# WebACL

`wafv2.services.k8s.aws/v1alpha1`
Type | Link |
---|---|
GoDoc | wafv2-controller/apis/v1alpha1#WebACL |
## Metadata
Property | Value |
---|---|
Scope | Namespaced |
Kind | WebACL |
ListKind | WebACLList |
Plural | webacls |
Singular | webacl |
A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has a statement that defines what to look for in web requests and an action that WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.
## Spec

```yaml
associationConfig:
  requestBody: {}
captchaConfig:
  immunityTimeProperty:
    immunityTime: integer
challengeConfig:
  immunityTimeProperty:
    immunityTime: integer
customResponseBodies: {}
defaultAction:
  allow:
    customRequestHandling:
      insertHeaders:
      - name: string
        value: string
  block:
    customResponse:
      customResponseBodyKey: string
      responseCode: integer
      responseHeaders:
      - name: string
        value: string
description: string
name: string
rules:
- action:
    allow:
      customRequestHandling:
        insertHeaders:
        - name: string
          value: string
    block:
      customResponse:
        customResponseBodyKey: string
        responseCode: integer
        responseHeaders:
        - name: string
          value: string
    captcha:
      customRequestHandling:
        insertHeaders:
        - name: string
          value: string
    challenge:
      customRequestHandling:
        insertHeaders:
        - name: string
          value: string
    count:
      customRequestHandling:
        insertHeaders:
        - name: string
          value: string
  captchaConfig:
    immunityTimeProperty:
      immunityTime: integer
  challengeConfig:
    immunityTimeProperty:
      immunityTime: integer
  name: string
  overrideAction:
    count:
      customRequestHandling:
        insertHeaders:
        - name: string
          value: string
    none: {}
  priority: integer
  ruleLabels:
  - name: string
  statement:
    andStatement: string
    byteMatchStatement:
      fieldToMatch:
        allQueryArguments: {}
        body:
          oversizeHandling: string
        cookies:
          matchPattern:
            all: {}
            excludedCookies:
            - string
            includedCookies:
            - string
          matchScope: string
          oversizeHandling: string
        headerOrder:
          oversizeHandling: string
        headers:
          matchPattern:
            all: {}
            excludedHeaders:
            - string
            includedHeaders:
            - string
          matchScope: string
          oversizeHandling: string
        ja3Fingerprint:
          fallbackBehavior: string
        jsonBody:
          invalidFallbackBehavior: string
          matchPattern:
            all: {}
            includedPaths:
            - string
          matchScope: string
          oversizeHandling: string
        method: {}
        queryString: {}
        singleHeader:
          name: string
        singleQueryArgument:
          name: string
        uriPath: {}
      positionalConstraint: string
      searchString: string
      textTransformations:
      - priority: integer
        type: string
    geoMatchStatement:
      countryCodes:
      - string
      forwardedIPConfig:
        fallbackBehavior: string
        headerName: string
    ipSetReferenceStatement:
      arn: string
      ipSetForwardedIPConfig:
        fallbackBehavior: string
        headerName: string
        position: string
    labelMatchStatement:
      key: string
      scope: string
    managedRuleGroupStatement:
      excludedRules:
      - name: string
      managedRuleGroupConfigs:
      - awsManagedRulesACFPRuleSet:
          creationPath: string
          enableRegexInPath: boolean
          registrationPagePath: string
          requestInspection:
            addressFields:
            - identifier: string
            emailField:
              identifier: string
            passwordField:
              identifier: string
            payloadType: string
            phoneNumberFields:
            - identifier: string
            usernameField:
              identifier: string
          responseInspection:
            bodyContains:
              failureStrings:
              - string
              successStrings:
              - string
            header:
              failureValues:
              - string
              name: string
              successValues:
              - string
            json:
              failureValues:
              - string
              identifier: string
              successValues:
              - string
            statusCode:
              failureCodes:
              - integer
              successCodes:
              - integer
        awsManagedRulesATPRuleSet:
          enableRegexInPath: boolean
          loginPath: string
          requestInspection:
            passwordField:
              identifier: string
            payloadType: string
            usernameField:
              identifier: string
          responseInspection:
            bodyContains:
              failureStrings:
              - string
              successStrings:
              - string
            header:
              failureValues:
              - string
              name: string
              successValues:
              - string
            json:
              failureValues:
              - string
              identifier: string
              successValues:
              - string
            statusCode:
              failureCodes:
              - integer
              successCodes:
              - integer
        awsManagedRulesBotControlRuleSet:
          enableMachineLearning: boolean
          inspectionLevel: string
        loginPath: string
        passwordField:
          identifier: string
        payloadType: string
        usernameField:
          identifier: string
      name: string
      ruleActionOverrides:
      - actionToUse:
          allow:
            customRequestHandling:
              insertHeaders:
              - name: string
                value: string
          block:
            customResponse:
              customResponseBodyKey: string
              responseCode: integer
              responseHeaders:
              - name: string
                value: string
          captcha:
            customRequestHandling:
              insertHeaders:
              - name: string
                value: string
          challenge:
            customRequestHandling:
              insertHeaders:
              - name: string
                value: string
          count:
            customRequestHandling:
              insertHeaders:
              - name: string
                value: string
        name: string
      scopeDownStatement: string
      vendorName: string
      version: string
    notStatement: string
    orStatement: string
    rateBasedStatement:
      aggregateKeyType: string
      customKeys:
      - cookie:
          name: string
          textTransformations:
          - priority: integer
            type: string
        forwardedIP: {}
        header:
          name: string
          textTransformations:
          - priority: integer
            type: string
        httpMethod: {}
        iP: {}
        labelNamespace:
          namespace: string
        queryArgument:
          name: string
          textTransformations:
          - priority: integer
            type: string
        queryString:
          textTransformations:
          - priority: integer
            type: string
        uriPath:
          textTransformations:
          - priority: integer
            type: string
      evaluationWindowSec: integer
      forwardedIPConfig:
        fallbackBehavior: string
        headerName: string
      limit: integer
      scopeDownStatement: string
    regexMatchStatement:
      fieldToMatch:
        allQueryArguments: {}
        body:
          oversizeHandling: string
        cookies:
          matchPattern:
            all: {}
            excludedCookies:
            - string
            includedCookies:
            - string
          matchScope: string
          oversizeHandling: string
        headerOrder:
          oversizeHandling: string
        headers:
          matchPattern:
            all: {}
            excludedHeaders:
            - string
            includedHeaders:
            - string
          matchScope: string
          oversizeHandling: string
        ja3Fingerprint:
          fallbackBehavior: string
        jsonBody:
          invalidFallbackBehavior: string
          matchPattern:
            all: {}
            includedPaths:
            - string
          matchScope: string
          oversizeHandling: string
        method: {}
        queryString: {}
        singleHeader:
          name: string
        singleQueryArgument:
          name: string
        uriPath: {}
      regexString: string
      textTransformations:
      - priority: integer
        type: string
    regexPatternSetReferenceStatement:
      arn: string
      fieldToMatch:
        allQueryArguments: {}
        body:
          oversizeHandling: string
        cookies:
          matchPattern:
            all: {}
            excludedCookies:
            - string
            includedCookies:
            - string
          matchScope: string
          oversizeHandling: string
        headerOrder:
          oversizeHandling: string
        headers:
          matchPattern:
            all: {}
            excludedHeaders:
            - string
            includedHeaders:
            - string
          matchScope: string
          oversizeHandling: string
        ja3Fingerprint:
          fallbackBehavior: string
        jsonBody:
          invalidFallbackBehavior: string
          matchPattern:
            all: {}
            includedPaths:
            - string
          matchScope: string
          oversizeHandling: string
        method: {}
        queryString: {}
        singleHeader:
          name: string
        singleQueryArgument:
          name: string
        uriPath: {}
      textTransformations:
      - priority: integer
        type: string
    ruleGroupReferenceStatement:
      arn: string
      excludedRules:
      - name: string
      ruleActionOverrides:
      - actionToUse:
          allow:
            customRequestHandling:
              insertHeaders:
              - name: string
                value: string
          block:
            customResponse:
              customResponseBodyKey: string
              responseCode: integer
              responseHeaders:
              - name: string
                value: string
          captcha:
            customRequestHandling:
              insertHeaders:
              - name: string
                value: string
          challenge:
            customRequestHandling:
              insertHeaders:
              - name: string
                value: string
          count:
            customRequestHandling:
              insertHeaders:
              - name: string
                value: string
        name: string
    sizeConstraintStatement:
      comparisonOperator: string
      fieldToMatch:
        allQueryArguments: {}
        body:
          oversizeHandling: string
        cookies:
          matchPattern:
            all: {}
            excludedCookies:
            - string
            includedCookies:
            - string
          matchScope: string
          oversizeHandling: string
        headerOrder:
          oversizeHandling: string
        headers:
          matchPattern:
            all: {}
            excludedHeaders:
            - string
            includedHeaders:
            - string
          matchScope: string
          oversizeHandling: string
        ja3Fingerprint:
          fallbackBehavior: string
        jsonBody:
          invalidFallbackBehavior: string
          matchPattern:
            all: {}
            includedPaths:
            - string
          matchScope: string
          oversizeHandling: string
        method: {}
        queryString: {}
        singleHeader:
          name: string
        singleQueryArgument:
          name: string
        uriPath: {}
      size: integer
      textTransformations:
      - priority: integer
        type: string
    sqliMatchStatement:
      fieldToMatch:
        allQueryArguments: {}
        body:
          oversizeHandling: string
        cookies:
          matchPattern:
            all: {}
            excludedCookies:
            - string
            includedCookies:
            - string
          matchScope: string
          oversizeHandling: string
        headerOrder:
          oversizeHandling: string
        headers:
          matchPattern:
            all: {}
            excludedHeaders:
            - string
            includedHeaders:
            - string
          matchScope: string
          oversizeHandling: string
        ja3Fingerprint:
          fallbackBehavior: string
        jsonBody:
          invalidFallbackBehavior: string
          matchPattern:
            all: {}
            includedPaths:
            - string
          matchScope: string
          oversizeHandling: string
        method: {}
        queryString: {}
        singleHeader:
          name: string
        singleQueryArgument:
          name: string
        uriPath: {}
      sensitivityLevel: string
      textTransformations:
      - priority: integer
        type: string
    xssMatchStatement:
      fieldToMatch:
        allQueryArguments: {}
        body:
          oversizeHandling: string
        cookies:
          matchPattern:
            all: {}
            excludedCookies:
            - string
            includedCookies:
            - string
          matchScope: string
          oversizeHandling: string
        headerOrder:
          oversizeHandling: string
        headers:
          matchPattern:
            all: {}
            excludedHeaders:
            - string
            includedHeaders:
            - string
          matchScope: string
          oversizeHandling: string
        ja3Fingerprint:
          fallbackBehavior: string
        jsonBody:
          invalidFallbackBehavior: string
          matchPattern:
            all: {}
            includedPaths:
            - string
          matchScope: string
          oversizeHandling: string
        method: {}
        queryString: {}
        singleHeader:
          name: string
        singleQueryArgument:
          name: string
        uriPath: {}
      textTransformations:
      - priority: integer
        type: string
  visibilityConfig:
    cloudWatchMetricsEnabled: boolean
    metricName: string
    sampledRequestsEnabled: boolean
scope: string
tags:
- key: string
  value: string
tokenDomains:
- string
visibilityConfig:
  cloudWatchMetricsEnabled: boolean
  metricName: string
  sampledRequestsEnabled: boolean
```
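A complete manifest assembled from this skeleton, as an added example that is not taken from the ACK project's own documentation. The resource, namespace, metric and label names are constructed; the `customResponseBodies` entry follows the AWS CustomResponseBody shape (`contentType`, `content`), which the skeleton shows only as an empty map; `AWSManagedRulesCommonRuleSet` and its `SizeRestrictions_BODY` rule are the AWS-published names.

```yaml
apiVersion: wafv2.services.k8s.aws/v1alpha1
kind: WebACL
metadata:
  name: api-edge-acl              # constructed name
  namespace: edge-security        # constructed namespace
spec:
  name: api-edge-acl
  scope: REGIONAL                 # ALB, API Gateway, Cognito, App Runner, Verified Access
  description: Edge protection for the public API
  # Requests that match no rule are allowed; every block below is an explicit decision.
  defaultAction:
    allow: {}
  # Custom bodies are defined once on the web ACL and referenced by key from block actions.
  customResponseBodies:
    rate-limited:                 # assumed CustomResponseBody shape (contentType/content)
      contentType: TEXT_PLAIN
      content: "Too many requests. Retry later."
  rules:
  # 1. AWS managed baseline. overrideAction none keeps the group's own verdicts;
  #    the one rule still being tuned is switched to count via ruleActionOverrides,
  #    so it is logged and labelled but does not block.
  - name: aws-common-rule-set
    priority: 10
    overrideAction:
      none: {}
    statement:
      managedRuleGroupStatement:
        vendorName: AWS
        name: AWSManagedRulesCommonRuleSet
        ruleActionOverrides:
        - name: SizeRestrictions_BODY
          actionToUse:
            count: {}
    visibilityConfig:
      cloudWatchMetricsEnabled: true
      metricName: awsCommonRuleSet
      sampledRequestsEnabled: true
  # 2. Per-source-IP rate limit: more than 2000 requests in a 5-minute window
  #    returns a 429 carrying the custom body defined above.
  - name: rate-limit-per-ip
    priority: 20
    action:
      block:
        customResponse:
          responseCode: 429
          customResponseBodyKey: rate-limited
          responseHeaders:
          - name: retry-after
            value: "60"
    statement:
      rateBasedStatement:
        aggregateKeyType: IP
        limit: 2000
        evaluationWindowSec: 300
    visibilityConfig:
      cloudWatchMetricsEnabled: true
      metricName: rateLimitPerIP
      sampledRequestsEnabled: true
  # 3. SQL injection inspection of every query argument, decoded before matching.
  #    textTransformations run in priority order (lowest first).
  - name: sqli-query-args
    priority: 30
    action:
      block: {}
    ruleLabels:
    - name: app:sqli:query-args   # constructed label, available to later rules
    statement:
      sqliMatchStatement:
        sensitivityLevel: HIGH
        fieldToMatch:
          allQueryArguments: {}
        textTransformations:
        - priority: 0
          type: URL_DECODE
        - priority: 1
          type: HTML_ENTITY_DECODE
    visibilityConfig:
      cloudWatchMetricsEnabled: true
      metricName: sqliQueryArgs
      sampledRequestsEnabled: true
  # Web-ACL-level metrics and sampling; rule-level settings above do not replace this.
  visibilityConfig:
    cloudWatchMetricsEnabled: true
    metricName: apiEdgeACL
    sampledRequestsEnabled: true
  tags:
  - key: owner
    value: platform-security      # constructed tag
```

Promoting the counted rule to enforcement later is a one-line change: drop its `ruleActionOverrides` entry and the managed group's own block action applies again.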
Field | Description |
---|---|
associationConfig Optional | object Specifies custom configurations for the associations between the web ACL and protected resources. Use this to customize the maximum size of the request body that your protected resources forward to WAF for inspection. You can customize this setting for CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources. The default setting is 16 KB (16,384 bytes). You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing (http://aws.amazon.com/waf/pricing/). For Application Load Balancer and AppSync, the limit is fixed at 8 KB (8,192 bytes). |
associationConfig.requestBody Optional | object |
captchaConfig Optional | object Specifies how WAF should handle CAPTCHA evaluations for rules that don’t have their own CaptchaConfig settings. If you don’t specify this, WAF uses its default settings for CaptchaConfig. |
captchaConfig.immunityTimeProperty Optional | object Used for CAPTCHA and challenge token settings. Determines how long a CAPTCHA or challenge timestamp remains valid after WAF updates it for a successful CAPTCHA or challenge response. |
captchaConfig.immunityTimeProperty.immunityTime Optional | integer |
challengeConfig Optional | object Specifies how WAF should handle challenge evaluations for rules that don’t have their own ChallengeConfig settings. If you don’t specify this, WAF uses its default settings for ChallengeConfig. |
challengeConfig.immunityTimeProperty Optional | object Used for CAPTCHA and challenge token settings. Determines how long a CAPTCHA or challenge timestamp remains valid after WAF updates it for a successful CAPTCHA or challenge response. |
challengeConfig.immunityTimeProperty.immunityTime Optional | integer |
customResponseBodies Optional | object A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the web ACL, and then use them in the rules and default actions that you define in the web ACL. For information about customizing web requests and responses, see Customizing web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the WAF Developer Guide. For information about the limits on count and size for custom request and response settings, see WAF quotas (https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) in the WAF Developer Guide. |
defaultAction Required | object The action to perform if none of the Rules contained in the WebACL match. |
defaultAction.allow Optional | object Specifies that WAF should allow the request and optionally defines additional custom handling for the request. This is used in the context of other settings, for example to specify values for RuleAction and web ACL DefaultAction. |
defaultAction.allow.customRequestHandling Optional | object Custom request handling behavior that inserts custom headers into a web request. You can add custom request handling for WAF to use when the rule action doesn’t block the request. For example, CaptchaAction for requests with valid tokens, and AllowAction. For information about customizing web requests and responses, see Customizing web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the WAF Developer Guide. |
defaultAction.allow.customRequestHandling.insertHeaders Optional | array |
defaultAction.allow.customRequestHandling.insertHeaders.[] Required | object A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. |
defaultAction.allow.customRequestHandling.insertHeaders.[].value Optional | string |
defaultAction.block Optional | object Specifies that WAF should block the request and optionally defines additional custom handling for the response to the web request. This is used in the context of other settings, for example to specify values for RuleAction and web ACL DefaultAction. |
defaultAction.block.customResponse Optional | object A custom response to send to the client. You can define a custom response for rule actions and default web ACL actions that are set to BlockAction. For information about customizing web requests and responses, see Customizing web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the WAF Developer Guide. |
defaultAction.block.customResponse.customResponseBodyKey Optional | string |
defaultAction.block.customResponse.responseCode Optional | integer |
defaultAction.block.customResponse.responseHeaders Optional | array |
defaultAction.block.customResponse.responseHeaders.[] Required | object A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. |
defaultAction.block.customResponse.responseHeaders.[].value Optional | string |
description Optional | string A description of the web ACL that helps with identification. |
name Required | string The name of the web ACL. You cannot change the name of a web ACL after you create it. |
rules Optional | array The Rule statements used to identify the web requests that you want to manage. Each rule includes one top-level statement that WAF uses to identify matching web requests, and parameters that govern how WAF handles them. |
rules.[] Required | object A single rule, which you can use in a WebACL or RuleGroup to identify web requests that you want to manage in some way. Each rule includes one top-level Statement that WAF uses to identify matching web requests, and parameters that govern how WAF handles them. |
rules.[].action.allow Optional | object Specifies that WAF should allow the request and optionally defines additional custom handling for the request. This is used in the context of other settings, for example to specify values for RuleAction and web ACL DefaultAction. |
rules.[].action.allow.customRequestHandling Optional | object Custom request handling behavior that inserts custom headers into a web request. You can add custom request handling for WAF to use when the rule action doesn’t block the request. For example, CaptchaAction for requests with valid tokens, and AllowAction. For information about customizing web requests and responses, see Customizing web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the WAF Developer Guide. |
rules.[].action.allow.customRequestHandling.insertHeaders Optional | array |
rules.[].action.allow.customRequestHandling.insertHeaders.[] Required | object A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. |
rules.[].action.allow.customRequestHandling.insertHeaders.[].value Optional | string |
rules.[].action.block Optional | object Specifies that WAF should block the request and optionally defines additional custom handling for the response to the web request. This is used in the context of other settings, for example to specify values for RuleAction and web ACL DefaultAction. |
rules.[].action.block.customResponse Optional | object A custom response to send to the client. You can define a custom response for rule actions and default web ACL actions that are set to BlockAction. For information about customizing web requests and responses, see Customizing web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the WAF Developer Guide. |
rules.[].action.block.customResponse.customResponseBodyKey Optional | string |
rules.[].action.block.customResponse.responseCode Optional | integer |
rules.[].action.block.customResponse.responseHeaders Optional | array |
rules.[].action.block.customResponse.responseHeaders.[] Required | object A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. |
rules.[].action.block.customResponse.responseHeaders.[].value Optional | string |
rules.[].action.captcha Optional | object Specifies that WAF should run a CAPTCHA check against the request: * If the request includes a valid, unexpired CAPTCHA token, WAF applies any custom request handling and labels that you’ve configured and then allows the web request inspection to proceed to the next rule, similar to a CountAction. * If the request doesn’t include a valid, unexpired token, WAF discontinues the web ACL evaluation of the request and blocks it from going to its intended destination. WAF generates a response that it sends back to the client, which includes the following: The header x-amzn-waf-action with a value of captcha. The HTTP status code 405 Method Not Allowed. If the request contains an Accept header with a value of text/html, the response includes a CAPTCHA JavaScript page interstitial. You can configure the expiration time in the CaptchaConfig ImmunityTimeProperty setting at the rule and web ACL level. The rule setting overrides the web ACL setting. This action option is available for rules. It isn’t available for web ACL default actions. |
rules.[].action.captcha.customRequestHandling Optional | object Custom request handling behavior that inserts custom headers into a web request. You can add custom request handling for WAF to use when the rule action doesn’t block the request. For example, CaptchaAction for requests with valid tokens, and AllowAction. For information about customizing web requests and responses, see Customizing web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the WAF Developer Guide. |
rules.[].action.captcha.customRequestHandling.insertHeaders Optional | array |
rules.[].action.captcha.customRequestHandling.insertHeaders.[] Required | object A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. |
rules.[].action.captcha.customRequestHandling.insertHeaders.[].value Optional | string |
rules.[].action.challenge Optional | object Specifies that WAF should run a Challenge check against the request to verify that the request is coming from a legitimate client session: * If the request includes a valid, unexpired challenge token, WAF applies any custom request handling and labels that you’ve configured and then allows the web request inspection to proceed to the next rule, similar to a CountAction. * If the request doesn’t include a valid, unexpired challenge token, WAF discontinues the web ACL evaluation of the request and blocks it from going to its intended destination. WAF then generates a challenge response that it sends back to the client, which includes the following: The header x-amzn-waf-action with a value of challenge. The HTTP status code 202 Request Accepted. If the request contains an Accept header with a value of text/html, the response includes a JavaScript page interstitial with a challenge script. Challenges run silent browser interrogations in the background, and don’t generally affect the end user experience. A challenge enforces token acquisition using an interstitial JavaScript challenge that inspects the client session for legitimate behavior. The challenge blocks bots or at least increases the cost of operating sophisticated bots. After the client session successfully responds to the challenge, it receives a new token from WAF, which the challenge script uses to resubmit the original request. You can configure the expiration time in the ChallengeConfig ImmunityTimeProperty setting at the rule and web ACL level. The rule setting overrides the web ACL setting. This action option is available for rules. It isn’t available for web ACL default actions. |
rules.[].action.challenge.customRequestHandling Optional | object Custom request handling behavior that inserts custom headers into a web request. You can add custom request handling for WAF to use when the rule action doesn’t block the request. For example, CaptchaAction for requests with valid tokens, and AllowAction. For information about customizing web requests and responses, see Customizing web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the WAF Developer Guide. |
rules.[].action.challenge.customRequestHandling.insertHeaders Optional | array |
rules.[].action.challenge.customRequestHandling.insertHeaders.[] Required | object A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. |
rules.[].action.challenge.customRequestHandling.insertHeaders.[].value Optional | string |
rules.[].action.count Optional | object Specifies that WAF should count the request. Optionally defines additional custom handling for the request. This is used in the context of other settings, for example to specify values for RuleAction and web ACL DefaultAction. |
rules.[].action.count.customRequestHandling Optional | object Custom request handling behavior that inserts custom headers into a web request. You can add custom request handling for WAF to use when the rule action doesn’t block the request. For example, CaptchaAction for requests with valid tokens, and AllowAction. For information about customizing web requests and responses, see Customizing web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the WAF Developer Guide. |
rules.[].action.count.customRequestHandling.insertHeaders Optional | array |
rules.[].action.count.customRequestHandling.insertHeaders.[] Required | object A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. |
rules.[].action.count.customRequestHandling.insertHeaders.[].value Optional | string |
rules.[].captchaConfig Optional | object Specifies how WAF should handle CAPTCHA evaluations. This is available at the web ACL level and in each rule. |
rules.[].captchaConfig.immunityTimeProperty Optional | object Used for CAPTCHA and challenge token settings. Determines how long a CAPTCHA or challenge timestamp remains valid after WAF updates it for a successful CAPTCHA or challenge response. |
rules.[].captchaConfig.immunityTimeProperty.immunityTime Optional | integer |
rules.[].challengeConfig Optional | object Specifies how WAF should handle Challenge evaluations. This is available at the web ACL level and in each rule. |
rules.[].challengeConfig.immunityTimeProperty Optional | object Used for CAPTCHA and challenge token settings. Determines how long a CAPTCHA or challenge timestamp remains valid after WAF updates it for a successful CAPTCHA or challenge response. |
rules.[].challengeConfig.immunityTimeProperty.immunityTime Optional | integer |
rules.[].name Optional | string |
rules.[].overrideAction Optional | object The action to use in the place of the action that results from the rule group evaluation. Set the override action to none to leave the result of the rule group alone. Set it to count to override the result to count only. You can only use this for rule statements that reference a rule group, like RuleGroupReferenceStatement and ManagedRuleGroupStatement. This option is usually set to none. It does not affect how the rules in the rule group are evaluated. If you want the rules in the rule group to only count matches, do not use this and instead use the rule action override option, with Count action, in your rule group reference statement settings. |
rules.[].overrideAction.count Optional | object Specifies that WAF should count the request. Optionally defines additional custom handling for the request. This is used in the context of other settings, for example to specify values for RuleAction and web ACL DefaultAction. |
rules.[].overrideAction.count.customRequestHandling Optional | object Custom request handling behavior that inserts custom headers into a web request. You can add custom request handling for WAF to use when the rule action doesn’t block the request. For example, CaptchaAction for requests with valid tokens, and AllowAction. For information about customizing web requests and responses, see Customizing web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) in the WAF Developer Guide. |
rules.[].overrideAction.count.customRequestHandling.insertHeaders Optional | array |
rules.[].overrideAction.count.customRequestHandling.insertHeaders.[] Required | object A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling. |
rules.[].overrideAction.count.customRequestHandling.insertHeaders.[].value Optional | string |
rules.[].overrideAction.none Optional | object Specifies that WAF should do nothing. This is used for the OverrideAction setting on a Rule when the rule uses a rule group reference statement. This is used in the context of other settings, for example to specify values for RuleAction and web ACL DefaultAction. JSON specification: `"None": {}` |
rules.[].priority Optional | integer |
rules.[].ruleLabels Optional | array |
rules.[].ruleLabels.[] Required | object A single label container. This is used as an element of a label array in multiple contexts, for example, in RuleLabels inside a Rule and in Labels inside a SampledHTTPRequest. |
rules.[].statement Optional | object The processing guidance for a Rule, used by WAF to determine whether a web request matches the rule. For example specifications, see the examples section of CreateWebACL. |
rules.[].statement.andStatement Optional | string |
rules.[].statement.byteMatchStatement Optional | object A rule statement that defines a string match search for WAF to apply to web requests. The byte match statement provides the bytes to search for, the location in requests that you want WAF to search, and other settings. The bytes to search for are typically a string that corresponds with ASCII characters. In the WAF console and the developer guide, this is called a string match statement. |
rules.[].statement.byteMatchStatement.fieldToMatch Optional | object Specifies a web request component to be used in a rule match statement or in a logging configuration. * In a rule statement, this is the part of the web request that you want WAF to inspect. Include the single FieldToMatch type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in FieldToMatch for each rule statement that requires it. To inspect more than one component of the web request, create a separate rule statement for each component. Example JSON for a QueryString field to match: `"FieldToMatch": { "QueryString": {} }` Example JSON for a Method field to match specification: `"FieldToMatch": { "Method": { "Name": "DELETE" } }` * In a logging configuration, this is used in the RedactedFields property to specify a field to redact from the logging records. For this use case, note the following: Even though all FieldToMatch settings are available, the only valid settings for field redaction are UriPath, QueryString, SingleHeader, and Method. In this documentation, the descriptions of the individual fields talk about specifying the web request component to inspect, but for field redaction, you are specifying the component type to redact from the logs. |
rules.[].statement.byteMatchStatement.fieldToMatch.allQueryArguments Optional | object Inspect all query arguments of the web request. This is used in the FieldToMatch specification for some web request component types. JSON specification: `"AllQueryArguments": {}` |
rules.[].statement.byteMatchStatement.fieldToMatch.body Optional | object Inspect the body of the web request. The body immediately follows the request headers. This is used to indicate the web request component to inspect, in the FieldToMatch specification. |
rules.[].statement.byteMatchStatement.fieldToMatch.body.oversizeHandling Optional | string |
rules.[].statement.byteMatchStatement.fieldToMatch.cookies Optional | object Inspect the cookies in the web request. You can specify the parts of the cookies to inspect and you can narrow the set of cookies to inspect by including or excluding specific keys. This is used to indicate the web request component to inspect, in the FieldToMatch specification. Example JSON: `"Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", "OversizeHandling": "MATCH" }` |
rules.[].statement.byteMatchStatement.fieldToMatch.cookies.matchPattern Optional | object The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies. Example JSON: `"MatchPattern": { "IncludedCookies": [ "session-id-time", "session-id" ] }` |
rules.[].statement.byteMatchStatement.fieldToMatch.cookies.matchPattern.all Optional | object Inspect all of the elements that WAF has parsed and extracted from the web request component that you’ve identified in your FieldToMatch specifications. This is used in the FieldToMatch specification for some web request component types. JSON specification: `"All": {}` |
rules.[].statement.byteMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies Optional | array |
rules.[].statement.byteMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies.[] Required | string |
rules.[].statement.byteMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies.[] Required | string |
rules.[].statement.byteMatchStatement.fieldToMatch.cookies.oversizeHandling Optional | string |
rules.[].statement.byteMatchStatement.fieldToMatch.headerOrder Optional | object Inspect a string containing the list of the request’s header names, ordered as they appear in the web request that WAF receives for inspection. WAF generates the string and then uses that as the field to match component in its inspection. WAF separates the header names in the string using colons and no added spaces, for example host:user-agent:accept:authorization:referer. |
rules.[].statement.byteMatchStatement.fieldToMatch.headerOrder.oversizeHandling Optional | string |
rules.[].statement.byteMatchStatement.fieldToMatch.headers Optional | object Inspect all headers in the web request. You can specify the parts of the headers to inspect and you can narrow the set of headers to inspect by including or excluding specific keys. This is used to indicate the web request component to inspect, in the FieldToMatch specification. If you want to inspect just the value of a single header, use the SingleHeader FieldToMatch setting instead. Example JSON: "Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", "OversizeHandling": "MATCH" } |
rules.[].statement.byteMatchStatement.fieldToMatch.headers.matchPattern Optional | object The filter to use to identify the subset of headers to inspect in a web request. You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders. Example JSON: "MatchPattern": { "ExcludedHeaders": [ "KeyToExclude1", "KeyToExclude2" ] } |
rules.[].statement.byteMatchStatement.fieldToMatch.headers.matchPattern.all Optional | object Inspect all of the elements that WAF has parsed and extracted from the web request component that you’ve identified in your FieldToMatch specifications. This is used in the FieldToMatch specification for some web request component types. JSON specification: "All": {} |
rules.[].statement.byteMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders Optional | array |
rules.[].statement.byteMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders.[] Required | string |
rules.[].statement.byteMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders.[] Required | string |
rules.[].statement.byteMatchStatement.fieldToMatch.headers.oversizeHandling Optional | string |
rules.[].statement.byteMatchStatement.fieldToMatch.ja3Fingerprint Optional | object Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client’s TLS configuration. WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information. You can use this choice only with a string match ByteMatchStatement with the PositionalConstraint set to EXACTLY. You can obtain the JA3 fingerprint for client requests from the web ACL logs. If WAF is able to calculate the fingerprint, it includes it in the logs. For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html) in the WAF Developer Guide. Provide the JA3 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration. |
rules.[].statement.byteMatchStatement.fieldToMatch.ja3Fingerprint.fallbackBehavior Optional | string |
rules.[].statement.byteMatchStatement.fieldToMatch.jsonBody Optional | object Inspect the body of the web request as JSON. The body immediately follows the request headers. This is used to indicate the web request component to inspect, in the FieldToMatch specification. Use the specifications in this object to indicate which parts of the JSON body to inspect using the rule’s inspection criteria. WAF inspects only the parts of the JSON that result from the matches that you indicate. Example JSON: "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": "ALL" } |
rules.[].statement.byteMatchStatement.fieldToMatch.jsonBody.invalidFallbackBehavior Optional | string |
rules.[].statement.byteMatchStatement.fieldToMatch.jsonBody.matchPattern Optional | object The patterns to look for in the JSON body. WAF inspects the results of these pattern matches against the rule inspection criteria. This is used with the FieldToMatch option JsonBody. |
rules.[].statement.byteMatchStatement.fieldToMatch.jsonBody.matchPattern.all Optional | object Inspect all of the elements that WAF has parsed and extracted from the web request component that you’ve identified in your FieldToMatch specifications. This is used in the FieldToMatch specification for some web request component types. JSON specification: "All": {} |
rules.[].statement.byteMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths Optional | array |
rules.[].statement.byteMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths.[] Required | string |
rules.[].statement.byteMatchStatement.fieldToMatch.jsonBody.oversizeHandling Optional | string |
rules.[].statement.byteMatchStatement.fieldToMatch.method Optional | object Inspect the HTTP method of the web request. The method indicates the type of operation that the request is asking the origin to perform. This is used in the FieldToMatch specification for some web request component types. JSON specification: "Method": {} |
rules.[].statement.byteMatchStatement.fieldToMatch.queryString Optional | object Inspect the query string of the web request. This is the part of a URL that appears after a ? character, if any. This is used in the FieldToMatch specification for some web request component types. JSON specification: "QueryString": {} |
rules.[].statement.byteMatchStatement.fieldToMatch.singleHeader Optional | object Inspect one of the headers in the web request, identified by name, for example, User-Agent or Referer. The name isn’t case sensitive. You can filter and inspect all headers with the FieldToMatch setting Headers. This is used to indicate the web request component to inspect, in the FieldToMatch specification. Example JSON: "SingleHeader": { "Name": "haystack" } |
rules.[].statement.byteMatchStatement.fieldToMatch.singleHeader.name Optional | string |
rules.[].statement.byteMatchStatement.fieldToMatch.singleQueryArgument Optional | object Inspect one query argument in the web request, identified by name, for example UserName or SalesRegion. The name isn’t case sensitive. This is used to indicate the web request component to inspect, in the FieldToMatch specification. Example JSON: "SingleQueryArgument": { "Name": "myArgument" } |
rules.[].statement.byteMatchStatement.fieldToMatch.singleQueryArgument.name Optional | string |
rules.[].statement.byteMatchStatement.fieldToMatch.uriPath Optional | object Inspect the path component of the URI of the web request. This is the part of the web request that identifies a resource. For example, /images/daily-ad.jpg. This is used in the FieldToMatch specification for some web request component types. JSON specification: "UriPath": {} |
rules.[].statement.byteMatchStatement.positionalConstraint Optional | string |
rules.[].statement.byteMatchStatement.searchString Optional | string |
rules.[].statement.byteMatchStatement.textTransformations Optional | array |
rules.[].statement.byteMatchStatement.textTransformations.[] Required | object Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. |
rules.[].statement.byteMatchStatement.textTransformations.[].type Optional | string |
rules.[].statement.geoMatchStatement Optional | object A rule statement that labels web requests by country and region and that matches against web requests based on country code. A geo match rule labels every request that it inspects regardless of whether it finds a match. * To manage requests only by country, you can use this statement by itself and specify the countries that you want to match against in the CountryCodes array. * Otherwise, configure your geo match rule with Count action so that it only labels requests. Then, add one or more label match rules to run after the geo match rule and configure them to match against the geographic labels and handle the requests as needed. WAF labels requests using the alpha-2 country and region codes from the International Organization for Standardization (ISO) 3166 standard. WAF determines the codes using either the IP address in the web request origin or, if you specify it, the address in the geo match ForwardedIPConfig. If you use the web request origin, the label format is awswaf:clientip:geo:region:<ISO country code>-<ISO region code>. If you use a forwarded IP address, the label format is awswaf:forwardedip:geo:region:<ISO country code>-<ISO region code>. For additional details, see Geographic match rule statement (https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html) in the WAF Developer Guide (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). |
rules.[].statement.geoMatchStatement.countryCodes Optional | array |
rules.[].statement.geoMatchStatement.countryCodes.[] Required | string |
rules.[].statement.geoMatchStatement.forwardedIPConfig.fallbackBehavior Optional | string |
rules.[].statement.geoMatchStatement.forwardedIPConfig.headerName Optional | string |
rules.[].statement.ipSetReferenceStatement Optional | object A rule statement used to detect web requests coming from particular IP addresses or address ranges. To use this, create an IPSet that specifies the addresses you want to detect, then use the ARN of that set in this statement. To create an IP set, see CreateIPSet. Each IP set rule statement references an IP set. You create and maintain the set independent of your rules. This allows you to use the single set in multiple rules. When you update the referenced set, WAF automatically updates all rules that reference it. |
rules.[].statement.ipSetReferenceStatement.arn Optional | string |
rules.[].statement.ipSetReferenceStatement.ipSetForwardedIPConfig Optional | object The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that’s reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name. If the specified header isn’t present in the request, WAF doesn’t apply the rule to the web request at all. This configuration is used only for IPSetReferenceStatement. For GeoMatchStatement and RateBasedStatement, use ForwardedIPConfig instead. |
rules.[].statement.ipSetReferenceStatement.ipSetForwardedIPConfig.fallbackBehavior Optional | string |
rules.[].statement.ipSetReferenceStatement.ipSetForwardedIPConfig.headerName Optional | string |
rules.[].statement.ipSetReferenceStatement.ipSetForwardedIPConfig.position Optional | string |
rules.[].statement.labelMatchStatement Optional | object A rule statement to match against labels that have been added to the web request by rules that have already run in the web ACL. The label match statement provides the label or namespace string to search for. The label string can represent a part or all of the fully qualified label name that had been added to the web request. Fully qualified labels have a prefix, optional namespaces, and label name. The prefix identifies the rule group or web ACL context of the rule that added the label. If you do not provide the fully qualified name in your label match string, WAF performs the search for labels that were added in the same context as the label match statement. |
rules.[].statement.labelMatchStatement.key Optional | string |
rules.[].statement.labelMatchStatement.scope Optional | string |
rules.[].statement.managedRuleGroupStatement Optional | object A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names by calling ListAvailableManagedRuleGroups. You cannot nest a ManagedRuleGroupStatement, for example for use inside a NotStatement or OrStatement. You cannot use a managed rule group inside another rule group. You can only reference a managed rule group as a top-level statement within a rule that you define in a web ACL. You are charged additional fees when you use the WAF Bot Control managed rule group AWSManagedRulesBotControlRuleSet, the WAF Fraud Control account takeover prevention (ATP) managed rule group AWSManagedRulesATPRuleSet, or the WAF Fraud Control account creation fraud prevention (ACFP) managed rule group AWSManagedRulesACFPRuleSet. For more information, see WAF Pricing (http://aws.amazon.com/waf/pricing/). |
rules.[].statement.managedRuleGroupStatement.excludedRules Optional | array |
rules.[].statement.managedRuleGroupStatement.excludedRules.[] Required | object Specifies a single rule in a rule group whose action you want to override |
to Count. |
Instead of this option, use RuleActionOverrides. It accepts any valid action
setting, including Count. || rules.[].statement.managedRuleGroupStatement.excludedRules.[].name
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[]
Required | object
Additional information that’s used by a managed rule group. Many managed
rule groups don’t require this.
The rule groups used for intelligent threat mitigation require additional configuration:
Use the AWSManagedRulesACFPRuleSet configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields.
Use the AWSManagedRulesATPRuleSet configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.
Use the AWSManagedRulesBotControlRuleSet configuration object to configure the protection level that you want the Bot Control rule group to use.
For example specifications, see the examples section of CreateWebACL. || rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet
Optional | object
Details for your use of the account creation fraud prevention managed rule
group, AWSManagedRulesACFPRuleSet. This configuration is used in ManagedRuleGroupConfig. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.creationPath
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.enableRegexInPath
Optional | boolean
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.registrationPagePath
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection
Optional | object
The criteria for inspecting account creation requests, used by the ACFP rule
group to validate and track account creation attempts.
This is part of the AWSManagedRulesACFPRuleSet configuration in ManagedRuleGroupConfig.
In these settings, you specify how your application accepts account creation
attempts by providing the request payload type and the names of the fields
within the request body where the username, password, email, and primary
address and phone number fields are provided. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.addressFields
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.addressFields.[]
Required | object
The name of a field in the request payload that contains part or all of your
customer’s primary physical address.
This data type is used in the RequestInspectionACFP data type. || rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.addressFields.[].identifier
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.emailField
Optional | object
The name of the field in the request payload that contains your customer’s
email.
This data type is used in the RequestInspectionACFP data type. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.emailField.identifier
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.passwordField
Optional | object
The name of the field in the request payload that contains your customer’s
password.
This data type is used in the RequestInspection and RequestInspectionACFP
data types. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.passwordField.identifier
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.payloadType
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.phoneNumberFields
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.phoneNumberFields.[]
Required | object
The name of a field in the request payload that contains part or all of your
customer’s primary phone number.
This data type is used in the RequestInspectionACFP data type. || rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.phoneNumberFields.[].identifier
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.usernameField
Optional | object
The name of the field in the request payload that contains your customer’s
username.
This data type is used in the RequestInspection and RequestInspectionACFP
data types. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.requestInspection.usernameField.identifier
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection
Optional | object
The criteria for inspecting responses to login requests and account creation
requests, used by the ATP and ACFP rule groups to track login and account
creation success and failure rates.
Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions.
The rule groups evaluates the responses that your protected resources send
back to client login and account creation attempts, keeping count of successful
and failed attempts from each IP address and client session. Using this information,
the rule group labels and mitigates requests from client sessions and IP
addresses with too much suspicious activity in a short amount of time.
This is part of the AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet
configurations in ManagedRuleGroupConfig.
Enable response inspection by configuring exactly one component of the response
to inspect, for example, Header or StatusCode. You can’t configure more than
one component for inspection. If you don’t configure any of the response
inspection options, response inspection is disabled. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.bodyContains
Optional | object
Configures inspection of the response body. WAF can inspect the first 65,536
bytes (64 KB) of the response body. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.
Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.bodyContains.failureStrings
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.bodyContains.failureStrings.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.bodyContains.successStrings
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.bodyContains.successStrings.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.header
Optional | object
Configures inspection of the response header. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.
Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.header.failureValues
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.header.failureValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.header.name
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.header.successValues
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.header.successValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.json
Optional | object
Configures inspection of the response JSON. WAF can inspect the first 65,536
bytes (64 KB) of the response JSON. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.
Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.json.failureValues
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.json.failureValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.json.identifier
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.json.successValues
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.json.successValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.statusCode
Optional | object
Configures inspection of the response status code. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.
Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.statusCode.failureCodes
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.statusCode.failureCodes.[]
Required | integer
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.statusCode.successCodes
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesACFPRuleSet.responseInspection.statusCode.successCodes.[]
Required | integer
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet
Optional | object
Details for your use of the account takeover prevention managed rule group,
AWSManagedRulesATPRuleSet. This configuration is used in ManagedRuleGroupConfig. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.enableRegexInPath
Optional | boolean
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.loginPath
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.requestInspection
Optional | object
The criteria for inspecting login requests, used by the ATP rule group to
validate credentials usage.
This is part of the AWSManagedRulesATPRuleSet configuration in ManagedRuleGroupConfig.
In these settings, you specify how your application accepts login attempts
by providing the request payload type and the names of the fields within
the request body where the username and password are provided. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.requestInspection.passwordField
Optional | object
The name of the field in the request payload that contains your customer’s
password.
This data type is used in the RequestInspection and RequestInspectionACFP
data types. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.requestInspection.passwordField.identifier
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.requestInspection.payloadType
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.requestInspection.usernameField
Optional | object
The name of the field in the request payload that contains your customer’s
username.
This data type is used in the RequestInspection and RequestInspectionACFP
data types. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.requestInspection.usernameField.identifier
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection
Optional | object
The criteria for inspecting responses to login requests and account creation
requests, used by the ATP and ACFP rule groups to track login and account
creation success and failure rates.
Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions.
The rule groups evaluates the responses that your protected resources send
back to client login and account creation attempts, keeping count of successful
and failed attempts from each IP address and client session. Using this information,
the rule group labels and mitigates requests from client sessions and IP
addresses with too much suspicious activity in a short amount of time.
This is part of the AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet
configurations in ManagedRuleGroupConfig.
Enable response inspection by configuring exactly one component of the response
to inspect, for example, Header or StatusCode. You can’t configure more than
one component for inspection. If you don’t configure any of the response
inspection options, response inspection is disabled. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.bodyContains
Optional | object
Configures inspection of the response body. WAF can inspect the first 65,536
bytes (64 KB) of the response body. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.
Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.bodyContains.failureStrings
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.bodyContains.failureStrings.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.bodyContains.successStrings
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.bodyContains.successStrings.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.header
Optional | object
Configures inspection of the response header. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.
Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.header.failureValues
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.header.failureValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.header.name
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.header.successValues
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.header.successValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.json
Optional | object
Configures inspection of the response JSON. WAF can inspect the first 65,536
bytes (64 KB) of the response JSON. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.
Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.json.failureValues
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.json.failureValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.json.identifier
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.json.successValues
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.json.successValues.[]
Required | string
|| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.statusCode
Optional | object
Configures inspection of the response status code. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.
Response inspection is available only in web ACLs that protect Amazon CloudFront
distributions. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.statusCode.failureCodes
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.statusCode.failureCodes.[]
Required | integer
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.statusCode.successCodes
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesATPRuleSet.responseInspection.statusCode.successCodes.[]
Required | integer
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesBotControlRuleSet
Optional | object
Details for your use of the Bot Control managed rule group, AWSManagedRulesBotControlRuleSet.
This configuration is used in ManagedRuleGroupConfig. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesBotControlRuleSet.enableMachineLearning
Optional | boolean
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].awsManagedRulesBotControlRuleSet.inspectionLevel
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].loginPath
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].passwordField
Optional | object
The name of the field in the request payload that contains your customer’s
password.
This data type is used in the RequestInspection and RequestInspectionACFP
data types. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].passwordField.identifier
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].payloadType
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].usernameField
Optional | object
The name of the field in the request payload that contains your customer’s
username.
This data type is used in the RequestInspection and RequestInspectionACFP
data types. |
| rules.[].statement.managedRuleGroupStatement.managedRuleGroupConfigs.[].usernameField.identifier
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.name
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[]
Required | object
Action setting to use in the place of a rule action that is configured inside
the rule group. You specify one override for each rule whose action you want
to change.
You can use overrides for testing, for example you can override all of the rule
actions to Count and then monitor the resulting count metrics to understand
how the rule group would handle your web traffic. You can also permanently
override some or all actions, to modify how the rule group manages your web
traffic. |
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse
Optional | object
The action that WAF should take on a web request when it matches a rule’s
statement. Settings at the web ACL level can override the rule action setting. |
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.allow
Optional | object
Specifies that WAF should allow the request and optionally defines additional
custom handling for the request.
This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction. |
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid tokens,
and AllowAction.
For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. |
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in
CustomResponse and CustomRequestHandling. |
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders.[].name
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders.[].value
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block
Optional | object
Specifies that WAF should block the request and optionally defines additional
custom handling for the response to the web request.
This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction. |
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse
Optional | object
A custom response to send to the client. You can define a custom response
for rule actions and default web ACL actions that are set to BlockAction.
For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. |
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse.customResponseBodyKey
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseCode
Optional | integer
|
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in
CustomResponse and CustomRequestHandling. |
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders.[].name
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders.[].value
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.captcha
Optional | object
Specifies that WAF should run a CAPTCHA check against the request:
* If the request includes a valid, unexpired CAPTCHA token, WAF applies
any custom request handling and labels that you’ve configured and then
allows the web request inspection to proceed to the next rule, similar
to a CountAction.
* If the request doesn’t include a valid, unexpired token, WAF discontinues
the web ACL evaluation of the request and blocks it from going to its
intended destination. WAF generates a response that it sends back to the
client, which includes the following: The header x-amzn-waf-action with
a value of captcha. The HTTP status code 405 Method Not Allowed. If the
request contains an Accept header with a value of text/html, the response
includes a CAPTCHA JavaScript page interstitial.
You can configure the expiration time in the CaptchaConfig ImmunityTimeProperty
setting at the rule and web ACL level. The rule setting overrides the web
ACL setting.
This action option is available for rules. It isn’t available for web ACL
default actions. |
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid tokens,
and AllowAction.
For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. |
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in
CustomResponse and CustomRequestHandling. |
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders.[].name
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders.[].value
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.challenge
Optional | object
Specifies that WAF should run a Challenge check against the request to verify
that the request is coming from a legitimate client session:
* If the request includes a valid, unexpired challenge token, WAF applies
any custom request handling and labels that you’ve configured and then
allows the web request inspection to proceed to the next rule, similar
to a CountAction.
* If the request doesn’t include a valid, unexpired challenge token, WAF
discontinues the web ACL evaluation of the request and blocks it from
going to its intended destination. WAF then generates a challenge response
that it sends back to the client, which includes the following: The header
x-amzn-waf-action with a value of challenge. The HTTP status code 202
Request Accepted. If the request contains an Accept header with a value
of text/html, the response includes a JavaScript page interstitial with
a challenge script. Challenges run silent browser interrogations in the
background, and don’t generally affect the end user experience. A challenge
enforces token acquisition using an interstitial JavaScript challenge
that inspects the client session for legitimate behavior. The challenge
blocks bots or at least increases the cost of operating sophisticated
bots. After the client session successfully responds to the challenge,
it receives a new token from WAF, which the challenge script uses to resubmit
the original request.
You can configure the expiration time in the ChallengeConfig ImmunityTimeProperty
setting at the rule and web ACL level. The rule setting overrides the web
ACL setting.
This action option is available for rules. It isn’t available for web ACL
default actions. |
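The CAPTCHA and Challenge actions above describe an observable contract: an intercepted request gets the x-amzn-waf-action header (captcha or challenge), a documented status code (405 or 202), an HTML interstitial only when the client accepted text/html, and a token whose lifetime comes from the rule-level CaptchaConfig/ChallengeConfig, falling back to the web ACL level. The following is an added example (not code from the wafv2-controller project or from AWS) that models that contract for a synthetic monitor or integration test; the response headers, status codes and immunity-time values it feeds in are constructed, and the config dicts assume the CRD shape `immunityTimeProperty.immunityTime` shown in the Spec.

```python
# Added example, not code from the wafv2-controller project or AWS: a small
# model of the CAPTCHA and Challenge action behaviour described in the docs,
# usable from a monitor or test harness that talks to a protected endpoint.
# Sample responses, header values and immunity times below are constructed.
from typing import Dict, Optional

# Documented signals: the x-amzn-waf-action header plus the status code WAF
# uses when it intercepts a request that lacks a valid, unexpired token.
WAF_ACTION_HEADER = "x-amzn-waf-action"
INTERCEPT_STATUS = {"captcha": 405, "challenge": 202}


def classify_waf_response(status: int, headers: Dict[str, str],
                          request_accept: str = "") -> Optional[Dict[str, object]]:
    """Return None when the response is not a CAPTCHA/Challenge interception.

    Otherwise report which action fired, whether the status code matches the
    documented one, and whether an HTML interstitial is expected (WAF sends it
    only when the request's Accept header contains text/html).
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    action = lowered.get(WAF_ACTION_HEADER, "").lower()
    if action not in INTERCEPT_STATUS:
        return None
    return {
        "action": action,
        "status_ok": status == INTERCEPT_STATUS[action],
        "interstitial": "text/html" in request_accept.lower(),
    }


def effective_immunity_time(web_acl_cfg: Optional[Dict],
                            rule_cfg: Optional[Dict]) -> Optional[int]:
    """Resolve the token lifetime as documented: the rule-level config
    overrides the web ACL-level one. Each config uses the CRD shape
    {"immunityTimeProperty": {"immunityTime": <seconds>}}."""
    for cfg in (rule_cfg, web_acl_cfg):
        if cfg and cfg.get("immunityTimeProperty", {}).get("immunityTime") is not None:
            return int(cfg["immunityTimeProperty"]["immunityTime"])
    return None  # neither level set it; WAF's own default is not stated on this page


def token_still_valid(issued_at: float, now: float, immunity_time: int) -> bool:
    """A token issued at issued_at is accepted until immunity_time seconds have elapsed."""
    return 0 <= now - issued_at < immunity_time
```

A monitor that asserts `classify_waf_response(...)["status_ok"]` catches configuration drift (for example a rule whose action was overridden to Block, which yields no x-amzn-waf-action header at all) without needing to solve the CAPTCHA itself.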
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid tokens,
and AllowAction.
For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. |
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in
CustomResponse and CustomRequestHandling. |
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders.[].name
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders.[].value
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.count
Optional | object
Specifies that WAF should count the request. Optionally defines additional
custom handling for the request.
This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction. |
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid tokens,
and AllowAction.
For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. |
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders
Optional | array
|
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in
CustomResponse and CustomRequestHandling. |
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders.[].name
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders.[].value
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.ruleActionOverrides.[].name
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.scopeDownStatement
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.vendorName
Optional | string
|
| rules.[].statement.managedRuleGroupStatement.version
Optional | string
|
| rules.[].statement.notStatement
Optional | string
|
| rules.[].statement.orStatement
Optional | string
|
| rules.[].statement.rateBasedStatement
Optional | object
A rate-based rule counts incoming requests and rate limits requests when
they are coming at too fast a rate. The rule categorizes requests according
to your aggregation criteria, collects them into aggregation instances, and
counts and rate limits the requests for each instance.
If you change any of these settings in a rule that’s currently in use, the
change resets the rule’s rate limiting counts. This can pause the rule’s
rate limiting activities for up to a minute.
You can specify individual aggregation keys, like IP address or HTTP method.
You can also specify aggregation key combinations, like IP address and HTTP
method, or HTTP method, query argument, and cookie.
Each unique set of values for the aggregation keys that you specify is a
separate aggregation instance, with the value from each key contributing
to the aggregation instance definition.
For example, assume the rule evaluates web requests with the following IP
address and HTTP method values:
* IP address 10.1.1.1, HTTP method POST
* IP address 10.1.1.1, HTTP method GET
* IP address 127.0.0.0, HTTP method POST
* IP address 10.1.1.1, HTTP method GET
The rule would create different aggregation instances according to your aggregation
criteria, for example:
* If the aggregation criteria is just the IP address, then each individual
address is an aggregation instance, and WAF counts requests separately
for each. The aggregation instances and request counts for our example
would be the following: IP address 10.1.1.1: count 3; IP address 127.0.0.0:
count 1.
* If the aggregation criteria is HTTP method, then each individual HTTP
method is an aggregation instance. The aggregation instances and request
counts for our example would be the following: HTTP method POST: count 2;
HTTP method GET: count 2.
* If the aggregation criteria is IP address and HTTP method, then each
IP address and each HTTP method would contribute to the combined aggregation
instance. The aggregation instances and request counts for our example
would be the following: IP address 10.1.1.1, HTTP method POST: count 1;
IP address 10.1.1.1, HTTP method GET: count 2; IP address 127.0.0.0, HTTP
method POST: count 1.
For any n-tuple of aggregation keys, each unique combination of values for
the keys defines a separate aggregation instance, which WAF counts and rate-limits
individually.
You can optionally nest another statement inside the rate-based statement,
to narrow the scope of the rule so that it only counts and rate limits requests
that match the nested statement. You can use this nested scope-down statement
in conjunction with your aggregation key specifications or you can just count
and rate limit all requests that match the scope-down statement, without
additional aggregation. When you choose to just manage all requests that
match a scope-down statement, the aggregation instance is singular for the
rule.
You cannot nest a RateBasedStatement inside another statement, for example
inside a NotStatement or OrStatement. You can define a RateBasedStatement
inside a web ACL and inside a rule group.
For additional information about the options, see Rate limiting web requests
using rate-based rules (https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html)
in the WAF Developer Guide.
If you only aggregate on the individual IP address or forwarded IP address,
you can retrieve the list of IP addresses that WAF is currently rate limiting
for a rule through the API call GetRateBasedStatementManagedKeys. This option
is not available for other aggregation configurations.
WAF tracks and manages web requests separately for each instance of a rate-based
rule that you use. For example, if you provide the same rate-based rule settings
in two web ACLs, each of the two rule statements represents a separate instance
of the rate-based rule and gets its own tracking and management by WAF. If
you define a rate-based rule inside a rule group, and then use that rule
group in multiple places, each use creates a separate instance of the rate-based
rule that gets its own tracking and management by WAF. |
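The aggregation model described above (n-tuple of keys, one instance per distinct value combination, a singular instance when only a scope-down statement is used, and requests missing a key omitted from the evaluation) is easy to get wrong when sizing a limit. The following is an added example, not code from the wafv2-controller project or from AWS, that reproduces the four-request walkthrough from the description and extends it with a trailing evaluation window and a limit check. The request records, timestamps and the constructed "session" cookie are sample data; the limit semantics (an instance is rate limited once its count in the window exceeds the limit) are a simplification of the service's behaviour.

```python
# Added example, not code from the wafv2-controller project: a small model of
# how a rate-based statement groups web requests into aggregation instances.
# Request records, timestamps and the "session" cookie are constructed.
from collections import Counter
from typing import Callable, Dict, List, Optional, Sequence, Tuple

Request = Dict[str, object]
Instance = Tuple[object, ...]

# The four requests from the description, with constructed timestamps (seconds)
# and a constructed "session" cookie that is present on only some of them.
SAMPLE_REQUESTS: List[Request] = [
    {"t": 100, "ip": "10.1.1.1", "method": "POST", "session": "a1"},
    {"t": 130, "ip": "10.1.1.1", "method": "GET"},
    {"t": 160, "ip": "127.0.0.0", "method": "POST", "session": "b2"},
    {"t": 190, "ip": "10.1.1.1", "method": "GET", "session": "a1"},
]


def in_window(requests: Sequence[Request], now: float, window_sec: float) -> List[Request]:
    """Keep only the requests inside the trailing evaluation window (evaluationWindowSec)."""
    return [r for r in requests if now - window_sec < r["t"] <= now]


def aggregate(requests: Sequence[Request], keys: Sequence[str],
              scope_down: Optional[Callable[[Request], bool]] = None) -> Dict[Instance, int]:
    """Count requests per aggregation instance.

    keys:       the aggregation keys, e.g. ("ip", "method"); each distinct
                tuple of values is its own instance.
    scope_down: optional predicate standing in for a scope-down statement;
                only matching requests are counted.
    With no keys every matching request lands in the singular instance ().
    A request missing any configured key is omitted from the evaluation,
    as the customKeys description states.
    """
    counts: Counter = Counter()
    for req in requests:
        if scope_down is not None and not scope_down(req):
            continue
        try:
            instance = tuple(req[k] for k in keys)
        except KeyError:
            continue  # missing component: request is not counted at all
        counts[instance] += 1
    return dict(counts)


def over_limit(counts: Dict[Instance, int], limit: int) -> List[Instance]:
    """Instances whose count exceeds the configured limit (simplified: one
    fixed window, no smoothing across window boundaries)."""
    return sorted(inst for inst, n in counts.items() if n > limit)
```

Running `aggregate(SAMPLE_REQUESTS, ("ip", "method"))` yields the three instances the description lists; aggregating on `("session",)` silently drops the second request because it carries no such cookie, which is the case to keep in mind when a custom key is a header or cookie that legitimate clients may omit.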
| rules.[].statement.rateBasedStatement.aggregateKeyType
Optional | string
|
| rules.[].statement.rateBasedStatement.customKeys
Optional | array
|
| rules.[].statement.rateBasedStatement.customKeys.[]
Required | object
Specifies a single custom aggregate key for a rate-based rule.
Web requests that are missing any of the components specified in the aggregation
keys are omitted from the rate-based rule evaluation and handling. |
| rules.[].statement.rateBasedStatement.customKeys.[].cookie
Optional | object
Specifies a cookie as an aggregate key for a rate-based rule. Each distinct
value in the cookie contributes to the aggregation instance. If you use a
single cookie as your custom key, then each value fully defines an aggregation
instance. |
| rules.[].statement.rateBasedStatement.customKeys.[].cookie.name
Optional | string
|
| rules.[].statement.rateBasedStatement.customKeys.[].cookie.textTransformations
Optional | array
|
| rules.[].statement.rateBasedStatement.customKeys.[].cookie.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers
use in web requests in an effort to bypass detection. |
| rules.[].statement.rateBasedStatement.customKeys.[].cookie.textTransformations.[].priority
Optional | integer
|
| rules.[].statement.rateBasedStatement.customKeys.[].cookie.textTransformations.[].type
Optional | string
|
| rules.[].statement.rateBasedStatement.customKeys.[].forwardedIP
Optional | object
Specifies the first IP address in an HTTP header as an aggregate key for
a rate-based rule. Each distinct forwarded IP address contributes to the
aggregation instance.
This setting is used only in the RateBasedStatementCustomKey specification
of a rate-based rule statement. When you specify an IP or forwarded IP in
the custom key settings, you must also specify at least one other key to
use. You can aggregate on only the forwarded IP address by specifying FORWARDED_IP
in your rate-based statement’s AggregateKeyType.
This data type supports using the forwarded IP address in the web request
aggregation for a rate-based rule, in RateBasedStatementCustomKey. The JSON
specification for using the forwarded IP address doesn’t explicitly use this
data type.
JSON specification: "ForwardedIP": {}
When you use this specification, you must also configure the forwarded IP
address in the rate-based statement’s ForwardedIPConfig. |
| rules.[].statement.rateBasedStatement.customKeys.[].header
Optional | object
Specifies a header as an aggregate key for a rate-based rule. Each distinct
value in the header contributes to the aggregation instance. If you use a
single header as your custom key, then each value fully defines an aggregation
instance. |
| rules.[].statement.rateBasedStatement.customKeys.[].header.name
Optional | string
|
| rules.[].statement.rateBasedStatement.customKeys.[].header.textTransformations
Optional | array
|
| rules.[].statement.rateBasedStatement.customKeys.[].header.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers
use in web requests in an effort to bypass detection. |
| rules.[].statement.rateBasedStatement.customKeys.[].header.textTransformations.[].priority
Optional | integer
|
| rules.[].statement.rateBasedStatement.customKeys.[].header.textTransformations.[].type
Optional | string
|
| rules.[].statement.rateBasedStatement.customKeys.[].httpMethod
Optional | object
Specifies the request’s HTTP method as an aggregate key for a rate-based
rule. Each distinct HTTP method contributes to the aggregation instance.
If you use just the HTTP method as your custom key, then each method fully
defines an aggregation instance.
JSON specification: "RateLimitHTTPMethod": {} |
| rules.[].statement.rateBasedStatement.customKeys.[].iP
Optional | object
Specifies the IP address in the web request as an aggregate key for a rate-based
rule. Each distinct IP address contributes to the aggregation instance.
This setting is used only in the RateBasedStatementCustomKey specification
of a rate-based rule statement. To use this in the custom key settings, you
must specify at least one other key to use, along with the IP address. To
aggregate on only the IP address, in your rate-based statement’s AggregateKeyType,
specify IP.
JSON specification: "RateLimitIP": {} |
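The forwardedIP and iP custom keys above carry constraints that the service rejects at update time rather than at manifest apply time: an address key must be combined with at least one other custom key (aggregate on the address alone via aggregateKeyType IP or FORWARDED_IP instead), a forwardedIP key needs the statement's forwardedIPConfig, and a RateBasedStatement may not be nested inside another statement such as a NotStatement or OrStatement. The following is an added example, not code from the wafv2-controller project, of a pre-submit lint over a rule's `statement` block written as nested dicts in the CRD's camelCase field names. It assumes each customKeys entry names exactly one key kind, treats notStatement/orStatement/andStatement as dicts with a `statement`/`statements` child (the CRD types those fields as opaque strings, so adapt the walker to however you serialize them), and uses the AWS API values CUSTOM_KEYS, NONE and MATCH, which are not listed on this page; the sample specs are constructed.

```python
# Added example, not code from the wafv2-controller project: a pre-submit lint
# for the rate-based statement constraints documented in the field
# descriptions. Statements are plain nested dicts in the CRD's camelCase
# names; the sample specs at the bottom are constructed.
from typing import Dict, List

ADDRESS_KEYS = {"iP", "forwardedIP"}  # custom keys that need a companion key
# Logical container statements and the field holding their child statement(s).
# The page names NotStatement and OrStatement; andStatement is the third
# WAFv2 logical container and follows the same rule.
CONTAINERS = {"notStatement": "statement", "orStatement": "statements",
              "andStatement": "statements"}


def check_rate_based_keys(rbs: Dict, path: str) -> List[str]:
    """Apply the customKeys constraints from the forwardedIP and iP descriptions."""
    problems: List[str] = []
    # Assumption: each customKeys entry is a one-key dict naming its kind.
    kinds = [next(iter(entry)) for entry in rbs.get("customKeys") or [] if entry]
    address_keys = [k for k in kinds if k in ADDRESS_KEYS]
    if address_keys and len(address_keys) == len(kinds):
        problems.append(f"{path}.customKeys: {address_keys[0]} must be combined with at "
                        "least one other key; to aggregate on the address alone set "
                        "aggregateKeyType to IP or FORWARDED_IP instead")
    if "forwardedIP" in kinds and not (rbs.get("forwardedIPConfig") or {}).get("headerName"):
        problems.append(f"{path}.forwardedIPConfig: headerName is required when a "
                        "forwardedIP custom key is used")
    return problems


def lint_statement(statement: Dict, path: str = "statement", nested: bool = False) -> List[str]:
    """Walk a rule statement and collect rate-based constraint violations."""
    problems: List[str] = []
    for field, body in statement.items():
        here = f"{path}.{field}"
        if field == "rateBasedStatement":
            if nested:
                problems.append(f"{here}: a rateBasedStatement cannot be nested "
                                "inside another statement")
            problems += check_rate_based_keys(body, here)
        elif field in CONTAINERS:
            child_field = CONTAINERS[field]
            sub = body.get(child_field) or []
            children = sub if isinstance(sub, list) else [sub]
            for i, child in enumerate(children):
                problems += lint_statement(child, f"{here}.{child_field}[{i}]", nested=True)
    return problems


# Constructed sample statements.
GOOD = {"rateBasedStatement": {
    "limit": 1000, "aggregateKeyType": "CUSTOM_KEYS",
    "customKeys": [{"forwardedIP": {}},
                   {"uriPath": {"textTransformations": [{"priority": 0, "type": "NONE"}]}}],
    "forwardedIPConfig": {"headerName": "X-Forwarded-For", "fallbackBehavior": "MATCH"}}}
BAD_KEYS = {"rateBasedStatement": {
    "limit": 100, "aggregateKeyType": "CUSTOM_KEYS", "customKeys": [{"iP": {}}]}}
BAD_FWD = {"rateBasedStatement": {
    "limit": 100, "aggregateKeyType": "CUSTOM_KEYS",
    "customKeys": [{"forwardedIP": {}}, {"httpMethod": {}}]}}
BAD_NEST = {"notStatement": {"statement": {"rateBasedStatement": {
    "limit": 100, "aggregateKeyType": "IP"}}}}

if __name__ == "__main__":
    for name, spec in [("GOOD", GOOD), ("BAD_KEYS", BAD_KEYS),
                       ("BAD_FWD", BAD_FWD), ("BAD_NEST", BAD_NEST)]:
        print(name, lint_statement(spec) or "ok")
```

Running such a check in CI before the manifest reaches the controller turns a reconciliation error surfaced later in the resource status into an immediate, attributable failure.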
| rules.[].statement.rateBasedStatement.customKeys.[].labelNamespace
Optional | object
Specifies a label namespace to use as an aggregate key for a rate-based rule.
Each distinct fully qualified label name that has the specified label namespace
contributes to the aggregation instance. If you use just one label namespace
as your custom key, then each label name fully defines an aggregation instance.
This uses only labels that have been added to the request by rules that are
evaluated before this rate-based rule in the web ACL.
For information about label namespaces and names, see Label syntax and naming
requirements (https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html)
in the WAF Developer Guide. |
| rules.[].statement.rateBasedStatement.customKeys.[].labelNamespace.namespace
Optional | string
|
| rules.[].statement.rateBasedStatement.customKeys.[].queryArgument
Optional | object
Specifies a query argument in the request as an aggregate key for a rate-based
rule. Each distinct value for the named query argument contributes to the
aggregation instance. If you use a single query argument as your custom key,
then each value fully defines an aggregation instance. |
| rules.[].statement.rateBasedStatement.customKeys.[].queryArgument.name
Optional | string
|
| rules.[].statement.rateBasedStatement.customKeys.[].queryArgument.textTransformations
Optional | array
|
| rules.[].statement.rateBasedStatement.customKeys.[].queryArgument.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers
use in web requests in an effort to bypass detection. |
| rules.[].statement.rateBasedStatement.customKeys.[].queryArgument.textTransformations.[].priority
Optional | integer
|
| rules.[].statement.rateBasedStatement.customKeys.[].queryArgument.textTransformations.[].type
Optional | string
|
| rules.[].statement.rateBasedStatement.customKeys.[].queryString
Optional | object
Specifies the request’s query string as an aggregate key for a rate-based
rule. Each distinct string contributes to the aggregation instance. If you
use just the query string as your custom key, then each string fully defines
an aggregation instance. |
| rules.[].statement.rateBasedStatement.customKeys.[].queryString.textTransformations
Optional | array
|
| rules.[].statement.rateBasedStatement.customKeys.[].queryString.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers
use in web requests in an effort to bypass detection. |
| rules.[].statement.rateBasedStatement.customKeys.[].queryString.textTransformations.[].priority
Optional | integer
|
| rules.[].statement.rateBasedStatement.customKeys.[].queryString.textTransformations.[].type
Optional | string
|
| rules.[].statement.rateBasedStatement.customKeys.[].uriPath
Optional | object
Specifies the request’s URI path as an aggregate key for a rate-based rule.
Each distinct URI path contributes to the aggregation instance. If you use
just the URI path as your custom key, then each URI path fully defines an
aggregation instance. |
| rules.[].statement.rateBasedStatement.customKeys.[].uriPath.textTransformations
Optional | array
|
| rules.[].statement.rateBasedStatement.customKeys.[].uriPath.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers
use in web requests in an effort to bypass detection. |
| rules.[].statement.rateBasedStatement.customKeys.[].uriPath.textTransformations.[].priority
Optional | integer
|
| rules.[].statement.rateBasedStatement.customKeys.[].uriPath.textTransformations.[].type
Optional | string
|
| rules.[].statement.rateBasedStatement.evaluationWindowSec
Optional | integer
|
| rules.[].statement.rateBasedStatement.forwardedIPConfig
Optional | object
The configuration for inspecting IP addresses in an HTTP header that you
specify, instead of using the IP address that’s reported by the web request
origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify
any header name.
If the specified header isn’t present in the request, WAF doesn’t apply the
rule to the web request at all.
This configuration is used for GeoMatchStatement and RateBasedStatement.
For IPSetReferenceStatement, use IPSetForwardedIPConfig instead.
WAF only evaluates the first IP address found in the specified HTTP header. |
| rules.[].statement.rateBasedStatement.forwardedIPConfig.fallbackBehavior
Optional | string
|
| rules.[].statement.rateBasedStatement.forwardedIPConfig.headerName
Optional | string
|
| rules.[].statement.rateBasedStatement.limit
Optional | integer
|
| rules.[].statement.rateBasedStatement.scopeDownStatement
Optional | string
|
| rules.[].statement.regexMatchStatement
Optional | object
A rule statement used to search web request components for a match against
a single regular expression. |
| rules.[].statement.regexMatchStatement.fieldToMatch
Optional | object
Specifies a web request component to be used in a rule match statement or
in a logging configuration.
* In a rule statement, this is the part of the web request that you want
WAF to inspect. Include the single FieldToMatch type that you want to
inspect, with additional specifications as needed, according to the type.
You specify a single request component in FieldToMatch for each rule statement
that requires it. To inspect more than one component of the web request,
create a separate rule statement for each component. Example JSON for
a QueryString field to match: "FieldToMatch": { "QueryString": {} } Example
JSON for a Method field to match specification: "FieldToMatch": { "Method":
{ "Name": "DELETE" } }
* In a logging configuration, this is used in the RedactedFields property
to specify a field to redact from the logging records. For this use case,
note the following: Even though all FieldToMatch settings are available,
the only valid settings for field redaction are UriPath, QueryString,
SingleHeader, and Method. In this documentation, the descriptions of the
individual fields talk about specifying the web request component to inspect,
but for field redaction, you are specifying the component type to redact
from the logs. |
| rules.[].statement.regexMatchStatement.fieldToMatch.allQueryArguments
Optional | object
Inspect all query arguments of the web request.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "AllQueryArguments": {} |
| rules.[].statement.regexMatchStatement.fieldToMatch.body
Optional | object
Inspect the body of the web request. The body immediately follows the request
headers.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification. |
| rules.[].statement.regexMatchStatement.fieldToMatch.body.oversizeHandling
Optional | string
|
| rules.[].statement.regexMatchStatement.fieldToMatch.cookies
Optional | object
Inspect the cookies in the web request. You can specify the parts of the
cookies to inspect and you can narrow the set of cookies to inspect by including
or excluding specific keys.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
Example JSON: "Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY",
"OversizeHandling": "MATCH" } |
| rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchPattern
Optional | object
The filter to use to identify the subset of cookies to inspect in a web request.
You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies.
Example JSON: "MatchPattern": { "IncludedCookies": [ "session-id-time", "session-id"
] } |
| rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "All": {} |
| rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies
Optional | array
|
| rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies.[]
Required | string
|
| rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies
Optional | array
|
| rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies.[]
Required | string
|
| rules.[].statement.regexMatchStatement.fieldToMatch.cookies.matchScope
Optional | string
|
| rules.[].statement.regexMatchStatement.fieldToMatch.cookies.oversizeHandling
Optional | string
|
| rules.[].statement.regexMatchStatement.fieldToMatch.headerOrder
Optional | object
Inspect a string containing the list of the request’s header names, ordered
as they appear in the web request that WAF receives for inspection. WAF generates
the string and then uses that as the field to match component in its inspection.
WAF separates the header names in the string using colons and no added spaces,
for example host:user-agent:accept:authorization:referer. |
| rules.[].statement.regexMatchStatement.fieldToMatch.headerOrder.oversizeHandling
Optional | string
|
| rules.[].statement.regexMatchStatement.fieldToMatch.headers
Optional | object
Inspect all headers in the web request. You can specify the parts of the
headers to inspect and you can narrow the set of headers to inspect by including
or excluding specific keys.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
If you want to inspect just the value of a single header, use the SingleHeader
FieldToMatch setting instead.
Example JSON: "Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY",
"OversizeHandling": "MATCH" } |
| rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchPattern
Optional | object
The filter to use to identify the subset of headers to inspect in a web request.
You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders.
Example JSON: "MatchPattern": { "ExcludedHeaders": [ "KeyToExclude1", "KeyToExclude2"
] } |
| rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "All": {} |
| rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders
Optional | array
|
| rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders.[]
Required | string
|
| rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders
Optional | array
|
| rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders.[]
Required | string
|
| rules.[].statement.regexMatchStatement.fieldToMatch.headers.matchScope
Optional | string
|
| rules.[].statement.regexMatchStatement.fieldToMatch.headers.oversizeHandling
Optional | string
|
| rules.[].statement.regexMatchStatement.fieldToMatch.ja3Fingerprint
Optional | object
Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character
hash derived from the TLS Client Hello of an incoming request. This fingerprint
serves as a unique identifier for the client’s TLS configuration. WAF calculates
and logs this fingerprint for each request that has enough TLS Client Hello
information for the calculation. Almost all web requests include this information.
Although this field appears in the FieldToMatch schema of this statement, WAF
accepts it only in a string match ByteMatchStatement with the PositionalConstraint
set to EXACTLY; it cannot be used with the regex match statement documented here.
You can obtain the JA3 fingerprint for client requests from the web ACL logs.
If WAF is able to calculate the fingerprint, it includes it in the logs.
For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html)
in the WAF Developer Guide.
Provide the JA3 fingerprint string from the logs in your string match statement
specification, to match with any future requests that have the same TLS configuration. |
| rules.[].statement.regexMatchStatement.fieldToMatch.ja3Fingerprint.fallbackBehavior
Optional | string
The match status to assign to the web request if WAF cannot calculate the fingerprint:
MATCH treats the request as matching the statement, NO_MATCH as not matching. |
| rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody
Optional | object
Inspect the body of the web request as JSON. The body immediately follows
the request headers.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
Use the specifications in this object to indicate which parts of the JSON
body to inspect using the rule’s inspection criteria. WAF inspects only the
parts of the JSON that result from the matches that you indicate.
Example JSON: "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope":
"ALL" } |
| rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.invalidFallbackBehavior
Optional | string
|
| rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.matchPattern
Optional | object
The patterns to look for in the JSON body. WAF inspects the results of these
pattern matches against the rule inspection criteria. This is used with the
FieldToMatch option JsonBody. |
| rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "All": {} |
| rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths
Optional | array
|
| rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths.[]
Required | string
|
| rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.matchScope
Optional | string
|
| rules.[].statement.regexMatchStatement.fieldToMatch.jsonBody.oversizeHandling
Optional | string
|
| rules.[].statement.regexMatchStatement.fieldToMatch.method
Optional | object
Inspect the HTTP method of the web request. The method indicates the type
of operation that the request is asking the origin to perform.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "Method": {} |
| rules.[].statement.regexMatchStatement.fieldToMatch.queryString
Optional | object
Inspect the query string of the web request. This is the part of a URL that
appears after a ? character, if any.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "QueryString": {} |
| rules.[].statement.regexMatchStatement.fieldToMatch.singleHeader
Optional | object
Inspect one of the headers in the web request, identified by name, for example,
User-Agent or Referer. The name isn’t case sensitive.
You can filter and inspect all headers with the FieldToMatch setting Headers.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
Example JSON: "SingleHeader": { "Name": "haystack" } |
| rules.[].statement.regexMatchStatement.fieldToMatch.singleHeader.name
Optional | string
|
| rules.[].statement.regexMatchStatement.fieldToMatch.singleQueryArgument
Optional | object
Inspect one query argument in the web request, identified by name, for example
UserName or SalesRegion. The name isn’t case sensitive.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
Example JSON: "SingleQueryArgument": { "Name": "myArgument" } |
| rules.[].statement.regexMatchStatement.fieldToMatch.singleQueryArgument.name
Optional | string
|
| rules.[].statement.regexMatchStatement.fieldToMatch.uriPath
Optional | object
Inspect the path component of the URI of the web request. This is the part
of the web request that identifies a resource. For example, /images/daily-ad.jpg.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "UriPath": {} |
| rules.[].statement.regexMatchStatement.regexString
Optional | string
|
| rules.[].statement.regexMatchStatement.textTransformations
Optional | array
|
| rules.[].statement.regexMatchStatement.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers
use in web requests in an effort to bypass detection. |
| rules.[].statement.regexMatchStatement.textTransformations.[].priority
Optional | integer
|
| rules.[].statement.regexMatchStatement.textTransformations.[].type
Optional | string
|
| rules.[].statement.regexPatternSetReferenceStatement
Optional | object
A rule statement used to search web request components for matches with regular
expressions. To use this, create a RegexPatternSet that specifies the expressions
that you want to detect, then use the ARN of that set in this statement.
A web request matches the pattern set rule statement if the request component
matches any of the patterns in the set. To create a regex pattern set, see
CreateRegexPatternSet.
Each regex pattern set rule statement references a regex pattern set. You
create and maintain the set independent of your rules. This allows you to
use the single set in multiple rules. When you update the referenced set,
WAF automatically updates all rules that reference it. |
| rules.[].statement.regexPatternSetReferenceStatement.arn
Optional | string
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch
Optional | object
Specifies a web request component to be used in a rule match statement or
in a logging configuration.
* In a rule statement, this is the part of the web request that you want
WAF to inspect. Include the single FieldToMatch type that you want to
inspect, with additional specifications as needed, according to the type.
You specify a single request component in FieldToMatch for each rule statement
that requires it. To inspect more than one component of the web request,
create a separate rule statement for each component. Example JSON for
a QueryString field to match: "FieldToMatch": { "QueryString": {} } Example
JSON for a Method field to match specification: "FieldToMatch": { "Method":
{} } (the Method component takes no properties; to match a particular verb
such as DELETE, put the verb in the statement's search string).
* In a logging configuration, this is used in the RedactedFields property
to specify a field to redact from the logging records. For this use case,
note the following: Even though all FieldToMatch settings are available,
the only valid settings for field redaction are UriPath, QueryString,
SingleHeader, and Method. In this documentation, the descriptions of the
individual fields talk about specifying the web request component to inspect,
but for field redaction, you are specifying the component type to redact
from the logs. |
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.allQueryArguments
Optional | object
Inspect all query arguments of the web request.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "AllQueryArguments": {} |
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.body
Optional | object
Inspect the body of the web request. The body immediately follows the request
headers.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification. |
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.body.oversizeHandling
Optional | string
What WAF should do if the body is larger than WAF can inspect. WAF evaluates
only the leading part of the body, up to the body size limit of the protected
resource; bytes beyond that limit are never inspected. CONTINUE inspects the
available portion and ignores the rest, MATCH treats the oversize request as
matching the statement, NO_MATCH treats it as not matching. With CONTINUE, a
payload placed after enough padding to pass the limit is never seen by the rule. |
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies
Optional | object
Inspect the cookies in the web request. You can specify the parts of the
cookies to inspect and you can narrow the set of cookies to inspect by including
or excluding specific keys.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
Example JSON: "Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY",
"OversizeHandling": "MATCH" } |
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchPattern
Optional | object
The filter to use to identify the subset of cookies to inspect in a web request.
You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies.
Example JSON: "MatchPattern": { "IncludedCookies": [ "session-id-time", "session-id"
] } |
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "All": {} |
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchPattern.excludedCookies
Optional | array
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchPattern.excludedCookies.[]
Required | string
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchPattern.includedCookies
Optional | array
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchPattern.includedCookies.[]
Required | string
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.matchScope
Optional | string
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.cookies.oversizeHandling
Optional | string
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headerOrder
Optional | object
Inspect a string containing the list of the request’s header names, ordered
as they appear in the web request that WAF receives for inspection. WAF generates
the string and then uses that as the field to match component in its inspection.
WAF separates the header names in the string using colons and no added spaces,
for example host:user-agent:accept:authorization:referer. |
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headerOrder.oversizeHandling
Optional | string
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers
Optional | object
Inspect all headers in the web request. You can specify the parts of the
headers to inspect and you can narrow the set of headers to inspect by including
or excluding specific keys.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
If you want to inspect just the value of a single header, use the SingleHeader
FieldToMatch setting instead.
Example JSON: "Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY",
"OversizeHandling": "MATCH" } |
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchPattern
Optional | object
The filter to use to identify the subset of headers to inspect in a web request.
You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders.
Example JSON: "MatchPattern": { "ExcludedHeaders": [ "KeyToExclude1", "KeyToExclude2"
] } |
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "All": {} |
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchPattern.excludedHeaders
Optional | array
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchPattern.excludedHeaders.[]
Required | string
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchPattern.includedHeaders
Optional | array
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchPattern.includedHeaders.[]
Required | string
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.matchScope
Optional | string
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.headers.oversizeHandling
Optional | string
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.ja3Fingerprint
Optional | object
Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character
hash derived from the TLS Client Hello of an incoming request. This fingerprint
serves as a unique identifier for the client’s TLS configuration. WAF calculates
and logs this fingerprint for each request that has enough TLS Client Hello
information for the calculation. Almost all web requests include this information.
Although this field appears in the FieldToMatch schema of this statement, WAF
accepts it only in a string match ByteMatchStatement with the PositionalConstraint
set to EXACTLY; it cannot be used with the regex pattern set statement documented here.
You can obtain the JA3 fingerprint for client requests from the web ACL logs.
If WAF is able to calculate the fingerprint, it includes it in the logs.
For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html)
in the WAF Developer Guide.
Provide the JA3 fingerprint string from the logs in your string match statement
specification, to match with any future requests that have the same TLS configuration. |
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.ja3Fingerprint.fallbackBehavior
Optional | string
The match status to assign to the web request if WAF cannot calculate the fingerprint:
MATCH treats the request as matching the statement, NO_MATCH as not matching. |
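The two ja3Fingerprint descriptions above (under regexMatchStatement and regexPatternSetReferenceStatement) say the value is a 32-character hash of the TLS Client Hello but not how it is formed. The following is an added example, not code from this reference or from the controller: it builds a constructed Client Hello and computes its JA3 the way the original specification does, joining TLSVersion, cipher suites, extension types, supported groups and EC point formats as decimal strings and hashing with MD5. GREASE values (RFC 8701) are dropped, as JA3 requires, which is why a browser that randomises them still yields a stable fingerprint. The sample bytes, the `build_client_hello` helper and its field layout are constructed for this example.

```python
import hashlib
import struct


def _is_grease(v: int) -> bool:
    # GREASE values (RFC 8701) are 0x0a0a, 0x1a1a, ... 0xfafa; JA3 excludes them
    return (v & 0x0F0F) == 0x0A0A and (v >> 8) == (v & 0xFF)


def ja3_from_client_hello(record: bytes) -> tuple[str, str]:
    """Return (ja3_string, ja3_md5) for a TLS record carrying one ClientHello.

    JA3 field order: TLSVersion,Ciphers,Extensions,EllipticCurves,EllipticCurvePointFormats
    """
    # TLS record header: content type (0x16 = handshake), version, 2-byte length
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    # Handshake header: msg type (0x01 = ClientHello), 3-byte length
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    (version,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    pos += 32                      # client random
    pos += 1 + body[pos]           # session id (length-prefixed)
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    ciphers = [c for (c,) in struct.iter_unpack("!H", body[pos:pos + cs_len]) if not _is_grease(c)]
    pos += cs_len
    pos += 1 + body[pos]           # compression methods (length-prefixed)
    exts, curves, formats = [], [], []
    if pos + 2 <= len(body):
        (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            if _is_grease(etype):
                continue
            exts.append(etype)
            if etype == 0x000A:    # supported_groups: 2-byte list length, then 2-byte group ids
                (n,) = struct.unpack("!H", data[:2])
                curves = [g for (g,) in struct.iter_unpack("!H", data[2:2 + n]) if not _is_grease(g)]
            elif etype == 0x000B:  # ec_point_formats: 1-byte list length, then 1-byte formats
                formats = list(data[1:1 + data[0]])
    ja3 = ",".join([
        str(version),
        "-".join(map(str, ciphers)),
        "-".join(map(str, exts)),
        "-".join(map(str, curves)),
        "-".join(map(str, formats)),
    ])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()


def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack("!HH", etype, len(data)) + data


def build_client_hello(ciphers: list[int], extensions: list[bytes]) -> bytes:
    """Assemble a TLS record holding a ClientHello with the given suites and extensions (constructed)."""
    body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00"   # version, random, empty session id
    suites = b"".join(struct.pack("!H", c) for c in ciphers)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                        # one compression method: null
    ext = b"".join(extensions)
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


# Constructed ClientHello: a GREASE suite, a GREASE group and a GREASE extension are
# present and must not appear in the fingerprint.
SAMPLE_CLIENT_HELLO = build_client_hello(
    ciphers=[0x0A0A, 0x1301, 0x1302, 0xC02B, 0xC02F],
    extensions=[
        _ext(0x0000, b"\x00\x0e\x00\x00\x0bexample.com"),          # server_name
        _ext(0x000A, b"\x00\x08\x0a\x0a\x00\x1d\x00\x17\x00\x18"), # supported_groups
        _ext(0x000B, b"\x01\x00"),                                 # ec_point_formats
        _ext(0x000D, b"\x00\x04\x04\x03\x08\x04"),                 # signature_algorithms
        _ext(0x1A1A, b""),                                         # GREASE extension
        _ext(0x002B, b"\x02\x03\x04"),                             # supported_versions
    ],
)

if __name__ == "__main__":
    print(ja3_from_client_hello(SAMPLE_CLIENT_HELLO))
```

The hex digest is the form WAF writes to the ja3Fingerprint log field and the only form a rule can consume: copy it unchanged into a byte match statement with the positional constraint EXACTLY. Because the value depends on the TLS stack and not on the client IP or User-Agent, it groups requests from one automation toolkit across rotating addresses, but a fingerprint shared with a mainstream browser will also match that browser's users, so check the fingerprint's frequency in the logs before blocking on it.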
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody
Optional | object
Inspect the body of the web request as JSON. The body immediately follows
the request headers.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
Use the specifications in this object to indicate which parts of the JSON
body to inspect using the rule’s inspection criteria. WAF inspects only the
parts of the JSON that result from the matches that you indicate.
Example JSON: "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope":
"ALL" } |
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.invalidFallbackBehavior
Optional | string
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.matchPattern
Optional | object
The patterns to look for in the JSON body. WAF inspects the results of these
pattern matches against the rule inspection criteria. This is used with the
FieldToMatch option JsonBody. |
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "All": {} |
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.matchPattern.includedPaths
Optional | array
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.matchPattern.includedPaths.[]
Required | string
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.matchScope
Optional | string
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.jsonBody.oversizeHandling
Optional | string
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.method
Optional | object
Inspect the HTTP method of the web request. The method indicates the type
of operation that the request is asking the origin to perform.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "Method": {} |
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.queryString
Optional | object
Inspect the query string of the web request. This is the part of a URL that
appears after a ? character, if any.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "QueryString": {} |
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.singleHeader
Optional | object
Inspect one of the headers in the web request, identified by name, for example,
User-Agent or Referer. The name isn’t case sensitive.
You can filter and inspect all headers with the FieldToMatch setting Headers.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
Example JSON: "SingleHeader": { "Name": "haystack" } |
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.singleHeader.name
Optional | string
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.singleQueryArgument
Optional | object
Inspect one query argument in the web request, identified by name, for example
UserName or SalesRegion. The name isn’t case sensitive.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
Example JSON: "SingleQueryArgument": { "Name": "myArgument" } |
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.singleQueryArgument.name
Optional | string
|
| rules.[].statement.regexPatternSetReferenceStatement.fieldToMatch.uriPath
Optional | object
Inspect the path component of the URI of the web request. This is the part
of the web request that identifies a resource. For example, /images/daily-ad.jpg.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "UriPath": {} |
| rules.[].statement.regexPatternSetReferenceStatement.textTransformations
Optional | array
|
| rules.[].statement.regexPatternSetReferenceStatement.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers
use in web requests in an effort to bypass detection. |
| rules.[].statement.regexPatternSetReferenceStatement.textTransformations.[].priority
Optional | integer
|
| rules.[].statement.regexPatternSetReferenceStatement.textTransformations.[].type
Optional | string
|
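Both textTransformations descriptions on this page (under regexMatchStatement and regexPatternSetReferenceStatement) say that transformations strip attacker formatting before matching, but not how the priority field orders them or what a missing transformation costs. The following is an added example, not code from this reference or the controller: a local simulation of a regex statement that applies a subset of WAF's transformation types in ascending priority order and then searches the regexString. The decoders are Python's standard library ones, so corner cases may differ from WAF's own engine; the payloads and the `regex_match_statement` helper are constructed for this example.

```python
import html
import re
from urllib.parse import unquote

# Subset of the WAF TextTransformation types, approximated with standard-library decoders
_TRANSFORMS = {
    "NONE": lambda s: s,
    "LOWERCASE": str.lower,
    "URL_DECODE": lambda s: unquote(s.replace("+", " ")),
    "HTML_ENTITY_DECODE": html.unescape,
    "COMPRESS_WHITE_SPACE": lambda s: re.sub(r"\s+", " ", s),
    "REMOVE_NULLS": lambda s: s.replace("\x00", ""),
}


def apply_text_transformations(value: str, transformations: list[dict]) -> str:
    """Apply the transformations in ascending priority order, as WAF does, and return the result."""
    for t in sorted(transformations, key=lambda t: t["priority"]):
        if t["type"] not in _TRANSFORMS:
            raise ValueError(f"unsupported transformation type: {t['type']}")
        value = _TRANSFORMS[t["type"]](value)
    return value


def regex_match_statement(regex_string: str, value: str, transformations: list[dict]) -> bool:
    """Emulate a regexMatchStatement: transform the field, then search it with regexString."""
    return re.search(regex_string, apply_text_transformations(value, transformations)) is not None


# Constructed payloads: a UNION-based SQL injection probe in a query argument, once with
# mixed case and percent-encoded spaces, once with the letters themselves percent-encoded.
MIXED_CASE_PAYLOAD = "1%27%20UnIoN%20SeLeCt%20NULL--"
ENCODED_LETTERS_PAYLOAD = "1%27%20%55nion%20%53elect%20NULL--"
SQLI_REGEX = r"union\s+select"

NO_TRANSFORMS = [{"priority": 0, "type": "NONE"}]
DECODE_THEN_LOWER = [
    {"priority": 0, "type": "URL_DECODE"},
    {"priority": 1, "type": "LOWERCASE"},
    {"priority": 2, "type": "COMPRESS_WHITE_SPACE"},
]
# Same two steps, wrong order: lowercasing happens while the letters are still encoded
LOWER_THEN_DECODE = [
    {"priority": 0, "type": "LOWERCASE"},
    {"priority": 1, "type": "URL_DECODE"},
]

if __name__ == "__main__":
    for payload in (MIXED_CASE_PAYLOAD, ENCODED_LETTERS_PAYLOAD):
        for label, ts in (("none", NO_TRANSFORMS), ("decode,lower", DECODE_THEN_LOWER), ("lower,decode", LOWER_THEN_DECODE)):
            print(payload, label, regex_match_statement(SQLI_REGEX, payload, ts))
```

Two things the simulation makes visible: without a URL_DECODE the pattern never sees the decoded keyword, and the order encoded in priority is part of the rule's meaning, since LOWERCASE followed by URL_DECODE leaves "%55nion" as "Union" and the case-sensitive pattern misses it. When writing rules in this spec, give the decoding transformations the lower priority numbers and normalisation (LOWERCASE, COMPRESS_WHITE_SPACE) the higher ones.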
| rules.[].statement.ruleGroupReferenceStatement
Optional | object
A rule statement used to run the rules that are defined in a RuleGroup. To
use this, create a rule group with your rules, then provide the ARN of the
rule group in this statement.
You cannot nest a RuleGroupReferenceStatement, for example for use inside
a NotStatement or OrStatement. You cannot use a rule group reference statement
inside another rule group. You can only reference a rule group as a top-level
statement within a rule that you define in a web ACL. |
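The constraint above (a RuleGroupReferenceStatement is valid only as the top-level statement of a web ACL rule, never inside a NotStatement, OrStatement or AndStatement) is easy to violate when composing a spec by hand, and the error surfaces only when the controller tries to create the resource. The following is an added example, not code from this reference or the controller: a checker over the rules list of a WebACL spec that flags nested rule group references, the superseded excludedRules option described below, duplicate or malformed ruleActionOverrides, and the rule-level pairing that a rule whose statement references a rule group (a RuleGroupReferenceStatement or a managed rule group statement) carries overrideAction rather than action. The field names follow this page's camelCase paths; the nesting keys andStatement/orStatement/notStatement and their statements/statement children are the CRD's names for the WAF statements of the same name, and the sample rules and ARN placeholder are constructed.

```python
NESTING_KEYS = ("andStatement", "orStatement", "notStatement")
GROUP_STATEMENTS = ("ruleGroupReferenceStatement", "managedRuleGroupStatement")


def _walk_statements(statement: dict, depth: int = 0):
    """Yield (statement, depth) for a statement and everything nested under and/or/not."""
    yield statement, depth
    for key in NESTING_KEYS:
        inner = statement.get(key)
        if not inner:
            continue
        # andStatement/orStatement carry a list under "statements"; notStatement one "statement"
        children = list(inner.get("statements", []))
        if "statement" in inner:
            children.append(inner["statement"])
        for child in children:
            yield from _walk_statements(child, depth + 1)


def lint_webacl_rules(rules: list[dict]) -> list[str]:
    """Return human-readable findings for a WebACL spec.rules list; empty means no problems found."""
    findings = []
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        top = rule.get("statement", {})
        for stmt, depth in _walk_statements(top):
            ref = stmt.get("ruleGroupReferenceStatement")
            if ref is None:
                continue
            if depth > 0:
                findings.append(f"{name}: ruleGroupReferenceStatement must be a top-level statement, found nested")
            if "excludedRules" in ref:
                findings.append(f"{name}: excludedRules is superseded; use ruleActionOverrides")
            overrides = ref.get("ruleActionOverrides", [])
            names = [o.get("name") for o in overrides]
            dups = sorted({n for n in names if names.count(n) > 1})
            if dups:
                findings.append(f"{name}: duplicate ruleActionOverrides for {', '.join(dups)}")
            for o in overrides:
                action = o.get("actionToUse", {})
                if len(action) != 1:
                    findings.append(f"{name}: override for {o.get('name')} must set exactly one action, got {sorted(action)}")
        references_group = any(k in top for k in GROUP_STATEMENTS)
        if references_group and "action" in rule:
            findings.append(f"{name}: rules that reference a rule group use overrideAction, not action")
        if references_group and "overrideAction" not in rule:
            findings.append(f"{name}: rules that reference a rule group must set overrideAction (none or count)")
        if not references_group and "action" not in rule:
            findings.append(f"{name}: rule must set action")
    return findings


# Constructed sample spec.rules; the ARN is a placeholder, not a real resource
PLACEHOLDER_ARN = "arn:aws:wafv2:REGION:ACCOUNT_ID:regional/rulegroup/NAME/ID"
SAMPLE_RULES = [
    {   # valid: top-level reference, overrideAction set, one rule switched to Count for testing
        "name": "shared-rules",
        "priority": 0,
        "overrideAction": {"none": {}},
        "statement": {"ruleGroupReferenceStatement": {
            "arn": PLACEHOLDER_ARN,
            "ruleActionOverrides": [{"name": "StrictRule", "actionToUse": {"count": {}}}],
        }},
    },
    {   # invalid: reference nested in a notStatement, and the superseded excludedRules
        "name": "negated-group",
        "priority": 1,
        "action": {"block": {}},
        "statement": {"notStatement": {"statement": {"ruleGroupReferenceStatement": {
            "arn": PLACEHOLDER_ARN,
            "excludedRules": [{"name": "StrictRule"}],
        }}}},
    },
]

if __name__ == "__main__":
    for finding in lint_webacl_rules(SAMPLE_RULES):
        print(finding)
```

Run it against the `rules` array of a WebACL manifest (for instance after loading it with a YAML parser) before applying the manifest; a clean result does not prove the spec is valid, since WAF enforces many more constraints, but it catches the structural mistakes this section describes before the controller reports them back as a reconcile error.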
| rules.[].statement.ruleGroupReferenceStatement.arn
Optional | string
|
| rules.[].statement.ruleGroupReferenceStatement.excludedRules
Optional | array
|
| rules.[].statement.ruleGroupReferenceStatement.excludedRules.[]
Required | object
Specifies a single rule in a rule group whose action you want to override
to Count.
Instead of this option, use RuleActionOverrides. It accepts any valid action
setting, including Count. |
| rules.[].statement.ruleGroupReferenceStatement.excludedRules.[].name
Optional | string
|
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides
Optional | array
|
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[]
Required | object
Action setting to use in the place of a rule action that is configured inside
the rule group. You specify one override for each rule whose action you want
to change.
You can use overrides for testing, for example you can override all of rule
actions to Count and then monitor the resulting count metrics to understand
how the rule group would handle your web traffic. You can also permanently
override some or all actions, to modify how the rule group manages your web
traffic. |
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse
Optional | object
The action that WAF should take on a web request when it matches a rule’s
statement. Settings at the web ACL level can override the rule action setting. |
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.allow
Optional | object
Specifies that WAF should allow the request and optionally defines additional
custom handling for the request.
This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction. |
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid tokens,
and AllowAction.
For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. |
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders
Optional | array
|
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in
CustomResponse and CustomRequestHandling. |
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders.[].name
Optional | string
|
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.allow.customRequestHandling.insertHeaders.[].value
Optional | string
|
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block
Optional | object
Specifies that WAF should block the request and optionally defines additional
custom handling for the response to the web request.
This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction. |
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse
Optional | object
A custom response to send to the client. You can define a custom response
for rule actions and default web ACL actions that are set to BlockAction.
For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. |
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse.customResponseBodyKey
Optional | string
|
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseCode
Optional | integer
|
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders
Optional | array
|
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in
CustomResponse and CustomRequestHandling. |
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders.[].name
Optional | string
|
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.block.customResponse.responseHeaders.[].value
Optional | string
|
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.captcha
Optional | object
Specifies that WAF should run a CAPTCHA check against the request:
* If the request includes a valid, unexpired CAPTCHA token, WAF applies
any custom request handling and labels that you’ve configured and then
allows the web request inspection to proceed to the next rule, similar
to a CountAction.
* If the request doesn’t include a valid, unexpired token, WAF discontinues
the web ACL evaluation of the request and blocks it from going to its
intended destination. WAF generates a response that it sends back to the
client, which includes the following: The header x-amzn-waf-action with
a value of captcha. The HTTP status code 405 Method Not Allowed. If the
request contains an Accept header with a value of text/html, the response
includes a CAPTCHA JavaScript page interstitial.
You can configure the expiration time in the CaptchaConfig ImmunityTimeProperty
setting at the rule and web ACL level. The rule setting overrides the web
ACL setting.
This action option is available for rules. It isn’t available for web ACL
default actions. |
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid tokens,
and AllowAction.
For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. |
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders
Optional | array
|
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in
CustomResponse and CustomRequestHandling. |
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders.[].name
Optional | string
|
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.captcha.customRequestHandling.insertHeaders.[].value
Optional | string
|
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.challenge
Optional | object
Specifies that WAF should run a Challenge check against the request to verify
that the request is coming from a legitimate client session:
* If the request includes a valid, unexpired challenge token, WAF applies
any custom request handling and labels that you’ve configured and then
allows the web request inspection to proceed to the next rule, similar
to a CountAction.
* If the request doesn’t include a valid, unexpired challenge token, WAF
discontinues the web ACL evaluation of the request and blocks it from
going to its intended destination. WAF then generates a challenge response
that it sends back to the client, which includes the following: The header
x-amzn-waf-action with a value of challenge. The HTTP status code 202
Request Accepted. If the request contains an Accept header with a value
of text/html, the response includes a JavaScript page interstitial with
a challenge script. Challenges run silent browser interrogations in the
background, and don’t generally affect the end user experience. A challenge
enforces token acquisition using an interstitial JavaScript challenge
that inspects the client session for legitimate behavior. The challenge
blocks bots or at least increases the cost of operating sophisticated
bots. After the client session successfully responds to the challenge,
it receives a new token from WAF, which the challenge script uses to resubmit
the original request.
You can configure the expiration time in the ChallengeConfig ImmunityTimeProperty
setting at the rule and web ACL level. The rule setting overrides the web
ACL setting.
This action option is available for rules. It isn’t available for web ACL
default actions. |
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid tokens,
and AllowAction.
For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. |
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders
Optional | array
|
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in
CustomResponse and CustomRequestHandling. |
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders.[].name
Optional | string
|
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.challenge.customRequestHandling.insertHeaders.[].value
Optional | string
|
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.count
Optional | object
Specifies that WAF should count the request. Optionally defines additional
custom handling for the request.
This is used in the context of other settings, for example to specify values
for RuleAction and web ACL DefaultAction. |
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling
Optional | object
Custom request handling behavior that inserts custom headers into a web request.
You can add custom request handling for WAF to use when the rule action doesn’t
block the request. For example, CaptchaAction for requests with valid tokens,
and AllowAction.
For information about customizing web requests and responses, see Customizing
web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html)
in the WAF Developer Guide. |
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders
Optional | array
|
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders.[]
Required | object
A custom header for custom request and response handling. This is used in
CustomResponse and CustomRequestHandling. |
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders.[].name
Optional | string
|
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].actionToUse.count.customRequestHandling.insertHeaders.[].value
Optional | string
|
| rules.[].statement.ruleGroupReferenceStatement.ruleActionOverrides.[].name
Optional | string
|
| rules.[].statement.sizeConstraintStatement
Optional | object
A rule statement that compares a number of bytes against the size of a request
component, using a comparison operator, such as greater than (>) or less
than (<). For example, you can use a size constraint statement to look for
query strings that are longer than 100 bytes.
If you configure WAF to inspect the request body, WAF inspects only the number
of bytes in the body up to the limit for the web ACL and protected resource
type. If you know that the request body for your web requests should never
exceed the inspection limit, you can use a size constraint statement to block
requests that have a larger request body size. For more information about
the inspection limits, see Body and JsonBody settings for the FieldToMatch
data type.
If you choose URI for the value of Part of the request to filter on, the
slash (/) in the URI counts as one character. For example, the URI /logo.jpg
is nine characters long. |
| rules.[].statement.sizeConstraintStatement.comparisonOperator
Optional | string
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch
Optional | object
Specifies a web request component to be used in a rule match statement or
in a logging configuration.
* In a rule statement, this is the part of the web request that you want
WAF to inspect. Include the single FieldToMatch type that you want to
inspect, with additional specifications as needed, according to the type.
You specify a single request component in FieldToMatch for each rule statement
that requires it. To inspect more than one component of the web request,
create a separate rule statement for each component. Example JSON for
a QueryString field to match: "FieldToMatch": { "QueryString": {} } Example
JSON for a Method field to match specification: "FieldToMatch": { "Method":
{ "Name": "DELETE" } }
* In a logging configuration, this is used in the RedactedFields property
to specify a field to redact from the logging records. For this use case,
note the following: Even though all FieldToMatch settings are available,
the only valid settings for field redaction are UriPath, QueryString,
SingleHeader, and Method. In this documentation, the descriptions of the
individual fields talk about specifying the web request component to inspect,
but for field redaction, you are specifying the component type to redact
from the logs. |
| rules.[].statement.sizeConstraintStatement.fieldToMatch.allQueryArguments
Optional | object
Inspect all query arguments of the web request.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "AllQueryArguments": {} |
| rules.[].statement.sizeConstraintStatement.fieldToMatch.body
Optional | object
Inspect the body of the web request. The body immediately follows the request
headers.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification. |
| rules.[].statement.sizeConstraintStatement.fieldToMatch.body.oversizeHandling
Optional | string
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies
Optional | object
Inspect the cookies in the web request. You can specify the parts of the
cookies to inspect and you can narrow the set of cookies to inspect by including
or excluding specific keys.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
Example JSON: "Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY",
"OversizeHandling": "MATCH" } |
| rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchPattern
Optional | object
The filter to use to identify the subset of cookies to inspect in a web request.
You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies.
Example JSON: "MatchPattern": { "IncludedCookies": [ "session-id-time", "session-id"
] } |
| rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "All": {} |
| rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchPattern.excludedCookies
Optional | array
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchPattern.excludedCookies.[]
Required | string
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchPattern.includedCookies
Optional | array
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchPattern.includedCookies.[]
Required | string
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.matchScope
Optional | string
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.cookies.oversizeHandling
Optional | string
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.headerOrder
Optional | object
Inspect a string containing the list of the request’s header names, ordered
as they appear in the web request that WAF receives for inspection. WAF generates
the string and then uses that as the field to match component in its inspection.
WAF separates the header names in the string using colons and no added spaces,
for example host:user-agent:accept:authorization:referer. |
| rules.[].statement.sizeConstraintStatement.fieldToMatch.headerOrder.oversizeHandling
Optional | string
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.headers
Optional | object
Inspect all headers in the web request. You can specify the parts of the
headers to inspect and you can narrow the set of headers to inspect by including
or excluding specific keys.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
If you want to inspect just the value of a single header, use the SingleHeader
FieldToMatch setting instead.
Example JSON: "Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY",
"OversizeHandling": "MATCH" } |
| rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchPattern
Optional | object
The filter to use to identify the subset of headers to inspect in a web request.
You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders.
Example JSON: "MatchPattern": { "ExcludedHeaders": [ "KeyToExclude1", "KeyToExclude2"
] } |
| rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "All": {} |
| rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchPattern.excludedHeaders
Optional | array
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchPattern.excludedHeaders.[]
Required | string
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchPattern.includedHeaders
Optional | array
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchPattern.includedHeaders.[]
Required | string
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.matchScope
Optional | string
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.headers.oversizeHandling
Optional | string
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.ja3Fingerprint
Optional | object
Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character
hash derived from the TLS Client Hello of an incoming request. This fingerprint
serves as a unique identifier for the client’s TLS configuration. WAF calculates
and logs this fingerprint for each request that has enough TLS Client Hello
information for the calculation. Almost all web requests include this information.
You can use this choice only with a string match ByteMatchStatement with
the PositionalConstraint set to EXACTLY.
You can obtain the JA3 fingerprint for client requests from the web ACL logs.
If WAF is able to calculate the fingerprint, it includes it in the logs.
For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html)
in the WAF Developer Guide.
Provide the JA3 fingerprint string from the logs in your string match statement
specification, to match with any future requests that have the same TLS configuration. |
| rules.[].statement.sizeConstraintStatement.fieldToMatch.ja3Fingerprint.fallbackBehavior
Optional | string
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody
Optional | object
Inspect the body of the web request as JSON. The body immediately follows
the request headers.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
Use the specifications in this object to indicate which parts of the JSON
body to inspect using the rule’s inspection criteria. WAF inspects only the
parts of the JSON that result from the matches that you indicate.
Example JSON: "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope":
"ALL" } |
| rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.invalidFallbackBehavior
Optional | string
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.matchPattern
Optional | object
The patterns to look for in the JSON body. WAF inspects the results of these
pattern matches against the rule inspection criteria. This is used with the
FieldToMatch option JsonBody. |
| rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "All": {} |
| rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.matchPattern.includedPaths
Optional | array
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.matchPattern.includedPaths.[]
Required | string
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.matchScope
Optional | string
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.jsonBody.oversizeHandling
Optional | string
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.method
Optional | object
Inspect the HTTP method of the web request. The method indicates the type
of operation that the request is asking the origin to perform.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "Method": {} |
| rules.[].statement.sizeConstraintStatement.fieldToMatch.queryString
Optional | object
Inspect the query string of the web request. This is the part of a URL that
appears after a ? character, if any.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "QueryString": {} |
| rules.[].statement.sizeConstraintStatement.fieldToMatch.singleHeader
Optional | object
Inspect one of the headers in the web request, identified by name, for example,
User-Agent or Referer. The name isn’t case sensitive.
You can filter and inspect all headers with the FieldToMatch setting Headers.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
Example JSON: "SingleHeader": { "Name": "haystack" } |
| rules.[].statement.sizeConstraintStatement.fieldToMatch.singleHeader.name
Optional | string
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.singleQueryArgument
Optional | object
Inspect one query argument in the web request, identified by name, for example
UserName or SalesRegion. The name isn’t case sensitive.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
Example JSON: "SingleQueryArgument": { "Name": "myArgument" } |
| rules.[].statement.sizeConstraintStatement.fieldToMatch.singleQueryArgument.name
Optional | string
|
| rules.[].statement.sizeConstraintStatement.fieldToMatch.uriPath
Optional | object
Inspect the path component of the URI of the web request. This is the part
of the web request that identifies a resource. For example, /images/daily-ad.jpg.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "UriPath": {} |
| rules.[].statement.sizeConstraintStatement.size
Optional | integer
|
| rules.[].statement.sizeConstraintStatement.textTransformations
Optional | array
|
| rules.[].statement.sizeConstraintStatement.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers
use in web requests in an effort to bypass detection. |
| rules.[].statement.sizeConstraintStatement.textTransformations.[].priority
Optional | integer
|
| rules.[].statement.sizeConstraintStatement.textTransformations.[].type
Optional | string
|
| rules.[].statement.sqliMatchStatement
Optional | object
A rule statement that inspects for malicious SQL code. Attackers insert malicious
SQL code into web requests to do things like modify your database or extract
data from it. |
| rules.[].statement.sqliMatchStatement.fieldToMatch
Optional | object
Specifies a web request component to be used in a rule match statement or
in a logging configuration.
* In a rule statement, this is the part of the web request that you want
WAF to inspect. Include the single FieldToMatch type that you want to
inspect, with additional specifications as needed, according to the type.
You specify a single request component in FieldToMatch for each rule statement
that requires it. To inspect more than one component of the web request,
create a separate rule statement for each component. Example JSON for
a QueryString field to match: "FieldToMatch": { "QueryString": {} } Example
JSON for a Method field to match specification: "FieldToMatch": { "Method":
{ "Name": "DELETE" } }
* In a logging configuration, this is used in the RedactedFields property
to specify a field to redact from the logging records. For this use case,
note the following: Even though all FieldToMatch settings are available,
the only valid settings for field redaction are UriPath, QueryString,
SingleHeader, and Method. In this documentation, the descriptions of the
individual fields talk about specifying the web request component to inspect,
but for field redaction, you are specifying the component type to redact
from the logs. |
| rules.[].statement.sqliMatchStatement.fieldToMatch.allQueryArguments
Optional | object
Inspect all query arguments of the web request.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "AllQueryArguments": {} |
| rules.[].statement.sqliMatchStatement.fieldToMatch.body
Optional | object
Inspect the body of the web request. The body immediately follows the request
headers.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification. |
| rules.[].statement.sqliMatchStatement.fieldToMatch.body.oversizeHandling
Optional | string
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.cookies
Optional | object
Inspect the cookies in the web request. You can specify the parts of the
cookies to inspect and you can narrow the set of cookies to inspect by including
or excluding specific keys.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
Example JSON: "Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY",
"OversizeHandling": "MATCH" } |
| rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchPattern
Optional | object
The filter to use to identify the subset of cookies to inspect in a web request.
You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies.
Example JSON: "MatchPattern": { "IncludedCookies": [ "session-id-time", "session-id"
] } |
| rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "All": {} |
| rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies
Optional | array
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies.[]
Required | string
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies
Optional | array
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies.[]
Required | string
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.matchScope
Optional | string
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.cookies.oversizeHandling
Optional | string
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.headerOrder
Optional | object
Inspect a string containing the list of the request’s header names, ordered
as they appear in the web request that WAF receives for inspection. WAF generates
the string and then uses that as the field to match component in its inspection.
WAF separates the header names in the string using colons and no added spaces,
for example host:user-agent:accept:authorization:referer. |
| rules.[].statement.sqliMatchStatement.fieldToMatch.headerOrder.oversizeHandling
Optional | string
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.headers
Optional | object
Inspect all headers in the web request. You can specify the parts of the
headers to inspect and you can narrow the set of headers to inspect by including
or excluding specific keys.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
If you want to inspect just the value of a single header, use the SingleHeader
FieldToMatch setting instead.
Example JSON: "Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY",
"OversizeHandling": "MATCH" } |
| rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchPattern
Optional | object
The filter to use to identify the subset of headers to inspect in a web request.
You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders.
Example JSON: "MatchPattern": { "ExcludedHeaders": [ "KeyToExclude1", "KeyToExclude2"
] } |
| rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "All": {} |
| rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders
Optional | array
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders.[]
Required | string
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders
Optional | array
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders.[]
Required | string
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.headers.matchScope
Optional | string
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.headers.oversizeHandling
Optional | string
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.ja3Fingerprint
Optional | object
Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character
hash derived from the TLS Client Hello of an incoming request. This fingerprint
serves as a unique identifier for the client’s TLS configuration. WAF calculates
and logs this fingerprint for each request that has enough TLS Client Hello
information for the calculation. Almost all web requests include this information.
You can use this choice only with a string match ByteMatchStatement with
the PositionalConstraint set to EXACTLY.
You can obtain the JA3 fingerprint for client requests from the web ACL logs.
If WAF is able to calculate the fingerprint, it includes it in the logs.
For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html)
in the WAF Developer Guide.
Provide the JA3 fingerprint string from the logs in your string match statement
specification, to match with any future requests that have the same TLS configuration. |
| rules.[].statement.sqliMatchStatement.fieldToMatch.ja3Fingerprint.fallbackBehavior
Optional | string
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody
Optional | object
Inspect the body of the web request as JSON. The body immediately follows
the request headers.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
Use the specifications in this object to indicate which parts of the JSON
body to inspect using the rule’s inspection criteria. WAF inspects only the
parts of the JSON that result from the matches that you indicate.
Example JSON: "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope":
"ALL" } |
| rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.invalidFallbackBehavior
Optional | string
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.matchPattern
Optional | object
The patterns to look for in the JSON body. WAF inspects the results of these
pattern matches against the rule inspection criteria. This is used with the
FieldToMatch option JsonBody. |
| rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "All": {} |
| rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths
Optional | array
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths.[]
Required | string
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.matchScope
Optional | string
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.jsonBody.oversizeHandling
Optional | string
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.method
Optional | object
Inspect the HTTP method of the web request. The method indicates the type
of operation that the request is asking the origin to perform.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "Method": {} |
| rules.[].statement.sqliMatchStatement.fieldToMatch.queryString
Optional | object
Inspect the query string of the web request. This is the part of a URL that
appears after a ? character, if any.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "QueryString": {} |
| rules.[].statement.sqliMatchStatement.fieldToMatch.singleHeader
Optional | object
Inspect one of the headers in the web request, identified by name, for example,
User-Agent or Referer. The name isn’t case sensitive.
You can filter and inspect all headers with the FieldToMatch setting Headers.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
Example JSON: "SingleHeader": { "Name": "haystack" } |
| rules.[].statement.sqliMatchStatement.fieldToMatch.singleHeader.name
Optional | string
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.singleQueryArgument
Optional | object
Inspect one query argument in the web request, identified by name, for example
UserName or SalesRegion. The name isn’t case sensitive.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
Example JSON: "SingleQueryArgument": { "Name": "myArgument" } |
| rules.[].statement.sqliMatchStatement.fieldToMatch.singleQueryArgument.name
Optional | string
|
| rules.[].statement.sqliMatchStatement.fieldToMatch.uriPath
Optional | object
Inspect the path component of the URI of the web request. This is the part
of the web request that identifies a resource. For example, /images/daily-ad.jpg.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "UriPath": {} |
| rules.[].statement.sqliMatchStatement.sensitivityLevel
Optional | string
|
| rules.[].statement.sqliMatchStatement.textTransformations
Optional | array
|
| rules.[].statement.sqliMatchStatement.textTransformations.[]
Required | object
Text transformations eliminate some of the unusual formatting that attackers
use in web requests in an effort to bypass detection. |
| rules.[].statement.sqliMatchStatement.textTransformations.[].priority
Optional | integer
|
| rules.[].statement.sqliMatchStatement.textTransformations.[].type
Optional | string
|
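A complete WebACL manifest that exercises the sizeConstraintStatement and sqliMatchStatement fields described above, added here as an example and not part of the generated reference. Resource and metric names are constructed, the 8 KB threshold is an assumed application limit, and the fields outside this section (scope, rule priority, visibilityConfig) follow the full WebACL spec.

```yaml
apiVersion: wafv2.services.k8s.aws/v1alpha1
kind: WebACL
metadata:
  name: login-api-acl            # constructed name
spec:
  name: login-api-acl
  scope: REGIONAL                # assumed: the ACL fronts an Application Load Balancer
  description: Reject oversized bodies, then inspect the login form for SQL injection
  defaultAction:
    allow: {}
  rules:
    # Rule 0: this API never legitimately sends more than 8 KB (assumed), so a
    # larger body is blocked instead of being forwarded only partly inspected.
    - name: block-oversized-body
      priority: 0
      action:
        block: {}
      statement:
        sizeConstraintStatement:
          fieldToMatch:
            body:
              # MATCH: a body beyond the inspection limit counts as a match, so
              # the block action still fires even though WAF could not read all
              # of it. CONTINUE or NO_MATCH would let such a request through.
              oversizeHandling: MATCH
          comparisonOperator: GT
          size: 8192
          # At least one transformation is required; NONE keeps the raw byte count.
          textTransformations:
            - priority: 0
              type: NONE
      visibilityConfig:
        sampledRequestsEnabled: true
        cloudWatchMetricsEnabled: true
        metricName: BlockOversizedBody
    # Rule 1: SQLi inspection limited to the two JSON values the form submits,
    # after undoing the encodings that would otherwise hide a payload.
    - name: sqli-login-form
      priority: 1
      action:
        block: {}
      statement:
        sqliMatchStatement:
          fieldToMatch:
            jsonBody:
              matchPattern:
                includedPaths:
                  - /username
                  - /password
              matchScope: VALUE
              # Malformed JSON is treated as a match rather than silently skipped.
              invalidFallbackBehavior: MATCH
              oversizeHandling: MATCH
          sensitivityLevel: HIGH
          textTransformations:
            - priority: 0
              type: URL_DECODE
            - priority: 1
              type: HTML_ENTITY_DECODE
            - priority: 2
              type: LOWERCASE
      visibilityConfig:
        sampledRequestsEnabled: true
        cloudWatchMetricsEnabled: true
        metricName: SqliLoginForm
  visibilityConfig:
    sampledRequestsEnabled: true
    cloudWatchMetricsEnabled: true
    metricName: LoginApiACL
```

Because rule 0 has the lower priority number, an oversized body is rejected before the SQLi rule runs, so the SQLi rule only ever sees bodies WAF can inspect in full.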
| rules.[].statement.xssMatchStatement
Optional | object
A rule statement that inspects for cross-site scripting (XSS) attacks. In
XSS attacks, the attacker uses vulnerabilities in a benign website as a vehicle
to inject malicious client-side scripts into other legitimate web browsers. |
| rules.[].statement.xssMatchStatement.fieldToMatch
Optional | object
Specifies a web request component to be used in a rule match statement or
in a logging configuration.
* In a rule statement, this is the part of the web request that you want
WAF to inspect. Include the single FieldToMatch type that you want to
inspect, with additional specifications as needed, according to the type.
You specify a single request component in FieldToMatch for each rule statement
that requires it. To inspect more than one component of the web request,
create a separate rule statement for each component. Example JSON for
a QueryString field to match: "FieldToMatch": { "QueryString": {} } Example
JSON for a Method field to match specification: "FieldToMatch": { "Method":
{ "Name": "DELETE" } }
* In a logging configuration, this is used in the RedactedFields property
to specify a field to redact from the logging records. For this use case,
note the following: Even though all FieldToMatch settings are available,
the only valid settings for field redaction are UriPath, QueryString,
SingleHeader, and Method. In this documentation, the descriptions of the
individual fields talk about specifying the web request component to inspect,
but for field redaction, you are specifying the component type to redact
from the logs. |
| rules.[].statement.xssMatchStatement.fieldToMatch.allQueryArguments
Optional | object
Inspect all query arguments of the web request.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "AllQueryArguments": {} |
| rules.[].statement.xssMatchStatement.fieldToMatch.body
Optional | object
Inspect the body of the web request. The body immediately follows the request
headers.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification. |
| rules.[].statement.xssMatchStatement.fieldToMatch.body.oversizeHandling
Optional | string
|
| rules.[].statement.xssMatchStatement.fieldToMatch.cookies
Optional | object
Inspect the cookies in the web request. You can specify the parts of the
cookies to inspect and you can narrow the set of cookies to inspect by including
or excluding specific keys.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
Example JSON: "Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY",
"OversizeHandling": "MATCH" } |
| rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchPattern
Optional | object
The filter to use to identify the subset of cookies to inspect in a web request.
You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies.
Example JSON: "MatchPattern": { "IncludedCookies": [ "session-id-time", "session-id"
] } |
| rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: "All": {} |
| rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies
Optional | array
|
| rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchPattern.excludedCookies.[]
Required | string
|
| rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies
Optional | array
|
| rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchPattern.includedCookies.[]
Required | string
|
| rules.[].statement.xssMatchStatement.fieldToMatch.cookies.matchScope
Optional | string
|
| rules.[].statement.xssMatchStatement.fieldToMatch.cookies.oversizeHandling
Optional | string
|
| rules.[].statement.xssMatchStatement.fieldToMatch.headerOrder
Optional | object
Inspect a string containing the list of the request’s header names, ordered
as they appear in the web request that WAF receives for inspection. WAF generates
the string and then uses that as the field to match component in its inspection.
WAF separates the header names in the string using colons and no added spaces,
for example host:user-agent:accept:authorization:referer. |
| rules.[].statement.xssMatchStatement.fieldToMatch.headerOrder.oversizeHandling
Optional | string
|
| rules.[].statement.xssMatchStatement.fieldToMatch.headers
Optional | object
Inspect all headers in the web request. You can specify the parts of the
headers to inspect and you can narrow the set of headers to inspect by including
or excluding specific keys.
This is used to indicate the web request component to inspect, in the FieldToMatch
specification.
If you want to inspect just the value of a single header, use the SingleHeader
FieldToMatch setting instead.
Example JSON: "Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY",
"OversizeHandling": "MATCH" } |
| rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchPattern
Optional | object
The filter to use to identify the subset of headers to inspect in a web request.
You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders.
Example JSON: “MatchPattern”: { “ExcludedHeaders”: [ “KeyToExclude1”, “KeyToExclude2”
] } |
| rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchPattern.all
Optional | object
Inspect all of the elements that WAF has parsed and extracted from the web
request component that you’ve identified in your FieldToMatch specifications.
This is used in the FieldToMatch specification for some web request component
types.
JSON specification: “All”: {} |
| rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders
Optional | array
|
| rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchPattern.excludedHeaders.[]
Required | string
|| rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders
Optional | array
|
| rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchPattern.includedHeaders.[]
Required | string
|| rules.[].statement.xssMatchStatement.fieldToMatch.headers.matchScope
Optional | string
|
| rules.[].statement.xssMatchStatement.fieldToMatch.headers.oversizeHandling
Optional | string
|
rules.[].statement.xssMatchStatement.fieldToMatch.ja3Fingerprint Optional | object Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as an identifier for the client’s TLS configuration: every client using the same TLS stack and settings produces the same value. WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information. You can use this choice only with a string match ByteMatchStatement with the PositionalConstraint set to EXACTLY. You can obtain the JA3 fingerprint for client requests from the web ACL logs. If WAF is able to calculate the fingerprint, it includes it in the logs. For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html) in the WAF Developer Guide. Provide the JA3 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration. |
rules.[].statement.xssMatchStatement.fieldToMatch.ja3Fingerprint.fallbackBehavior Optional | string |
rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody Optional | object Inspect the body of the web request as JSON. The body immediately follows the request headers. This is used to indicate the web request component to inspect, in the FieldToMatch specification. Use the specifications in this object to indicate which parts of the JSON body to inspect using the rule’s inspection criteria. WAF inspects only the parts of the JSON that result from the matches that you indicate. Example JSON: "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": "ALL" } |
rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.invalidFallbackBehavior Optional | string |
rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.matchPattern Optional | object The patterns to look for in the JSON body. WAF inspects the results of these pattern matches against the rule inspection criteria. This is used with the FieldToMatch option JsonBody. |
rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.matchPattern.all Optional | object Inspect all of the elements that WAF has parsed and extracted from the web request component that you’ve identified in your FieldToMatch specifications. This is used in the FieldToMatch specification for some web request component types. JSON specification: "All": {} |
rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths Optional | array |
rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.matchPattern.includedPaths.[] Required | string |
rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.matchScope Optional | string |
rules.[].statement.xssMatchStatement.fieldToMatch.jsonBody.oversizeHandling Optional | string |
rules.[].statement.xssMatchStatement.fieldToMatch.method Optional | object Inspect the HTTP method of the web request. The method indicates the type of operation that the request is asking the origin to perform. This is used in the FieldToMatch specification for some web request component types. JSON specification: "Method": {} |
rules.[].statement.xssMatchStatement.fieldToMatch.queryString Optional | object Inspect the query string of the web request. This is the part of a URL that appears after a ? character, if any. This is used in the FieldToMatch specification for some web request component types. JSON specification: "QueryString": {} |
rules.[].statement.xssMatchStatement.fieldToMatch.singleHeader Optional | object Inspect one of the headers in the web request, identified by name, for example, User-Agent or Referer. The name isn’t case sensitive. You can filter and inspect all headers with the FieldToMatch setting Headers. This is used to indicate the web request component to inspect, in the FieldToMatch specification. Example JSON: "SingleHeader": { "Name": "haystack" } |
rules.[].statement.xssMatchStatement.fieldToMatch.singleHeader.name Optional | string |
rules.[].statement.xssMatchStatement.fieldToMatch.singleQueryArgument Optional | object Inspect one query argument in the web request, identified by name, for example UserName or SalesRegion. The name isn’t case sensitive. This is used to indicate the web request component to inspect, in the FieldToMatch specification. Example JSON: "SingleQueryArgument": { "Name": "myArgument" } |
rules.[].statement.xssMatchStatement.fieldToMatch.singleQueryArgument.name Optional | string |
rules.[].statement.xssMatchStatement.fieldToMatch.uriPath Optional | object Inspect the path component of the URI of the web request. This is the part of the web request that identifies a resource. For example, /images/daily-ad.jpg. This is used in the FieldToMatch specification for some web request component types. JSON specification: "UriPath": {} |
rules.[].statement.xssMatchStatement.textTransformations Optional | array |
rules.[].statement.xssMatchStatement.textTransformations.[] Required | object Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. WAF applies them in ascending priority order before evaluating the match statement. |
rules.[].statement.xssMatchStatement.textTransformations.[].priority Optional | integer |
rules.[].statement.xssMatchStatement.textTransformations.[].type Optional | string |
rules.[].visibilityConfig Optional | object Defines and enables Amazon CloudWatch metrics and web request sample collection. |
rules.[].visibilityConfig.cloudWatchMetricsEnabled Optional | boolean |
rules.[].visibilityConfig.metricName Optional | string |
rules.[].visibilityConfig.sampledRequestsEnabled Optional | boolean |
scope Required | string Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance. To work with CloudFront, you must also specify the Region US East (N. Virginia): with the CLI, specify the Region when you use the CloudFront scope (--scope=CLOUDFRONT --region=us-east-1); with the API and SDKs, use the Region endpoint us-east-1 for all calls. For this controller, that means a CLOUDFRONT web ACL must be reconciled in us-east-1, either through the controller’s configured region or through a services.k8s.aws/region annotation override on the resource. |
tags Optional | array An array of key:value pairs to associate with the resource. |
tags.[] Required | object A tag associated with an Amazon Web Services resource. Tags are key:value pairs that you can use to categorize and manage your resources, for purposes like billing or other management. Typically, the tag key represents a category, such as "environment", and the tag value represents a specific value within that category, such as "test", "development", or "production". Or you might set the tag key to "customer" and the value to the customer name or ID. You can specify one or more tags to add to each Amazon Web Services resource, up to 50 tags for a resource. You can tag the Amazon Web Services resources that you manage through WAF: web ACLs, rule groups, IP sets, and regex pattern sets. You can’t manage or view tags through the WAF console. |
tags.[].key Optional | string |
tags.[].value Optional | string |
tokenDomains Optional | array Specifies the domains that WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When WAF provides a token, it uses the domain of the Amazon Web Services resource that the web ACL is protecting. If you don’t specify a list of token domains, WAF accepts tokens only for the domain of the protected resource. With a token domain list, WAF accepts the resource’s host domain plus all domains in the token domain list, including their prefixed subdomains. Example JSON: "TokenDomains": [ "mywebsite.com", "myotherwebsite.com" ] Public suffixes aren’t allowed. For example, you can’t use gov.au or co.uk as token domains. |
tokenDomains.[] Required | string |
visibilityConfig Required | object Defines and enables Amazon CloudWatch metrics and web request sample collection. |
visibilityConfig.cloudWatchMetricsEnabled Optional | boolean |
visibilityConfig.metricName Optional | string |
visibilityConfig.sampledRequestsEnabled Optional | boolean |
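The following manifest ties the Spec fields above together in one deployable WebACL. It is an added illustration, not a manifest from the wafv2-controller project or its documentation. The object and web ACL names, metric names, the JSON pointer paths, the excluded header names, the token domain and the tag are placeholders; the field names and enum values are the ones this CRD exposes.

```yaml
apiVersion: wafv2.services.k8s.aws/v1alpha1
kind: WebACL
metadata:
  name: api-xss-guard                     # placeholder Kubernetes object name
  namespace: default
spec:
  name: api-xss-guard                     # placeholder WAF web ACL name
  # REGIONAL covers ALB, API Gateway REST, AppSync, Cognito, App Runner and
  # Verified Access. CLOUDFRONT would additionally require the controller (or a
  # services.k8s.aws/region override on this CR) to operate in us-east-1.
  scope: REGIONAL
  description: Block XSS payloads in JSON bodies and request headers
  defaultAction:
    allow: {}                             # a request matching no rule is allowed
  visibilityConfig:
    cloudWatchMetricsEnabled: true
    metricName: apiXssGuard               # placeholder metric name
    sampledRequestsEnabled: true
  # Only consulted when a rule issues CAPTCHA/challenge tokens; shown to
  # illustrate the field. Public suffixes such as co.uk are rejected.
  tokenDomains:
  - example.com                           # placeholder domain
  tags:
  - key: environment
    value: test
  rules:
  - name: block-xss-in-json-body
    priority: 0                           # lower priority value is evaluated first
    action:
      block: {}
    statement:
      xssMatchStatement:
        fieldToMatch:
          jsonBody:
            matchPattern:
              includedPaths:              # placeholder JSON pointer paths
              - /comment
              - /profile/bio
            matchScope: VALUE             # inspect values, not keys
            # Fail closed for a block rule: a body WAF cannot parse as JSON, or
            # one larger than the inspection limit (see associationConfig), is
            # treated as a match rather than silently passed through.
            invalidFallbackBehavior: MATCH
            oversizeHandling: MATCH
        # Applied in ascending priority before the XSS check: undo URL
        # encoding, then HTML entities, then normalise case, so that an
        # encoded "<script>" is still caught.
        textTransformations:
        - priority: 0
          type: URL_DECODE
        - priority: 1
          type: HTML_ENTITY_DECODE
        - priority: 2
          type: LOWERCASE
    visibilityConfig:
      cloudWatchMetricsEnabled: true
      metricName: blockXssInJsonBody      # placeholder metric name
      sampledRequestsEnabled: true
  - name: block-xss-in-headers
    priority: 1
    action:
      block: {}
    statement:
      xssMatchStatement:
        fieldToMatch:
          headers:
            # matchPattern takes exactly one of all, includedHeaders or
            # excludedHeaders; giving two of them is rejected by WAF.
            matchPattern:
              excludedHeaders:            # placeholder names of headers to skip
              - x-request-id
              - x-internal-trace
            matchScope: VALUE
            oversizeHandling: MATCH       # fail closed when headers exceed the limit
        textTransformations:
        - priority: 0
          type: URL_DECODE
        - priority: 1
          type: HTML_ENTITY_DECODE
    visibilityConfig:
      cloudWatchMetricsEnabled: true
      metricName: blockXssInHeaders       # placeholder metric name
      sampledRequestsEnabled: true
```

After `kubectl apply -f webacl.yaml`, wait for the `ACK.ResourceSynced` condition in `status.conditions` to become True; `status.id` and `status.ackResourceMetadata.arn` are then populated and are what you need to associate the web ACL with a load balancer or API, which is a separate step. The two MATCH settings are deliberate: for a blocking rule, CONTINUE or NO_MATCH on oversize or unparseable content means an attacker can bypass inspection simply by padding the request.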
Status
ackResourceMetadata:
arn: string
ownerAccountID: string
region: string
conditions:
- lastTransitionTime: string
message: string
reason: string
status: string
type: string
id: string
lockToken: string
Field | Description |
---|---|
ackResourceMetadata Optional | object All CRs managed by ACK have a common Status.ACKResourceMetadata member that is used to contain resource sync state, account ownership, and the constructed ARN for the resource. |
ackResourceMetadata.arn Optional | string ARN is the Amazon Resource Name for the resource. This is a globally-unique identifier and is set only by the ACK service controller once the controller has orchestrated the creation of the resource OR when it has verified that an “adopted” resource (a resource where the ARN annotation was set by the Kubernetes user on the CR) exists and matches the supplied CR’s Spec field values. https://github.com/aws/aws-controllers-k8s/issues/270 |
ackResourceMetadata.ownerAccountID Required | string OwnerAccountID is the AWS Account ID of the account that owns the backend AWS service API resource. |
ackResourceMetadata.region Required | string Region is the AWS region in which the resource exists or will exist. |
conditions Optional | array All CRs managed by ACK have a common Status.Conditions member that contains a collection of ackv1alpha1.Condition objects that describe the various terminal states of the CR and its backend AWS service API resource. |
conditions.[] Required | object Condition is the common struct used by all CRDs managed by ACK service controllers to indicate terminal states of the CR and its backend AWS service API resource. |
conditions.[].message Optional | string A human readable message indicating details about the transition. |
conditions.[].reason Optional | string The reason for the condition’s last transition. |
conditions.[].status Optional | string Status of the condition, one of True, False, Unknown. |
conditions.[].type Optional | string Type is the type of the Condition |
id Optional | string The unique identifier for the web ACL. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete. |
lockToken Optional | string A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation. |