests include this information.

You can use this choice only with a string match ByteMatchStatement with
the PositionalConstraint set to EXACTLY.

You can obtain the JA3 fingerprint for client requests from the web ACL logs.
If WAF is able to calculate the fingerprint, it includes it in the logs.
For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html)
in the WAF Developer Guide.

Provide the JA3 fingerprint string from the logs in your string match statement
specification, to match with any future requests that have the same TLS configuration.
rules.[].statement.byteMatchStatement.fieldToMatch.ja3Fingerprint.fallbackBehavior
Optional
string
rules.[].statement.byteMatchStatement.fieldToMatch.jsonBody
Optional
object
Inspect the body of the web request as JSON. The body immediately follows
the request headers.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Use the specifications in this object to indicate which parts of the JSON
body to inspect using the rule’s inspection criteria. WAF inspects only the
parts of the JSON that result from the matches that you indicate.

Example JSON: “JsonBody”: { “MatchPattern”: { “All”: {} }, “MatchScope”:
“ALL” }
rules.[].statement.byteMatchStatement.fieldToMatch.jsonBody.invalidFallbackBehavior
Optional
string
rules.[].statement.byteMatchStatement.fieldToMatch.jsonBody.matchPattern
Optional
object
The patterns to look for in the JSON body. WAF inspects the results of these
pattern matches against the rule inspection criteria. This is used with the
FieldToMatch option JsonBody.
rules.[].statement.byteMatchStatement.fieldToMatch.jsonBody.matchPattern.all
Optional
object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “All”: {}
rules.[].statement.byteMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths
Optional
array
rules.[].statement.byteMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths.[]
Required
string
rules.[].statement.byteMatchStatement.fieldToMatch.jsonBody.oversizeHandling
Optional
string
rules.[].statement.byteMatchStatement.fieldToMatch.method
Optional
object
Inspect the HTTP method of the web request. The method indicates the type
of operation that the request is asking the origin to perform.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “Method”: {}
rules.[].statement.byteMatchStatement.fieldToMatch.queryString
Optional
object
Inspect the query string of the web request. This is the part of a URL that
appears after a ? character, if any.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “QueryString”: {}
rules.[].statement.byteMatchStatement.fieldToMatch.singleHeader
Optional
object
Inspect one of the headers in the web request, identified by name, for example,
User-Agent or Referer. The name isn’t case sensitive.

You can filter and inspect all headers with the FieldToMatch setting Headers.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Example JSON: “SingleHeader”: { “Name”: “haystack” }
rules.[].statement.byteMatchStatement.fieldToMatch.singleHeader.name
Optional
string
rules.[].statement.byteMatchStatement.fieldToMatch.singleQueryArgument
Optional
object
Inspect one query argument in the web request, identified by name, for example
UserName or SalesRegion. The name isn’t case sensitive.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Example JSON: “SingleQueryArgument”: { “Name”: “myArgument” }
rules.[].statement.byteMatchStatement.fieldToMatch.singleQueryArgument.name
Optional
string
rules.[].statement.byteMatchStatement.fieldToMatch.uriPath
Optional
object
Inspect the path component of the URI of the web request. This is the part
of the web request that identifies a resource. For example, /images/daily-ad.jpg.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “UriPath”: {}
rules.[].statement.byteMatchStatement.positionalConstraint
Optional
string
rules.[].statement.byteMatchStatement.searchString
Optional
string
rules.[].statement.byteMatchStatement.textTransformations
Optional
array
rules.[].statement.byteMatchStatement.textTransformations.[]
Required
object
Text transformations eliminate some of the unusual formatting that attackers
use in web requests in an effort to bypass detection.
rules.[].statement.byteMatchStatement.textTransformations.[].type
Optional
string
rules.[].statement.geoMatchStatement
Optional
object
A rule statement that labels web requests by country and region and that
matches against web requests based on country code. A geo match rule labels
every request that it inspects regardless of whether it finds a match.

* To manage requests only by country, you can use this statement by itself
and specify the countries that you want to match against in the CountryCodes
array.

* Otherwise, configure your geo match rule with Count action so that it
only labels requests. Then, add one or more label match rules to run after
the geo match rule and configure them to match against the geographic
labels and handle the requests as needed.

WAF labels requests using the alpha-2 country and region codes from the International
Organization for Standardization (ISO) 3166 standard. WAF determines the
codes using either the IP address in the web request origin or, if you specify
it, the address in the geo match ForwardedIPConfig.

If you use the web request origin, the label formats are awswaf:clientip:geo:region:<ISO
country code>- and awswaf:clientip:geo:country:<ISO country
code>.

If you use a forwarded IP address, the label formats are awswaf:forwardedip:geo:region:<ISO
country code>- and awswaf:forwardedip:geo:country:<ISO country
code>.

For additional details, see Geographic match rule statement (https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html)
in the WAF Developer Guide (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html).
rules.[].statement.geoMatchStatement.countryCodes
Optional
array
rules.[].statement.geoMatchStatement.countryCodes.[]
Required
string
rules.[].statement.geoMatchStatement.forwardedIPConfig.fallbackBehavior
Optional
string
rules.[].statement.geoMatchStatement.forwardedIPConfig.headerName
Optional
string
rules.[].statement.ipSetReferenceStatement
Optional
object
A rule statement used to detect web requests coming from particular IP addresses
or address ranges. To use this, create an IPSet that specifies the addresses
you want to detect, then use the ARN of that set in this statement. To create
an IP set, see CreateIPSet.

Each IP set rule statement references an IP set. You create and maintain
the set independent of your rules. This allows you to use the single set
in multiple rules. When you update the referenced set, WAF automatically
updates all rules that reference it.
rules.[].statement.ipSetReferenceStatement.arn
Optional
string
rules.[].statement.ipSetReferenceStatement.ipSetForwardedIPConfig
Optional
object
The configuration for inspecting IP addresses in an HTTP header that you
specify, instead of using the IP address that’s reported by the web request
origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify
any header name.

If the specified header isn’t present in the request, WAF doesn’t apply the
rule to the web request at all.

This configuration is used only for IPSetReferenceStatement. For GeoMatchStatement
and RateBasedStatement, use ForwardedIPConfig instead.
rules.[].statement.ipSetReferenceStatement.ipSetForwardedIPConfig.fallbackBehavior
Optional
string
rules.[].statement.ipSetReferenceStatement.ipSetForwardedIPConfig.headerName
Optional
string
rules.[].statement.ipSetReferenceStatement.ipSetForwardedIPConfig.position
Optional
string
rules.[].statement.labelMatchStatement
Optional
object
A rule statement to match against labels that have been added to the web
request by rules that have already run in the web ACL.

The label match statement provides the label or namespace string to search
for. The label string can represent a part or all of the fully qualified
label name that had been added to the web request. Fully qualified labels
have a prefix, optional namespaces, and label name. The prefix identifies
the rule group or web ACL context of the rule that added the label. If you
do not provide the fully qualified name in your label match string, WAF performs
the search for labels that were added in the same context as the label match
statement.
rules.[].statement.labelMatchStatement.key
Optional
string
rules.[].statement.labelMatchStatement.scope
Optional
string
rules.[].statement.managedRuleGroupStatement
Optional
object
A rule statement used to run the rules that are defined in a managed rule
group. To use this, provide the vendor name and the name of the rule group
in this statement. You can retrieve the required names by calling ListAvailableManagedRuleGroups.

You cannot nest a ManagedRuleGroupStatement, for example for use inside a
NotStatement or OrStatement. You cannot use a managed rule group inside another
rule group. You can only reference a managed rule group as a top-level statement
within a rule that you define in a web ACL.

You are charged additional fees when you use the WAF Bot Control managed
rule group AWSManagedRulesBotControlRuleSet, the WAF Fraud Control account
takeover prevention (ATP) managed rule group AWSManagedRulesATPRuleSet, or
the WAF Fraud Control account creation fraud prevention (ACFP) managed rule
group AWSManagedRulesACFPRuleSet. For more information, see WAF Pricing (http://aws.amazon.com/waf/pricing/).
rules.[].statement.managedRuleGroupStatement.excludedRules
Optional
array
rules.[].statement.managedRuleGroupStatement.excludedRules.[]
Required
object
Specifies a single rule in a rule group whose action you want to override
to Count.

Instead of this option, use RuleActionOverrides. It accepts any valid action setting, including Count. || rules.[].statement.managedRuleGroupStatement.excludedRules.[].name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[]
Required | object
Additional information that’s used by a managed rule group. Many managed rule groups don’t require this.

The rule groups used for intelligent threat mitigation require additional configuration:

  • Use the AWSManagedRulesACFPRuleSet configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields.

  • Use the AWSManagedRulesATPRuleSet configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.

  • Use the AWSManagedRulesBotControlRuleSet configuration object to configure the protection level that you want the Bot Control rule group to use.

For example specifications, see the examples section of CreateWebACL. || rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet
Optional | object
Details for your use of the account creation fraud prevention managed rule
group, AWSManagedRulesACFPRuleSet. This configuration is used in ManagedRuleGroupConfig. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.creationPath
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.enableRegexInPath
Optional | boolean
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.registrationPagePath
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection
Optional | object
The criteria for inspecting account creation requests, used by the ACFP rule
group to validate and track account creation attempts.

This is part of the AWSManagedRulesACFPRuleSet configuration in ManagedRuleGroupConfig.

In these settings, you specify how your application accepts account creation
attempts by providing the request payload type and the names of the fields
within the request body where the username, password, email, and primary
address and phone number fields are provided. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.addressFields
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.addressFields.[]
Required | object
The name of a field in the request payload that contains part or all of your customer’s primary physical address.

This data type is used in the RequestInspectionACFP data type. || rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.addressFields.[].identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.emailField
Optional | object
The name of the field in the request payload that contains your customer’s
email.

This data type is used in the RequestInspectionACFP data type. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.emailField.identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.passwordField
Optional | object
The name of the field in the request payload that contains your customer’s
password.

This data type is used in the RequestInspection and RequestInspectionACFP
data types. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.passwordField.identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.payloadType
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.phoneNumberFields
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.phoneNumberFields.[]
Required | object
The name of a field in the request payload that contains part or all of your customer’s primary phone number.

This data type is used in the RequestInspectionACFP data type. || rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.phoneNumberFields.[].identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.usernameField
Optional | object
The name of the field in the request payload that contains your customer’s
username.

This data type is used in the RequestInspection and RequestInspectionACFP
data types. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.usernameField.identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection
Optional | object
The criteria for inspecting responses to login requests and account creation
requests, used by the ATP and ACFP rule groups to track login and account
creation success and failure rates.

Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions.

The rule groups evaluates the responses that your protected resources send
back to client login and account creation attempts, keeping count of successful
and failed attempts from each IP address and client session. Using this information,
the rule group labels and mitigates requests from client sessions and IP
addresses with too much suspicious activity in a short amount of time.

This is part of the AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet
configurations in ManagedRuleGroupConfig.

Enable response inspection by configuring exactly one component of the response
to inspect, for example, Header or StatusCode. You can’t configure more than
one component for inspection. If you don’t configure any of the response
inspection options, response inspection is disabled. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.bodyContains
Optional | object
Configures inspection of the response body. WAF can inspect the first 65,536
bytes (64 KB) of the response body. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.

Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.bodyContains.failureStrings
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.bodyContains.failureStrings.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.bodyContains.successStrings
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.bodyContains.successStrings.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.header
Optional | object
Configures inspection of the response header. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.

Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.header.failureValues
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.header.failureValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.header.name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.header.successValues
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.header.successValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.json
Optional | object
Configures inspection of the response JSON. WAF can inspect the first 65,536
bytes (64 KB) of the response JSON. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.

Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.json.failureValues
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.json.failureValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.json.identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.json.successValues
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.json.successValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.statusCode
Optional | object
Configures inspection of the response status code. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.

Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.statusCode.failureCodes
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.statusCode.failureCodes.[]
Required | integer
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.statusCode.successCodes
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.statusCode.successCodes.[]
Required | integer
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet
Optional | object
Details for your use of the account takeover prevention managed rule group,
AWSManagedRulesATPRuleSet. This configuration is used in ManagedRuleGroupConfig. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.enableRegexInPath
Optional | boolean
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.loginPath
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.requestInspection
Optional | object
The criteria for inspecting login requests, used by the ATP rule group to
validate credentials usage.

This is part of the AWSManagedRulesATPRuleSet configuration in ManagedRuleGroupConfig.

In these settings, you specify how your application accepts login attempts
by providing the request payload type and the names of the fields within
the request body where the username and password are provided. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.requestInspection.passwordField
Optional | object
The name of the field in the request payload that contains your customer’s
password.

This data type is used in the RequestInspection and RequestInspectionACFP
data types. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.requestInspection.passwordField.identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.requestInspection.payloadType
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.requestInspection.usernameField
Optional | object
The name of the field in the request payload that contains your customer’s
username.

This data type is used in the RequestInspection and RequestInspectionACFP
data types. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.requestInspection.usernameField.identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection
Optional | object
The criteria for inspecting responses to login requests and account creation
requests, used by the ATP and ACFP rule groups to track login and account
creation success and failure rates.

Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions.

The rule groups evaluates the responses that your protected resources send
back to client login and account creation attempts, keeping count of successful
and failed attempts from each IP address and client session. Using this information,
the rule group labels and mitigates requests from client sessions and IP
addresses with too much suspicious activity in a short amount of time.

This is part of the AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet
configurations in ManagedRuleGroupConfig.

Enable response inspection by configuring exactly one component of the response
to inspect, for example, Header or StatusCode. You can’t configure more than
one component for inspection. If you don’t configure any of the response
inspection options, response inspection is disabled. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.bodyContains
Optional | object
Configures inspection of the response body. WAF can inspect the first 65,536
bytes (64 KB) of the response body. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.

Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.bodyContains.failureStrings
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.bodyContains.failureStrings.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.bodyContains.successStrings
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.bodyContains.successStrings.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.header
Optional | object
Configures inspection of the response header. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.

Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.header.failureValues
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.header.failureValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.header.name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.header.successValues
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.header.successValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.json
Optional | object
Configures inspection of the response JSON. WAF can inspect the first 65,536
bytes (64 KB) of the response JSON. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.

Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.json.failureValues
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.json.failureValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.json.identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.json.successValues
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.json.successValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.statusCode
Optional | object
Configures inspection of the response status code. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.

Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.statusCode.failureCodes
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.statusCode.failureCodes.[]
Required | integer
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.statusCode.successCodes
Optional | array
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.statusCode.successCodes.[]
Required | integer
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesBotControlRuleSet
Optional | object
Details for your use of the Bot Control managed rule group, AWSManagedRulesBotControlRuleSet.
This configuration is used in ManagedRuleGroupConfig. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesBotControlRuleSet.enableMachineLearning
Optional | boolean
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesBotControlRuleSet.inspectionLevel
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].loginPath
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].passwordField
Optional | object
The name of the field in the request payload that contains your customer’s
password.

This data type is used in the RequestInspection and RequestInspectionACFP
data types. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].passwordField.identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].payloadType
Optional | string
| | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].usernameField
Optional | object
The name of the field in the request payload that contains your customer’s
username.

This data type is used in the RequestInspection and RequestInspectionACFP
data types. | | rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].usernameField.identifier
Optional | string
| | rules.[].statement.managedRuleGroupStatement.name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides
Optional | array
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[]
Required | object
Action setting to use in the place of a rule action that is configured inside the rule group. You specify one override for each rule whose action you want to change.

You can use overrides for testing, for example you can override all of rule actions to Count and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic. || rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse
Optional | object
The action that WAF should take on a web request when it matches a rule’s
statement. Settings at the web ACL level can override the rule action setting. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.allow
Optional | object
Specifies that WAF should allow the request and optionally defines additional
custom handling for the request.

This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.

For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders
Optional | array
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders.[].name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders.[].value
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block
Optional | object
Specifies that WAF should block the request and optionally defines additional
custom handling for the response to the web request.

This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse
Optional | object
A custom response to send to the client. You can define a custom response
for rule actions and default web ACL actions that are set to BlockAction.

For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse.customResponseBodyKey
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseCode
Optional | integer
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders
Optional | array
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders.[].name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders.[].value
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.captcha
Optional | object
Specifies that WAF should run a CAPTCHA check against the request:

* If the request includes a valid, unexpired CAPTCHA token, WAF applies
any custom request handling and labels that you’ve configured and then
allows the web request inspection to proceed to the next rule, similar
to a CountAction.

* If the request doesn’t include a valid, unexpired token, WAF discontinues
the web ACL evaluation of the request and blocks it from going to its
intended destination. WAF generates a response that it sends back to the
client, which includes the following: The header x-amzn-waf-action with
a value of captcha. The HTTP status code 405 Method Not Allowed. If the
request contains an Accept header with a value of text/html, the response
includes a CAPTCHA JavaScript page interstitial.

You can configure the expiration time in the CaptchaConfig ImmunityTimeProperty
setting at the rule and web ACL level. The rule setting overrides the web
ACL setting.

This action option is available for rules. It isn’t available for web ACL
default actions. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.

For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders
Optional | array
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders.[].name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders.[].value
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.challenge
Optional | object
Specifies that WAF should run a Challenge check against the request to verify
that the request is coming from a legitimate client session:

* If the request includes a valid, unexpired challenge token, WAF applies
any custom request handling and labels that you’ve configured and then
allows the web request inspection to proceed to the next rule, similar
to a CountAction.

* If the request doesn’t include a valid, unexpired challenge token, WAF
discontinues the web ACL evaluation of the request and blocks it from
going to its intended destination. WAF then generates a challenge response
that it sends back to the client, which includes the following: The header
x-amzn-waf-action with a value of challenge. The HTTP status code 202
Request Accepted. If the request contains an Accept header with a value
of text/html, the response includes a JavaScript page interstitial with
a challenge script. Challenges run silent browser interrogations in the
background, and don’t generally affect the end user experience. A challenge
enforces token acquisition using an interstitial JavaScript challenge
that inspects the client session for legitimate behavior. The challenge
blocks bots or at least increases the cost of operating sophisticated
bots. After the client session successfully responds to the challenge,
it receives a new token from WAF, which the challenge script uses to resubmit
the original request.

You can configure the expiration time in the ChallengeConfig ImmunityTimeProperty
setting at the rule and web ACL level. The rule setting overrides the web
ACL setting.

This action option is available for rules. It isn’t available for web ACL
default actions. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.

For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders
Optional | array
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders.[].name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders.[].value
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.count
Optional | object
Specifies that WAF should count the request. Optionally defines additional
custom handling for the request.

This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.

For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders
Optional | array
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders.[].name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders.[].value
Optional | string
| | rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].name
Optional | string
| | rules.[].statement.managedRuleGroupStatement.scopeDownStatement
Optional | string
| | rules.[].statement.managedRuleGroupStatement.vendorName
Optional | string
| | rules.[].statement.managedRuleGroupStatement.version
Optional | string
| | rules.[].statement.notStatement
Optional | string
| | rules.[].statement.orStatement
Optional | string
| | rules.[].statement.rateBasedStatement
Optional | object
A rate-based rule counts incoming requests and rate limits requests when
they are coming at too fast a rate. The rule categorizes requests according
to your aggregation criteria, collects them into aggregation instances, and
counts and rate limits the requests for each instance.

If you change any of these settings in a rule that’s currently in use, the
change resets the rule’s rate limiting counts. This can pause the rule’s
rate limiting activities for up to a minute.

You can specify individual aggregation keys, like IP address or HTTP method.
You can also specify aggregation key combinations, like IP address and HTTP
method, or HTTP method, query argument, and cookie.

Each unique set of values for the aggregation keys that you specify is a
separate aggregation instance, with the value from each key contributing
to the aggregation instance definition.

For example, assume the rule evaluates web requests with the following IP
address and HTTP method values:

* IP address 10.1.1.1, HTTP method POST

* IP address 10.1.1.1, HTTP method GET

* IP address 127.0.0.0, HTTP method POST

* IP address 10.1.1.1, HTTP method GET

The rule would create different aggregation instances according to your aggregation
criteria, for example:

* If the aggregation criteria is just the IP address, then each individual
address is an aggregation instance, and WAF counts requests separately
for each. The aggregation instances and request counts for our example
would be the following: IP address 10.1.1.1: count 3 IP address 127.0.0.0:
count 1

* If the aggregation criteria is HTTP method, then each individual HTTP
method is an aggregation instance. The aggregation instances and request
counts for our example would be the following: HTTP method POST: count
2 HTTP method GET: count 2

* If the aggregation criteria is IP address and HTTP method, then each
IP address and each HTTP method would contribute to the combined aggregation
instance. The aggregation instances and request counts for our example
would be the following: IP address 10.1.1.1, HTTP method POST: count 1
IP address 10.1.1.1, HTTP method GET: count 2 IP address 127.0.0.0, HTTP
method POST: count 1

For any n-tuple of aggregation keys, each unique combination of values for
the keys defines a separate aggregation instance, which WAF counts and rate-limits
individually.

You can optionally nest another statement inside the rate-based statement,
to narrow the scope of the rule so that it only counts and rate limits requests
that match the nested statement. You can use this nested scope-down statement
in conjunction with your aggregation key specifications or you can just count
and rate limit all requests that match the scope-down statement, without
additional aggregation. When you choose to just manage all requests that
match a scope-down statement, the aggregation instance is singular for the
rule.

You cannot nest a RateBasedStatement inside another statement, for example
inside a NotStatement or OrStatement. You can define a RateBasedStatement
inside a web ACL and inside a rule group.

For additional information about the options, see Rate limiting web requests
using rate-based rules (https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html)
in the WAF Developer Guide.

If you only aggregate on the individual IP address or forwarded IP address,
you can retrieve the list of IP addresses that WAF is currently rate limiting
for a rule through the API call GetRateBasedStatementManagedKeys. This option
is not available for other aggregation configurations.

WAF tracks and manages web requests separately for each instance of a rate-based
rule that you use. For example, if you provide the same rate-based rule settings
in two web ACLs, each of the two rule statements represents a separate instance
of the rate-based rule and gets its own tracking and management by WAF. If
you define a rate-based rule inside a rule group, and then use that rule
group in multiple places, each use creates a separate instance of the rate-based
rule that gets its own tracking and management by WAF. | | rules.[].statement.rateBasedStatement.aggregateKeyType
Optional | string
| | rules.[].statement.rateBasedStatement.customKeys
Optional | array
| | rules.[].statement.rateBasedStatement.customKeys.[]
Required | object
Specifies a single custom aggregate key for a rate-base rule.

Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling. || rules.[].statement.rateBasedStatement.customKeys.[].cookie
Optional | object
Specifies a cookie as an aggregate key for a rate-based rule. Each distinct
value in the cookie contributes to the aggregation instance. If you use a
single cookie as your custom key, then each value fully defines an aggregation
instance. | | rules.[].statement.rateBasedStatement.customKeys.[].cookie.name
Optional | string
| | rules.[].statement.rateBasedStatement.customKeys.[].cookie.textTransformations
Optional | array
| | rules.[].statement.rateBasedStatement.customKeys.[].cookie.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.rateBasedStatement.customKeys.[].cookie.textTransformations.[].priority
Optional | integer
| | rules.[].statement.rateBasedStatement.customKeys.[].cookie.textTransformations.[].type
Optional | string
| | rules.[].statement.rateBasedStatement.customKeys.[].forwardedIP
Optional | object
Specifies the first IP address in an HTTP header as an aggregate key for
a rate-based rule. Each distinct forwarded IP address contributes to the
aggregation instance.

This setting is used only in the RateBasedStatementCustomKey specification
of a rate-based rule statement. When you specify an IP or forwarded IP in
the custom key settings, you must also specify at least one other key to
use. You can aggregate on only the forwarded IP address by specifying FORWARDED_IP
in your rate-based statement’s AggregateKeyType.

This data type supports using the forwarded IP address in the web request
aggregation for a rate-based rule, in RateBasedStatementCustomKey. The JSON
specification for using the forwarded IP address doesn’t explicitly use this
data type.

JSON specification: “ForwardedIP”: {}

When you use this specification, you must also configure the forwarded IP
address in the rate-based statement’s ForwardedIPConfig. | | rules.[].statement.rateBasedStatement.customKeys.[].header
Optional | object
Specifies a header as an aggregate key for a rate-based rule. Each distinct
value in the header contributes to the aggregation instance. If you use a
single header as your custom key, then each value fully defines an aggregation
instance. | | rules.[].statement.rateBasedStatement.customKeys.[].header.name
Optional | string
| | rules.[].statement.rateBasedStatement.customKeys.[].header.textTransformations
Optional | array
| | rules.[].statement.rateBasedStatement.customKeys.[].header.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.rateBasedStatement.customKeys.[].header.textTransformations.[].priority
Optional | integer
| | rules.[].statement.rateBasedStatement.customKeys.[].header.textTransformations.[].type
Optional | string
| | rules.[].statement.rateBasedStatement.customKeys.[].httpMethod
Optional | object
Specifies the request’s HTTP method as an aggregate key for a rate-based
rule. Each distinct HTTP method contributes to the aggregation instance.
If you use just the HTTP method as your custom key, then each method fully
defines an aggregation instance.

JSON specification: “RateLimitHTTPMethod”: {} | | rules.[].statement.rateBasedStatement.customKeys.[].iP
Optional | object
Specifies the IP address in the web request as an aggregate key for a rate-based
rule. Each distinct IP address contributes to the aggregation instance.

This setting is used only in the RateBasedStatementCustomKey specification
of a rate-based rule statement. To use this in the custom key settings, you
must specify at least one other key to use, along with the IP address. To
aggregate on only the IP address, in your rate-based statement’s AggregateKeyType,
specify IP.

JSON specification: “RateLimitIP”: {} | | rules.[].statement.rateBasedStatement.customKeys.[].labelNamespace
Optional | object
Specifies a label namespace to use as an aggregate key for a rate-based rule.
Each distinct fully qualified label name that has the specified label namespace
contributes to the aggregation instance. If you use just one label namespace
as your custom key, then each label name fully defines an aggregation instance.

This uses only labels that have been added to the request by rules that are
evaluated before this rate-based rule in the web ACL.

For information about label namespaces and names, see Label syntax and naming
requirements (https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html)
in the WAF Developer Guide. | | rules.[].statement.rateBasedStatement.customKeys.[].labelNamespace.namespace
Optional | string
| | rules.[].statement.rateBasedStatement.customKeys.[].queryArgument
Optional | object
Specifies a query argument in the request as an aggregate key for a rate-based
rule. Each distinct value for the named query argument contributes to the
aggregation instance. If you use a single query argument as your custom key,
then each value fully defines an aggregation instance. | | rules.[].statement.rateBasedStatement.customKeys.[].queryArgument.name
Optional | string
| | rules.[].statement.rateBasedStatement.customKeys.[].queryArgument.textTransformations
Optional | array
| | rules.[].statement.rateBasedStatement.customKeys.[].queryArgument.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.rateBasedStatement.customKeys.[].queryArgument.textTransformations.[].priority
Optional | integer
| | rules.[].statement.rateBasedStatement.customKeys.[].queryArgument.textTransformations.[].type
Optional | string
| | rules.[].statement.rateBasedStatement.customKeys.[].queryString
Optional | object
Specifies the request’s query string as an aggregate key for a rate-based
rule. Each distinct string contributes to the aggregation instance. If you
use just the query string as your custom key, then each string fully defines
an aggregation instance. | | rules.[].statement.rateBasedStatement.customKeys.[].queryString.textTransformations
Optional | array
| | rules.[].statement.rateBasedStatement.customKeys.[].queryString.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.rateBasedStatement.customKeys.[].queryString.textTransformations.[].priority
Optional | integer
| | rules.[].statement.rateBasedStatement.customKeys.[].queryString.textTransformations.[].type
Optional | string
| | rules.[].statement.rateBasedStatement.customKeys.[].uriPath
Optional | object
Specifies the request’s URI path as an aggregate key for a rate-based rule.
Each distinct URI path contributes to the aggregation instance. If you use
just the URI path as your custom key, then each URI path fully defines an
aggregation instance. | | rules.[].statement.rateBasedStatement.customKeys.[].uriPath.textTransformations
Optional | array
| | rules.[].statement.rateBasedStatement.customKeys.[].uriPath.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.rateBasedStatement.customKeys.[].uriPath.textTransformations.[].priority
Optional | integer
| | rules.[].statement.rateBasedStatement.customKeys.[].uriPath.textTransformations.[].type
Optional | string
| | rules.[].statement.rateBasedStatement.evaluationWindowSec
Optional | integer
| | rules.[].statement.rateBasedStatement.forwardedIPConfig
Optional | object
The configuration for inspecting IP addresses in an HTTP header that you
specify, instead of using the IP address that’s reported by the web request
origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify
any header name.

If the specified header isn’t present in the request, WAF doesn’t apply the
rule to the web request at all.

This configuration is used for GeoMatchStatement and RateBasedStatement.
For IPSetReferenceStatement, use IPSetForwardedIPConfig instead.

WAF only evaluates the first IP address found in the specified HTTP header. | | rules.[].statement.rateBasedStatement.forwardedIPConfig.fallbackBehavior
Optional | string
| | rules.[].statement.rateBasedStatement.forwardedIPConfig.headerName
Optional | string
| | rules.[].statement.rateBasedStatement.limit
Optional | integer
| | rules.[].statement.rateBasedStatement.scopeDownStatement
Optional | string
| | rules.[].statement.regexMatchStatement
Optional | object
A rule statement used to search web request components for a match against
a single regular expression. | | rules.[].statement.regexMatchStatement.fieldToMatch
Optional | object
Specifies a web request component to be used in a rule match statement or
in a logging configuration.

* In a rule statement, this is the part of the web request that you want
WAF to inspect. Include the single FieldToMatch type that you want to
inspect, with additional specifications as needed, according to the type.
You specify a single request component in FieldToMatch for each rule statement
that requires it. To inspect more than one component of the web request,
create a separate rule statement for each component. Example JSON for
a QueryString field to match: “FieldToMatch”: { “QueryString”: {} } Example
JSON for a Method field to match specification: “FieldToMatch”: { “Method”:
{ “Name”: “DELETE” } }

* In a logging configuration, this is used in the RedactedFields property
to specify a field to redact from the logging records. For this use case,
note the following: Even though all FieldToMatch settings are available,
the only valid settings for field redaction are UriPath, QueryString,
SingleHeader, and Method. In this documentation, the descriptions of the
individual fields talk about specifying the web request component to inspect,
but for field redaction, you are specifying the component type to redact
from the logs. | | rules.[].statement.regexMatchStatement.fieldToMatch.allQueryArguments
Optional | object
Inspect all query arguments of the web request.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “AllQueryArguments”: {} | | rules.[].statement.regexMatchStatement.fieldToMatch.body
Optional | object
Inspect the body of the web request. The body immediately follows the request
headers.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification. | | rules.[].statement.regexMatchStatement.fieldToMatch.body.oversizeHandling
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.cookies
Optional | object
Inspect the cookies in the web request. You can specify the parts of the
cookies to inspect and you can narrow the set of cookies to inspect by including
or excluding specific keys.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Example JSON: “Cookies”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchPattern
Optional | object
The filter to use to identify the subset of cookies to inspect in a web request.

You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies.

Example JSON: “MatchPattern”: { “IncludedCookies”: [ “session-id-time”, “session-id”
] } | | rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “All”: {} | | rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies
Optional | array
| | rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies.[]
Required | string
|| rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies
Optional | array
| | rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies.[]
Required | string
|| rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchScope
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.cookies.oversizeHandling
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.headerOrder
Optional | object
Inspect a string containing the list of the request’s header names, ordered
as they appear in the web request that WAF receives for inspection. WAF generates
the string and then uses that as the field to match component in its inspection.
WAF separates the header names in the string using colons and no added spaces,
for example host:user-agent:accept:authorization:referer. | | rules.[].statement.regexMatchStatement.fieldToMatch.headerOrder.oversizeHandling
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.headers
Optional | object
Inspect all headers in the web request. You can specify the parts of the
headers to inspect and you can narrow the set of headers to inspect by including
or excluding specific keys.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

If you want to inspect just the value of a single header, use the SingleHeader
FieldToMatch setting instead.

Example JSON: “Headers”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchPattern
Optional | object
The filter to use to identify the subset of headers to inspect in a web request.

You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders.

Example JSON: “MatchPattern”: { “ExcludedHeaders”: [ “KeyToExclude1”, “KeyToExclude2”
] } | | rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “All”: {} | | rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders
Optional | array
| | rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders.[]
Required | string
|| rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders
Optional | array
| | rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders.[]
Required | string
|| rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchScope
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.headers.oversizeHandling
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.ja3Fingerprint
Optional | object
Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character
hash derived from the TLS Client Hello of an incoming request. This fingerprint
serves as a unique identifier for the client’s TLS configuration. WAF calculates
and logs this fingerprint for each request that has enough TLS Client Hello
information for the calculation. Almost all web requests include this information.

You can use this choice only with a string match ByteMatchStatement with
the PositionalConstraint set to EXACTLY.

You can obtain the JA3 fingerprint for client requests from the web ACL logs.
If WAF is able to calculate the fingerprint, it includes it in the logs.
For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html)
in the WAF Developer Guide.

Provide the JA3 fingerprint string from the logs in your string match statement
specification, to match with any future requests that have the same TLS configuration. | | rules.[].statement.regexMatchStatement.fieldToMatch.ja3Fingerprint.fallbackBehavior
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody
Optional | object
Inspect the body of the web request as JSON. The body immediately follows
the request headers.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Use the specifications in this object to indicate which parts of the JSON
body to inspect using the rule’s inspection criteria. WAF inspects only the
parts of the JSON that result from the matches that you indicate.

Example JSON: “JsonBody”: { “MatchPattern”: { “All”: {} }, “MatchScope”:
“ALL” } | | rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.invalidFallbackBehavior
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.matchPattern
Optional | object
The patterns to look for in the JSON body. WAF inspects the results of these
pattern matches against the rule inspection criteria. This is used with the
FieldToMatch option JsonBody. | | rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “All”: {} | | rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths
Optional | array
| | rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths.[]
Required | string
|| rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.matchScope
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.oversizeHandling
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.method
Optional | object
Inspect the HTTP method of the web request. The method indicates the type
of operation that the request is asking the origin to perform.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “Method”: {} | | rules.[].statement.regexMatchStatement.fieldToMatch.queryString
Optional | object
Inspect the query string of the web request. This is the part of a URL that
appears after a ? character, if any.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “QueryString”: {} | | rules.[].statement.regexMatchStatement.fieldToMatch.singleHeader
Optional | object
Inspect one of the headers in the web request, identified by name, for example,
User-Agent or Referer. The name isn’t case sensitive.

You can filter and inspect all headers with the FieldToMatch setting Headers.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Example JSON: “SingleHeader”: { “Name”: “haystack” } | | rules.[].statement.regexMatchStatement.fieldToMatch.singleHeader.name
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.singleQueryArgument
Optional | object
Inspect one query argument in the web request, identified by name, for example
UserName or SalesRegion. The name isn’t case sensitive.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Example JSON: “SingleQueryArgument”: { “Name”: “myArgument” } | | rules.[].statement.regexMatchStatement.fieldToMatch.singleQueryArgument.name
Optional | string
| | rules.[].statement.regexMatchStatement.fieldToMatch.uriPath
Optional | object
Inspect the path component of the URI of the web request. This is the part
of the web request that identifies a resource. For example, /images/daily-ad.jpg.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “UriPath”: {} | | rules.[].statement.regexMatchStatement.regexString
Optional | string
| | rules.[].statement.regexMatchStatement.textTransformations
Optional | array
| | rules.[].statement.regexMatchStatement.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.regexMatchStatement.textTransformations.[].priority
Optional | integer
| | rules.[].statement.regexMatchStatement.textTransformations.[].type
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement
Optional | object
A rule statement used to search web request components for matches with regular
expressions. To use this, create a RegexPatternSet that specifies the expressions
that you want to detect, then use the ARN of that set in this statement.
A web request matches the pattern set rule statement if the request component
matches any of the patterns in the set. To create a regex pattern set, see
CreateRegexPatternSet.

Each regex pattern set rule statement references a regex pattern set. You
create and maintain the set independent of your rules. This allows you to
use the single set in multiple rules. When you update the referenced set,
WAF automatically updates all rules that reference it. | | rules.[].statement.regexPatternSetReferenceStatement.arn
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch
Optional | object
Specifies a web request component to be used in a rule match statement or
in a logging configuration.

* In a rule statement, this is the part of the web request that you want
WAF to inspect. Include the single FieldToMatch type that you want to
inspect, with additional specifications as needed, according to the type.
You specify a single request component in FieldToMatch for each rule statement
that requires it. To inspect more than one component of the web request,
create a separate rule statement for each component. Example JSON for
a QueryString field to match: “FieldToMatch”: { “QueryString”: {} } Example
JSON for a Method field to match specification: “FieldToMatch”: { “Method”:
{ “Name”: “DELETE” } }

* In a logging configuration, this is used in the RedactedFields property
to specify a field to redact from the logging records. For this use case,
note the following: Even though all FieldToMatch settings are available,
the only valid settings for field redaction are UriPath, QueryString,
SingleHeader, and Method. In this documentation, the descriptions of the
individual fields talk about specifying the web request component to inspect,
but for field redaction, you are specifying the component type to redact
from the logs. | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.allQueryArguments
Optional | object
Inspect all query arguments of the web request.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “AllQueryArguments”: {} | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.body
Optional | object
Inspect the body of the web request. The body immediately follows the request
headers.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification. | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.body.oversizeHandling
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies
Optional | object
Inspect the cookies in the web request. You can specify the parts of the
cookies to inspect and you can narrow the set of cookies to inspect by including
or excluding specific keys.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Example JSON: “Cookies”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchPattern
Optional | object
The filter to use to identify the subset of cookies to inspect in a web request.

You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies.

Example JSON: “MatchPattern”: { “IncludedCookies”: [ “session-id-time”, “session-id”
] } | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “All”: {} | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchPattern.excludedCookies
Optional | array
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchPattern.excludedCookies.[]
Required | string
|| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchPattern.includedCookies
Optional | array
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchPattern.includedCookies.[]
Required | string
|| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchScope
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.oversizeHandling
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headerOrder
Optional | object
Inspect a string containing the list of the request’s header names, ordered
as they appear in the web request that WAF receives for inspection. WAF generates
the string and then uses that as the field to match component in its inspection.
WAF separates the header names in the string using colons and no added spaces,
for example host:user-agent:accept:authorization:referer. | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headerOrder.oversizeHandling
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers
Optional | object
Inspect all headers in the web request. You can specify the parts of the
headers to inspect and you can narrow the set of headers to inspect by including
or excluding specific keys.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

If you want to inspect just the value of a single header, use the SingleHeader
FieldToMatch setting instead.

Example JSON: “Headers”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchPattern
Optional | object
The filter to use to identify the subset of headers to inspect in a web request.

You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders.

Example JSON: “MatchPattern”: { “ExcludedHeaders”: [ “KeyToExclude1”, “KeyToExclude2”
] } | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “All”: {} | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchPattern.excludedHeaders
Optional | array
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchPattern.excludedHeaders.[]
Required | string
|| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchPattern.includedHeaders
Optional | array
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchPattern.includedHeaders.[]
Required | string
|| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchScope
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.oversizeHandling
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.ja3Fingerprint
Optional | object
Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character
hash derived from the TLS Client Hello of an incoming request. This fingerprint
serves as a unique identifier for the client’s TLS configuration. WAF calculates
and logs this fingerprint for each request that has enough TLS Client Hello
information for the calculation. Almost all web requests include this information.

You can use this choice only with a string match ByteMatchStatement with
the PositionalConstraint set to EXACTLY.

You can obtain the JA3 fingerprint for client requests from the web ACL logs.
If WAF is able to calculate the fingerprint, it includes it in the logs.
For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html)
in the WAF Developer Guide.

Provide the JA3 fingerprint string from the logs in your string match statement
specification, to match with any future requests that have the same TLS configuration. | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.ja3Fingerprint.fallbackBehavior
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody
Optional | object
Inspect the body of the web request as JSON. The body immediately follows
the request headers.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Use the specifications in this object to indicate which parts of the JSON
body to inspect using the rule’s inspection criteria. WAF inspects only the
parts of the JSON that result from the matches that you indicate.

Example JSON: “JsonBody”: { “MatchPattern”: { “All”: {} }, “MatchScope”:
“ALL” } | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.invalidFallbackBehavior
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.matchPattern
Optional | object
The patterns to look for in the JSON body. WAF inspects the results of these
pattern matches against the rule inspection criteria. This is used with the
FieldToMatch option JsonBody. | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “All”: {} | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.matchPattern.includedPaths
Optional | array
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.matchPattern.includedPaths.[]
Required | string
|| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.matchScope
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.oversizeHandling
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.method
Optional | object
Inspect the HTTP method of the web request. The method indicates the type
of operation that the request is asking the origin to perform.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “Method”: {} | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.queryString
Optional | object
Inspect the query string of the web request. This is the part of a URL that
appears after a ? character, if any.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “QueryString”: {} | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.singleHeader
Optional | object
Inspect one of the headers in the web request, identified by name, for example,
User-Agent or Referer. The name isn’t case sensitive.

You can filter and inspect all headers with the FieldToMatch setting Headers.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Example JSON: “SingleHeader”: { “Name”: “haystack” } | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.singleHeader.name
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.singleQueryArgument
Optional | object
Inspect one query argument in the web request, identified by name, for example
UserName or SalesRegion. The name isn’t case sensitive.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Example JSON: “SingleQueryArgument”: { “Name”: “myArgument” } | | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.singleQueryArgument.name
Optional | string
| | rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.uriPath
Optional | object
Inspect the path component of the URI of the web request. This is the part
of the web request that identifies a resource. For example, /images/daily-ad.jpg.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “UriPath”: {} | | rules.[].statement.regexPatternSetReferenceStatement.textTransformations
Optional | array
| | rules.[].statement.regexPatternSetReferenceStatement.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.regexPatternSetReferenceStatement.textTransformations.[].priority
Optional | integer
| | rules.[].statement.regexPatternSetReferenceStatement.textTransformations.[].type
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement
Optional | object
A rule statement used to run the rules that are defined in a RuleGroup. To
use this, create a rule group with your rules, then provide the ARN of the
rule group in this statement.

You cannot nest a RuleGroupReferenceStatement, for example for use inside
a NotStatement or OrStatement. You cannot use a rule group reference statement
inside another rule group. You can only reference a rule group as a top-level
statement within a rule that you define in a web ACL. | | rules.[].statement.ruleGroupReferenceStatement.arn
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.excludedRules
Optional | array
| | rules.[].statement.ruleGroupReferenceStatement.excludedRules.[]
Required | object
Specifies a single rule in a rule group whose action you want to override to Count.

Instead of this option, use RuleActionOverrides. It accepts any valid action setting, including Count. || rules.[].statement.ruleGroupReferenceStatement.excludedRules.[].name
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides
Optional | array
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[]
Required | object
Action setting to use in the place of a rule action that is configured inside the rule group. You specify one override for each rule whose action you want to change.

You can use overrides for testing, for example you can override all of rule actions to Count and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic. || rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse
Optional | object
The action that WAF should take on a web request when it matches a rule’s
statement. Settings at the web ACL level can override the rule action setting. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.allow
Optional | object
Specifies that WAF should allow the request and optionally defines additional
custom handling for the request.

This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.

For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders
Optional | array
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders.[].name
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders.[].value
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block
Optional | object
Specifies that WAF should block the request and optionally defines additional
custom handling for the response to the web request.

This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse
Optional | object
A custom response to send to the client. You can define a custom response
for rule actions and default web ACL actions that are set to BlockAction.

For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse.customResponseBodyKey
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseCode
Optional | integer
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders
Optional | array
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders.[].name
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders.[].value
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.captcha
Optional | object
Specifies that WAF should run a CAPTCHA check against the request:

* If the request includes a valid, unexpired CAPTCHA token, WAF applies
any custom request handling and labels that you’ve configured and then
allows the web request inspection to proceed to the next rule, similar
to a CountAction.

* If the request doesn’t include a valid, unexpired token, WAF discontinues
the web ACL evaluation of the request and blocks it from going to its
intended destination. WAF generates a response that it sends back to the
client, which includes the following: The header x-amzn-waf-action with
a value of captcha. The HTTP status code 405 Method Not Allowed. If the
request contains an Accept header with a value of text/html, the response
includes a CAPTCHA JavaScript page interstitial.

You can configure the expiration time in the CaptchaConfig ImmunityTimeProperty
setting at the rule and web ACL level. The rule setting overrides the web
ACL setting.

This action option is available for rules. It isn’t available for web ACL
default actions. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.

For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders
Optional | array
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders.[].name
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders.[].value
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.challenge
Optional | object
Specifies that WAF should run a Challenge check against the request to verify
that the request is coming from a legitimate client session:

* If the request includes a valid, unexpired challenge token, WAF applies
any custom request handling and labels that you’ve configured and then
allows the web request inspection to proceed to the next rule, similar
to a CountAction.

* If the request doesn’t include a valid, unexpired challenge token, WAF
discontinues the web ACL evaluation of the request and blocks it from
going to its intended destination. WAF then generates a challenge response
that it sends back to the client, which includes the following: The header
x-amzn-waf-action with a value of challenge. The HTTP status code 202
Request Accepted. If the request contains an Accept header with a value
of text/html, the response includes a JavaScript page interstitial with
a challenge script. Challenges run silent browser interrogations in the
background, and don’t generally affect the end user experience. A challenge
enforces token acquisition using an interstitial JavaScript challenge
that inspects the client session for legitimate behavior. The challenge
blocks bots or at least increases the cost of operating sophisticated
bots. After the client session successfully responds to the challenge,
it receives a new token from WAF, which the challenge script uses to resubmit
the original request.

You can configure the expiration time in the ChallengeConfig ImmunityTimeProperty
setting at the rule and web ACL level. The rule setting overrides the web
ACL setting.

This action option is available for rules. It isn’t available for web ACL
default actions. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.

For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders
Optional | array
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders.[].name
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders.[].value
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.count
Optional | object
Specifies that WAF should count the request. Optionally defines additional
custom handling for the request.

This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid t okens,
and AllowAction.

For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. | | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders
Optional | array
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. || rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders.[].name
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders.[].value
Optional | string
| | rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].name
Optional | string
| | rules.[].statement.sizeConstraintStatement
Optional | object
A rule statement that compares a number of bytes against the size of a request
component, using a comparison operator, such as greater than (>) or less
than (<). For example, you can use a size constraint statement to look for
query strings that are longer than 100 bytes.

If you configure WAF to inspect the request body, WAF inspects only the number
of bytes in the body up to the limit for the web ACL and protected resource
type. If you know that the request body for your web requests should never
exceed the inspection limit, you can use a size constraint statement to block
requests that have a larger request body size. For more information about
the inspection limits, see Body and JsonBody settings for the FieldToMatch
data type.

If you choose URI for the value of Part of the request to filter on, the
slash (/) in the URI counts as one character. For example, the URI /logo.jpg
is nine characters long. | | rules.[].statement.sizeConstraintStatement.comparisonOperator
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch
Optional | object
Specifies a web request component to be used in a rule match statement or
in a logging configuration.

* In a rule statement, this is the part of the web request that you want
WAF to inspect. Include the single FieldToMatch type that you want to
inspect, with additional specifications as needed, according to the type.
You specify a single request component in FieldToMatch for each rule statement
that requires it. To inspect more than one component of the web request,
create a separate rule statement for each component. Example JSON for
a QueryString field to match: “FieldToMatch”: { “QueryString”: {} } Example
JSON for a Method field to match specification: “FieldToMatch”: { “Method”:
{ “Name”: “DELETE” } }

* In a logging configuration, this is used in the RedactedFields property
to specify a field to redact from the logging records. For this use case,
note the following: Even though all FieldToMatch settings are available,
the only valid settings for field redaction are UriPath, QueryString,
SingleHeader, and Method. In this documentation, the descriptions of the
individual fields talk about specifying the web request component to inspect,
but for field redaction, you are specifying the component type to redact
from the logs. | | rules.[].statement.sizeConstraintStatement.fieldToMatch.allQueryArguments
Optional | object
Inspect all query arguments of the web request.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “AllQueryArguments”: {} | | rules.[].statement.sizeConstraintStatement.fieldToMatch.body
Optional | object
Inspect the body of the web request. The body immediately follows the request
headers.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification. | | rules.[].statement.sizeConstraintStatement.fieldToMatch.body.oversizeHandling
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies
Optional | object
Inspect the cookies in the web request. You can specify the parts of the
cookies to inspect and you can narrow the set of cookies to inspect by including
or excluding specific keys.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Example JSON: “Cookies”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchPattern
Optional | object
The filter to use to identify the subset of cookies to inspect in a web request.

You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies.

Example JSON: “MatchPattern”: { “IncludedCookies”: [ “session-id-time”, “session-id”
] } | | rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “All”: {} | | rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchPattern.excludedCookies
Optional | array
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchPattern.excludedCookies.[]
Required | string
|| rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchPattern.includedCookies
Optional | array
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchPattern.includedCookies.[]
Required | string
|| rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchScope
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.oversizeHandling
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.headerOrder
Optional | object
Inspect a string containing the list of the request’s header names, ordered
as they appear in the web request that WAF receives for inspection. WAF generates
the string and then uses that as the field to match component in its inspection.
WAF separates the header names in the string using colons and no added spaces,
for example host:user-agent:accept:authorization:referer. | | rules.[].statement.sizeConstraintStatement.fieldToMatch.headerOrder.oversizeHandling
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.headers
Optional | object
Inspect all headers in the web request. You can specify the parts of the
headers to inspect and you can narrow the set of headers to inspect by including
or excluding specific keys.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

If you want to inspect just the value of a single header, use the SingleHeader
FieldToMatch setting instead.

Example JSON: “Headers”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchPattern
Optional | object
The filter to use to identify the subset of headers to inspect in a web request.

You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders.

Example JSON: “MatchPattern”: { “ExcludedHeaders”: [ “KeyToExclude1”, “KeyToExclude2”
] } | | rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “All”: {} | | rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchPattern.excludedHeaders
Optional | array
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchPattern.excludedHeaders.[]
Required | string
|| rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchPattern.includedHeaders
Optional | array
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchPattern.includedHeaders.[]
Required | string
|| rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchScope
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.oversizeHandling
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.ja3Fingerprint
Optional | object
Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character
hash derived from the TLS Client Hello of an incoming request. This fingerprint
serves as a unique identifier for the client’s TLS configuration. WAF calculates
and logs this fingerprint for each request that has enough TLS Client Hello
information for the calculation. Almost all web requests include this information.

You can use this choice only with a string match ByteMatchStatement with
the PositionalConstraint set to EXACTLY.

You can obtain the JA3 fingerprint for client requests from the web ACL logs.
If WAF is able to calculate the fingerprint, it includes it in the logs.
For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html)
in the WAF Developer Guide.

Provide the JA3 fingerprint string from the logs in your string match statement
specification, to match with any future requests that have the same TLS configuration. | | rules.[].statement.sizeConstraintStatement.fieldToMatch.ja3Fingerprint.fallbackBehavior
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody
Optional | object
Inspect the body of the web request as JSON. The body immediately follows
the request headers.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Use the specifications in this object to indicate which parts of the JSON
body to inspect using the rule’s inspection criteria. WAF inspects only the
parts of the JSON that result from the matches that you indicate.

Example JSON: “JsonBody”: { “MatchPattern”: { “All”: {} }, “MatchScope”:
“ALL” } | | rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.invalidFallbackBehavior
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.matchPattern
Optional | object
The patterns to look for in the JSON body. WAF inspects the results of these
pattern matches against the rule inspection criteria. This is used with the
FieldToMatch option JsonBody. | | rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “All”: {} | | rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.matchPattern.includedPaths
Optional | array
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.matchPattern.includedPaths.[]
Required | string
|| rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.matchScope
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.oversizeHandling
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.method
Optional | object
Inspect the HTTP method of the web request. The method indicates the type
of operation that the request is asking the origin to perform.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “Method”: {} | | rules.[].statement.sizeConstraintStatement.fieldToMatch.queryString
Optional | object
Inspect the query string of the web request. This is the part of a URL that
appears after a ? character, if any.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “QueryString”: {} | | rules.[].statement.sizeConstraintStatement.fieldToMatch.singleHeader
Optional | object
Inspect one of the headers in the web request, identified by name, for example,
User-Agent or Referer. The name isn’t case sensitive.

You can filter and inspect all headers with the FieldToMatch setting Headers.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Example JSON: “SingleHeader”: { “Name”: “haystack” } | | rules.[].statement.sizeConstraintStatement.fieldToMatch.singleHeader.name
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.singleQueryArgument
Optional | object
Inspect one query argument in the web request, identified by name, for example
UserName or SalesRegion. The name isn’t case sensitive.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Example JSON: “SingleQueryArgument”: { “Name”: “myArgument” } | | rules.[].statement.sizeConstraintStatement.fieldToMatch.singleQueryArgument.name
Optional | string
| | rules.[].statement.sizeConstraintStatement.fieldToMatch.uriPath
Optional | object
Inspect the path component of the URI of the web request. This is the part
of the web request that identifies a resource. For example, /images/daily-ad.jpg.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “UriPath”: {} | | rules.[].statement.sizeConstraintStatement.size
Optional | integer
| | rules.[].statement.sizeConstraintStatement.textTransformations
Optional | array
| | rules.[].statement.sizeConstraintStatement.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.sizeConstraintStatement.textTransformations.[].priority
Optional | integer
| | rules.[].statement.sizeConstraintStatement.textTransformations.[].type
Optional | string
| | rules.[].statement.sqliMatchStatement
Optional | object
A rule statement that inspects for malicious SQL code. Attackers insert malicious
SQL code into web requests to do things like modify your database or extract
data from it. | | rules.[].statement.sqliMatchStatement.fieldToMatch
Optional | object
Specifies a web request component to be used in a rule match statement or
in a logging configuration.

* In a rule statement, this is the part of the web request that you want
WAF to inspect. Include the single FieldToMatch type that you want to
inspect, with additional specifications as needed, according to the type.
You specify a single request component in FieldToMatch for each rule statement
that requires it. To inspect more than one component of the web request,
create a separate rule statement for each component. Example JSON for
a QueryString field to match: “FieldToMatch”: { “QueryString”: {} } Example
JSON for a Method field to match specification: “FieldToMatch”: { “Method”:
{ “Name”: “DELETE” } }

* In a logging configuration, this is used in the RedactedFields property
to specify a field to redact from the logging records. For this use case,
note the following: Even though all FieldToMatch settings are available,
the only valid settings for field redaction are UriPath, QueryString,
SingleHeader, and Method. In this documentation, the descriptions of the
individual fields talk about specifying the web request component to inspect,
but for field redaction, you are specifying the component type to redact
from the logs. | | rules.[].statement.sqliMatchStatement.fieldToMatch.allQueryArguments
Optional | object
Inspect all query arguments of the web request.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “AllQueryArguments”: {} | | rules.[].statement.sqliMatchStatement.fieldToMatch.body
Optional | object
Inspect the body of the web request. The body immediately follows the request
headers.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification. | | rules.[].statement.sqliMatchStatement.fieldToMatch.body.oversizeHandling
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.cookies
Optional | object
Inspect the cookies in the web request. You can specify the parts of the
cookies to inspect and you can narrow the set of cookies to inspect by including
or excluding specific keys.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Example JSON: “Cookies”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchPattern
Optional | object
The filter to use to identify the subset of cookies to inspect in a web request.

You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies.

Example JSON: “MatchPattern”: { “IncludedCookies”: [ “session-id-time”, “session-id”
] } | | rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “All”: {} | | rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies
Optional | array
| | rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies.[]
Required | string
|| rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies
Optional | array
| | rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies.[]
Required | string
|| rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchScope
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.oversizeHandling
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.headerOrder
Optional | object
Inspect a string containing the list of the request’s header names, ordered
as they appear in the web request that WAF receives for inspection. WAF generates
the string and then uses that as the field to match component in its inspection.
WAF separates the header names in the string using colons and no added spaces,
for example host:user-agent:accept:authorization:referer. | | rules.[].statement.sqliMatchStatement.fieldToMatch.headerOrder.oversizeHandling
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.headers
Optional | object
Inspect all headers in the web request. You can specify the parts of the
headers to inspect and you can narrow the set of headers to inspect by including
or excluding specific keys.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

If you want to inspect just the value of a single header, use the SingleHeader
FieldToMatch setting instead.

Example JSON: “Headers”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchPattern
Optional | object
The filter to use to identify the subset of headers to inspect in a web request.

You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders.

Example JSON: “MatchPattern”: { “ExcludedHeaders”: [ “KeyToExclude1”, “KeyToExclude2”
] } | | rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “All”: {} | | rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders
Optional | array
| | rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders.[]
Required | string
|| rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders
Optional | array
| | rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders.[]
Required | string
|| rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchScope
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.headers.oversizeHandling
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.ja3Fingerprint
Optional | object
Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character
hash derived from the TLS Client Hello of an incoming request. This fingerprint
serves as a unique identifier for the client’s TLS configuration. WAF calculates
and logs this fingerprint for each request that has enough TLS Client Hello
information for the calculation. Almost all web requests include this information.

You can use this choice only with a string match ByteMatchStatement with
the PositionalConstraint set to EXACTLY.

You can obtain the JA3 fingerprint for client requests from the web ACL logs.
If WAF is able to calculate the fingerprint, it includes it in the logs.
For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html)
in the WAF Developer Guide.

Provide the JA3 fingerprint string from the logs in your string match statement
specification, to match with any future requests that have the same TLS configuration. | | rules.[].statement.sqliMatchStatement.fieldToMatch.ja3Fingerprint.fallbackBehavior
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody
Optional | object
Inspect the body of the web request as JSON. The body immediately follows
the request headers.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Use the specifications in this object to indicate which parts of the JSON
body to inspect using the rule’s inspection criteria. WAF inspects only the
parts of the JSON that result from the matches that you indicate.

Example JSON: “JsonBody”: { “MatchPattern”: { “All”: {} }, “MatchScope”:
“ALL” } | | rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.invalidFallbackBehavior
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.matchPattern
Optional | object
The patterns to look for in the JSON body. WAF inspects the results of these
pattern matches against the rule inspection criteria. This is used with the
FieldToMatch option JsonBody. | | rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “All”: {} | | rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths
Optional | array
| | rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths.[]
Required | string
|| rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.matchScope
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.oversizeHandling
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.method
Optional | object
Inspect the HTTP method of the web request. The method indicates the type
of operation that the request is asking the origin to perform.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “Method”: {} | | rules.[].statement.sqliMatchStatement.fieldToMatch.queryString
Optional | object
Inspect the query string of the web request. This is the part of a URL that
appears after a ? character, if any.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “QueryString”: {} | | rules.[].statement.sqliMatchStatement.fieldToMatch.singleHeader
Optional | object
Inspect one of the headers in the web request, identified by name, for example,
User-Agent or Referer. The name isn’t case sensitive.

You can filter and inspect all headers with the FieldToMatch setting Headers.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Example JSON: “SingleHeader”: { “Name”: “haystack” } | | rules.[].statement.sqliMatchStatement.fieldToMatch.singleHeader.name
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.singleQueryArgument
Optional | object
Inspect one query argument in the web request, identified by name, for example
UserName or SalesRegion. The name isn’t case sensitive.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Example JSON: “SingleQueryArgument”: { “Name”: “myArgument” } | | rules.[].statement.sqliMatchStatement.fieldToMatch.singleQueryArgument.name
Optional | string
| | rules.[].statement.sqliMatchStatement.fieldToMatch.uriPath
Optional | object
Inspect the path component of the URI of the web request. This is the part
of the web request that identifies a resource. For example, /images/daily-ad.jpg.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “UriPath”: {} | | rules.[].statement.sqliMatchStatement.sensitivityLevel
Optional | string
| | rules.[].statement.sqliMatchStatement.textTransformations
Optional | array
| | rules.[].statement.sqliMatchStatement.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.sqliMatchStatement.textTransformations.[].priority
Optional | integer
| | rules.[].statement.sqliMatchStatement.textTransformations.[].type
Optional | string
| | rules.[].statement.xssMatchStatement
Optional | object
A rule statement that inspects for cross-site scripting (XSS) attacks. In
XSS attacks, the attacker uses vulnerabilities in a benign website as a vehicle
to inject malicious client-site scripts into other legitimate web browsers. | | rules.[].statement.xssMatchStatement.fieldToMatch
Optional | object
Specifies a web request component to be used in a rule match statement or
in a logging configuration.

* In a rule statement, this is the part of the web request that you want
WAF to inspect. Include the single FieldToMatch type that you want to
inspect, with additional specifications as needed, according to the type.
You specify a single request component in FieldToMatch for each rule statement
that requires it. To inspect more than one component of the web request,
create a separate rule statement for each component. Example JSON for
a QueryString field to match: “FieldToMatch”: { “QueryString”: {} } Example
JSON for a Method field to match specification: “FieldToMatch”: { “Method”:
{ “Name”: “DELETE” } }

* In a logging configuration, this is used in the RedactedFields property
to specify a field to redact from the logging records. For this use case,
note the following: Even though all FieldToMatch settings are available,
the only valid settings for field redaction are UriPath, QueryString,
SingleHeader, and Method. In this documentation, the descriptions of the
individual fields talk about specifying the web request component to inspect,
but for field redaction, you are specifying the component type to redact
from the logs. | | rules.[].statement.xssMatchStatement.fieldToMatch.allQueryArguments
Optional | object
Inspect all query arguments of the web request.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “AllQueryArguments”: {} | | rules.[].statement.xssMatchStatement.fieldToMatch.body
Optional | object
Inspect the body of the web request. The body immediately follows the request
headers.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification. | | rules.[].statement.xssMatchStatement.fieldToMatch.body.oversizeHandling
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.cookies
Optional | object
Inspect the cookies in the web request. You can specify the parts of the
cookies to inspect and you can narrow the set of cookies to inspect by including
or excluding specific keys.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Example JSON: “Cookies”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchPattern
Optional | object
The filter to use to identify the subset of cookies to inspect in a web request.

You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies.

Example JSON: “MatchPattern”: { “IncludedCookies”: [ “session-id-time”, “session-id”
] } | | rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “All”: {} | | rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies
Optional | array
| | rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies.[]
Required | string
|| rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies
Optional | array
| | rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies.[]
Required | string
|| rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchScope
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.cookies.oversizeHandling
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.headerOrder
Optional | object
Inspect a string containing the list of the request’s header names, ordered
as they appear in the web request that WAF receives for inspection. WAF generates
the string and then uses that as the field to match component in its inspection.
WAF separates the header names in the string using colons and no added spaces,
for example host:user-agent:accept:authorization:referer. | | rules.[].statement.xssMatchStatement.fieldToMatch.headerOrder.oversizeHandling
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.headers
Optional | object
Inspect all headers in the web request. You can specify the parts of the
headers to inspect and you can narrow the set of headers to inspect by including
or excluding specific keys.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

If you want to inspect just the value of a single header, use the SingleHeader
FieldToMatch setting instead.

Example JSON: “Headers”: { “MatchPattern”: { “All”: {} }, “MatchScope”: “KEY”,
“OversizeHandling”: “MATCH” } | | rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchPattern
Optional | object
The filter to use to identify the subset of headers to inspect in a web request.

You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders.

Example JSON: “MatchPattern”: { “ExcludedHeaders”: [ “KeyToExclude1”, “KeyToExclude2”
] } | | rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “All”: {} | | rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders
Optional | array
| | rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders.[]
Required | string
|| rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders
Optional | array
| | rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders.[]
Required | string
|| rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchScope
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.headers.oversizeHandling
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.ja3Fingerprint
Optional | object
Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character
hash derived from the TLS Client Hello of an incoming request. This fingerprint
serves as a unique identifier for the client’s TLS configuration. WAF calculates
and logs this fingerprint for each request that has enough TLS Client Hello
information for the calculation. Almost all web requests include this information.

You can use this choice only with a string match ByteMatchStatement with
the PositionalConstraint set to EXACTLY.

You can obtain the JA3 fingerprint for client requests from the web ACL logs.
If WAF is able to calculate the fingerprint, it includes it in the logs.
For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html)
in the WAF Developer Guide.

Provide the JA3 fingerprint string from the logs in your string match statement
specification, to match with any future requests that have the same TLS configuration. | | rules.[].statement.xssMatchStatement.fieldToMatch.ja3Fingerprint.fallbackBehavior
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody
Optional | object
Inspect the body of the web request as JSON. The body immediately follows
the request headers.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Use the specifications in this object to indicate which parts of the JSON
body to inspect using the rule’s inspection criteria. WAF inspects only the
parts of the JSON that result from the matches that you indicate.

Example JSON: “JsonBody”: { “MatchPattern”: { “All”: {} }, “MatchScope”:
“ALL” } | | rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.invalidFallbackBehavior
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.matchPattern
Optional | object
The patterns to look for in the JSON body. WAF inspects the results of these
pattern matches against the rule inspection criteria. This is used with the
FieldToMatch option JsonBody. | | rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “All”: {} | | rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths
Optional | array
| | rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths.[]
Required | string
|| rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.matchScope
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.oversizeHandling
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.method
Optional | object
Inspect the HTTP method of the web request. The method indicates the type
of operation that the request is asking the origin to perform.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “Method”: {} | | rules.[].statement.xssMatchStatement.fieldToMatch.queryString
Optional | object
Inspect the query string of the web request. This is the part of a URL that
appears after a ? character, if any.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “QueryString”: {} | | rules.[].statement.xssMatchStatement.fieldToMatch.singleHeader
Optional | object
Inspect one of the headers in the web request, identified by name, for example,
User-Agent or Referer. The name isn’t case sensitive.

You can filter and inspect all headers with the FieldToMatch setting Headers.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Example JSON: “SingleHeader”: { “Name”: “haystack” } | | rules.[].statement.xssMatchStatement.fieldToMatch.singleHeader.name
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.singleQueryArgument
Optional | object
Inspect one query argument in the web request, identified by name, for example
UserName or SalesRegion. The name isn’t case sensitive.

This is used to indicate the web request component to inspect, in the FieldToMatch
specification.

Example JSON: “SingleQueryArgument”: { “Name”: “myArgument” } | | rules.[].statement.xssMatchStatement.fieldToMatch.singleQueryArgument.name
Optional | string
| | rules.[].statement.xssMatchStatement.fieldToMatch.uriPath
Optional | object
Inspect the path component of the URI of the web request. This is the part
of the web request that identifies a resource. For example, /images/daily-ad.jpg.

This is used in the FieldToMatch specification for some web request component
types.

JSON specification: “UriPath”: {} | | rules.[].statement.xssMatchStatement.textTransformations
Optional | array
| | rules.[].statement.xssMatchStatement.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. || rules.[].statement.xssMatchStatement.textTransformations.[].priority
Optional | integer
| | rules.[].statement.xssMatchStatement.textTransformations.[].type
Optional | string
| | rules.[].visibilityConfig
Optional | object
Defines and enables Amazon CloudWatch metrics and web request sample collection. | | rules.[].visibilityConfig.cloudWatchMetricsEnabled
Optional | boolean
| | rules.[].visibilityConfig.metricName
Optional | string
| | rules.[].visibilityConfig.sampledRequestsEnabled
Optional | boolean
| | scope
Required | string
Specifies whether this is for an Amazon CloudFront distribution or for a
regional application. A regional application can be an Application Load Balancer
(ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon
Cognito user pool, an App Runner service, or an Amazon Web Services Verified
Access instance.

To work with CloudFront, you must also specify the Region US East (N. Virginia)
as follows:

* CLI - Specify the Region when you use the CloudFront scope: –scope=CLOUDFRONT
–region=us-east-1.

* API and SDKs - For all calls, use the Region endpoint us-east-1. | | tags
Optional | array
An array of key:value pairs to associate with the resource. | | tags.[]
Required | object
A tag associated with an Amazon Web Services resource. Tags are key:value pairs that you can use to categorize and manage your resources, for purposes like billing or other management. Typically, the tag key represents a category, such as “environment”, and the tag value represents a specific value within that category, such as “test,” “development,” or “production”. Or you might set the tag key to “customer” and the value to the customer name or ID. You can specify one or more tags to add to each Amazon Web Services resource, up to 50 tags for a resource.

You can tag the Amazon Web Services resources that you manage through WAF: web ACLs, rule groups, IP sets, and regex pattern sets. You can’t manage or view tags through the WAF console. || tags.[].key
Optional | string
| | tags.[].value
Optional | string
| | tokenDomains
Optional | array
Specifies the domains that WAF should accept in a web request token. This
enables the use of tokens across multiple protected websites. When WAF provides
a token, it uses the domain of the Amazon Web Services resource that the
web ACL is protecting. If you don’t specify a list of token domains, WAF
accepts tokens only for the domain of the protected resource. With a token
domain list, WAF accepts the resource’s host domain plus all domains in the
token domain list, including their prefixed subdomains.

Example JSON: “TokenDomains”: { “mywebsite.com”, “myotherwebsite.com” }

Public suffixes aren’t allowed. For example, you can’t use gov.au or co.uk
as token domains. | | tokenDomains.[]
Required | string
|| visibilityConfig
Required | object
Defines and enables Amazon CloudWatch metrics and web request sample collection. | | visibilityConfig.cloudWatchMetricsEnabled
Optional | boolean
| | visibilityConfig.metricName
Optional | string
| | visibilityConfig.sampledRequestsEnabled
Optional | boolean
|

Status

ackResourceMetadata: 
  arn: string
  ownerAccountID: string
  region: string
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
id: string
lockToken: string
FieldDescription
ackResourceMetadata
Optional
object
All CRs managed by ACK have a common Status.ACKResourceMetadata member
that is used to contain resource sync state, account ownership,
constructed ARN for the resource
ackResourceMetadata.arn
Optional
string
ARN is the Amazon Resource Name for the resource. This is a
globally-unique identifier and is set only by the ACK service controller
once the controller has orchestrated the creation of the resource OR
when it has verified that an “adopted” resource (a resource where the
ARN annotation was set by the Kubernetes user on the CR) exists and
matches the supplied CR’s Spec field values.
https://github.com/aws/aws-controllers-k8s/issues/270
ackResourceMetadata.ownerAccountID
Required
string
OwnerAccountID is the AWS Account ID of the account that owns the
backend AWS service API resource.
ackResourceMetadata.region
Required
string
Region is the AWS region in which the resource exists or will exist.
conditions
Optional
array
All CRS managed by ACK have a common Status.Conditions member that
contains a collection of ackv1alpha1.Condition objects that describe
the various terminal states of the CR and its backend AWS service API
resource
conditions.[]
Required
object
Condition is the common struct used by all CRDs managed by ACK service
controllers to indicate terminal states of the CR and its backend AWS
service API resource
conditions.[].message
Optional
string
A human readable message indicating details about the transition.
conditions.[].reason
Optional
string
The reason for the condition’s last transition.
conditions.[].status
Optional
string
Status of the condition, one of True, False, Unknown.
conditions.[].type
Optional
string
Type is the type of the Condition
id
Optional
string
The unique identifier for the web ACL. This ID is returned in the responses
to create and list commands. You provide it to operations like update and
delete.
lockToken
Optional
string
A token used for optimistic locking. WAF returns a token to your get and
list requests, to mark the state of the entity at the time of the request.
To make changes to the entity associated with the token, you provide the
token to operations like update and delete. WAF uses the token to ensure
that no changes have been made to the entity since you last retrieved it.
If a change has been made, the update fails with a WAFOptimisticLockException.
If this happens, perform another get, and use the new token returned by that
operation.