- 필수 기능
- 시작하기
- Glossary
- 표준 속성
- Guides
- Agent
- 통합
- 개방형텔레메트리
- 개발자
- Administrator's Guide
- API
- Datadog Mobile App
- CoScreen
- Cloudcraft
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- APM
- Continuous Profiler
- 스팬 시각화
- 데이터 스트림 모니터링
- 데이터 작업 모니터링
- 디지털 경험
- 소프트웨어 제공
- 보안
- AI Observability
- 로그 관리
- 관리
account_id
Type: STRING
arn
Type: STRING
Provider name: ARN
Description: The Amazon Resource Name (ARN) of the entity.
available_labels
Type: UNORDERED_LIST_STRUCT
Provider name: AvailableLabels
Description: The labels that one or more rules in this rule group add to matching web requests. These labels are defined in the RuleLabels
for a Rule.
name
STRING
Name
capacity
Type: INT64
Provider name: Capacity
Description: The web ACL capacity units (WCUs) required for this rule group. When you create your own rule group, you define this, and you cannot change it after creation. When you add or modify the rules in a rule group, WAF enforces this limit. You can check the capacity for a set of rules using CheckCapacity. WAF uses WCUs to calculate and control the operating resources that are used to run your rules, rule groups, and web ACLs. WAF calculates capacity differently for each rule type, to reflect the relative cost of each rule. Simple rules that cost little to run use fewer WCUs than more complex rules that use more processing power. Rule group capacity is fixed at creation, which helps users plan their web ACL WCU usage when they use a rule group. For more information, see WAF web ACL capacity units (WCU) in the WAF Developer Guide.
consumed_labels
Type: UNORDERED_LIST_STRUCT
Provider name: ConsumedLabels
Description: The labels that one or more rules in this rule group match against in label match statements. These labels are defined in a LabelMatchStatement
specification, in the Statement definition of a rule.
name
STRING
Name
description
Type: STRING
Provider name: Description
Description: A description of the rule group that helps with identification.
id
Type: STRING
Provider name: Id
Description: A unique identifier for the rule group. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.
label_namespace
Type: STRING
Provider name: LabelNamespace
Description: The label namespace prefix for this rule group. All labels added by rules in this rule group have this prefix.
awswaf:<account ID>:rulegroup:<rule group name>:
<label namespace>:<label from rule>
lock_token
Type: STRING
Provider name: LockToken
Description: A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
name
Type: STRING
Provider name: Name
Description: The name of the rule group. You cannot change the name of a rule group after you create it.
rules
Type: UNORDERED_LIST_STRUCT
Provider name: Rules
Description: The Rule statements used to identify the web requests that you want to manage. Each rule includes one top-level statement that WAF uses to identify matching web requests, and parameters that govern how WAF handles them.
action
STRUCT
Action
RuleGroupReferenceStatement
and ManagedRuleGroupStatement
. You must specify either this Action
setting or the rule OverrideAction
setting, but not both:allow
STRUCT
Allow
custom_request_handling
STRUCT
CustomRequestHandling
insert_headers
UNORDERED_LIST_STRUCT
InsertHeaders
name
STRING
Name
x-amzn-waf-
, to avoid confusion with the headers that are already in the request. For example, for the header name sample
, WAF inserts the header x-amzn-waf-sample
.value
STRING
Value
block
STRUCT
Block
custom_response
STRUCT
CustomResponse
custom_response_body_key
STRING
CustomResponseBodyKey
CustomResponseBodies
setting for the WebACL or RuleGroup where you want to use it. Then, in the rule action or web ACL default action BlockAction
setting, you reference the response body using this key.response_code
INT32
ResponseCode
response_headers
UNORDERED_LIST_STRUCT
ResponseHeaders
content-type
. Duplicate header names are not allowed. For information about the limits on count and size for custom request and response settings, see WAF quotas in the WAF Developer Guide.name
STRING
Name
x-amzn-waf-
, to avoid confusion with the headers that are already in the request. For example, for the header name sample
, WAF inserts the header x-amzn-waf-sample
.value
STRING
Value
captcha
STRUCT
Captcha
CAPTCHA
check against the web request.custom_request_handling
STRUCT
CustomRequestHandling
CAPTCHA
inspection determines that the request’s token is valid and unexpired. For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the WAF Developer Guide.insert_headers
UNORDERED_LIST_STRUCT
InsertHeaders
name
STRING
Name
x-amzn-waf-
, to avoid confusion with the headers that are already in the request. For example, for the header name sample
, WAF inserts the header x-amzn-waf-sample
.value
STRING
Value
challenge
STRUCT
Challenge
Challenge
check against the web request.custom_request_handling
STRUCT
CustomRequestHandling
insert_headers
UNORDERED_LIST_STRUCT
InsertHeaders
name
STRING
Name
x-amzn-waf-
, to avoid confusion with the headers that are already in the request. For example, for the header name sample
, WAF inserts the header x-amzn-waf-sample
.value
STRING
Value
count
STRUCT
Count
custom_request_handling
STRUCT
CustomRequestHandling
insert_headers
UNORDERED_LIST_STRUCT
InsertHeaders
name
STRING
Name
x-amzn-waf-
, to avoid confusion with the headers that are already in the request. For example, for the header name sample
, WAF inserts the header x-amzn-waf-sample
.value
STRING
Value
captcha_config
STRUCT
CaptchaConfig
CAPTCHA
evaluations. If you don’t specify this, WAF uses the CAPTCHA
configuration that’s defined for the web ACL.immunity_time_property
STRUCT
ImmunityTimeProperty
CAPTCHA
timestamp in the token remains valid after the client successfully solves a CAPTCHA
puzzle.immunity_time
INT64
ImmunityTime
CAPTCHA
or challenge timestamp is considered valid by WAF. The default setting is 300. For the Challenge action, the minimum setting is 300.challenge_config
STRUCT
ChallengeConfig
Challenge
evaluations. If you don’t specify this, WAF uses the challenge configuration that’s defined for the web ACL.immunity_time_property
STRUCT
ImmunityTimeProperty
immunity_time
INT64
ImmunityTime
CAPTCHA
or challenge timestamp is considered valid by WAF. The default setting is 300. For the Challenge action, the minimum setting is 300.name
STRING
Name
Rule
after you create it and you want the rule’s metric name to reflect the change, update the metric name in the rule’s VisibilityConfig
settings. WAF doesn’t automatically update the metric name when you update the rule name.override_action
STRUCT
OverrideAction
RuleGroupReferenceStatement
and ManagedRuleGroupStatement
. Count
action, in your rule group reference statement settings.count
STRUCT
Count
Count
action, in your rule group reference statement settings.custom_request_handling
STRUCT
CustomRequestHandling
insert_headers
UNORDERED_LIST_STRUCT
InsertHeaders
name
STRING
Name
x-amzn-waf-
, to avoid confusion with the headers that are already in the request. For example, for the header name sample
, WAF inserts the header x-amzn-waf-sample
.value
STRING
Value
none
STRUCT
None
priority
INT32
Priority
Rule
in a WebACL
, WAF evaluates each request against the Rules
in order based on the value of Priority
. WAF processes rules with lower priority first. The priorities don’t need to be consecutive, but they must all be different.rule_labels
UNORDERED_LIST_STRUCT
RuleLabels
LabelMatchStatement
. For each label, provide a case-sensitive string containing optional namespaces and a label name, according to the following guidelines:aws
, waf
, managed
, rulegroup
, webacl
, regexpatternset
, or ipset
.myLabelName
or nameSpace1:nameSpace2:myLabelName
.name
STRING
Name
statement
STRUCT
Statement
byte_match_statement
STRUCT
ByteMatchStatement
field_to_match
STRUCT
FieldToMatch
all_query_arguments
Type: STRUCT
Provider name: AllQueryArguments
Description: Inspect all query arguments.
body
Type: STRUCT
Provider name: Body
Description: Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to WAF for inspection.
AssociationConfig
, for additional processing fees.Body
object configuration.oversize_handling
STRING
OversizeHandling
AssociationConfig
, for additional processing fees.CONTINUE
- Inspect the available body contents normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.MATCH
or NO_MATCH
settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.CONTINUE
cookies
Type: STRUCT
Provider name: Cookies
Description: Inspect the request cookies. You must configure scope and pattern matching filters in the Cookies
object, to define the set of cookies and the parts of the cookies that WAF inspects. Only the first 8 KB (8192 bytes) of a request’s cookies and only the first 200 cookies are forwarded to WAF for inspection by the underlying host service. You must configure how to handle any oversize cookie content in the Cookies
object. WAF applies the pattern matching filters to the cookies that it receives from the underlying host service.
match_pattern
STRUCT
MatchPattern
All
, IncludedCookies
, or ExcludedCookies
. Example JSON: “MatchPattern”: { “IncludedCookies”: [ “session-id-time”, “session-id” ] }
all
Type: STRUCT
Provider name: All
Description: Inspect all cookies.
excluded_cookies
Type: UNORDERED_LIST_STRING
Provider name: ExcludedCookies
Description: Inspect only the cookies whose keys don’t match any of the strings specified here.
included_cookies
Type: UNORDERED_LIST_STRING
Provider name: IncludedCookies
Description: Inspect only the cookies that have a key that matches one of the strings specified here.
match_scope
STRING
MatchScope
ALL
, WAF inspects both keys and values. All
does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical AND
statement to combine two match rules, one that inspects the keys and another that inspects the values.oversize_handling
STRING
OversizeHandling
CONTINUE
- Inspect the available cookies normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.header_order
Type: STRUCT
Provider name: HeaderOrder
Description: Inspect a string containing the list of the request’s header names, ordered as they appear in the web request that WAF receives for inspection. WAF generates the string and then uses that as the field to match component in its inspection. WAF separates the header names in the string using colons and no added spaces, for example host:user-agent:accept:authorization:referer
.
oversize_handling
STRING
OversizeHandling
CONTINUE
- Inspect the available headers normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.headers
Type: STRUCT
Provider name: Headers
Description: Inspect the request headers. You must configure scope and pattern matching filters in the Headers
object, to define the set of headers to and the parts of the headers that WAF inspects. Only the first 8 KB (8192 bytes) of a request’s headers and only the first 200 headers are forwarded to WAF for inspection by the underlying host service. You must configure how to handle any oversize header content in the Headers
object. WAF applies the pattern matching filters to the headers that it receives from the underlying host service.
match_pattern
STRUCT
MatchPattern
All
, IncludedHeaders
, or ExcludedHeaders
. Example JSON: “MatchPattern”: { “ExcludedHeaders”: [ “KeyToExclude1”, “KeyToExclude2” ] }
all
Type: STRUCT
Provider name: All
Description: Inspect all headers.
excluded_headers
Type: UNORDERED_LIST_STRING
Provider name: ExcludedHeaders
Description: Inspect only the headers whose keys don’t match any of the strings specified here.
included_headers
Type: UNORDERED_LIST_STRING
Provider name: IncludedHeaders
Description: Inspect only the headers that have a key that matches one of the strings specified here.
match_scope
STRING
MatchScope
ALL
, WAF inspects both keys and values. All
does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical AND
statement to combine two match rules, one that inspects the keys and another that inspects the values.oversize_handling
STRING
OversizeHandling
CONTINUE
- Inspect the available headers normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.ja3_fingerprint
Type: STRUCT
Provider name: JA3Fingerprint
Description: Available for use with Amazon CloudFront distributions and Application Load Balancers. Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client’s TLS configuration. WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information. ByteMatchStatement
with the PositionalConstraint
set to EXACTLY
.
fallback_behavior
STRING
FallbackBehavior
MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.json_body
Type: STRUCT
Provider name: JsonBody
Description: Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to WAF for inspection.
AssociationConfig
, for additional processing fees.JsonBody
object configuration.invalid_fallback_behavior
STRING
InvalidFallbackBehavior
EVALUATE_AS_STRING
- Inspect the body as plain text. WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.match_pattern
STRUCT
MatchPattern
all
Type: STRUCT
Provider name: All
Description: Match all of the elements. See also MatchScope
in JsonBody. You must specify either this setting or the IncludedPaths
setting, but not both.
included_paths
Type: UNORDERED_LIST_STRING
Provider name: IncludedPaths
Description: Match only the specified include paths. See also MatchScope
in JsonBody. Provide the include paths using JSON Pointer syntax. For example, “IncludedPaths”: ["/dogs/0/name", “/dogs/1/name”]
. For information about this syntax, see the Internet Engineering Task Force (IETF) documentation JavaScript Object Notation (JSON) Pointer. You must specify either this setting or the All
setting, but not both. All
setting.
match_scope
STRING
MatchScope
MatchPattern
. If you specify ALL
, WAF matches against keys and values. All
does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical AND
statement to combine two match rules, one that inspects the keys and another that inspects the values.oversize_handling
STRING
OversizeHandling
AssociationConfig
, for additional processing fees.CONTINUE
- Inspect the available body contents normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.MATCH
or NO_MATCH
settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.CONTINUE
method
Type: STRUCT
Provider name: Method
Description: Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.
query_string
Type: STRUCT
Provider name: QueryString
Description: Inspect the query string. This is the part of a URL that appears after a ?
character, if any.
single_header
Type: STRUCT
Provider name: SingleHeader
Description: Inspect a single header. Provide the name of the header to inspect, for example, User-Agent
or Referer
. This setting isn’t case sensitive. Example JSON: “SingleHeader”: { “Name”: “haystack” }
Alternately, you can filter and inspect all headers with the Headers
FieldToMatch
setting.
name
STRING
Name
single_query_argument
Type: STRUCT
Provider name: SingleQueryArgument
Description: Inspect a single query argument. Provide the name of the query argument to inspect, such as UserName or SalesRegion. The name can be up to 30 characters long and isn’t case sensitive. Example JSON: “SingleQueryArgument”: { “Name”: “myArgument” }
name
STRING
Name
uri_path
Type: STRUCT
Provider name: UriPath
Description: Inspect the request URI path. This is the part of the web request that identifies a resource, for example, /images/daily-ad.jpg
.
positional_constraint
STRING
PositionalConstraint
SearchString
. Valid values include the following: CONTAINS The specified part of the web request must include the value of SearchString
, but the location doesn’t matter. CONTAINS_WORD The specified part of the web request must include the value of SearchString
, and SearchString
must contain only alphanumeric characters or underscore (A-Z, a-z, 0-9, or ). In addition, SearchString
must be a word, which means that both of the following are true:SearchString
is at the beginning of the specified part of the web request or is preceded by a character other than an alphanumeric character or underscore (;BadBot
.SearchString
is at the end of the specified part of the web request or is followed by a character other than an alphanumeric character or underscore (_), for example, BadBot;
and -BadBot;
.SearchString
. STARTS_WITH The value of SearchString
must appear at the beginning of the specified part of the web request. ENDS_WITH The value of SearchString
must appear at the end of the specified part of the web request.text_transformations
UNORDERED_LIST_STRUCT
TextTransformations
FieldToMatch
request component before inspecting it, and they’re used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.priority
INT32
Priority
type
STRING
Type
geo_match_statement
STRUCT
GeoMatchStatement
CountryCodes
array.ForwardedIPConfig
. If you use the web request origin, the label formats are awswaf:clientip:geo:region:<ISO country code>-<ISO region code>
and awswaf:clientip:geo:country:<ISO country code>
. If you use a forwarded IP address, the label formats are awswaf:forwardedip:geo:region:<ISO country code>-<ISO region code>
and awswaf:forwardedip:geo:country:<ISO country code>
. For additional details, see Geographic match rule statement in the WAF Developer Guide.country_codes
UNORDERED_LIST_STRING
CountryCodes
[ “US”, “CN” ]
, from the alpha-2 country ISO codes of the ISO 3166 international standard. When you use a geo match statement just for the region and country labels that it adds to requests, you still have to supply a country code for the rule to evaluate. In this case, you configure the rule to only count matching requests, but it will still generate logging and count metrics for any matches. You can reduce the logging and metrics that the rule produces by specifying a country that’s unlikely to be a source of traffic to your site.forwarded_ip_config
STRUCT
ForwardedIPConfig
fallback_behavior
STRING
FallbackBehavior
MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.header_name
STRING
HeaderName
X-Forwarded-For
. ip_set_reference_statement
STRUCT
IPSetReferenceStatement
arn
STRING
ARN
ip_set_forwarded_ip_config
STRUCT
IPSetForwardedIPConfig
fallback_behavior
STRING
FallbackBehavior
MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.header_name
STRING
HeaderName
X-Forwarded-For
. position
STRING
Position
10.1.1.1, 127.0.0.0, 10.10.10.10
where the first IP address identifies the original client and the rest identify proxies that the request went through. The options for this setting are the following:label_match_statement
STRUCT
LabelMatchStatement
key
STRING
Key
Scope
setting:Scope
indicates LABEL
, then this specification must include the name and can include any number of preceding namespace specifications and prefix up to providing the fully qualified label name.Scope
indicates NAMESPACE
, then this specification can include any number of contiguous namespace strings, and can include the entire label namespace prefix from the rule group or web ACL where the label originates.NS1:NS2:name
.scope
STRING
Scope
managed_rule_group_statement
STRUCT
ManagedRuleGroupStatement
ManagedRuleGroupStatement
, for example for use inside a NotStatement
or OrStatement
. You cannot use a managed rule group inside another rule group. You can only reference a managed rule group as a top-level statement within a rule that you define in a web ACL. AWSManagedRulesBotControlRuleSet
, the WAF Fraud Control account takeover prevention (ATP) managed rule group AWSManagedRulesATPRuleSet
, or the WAF Fraud Control account creation fraud prevention (ACFP) managed rule group AWSManagedRulesACFPRuleSet
. For more information, see WAF Pricing.excluded_rules
UNORDERED_LIST_STRUCT
ExcludedRules
Count
. RuleActionOverrides
. It accepts any valid action setting, including Count
.name
STRING
Name
Count
.managed_rule_group_configs
UNORDERED_LIST_STRUCT
ManagedRuleGroupConfigs
AWSManagedRulesACFPRuleSet
configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields.AWSManagedRulesATPRuleSet
configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.AWSManagedRulesBotControlRuleSet
configuration object to configure the protection level that you want the Bot Control rule group to use.aws_managed_rules_acfp_rule_set
STRUCT
AWSManagedRulesACFPRuleSet
AWSManagedRulesACFPRuleSet
. Use this to provide account creation request information to the rule group. For web ACLs that protect CloudFront distributions, use this to also provide the information about how your distribution responds to account creation requests. For information about using the ACFP managed rule group, see WAF Fraud Control account creation fraud prevention (ACFP) rule group and WAF Fraud Control account creation fraud prevention (ACFP) in the WAF Developer Guide.creation_path
STRING
CreationPath
POST
requests. For example, for the URL https://example.com/web/newaccount
, you would provide the path /web/newaccount
. Account creation page paths that start with the path that you provide are considered a match. For example /web/newaccount
matches the account creation paths /web/newaccount
, /web/newaccount/
, /web/newaccountPage
, and /web/newaccount/thisPage
, but doesn’t match the path /home/web/newaccount
or /website/newaccount
.enable_regex_in_path
BOOLEAN
EnableRegexInPath
registration_page_path
STRING
RegistrationPagePath
GET
text/html requests. https://example.com/web/registration
, you would provide the path /web/registration
. Registration page paths that start with the path that you provide are considered a match. For example /web/registration
matches the registration paths /web/registration
, /web/registration/
, /web/registrationPage
, and /web/registration/thisPage
, but doesn’t match the path /home/web/registration
or /website/registration
.request_inspection
STRUCT
RequestInspection
address_fields
UNORDERED_LIST_STRUCT
AddressFields
{ “form”: { “primaryaddressline1”: “THE_ADDRESS1”, “primaryaddressline2”: “THE_ADDRESS2”, “primaryaddressline3”: “THE_ADDRESS3” } }
, the address field idenfiers are /form/primaryaddressline1
, /form/primaryaddressline2
, and /form/primaryaddressline3
.primaryaddressline1
, primaryaddressline2
, and primaryaddressline3
, the address fields identifiers are primaryaddressline1
, primaryaddressline2
, and primaryaddressline3
.identifier
STRING
Identifier
{ “form”: { “primaryaddressline1”: “THE_ADDRESS1”, “primaryaddressline2”: “THE_ADDRESS2”, “primaryaddressline3”: “THE_ADDRESS3” } }
, the address field idenfiers are /form/primaryaddressline1
, /form/primaryaddressline2
, and /form/primaryaddressline3
.primaryaddressline1
, primaryaddressline2
, and primaryaddressline3
, the address fields identifiers are primaryaddressline1
, primaryaddressline2
, and primaryaddressline3
.email_field
STRUCT
EmailField
{ “form”: { “email”: “THE_EMAIL” } }
, the email field specification is /form/email
.email1
, the email field specification is email1
.identifier
STRING
Identifier
{ “form”: { “email”: “THE_EMAIL” } }
, the email field specification is /form/email
.email1
, the email field specification is email1
.password_field
STRUCT
PasswordField
{ “form”: { “password”: “THE_PASSWORD” } }
, the password field specification is /form/password
.password1
, the password field specification is password1
.identifier
STRING
Identifier
{ “form”: { “password”: “THE_PASSWORD” } }
, the password field specification is /form/password
.password1
, the password field specification is password1
.payload_type
STRING
PayloadType
phone_number_fields
UNORDERED_LIST_STRUCT
PhoneNumberFields
{ “form”: { “primaryphoneline1”: “THE_PHONE1”, “primaryphoneline2”: “THE_PHONE2”, “primaryphoneline3”: “THE_PHONE3” } }
, the phone number field identifiers are /form/primaryphoneline1
, /form/primaryphoneline2
, and /form/primaryphoneline3
.primaryphoneline1
, primaryphoneline2
, and primaryphoneline3
, the phone number field identifiers are primaryphoneline1
, primaryphoneline2
, and primaryphoneline3
.identifier
STRING
Identifier
{ “form”: { “primaryphoneline1”: “THE_PHONE1”, “primaryphoneline2”: “THE_PHONE2”, “primaryphoneline3”: “THE_PHONE3” } }
, the phone number field identifiers are /form/primaryphoneline1
, /form/primaryphoneline2
, and /form/primaryphoneline3
.primaryphoneline1
, primaryphoneline2
, and primaryphoneline3
, the phone number field identifiers are primaryphoneline1
, primaryphoneline2
, and primaryphoneline3
.username_field
STRUCT
UsernameField
{ “form”: { “username”: “THE_USERNAME” } }
, the username field specification is /form/username
.username1
, the username field specification is username1
identifier
STRING
Identifier
{ “form”: { “username”: “THE_USERNAME” } }
, the username field specification is /form/username
.username1
, the username field specification is username1
response_inspection
STRUCT
ResponseInspection
body_contains
STRUCT
BodyContains
failure_strings
UNORDERED_LIST_STRING
FailureStrings
“FailureStrings”: [ “Request failed” ]
success_strings
UNORDERED_LIST_STRING
SuccessStrings
“SuccessStrings”: [ “Login successful” ]
and “SuccessStrings”: [ “Account creation successful”, “Welcome to our site!” ]
header
STRUCT
Header
failure_values
UNORDERED_LIST_STRING
FailureValues
“FailureValues”: [ “LoginFailed”, “Failed login” ]
and “FailureValues”: [ “AccountCreationFailed” ]
name
STRING
Name
“Name”: [ “RequestResult” ]
success_values
UNORDERED_LIST_STRING
SuccessValues
“SuccessValues”: [ “LoginPassed”, “Successful login” ]
and “SuccessValues”: [ “AccountCreated”, “Successful account creation” ]
json
STRUCT
Json
failure_values
UNORDERED_LIST_STRING
FailureValues
“FailureValues”: [ “False”, “Failed” ]
identifier
STRING
Identifier
“Identifier”: [ “/login/success” ]
and “Identifier”: [ “/sign-up/success” ]
success_values
UNORDERED_LIST_STRING
SuccessValues
“SuccessValues”: [ “True”, “Succeeded” ]
status_code
STRUCT
StatusCode
failure_codes
UNORDERED_LIST_INT32
FailureCodes
“FailureCodes”: [ 400, 404 ]
success_codes
UNORDERED_LIST_INT32
SuccessCodes
“SuccessCodes”: [ 200, 201 ]
aws_managed_rules_atp_rule_set
STRUCT
AWSManagedRulesATPRuleSet
AWSManagedRulesATPRuleSet
. Use this to provide login request information to the rule group. For web ACLs that protect CloudFront distributions, use this to also provide the information about how your distribution responds to login requests. This configuration replaces the individual configuration fields in ManagedRuleGroupConfig
and provides additional feature configuration. For information about using the ATP managed rule group, see WAF Fraud Control account takeover prevention (ATP) rule group and WAF Fraud Control account takeover prevention (ATP) in the WAF Developer Guide.enable_regex_in_path
BOOLEAN
EnableRegexInPath
login_path
STRING
LoginPath
https://example.com/web/login
, you would provide the path /web/login
. Login paths that start with the path that you provide are considered a match. For example /web/login
matches the login paths /web/login
, /web/login/
, /web/loginPage
, and /web/login/thisPage
, but doesn’t match the login path /home/web/login
or /website/login
. The rule group inspects only HTTP POST
requests to your specified login endpoint.request_inspection
STRUCT
RequestInspection
password_field
STRUCT
PasswordField
{ “form”: { “password”: “THE_PASSWORD” } }
, the password field specification is /form/password
.password1
, the password field specification is password1
.identifier
STRING
Identifier
{ “form”: { “password”: “THE_PASSWORD” } }
, the password field specification is /form/password
.password1
, the password field specification is password1
.payload_type
STRING
PayloadType
username_field
STRUCT
UsernameField
{ “form”: { “username”: “THE_USERNAME” } }
, the username field specification is /form/username
.username1
, the username field specification is username1
identifier
STRING
Identifier
{ “form”: { “username”: “THE_USERNAME” } }
, the username field specification is /form/username
.username1
, the username field specification is username1
response_inspection
STRUCT
ResponseInspection
body_contains
STRUCT
BodyContains
failure_strings
UNORDERED_LIST_STRING
FailureStrings
“FailureStrings”: [ “Request failed” ]
success_strings
UNORDERED_LIST_STRING
SuccessStrings
“SuccessStrings”: [ “Login successful” ]
and “SuccessStrings”: [ “Account creation successful”, “Welcome to our site!” ]
header
STRUCT
Header
failure_values
UNORDERED_LIST_STRING
FailureValues
“FailureValues”: [ “LoginFailed”, “Failed login” ]
and “FailureValues”: [ “AccountCreationFailed” ]
name
STRING
Name
“Name”: [ “RequestResult” ]
success_values
UNORDERED_LIST_STRING
SuccessValues
“SuccessValues”: [ “LoginPassed”, “Successful login” ]
and “SuccessValues”: [ “AccountCreated”, “Successful account creation” ]
json
STRUCT
Json
failure_values
UNORDERED_LIST_STRING
FailureValues
“FailureValues”: [ “False”, “Failed” ]
identifier
STRING
Identifier
“Identifier”: [ “/login/success” ]
and “Identifier”: [ “/sign-up/success” ]
success_values
UNORDERED_LIST_STRING
SuccessValues
“SuccessValues”: [ “True”, “Succeeded” ]
status_code
STRUCT
StatusCode
failure_codes
UNORDERED_LIST_INT32
FailureCodes
“FailureCodes”: [ 400, 404 ]
success_codes
UNORDERED_LIST_INT32
SuccessCodes
“SuccessCodes”: [ 200, 201 ]
aws_managed_rules_bot_control_rule_set
STRUCT
AWSManagedRulesBotControlRuleSet
enable_machine_learning
BOOLEAN
EnableMachineLearning
TGT_ML_CoordinatedActivityLow
and TGT_ML_CoordinatedActivityMedium
, which inspect for anomalous behavior that might indicate distributed, coordinated bot activity. For more information about this choice, see the listing for these rules in the table at Bot Control rules listing in the WAF Developer Guide.TRUE
inspection_level
STRING
InspectionLevel
login_path
STRING
LoginPath
AWSManagedRulesATPRuleSet
.password_field
STRUCT
PasswordField
AWSManagedRulesATPRuleSet
or AWSManagedRulesACFPRuleSet
.identifier
STRING
Identifier
{ “form”: { “password”: “THE_PASSWORD” } }
, the password field specification is /form/password
.password1
, the password field specification is password1
.payload_type
STRING
PayloadType
AWSManagedRulesATPRuleSet
or AWSManagedRulesACFPRuleSet
.username_field
STRUCT
UsernameField
AWSManagedRulesATPRuleSet
or AWSManagedRulesACFPRuleSet
.identifier
STRING
Identifier
{ “form”: { “username”: “THE_USERNAME” } }
, the username field specification is /form/username
.username1
, the username field specification is username1
name
STRING
Name
rule_action_overrides
UNORDERED_LIST_STRUCT
RuleActionOverrides
Count
and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.action_to_use
STRUCT
ActionToUse
allow
STRUCT
Allow
custom_request_handling
STRUCT
CustomRequestHandling
insert_headers
UNORDERED_LIST_STRUCT
InsertHeaders
name
STRING
Name
x-amzn-waf-
, to avoid confusion with the headers that are already in the request. For example, for the header name sample
, WAF inserts the header x-amzn-waf-sample
.value
STRING
Value
block
STRUCT
Block
custom_response
STRUCT
CustomResponse
custom_response_body_key
STRING
CustomResponseBodyKey
CustomResponseBodies
setting for the WebACL or RuleGroup where you want to use it. Then, in the rule action or web ACL default action BlockAction
setting, you reference the response body using this key.response_code
INT32
ResponseCode
response_headers
UNORDERED_LIST_STRUCT
ResponseHeaders
content-type
. Duplicate header names are not allowed. For information about the limits on count and size for custom request and response settings, see WAF quotas in the WAF Developer Guide.name
STRING
Name
x-amzn-waf-
, to avoid confusion with the headers that are already in the request. For example, for the header name sample
, WAF inserts the header x-amzn-waf-sample
.value
STRING
Value
captcha
STRUCT
Captcha
CAPTCHA
check against the web request.custom_request_handling
STRUCT
CustomRequestHandling
CAPTCHA
inspection determines that the request’s token is valid and unexpired. For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the WAF Developer Guide.insert_headers
UNORDERED_LIST_STRUCT
InsertHeaders
name
STRING
Name
x-amzn-waf-
, to avoid confusion with the headers that are already in the request. For example, for the header name sample
, WAF inserts the header x-amzn-waf-sample
.value
STRING
Value
challenge
STRUCT
Challenge
Challenge
check against the web request.custom_request_handling
STRUCT
CustomRequestHandling
insert_headers
UNORDERED_LIST_STRUCT
InsertHeaders
name
STRING
Name
x-amzn-waf-
, to avoid confusion with the headers that are already in the request. For example, for the header name sample
, WAF inserts the header x-amzn-waf-sample
.value
STRING
Value
count
STRUCT
Count
custom_request_handling
STRUCT
CustomRequestHandling
insert_headers
UNORDERED_LIST_STRUCT
InsertHeaders
name
STRING
Name
x-amzn-waf-
, to avoid confusion with the headers that are already in the request. For example, for the header name sample
, WAF inserts the header x-amzn-waf-sample
.value
STRING
Value
name
STRING
Name
vendor_name
STRING
VendorName
version
STRING
Version
regex_match_statement
STRUCT
RegexMatchStatement
field_to_match
STRUCT
FieldToMatch
all_query_arguments
Type: STRUCT
Provider name: AllQueryArguments
Description: Inspect all query arguments.
body
Type: STRUCT
Provider name: Body
Description: Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to WAF for inspection.
AssociationConfig
, for additional processing fees.Body
object configuration.oversize_handling
STRING
OversizeHandling
AssociationConfig
, for additional processing fees.CONTINUE
- Inspect the available body contents normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.MATCH
or NO_MATCH
settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.CONTINUE
cookies
Type: STRUCT
Provider name: Cookies
Description: Inspect the request cookies. You must configure scope and pattern matching filters in the Cookies
object, to define the set of cookies and the parts of the cookies that WAF inspects. Only the first 8 KB (8192 bytes) of a request’s cookies and only the first 200 cookies are forwarded to WAF for inspection by the underlying host service. You must configure how to handle any oversize cookie content in the Cookies
object. WAF applies the pattern matching filters to the cookies that it receives from the underlying host service.
match_pattern
STRUCT
MatchPattern
All
, IncludedCookies
, or ExcludedCookies
. Example JSON: “MatchPattern”: { “IncludedCookies”: [ “session-id-time”, “session-id” ] }
all
Type: STRUCT
Provider name: All
Description: Inspect all cookies.
excluded_cookies
Type: UNORDERED_LIST_STRING
Provider name: ExcludedCookies
Description: Inspect only the cookies whose keys don’t match any of the strings specified here.
included_cookies
Type: UNORDERED_LIST_STRING
Provider name: IncludedCookies
Description: Inspect only the cookies that have a key that matches one of the strings specified here.
match_scope
STRING
MatchScope
ALL
, WAF inspects both keys and values. All
does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical AND
statement to combine two match rules, one that inspects the keys and another that inspects the values.oversize_handling
STRING
OversizeHandling
CONTINUE
- Inspect the available cookies normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.header_order
Type: STRUCT
Provider name: HeaderOrder
Description: Inspect a string containing the list of the request’s header names, ordered as they appear in the web request that WAF receives for inspection. WAF generates the string and then uses that as the field to match component in its inspection. WAF separates the header names in the string using colons and no added spaces, for example host:user-agent:accept:authorization:referer
.
oversize_handling
STRING
OversizeHandling
CONTINUE
- Inspect the available headers normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.headers
Type: STRUCT
Provider name: Headers
Description: Inspect the request headers. You must configure scope and pattern matching filters in the Headers
object, to define the set of headers to and the parts of the headers that WAF inspects. Only the first 8 KB (8192 bytes) of a request’s headers and only the first 200 headers are forwarded to WAF for inspection by the underlying host service. You must configure how to handle any oversize header content in the Headers
object. WAF applies the pattern matching filters to the headers that it receives from the underlying host service.
match_pattern
STRUCT
MatchPattern
All
, IncludedHeaders
, or ExcludedHeaders
. Example JSON: “MatchPattern”: { “ExcludedHeaders”: [ “KeyToExclude1”, “KeyToExclude2” ] }
all
Type: STRUCT
Provider name: All
Description: Inspect all headers.
excluded_headers
Type: UNORDERED_LIST_STRING
Provider name: ExcludedHeaders
Description: Inspect only the headers whose keys don’t match any of the strings specified here.
included_headers
Type: UNORDERED_LIST_STRING
Provider name: IncludedHeaders
Description: Inspect only the headers that have a key that matches one of the strings specified here.
match_scope
STRING
MatchScope
ALL
, WAF inspects both keys and values. All
does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical AND
statement to combine two match rules, one that inspects the keys and another that inspects the values.oversize_handling
STRING
OversizeHandling
CONTINUE
- Inspect the available headers normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.ja3_fingerprint
Type: STRUCT
Provider name: JA3Fingerprint
Description: Available for use with Amazon CloudFront distributions and Application Load Balancers. Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client’s TLS configuration. WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information. ByteMatchStatement
with the PositionalConstraint
set to EXACTLY
.
fallback_behavior
STRING
FallbackBehavior
MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.json_body
Type: STRUCT
Provider name: JsonBody
Description: Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to WAF for inspection.
AssociationConfig
, for additional processing fees.JsonBody
object configuration.invalid_fallback_behavior
STRING
InvalidFallbackBehavior
EVALUATE_AS_STRING
- Inspect the body as plain text. WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.match_pattern
STRUCT
MatchPattern
all
Type: STRUCT
Provider name: All
Description: Match all of the elements. See also MatchScope
in JsonBody. You must specify either this setting or the IncludedPaths
setting, but not both.
included_paths
Type: UNORDERED_LIST_STRING
Provider name: IncludedPaths
Description: Match only the specified include paths. See also MatchScope
in JsonBody. Provide the include paths using JSON Pointer syntax. For example, “IncludedPaths”: ["/dogs/0/name", “/dogs/1/name”]
. For information about this syntax, see the Internet Engineering Task Force (IETF) documentation JavaScript Object Notation (JSON) Pointer. You must specify either this setting or the All
setting, but not both. All
setting.
match_scope
STRING
MatchScope
MatchPattern
. If you specify ALL
, WAF matches against keys and values. All
does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical AND
statement to combine two match rules, one that inspects the keys and another that inspects the values.oversize_handling
STRING
OversizeHandling
AssociationConfig
, for additional processing fees.CONTINUE
- Inspect the available body contents normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.MATCH
or NO_MATCH
settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.CONTINUE
method
Type: STRUCT
Provider name: Method
Description: Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.
query_string
Type: STRUCT
Provider name: QueryString
Description: Inspect the query string. This is the part of a URL that appears after a ?
character, if any.
single_header
Type: STRUCT
Provider name: SingleHeader
Description: Inspect a single header. Provide the name of the header to inspect, for example, User-Agent
or Referer
. This setting isn’t case sensitive. Example JSON: “SingleHeader”: { “Name”: “haystack” }
Alternately, you can filter and inspect all headers with the Headers
FieldToMatch
setting.
name
STRING
Name
single_query_argument
Type: STRUCT
Provider name: SingleQueryArgument
Description: Inspect a single query argument. Provide the name of the query argument to inspect, such as UserName or SalesRegion. The name can be up to 30 characters long and isn’t case sensitive. Example JSON: “SingleQueryArgument”: { “Name”: “myArgument” }
name
STRING
Name
uri_path
Type: STRUCT
Provider name: UriPath
Description: Inspect the request URI path. This is the part of the web request that identifies a resource, for example, /images/daily-ad.jpg
.
regex_string
STRING
RegexString
text_transformations
UNORDERED_LIST_STRUCT
TextTransformations
FieldToMatch
request component before inspecting it, and they’re used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.priority
INT32
Priority
type
STRING
Type
regex_pattern_set_reference_statement
STRUCT
RegexPatternSetReferenceStatement
arn
STRING
ARN
field_to_match
STRUCT
FieldToMatch
all_query_arguments
Type: STRUCT
Provider name: AllQueryArguments
Description: Inspect all query arguments.
body
Type: STRUCT
Provider name: Body
Description: Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to WAF for inspection.
AssociationConfig
, for additional processing fees.Body
object configuration.oversize_handling
STRING
OversizeHandling
AssociationConfig
, for additional processing fees.CONTINUE
- Inspect the available body contents normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.MATCH
or NO_MATCH
settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.CONTINUE
cookies
Type: STRUCT
Provider name: Cookies
Description: Inspect the request cookies. You must configure scope and pattern matching filters in the Cookies
object, to define the set of cookies and the parts of the cookies that WAF inspects. Only the first 8 KB (8192 bytes) of a request’s cookies and only the first 200 cookies are forwarded to WAF for inspection by the underlying host service. You must configure how to handle any oversize cookie content in the Cookies
object. WAF applies the pattern matching filters to the cookies that it receives from the underlying host service.
match_pattern
STRUCT
MatchPattern
All
, IncludedCookies
, or ExcludedCookies
. Example JSON: “MatchPattern”: { “IncludedCookies”: [ “session-id-time”, “session-id” ] }
all
Type: STRUCT
Provider name: All
Description: Inspect all cookies.
excluded_cookies
Type: UNORDERED_LIST_STRING
Provider name: ExcludedCookies
Description: Inspect only the cookies whose keys don’t match any of the strings specified here.
included_cookies
Type: UNORDERED_LIST_STRING
Provider name: IncludedCookies
Description: Inspect only the cookies that have a key that matches one of the strings specified here.
match_scope
STRING
MatchScope
ALL
, WAF inspects both keys and values. All
does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical AND
statement to combine two match rules, one that inspects the keys and another that inspects the values.oversize_handling
STRING
OversizeHandling
CONTINUE
- Inspect the available cookies normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.header_order
Type: STRUCT
Provider name: HeaderOrder
Description: Inspect a string containing the list of the request’s header names, ordered as they appear in the web request that WAF receives for inspection. WAF generates the string and then uses that as the field to match component in its inspection. WAF separates the header names in the string using colons and no added spaces, for example host:user-agent:accept:authorization:referer
.
oversize_handling
STRING
OversizeHandling
CONTINUE
- Inspect the available headers normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.headers
Type: STRUCT
Provider name: Headers
Description: Inspect the request headers. You must configure scope and pattern matching filters in the Headers
object, to define the set of headers to and the parts of the headers that WAF inspects. Only the first 8 KB (8192 bytes) of a request’s headers and only the first 200 headers are forwarded to WAF for inspection by the underlying host service. You must configure how to handle any oversize header content in the Headers
object. WAF applies the pattern matching filters to the headers that it receives from the underlying host service.
match_pattern
STRUCT
MatchPattern
All
, IncludedHeaders
, or ExcludedHeaders
. Example JSON: “MatchPattern”: { “ExcludedHeaders”: [ “KeyToExclude1”, “KeyToExclude2” ] }
all
Type: STRUCT
Provider name: All
Description: Inspect all headers.
excluded_headers
Type: UNORDERED_LIST_STRING
Provider name: ExcludedHeaders
Description: Inspect only the headers whose keys don’t match any of the strings specified here.
included_headers
Type: UNORDERED_LIST_STRING
Provider name: IncludedHeaders
Description: Inspect only the headers that have a key that matches one of the strings specified here.
match_scope
STRING
MatchScope
ALL
, WAF inspects both keys and values. All
does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical AND
statement to combine two match rules, one that inspects the keys and another that inspects the values.oversize_handling
STRING
OversizeHandling
CONTINUE
- Inspect the available headers normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.ja3_fingerprint
Type: STRUCT
Provider name: JA3Fingerprint
Description: Available for use with Amazon CloudFront distributions and Application Load Balancers. Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client’s TLS configuration. WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information. ByteMatchStatement
with the PositionalConstraint
set to EXACTLY
.
fallback_behavior
STRING
FallbackBehavior
MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.json_body
Type: STRUCT
Provider name: JsonBody
Description: Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to WAF for inspection.
AssociationConfig
, for additional processing fees.JsonBody
object configuration.invalid_fallback_behavior
STRING
InvalidFallbackBehavior
EVALUATE_AS_STRING
- Inspect the body as plain text. WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.match_pattern
STRUCT
MatchPattern
all
Type: STRUCT
Provider name: All
Description: Match all of the elements. See also MatchScope
in JsonBody. You must specify either this setting or the IncludedPaths
setting, but not both.
included_paths
Type: UNORDERED_LIST_STRING
Provider name: IncludedPaths
Description: Match only the specified include paths. See also MatchScope
in JsonBody. Provide the include paths using JSON Pointer syntax. For example, “IncludedPaths”: ["/dogs/0/name", “/dogs/1/name”]
. For information about this syntax, see the Internet Engineering Task Force (IETF) documentation JavaScript Object Notation (JSON) Pointer. You must specify either this setting or the All
setting, but not both. All
setting.
match_scope
STRING
MatchScope
MatchPattern
. If you specify ALL
, WAF matches against keys and values. All
does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical AND
statement to combine two match rules, one that inspects the keys and another that inspects the values.oversize_handling
STRING
OversizeHandling
AssociationConfig
, for additional processing fees.CONTINUE
- Inspect the available body contents normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.MATCH
or NO_MATCH
settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.CONTINUE
method
Type: STRUCT
Provider name: Method
Description: Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.
query_string
Type: STRUCT
Provider name: QueryString
Description: Inspect the query string. This is the part of a URL that appears after a ?
character, if any.
single_header
Type: STRUCT
Provider name: SingleHeader
Description: Inspect a single header. Provide the name of the header to inspect, for example, User-Agent
or Referer
. This setting isn’t case sensitive. Example JSON: “SingleHeader”: { “Name”: “haystack” }
Alternately, you can filter and inspect all headers with the Headers
FieldToMatch
setting.
name
STRING
Name
single_query_argument
Type: STRUCT
Provider name: SingleQueryArgument
Description: Inspect a single query argument. Provide the name of the query argument to inspect, such as UserName or SalesRegion. The name can be up to 30 characters long and isn’t case sensitive. Example JSON: “SingleQueryArgument”: { “Name”: “myArgument” }
name
STRING
Name
uri_path
Type: STRUCT
Provider name: UriPath
Description: Inspect the request URI path. This is the part of the web request that identifies a resource, for example, /images/daily-ad.jpg
.
text_transformations
UNORDERED_LIST_STRUCT
TextTransformations
FieldToMatch
request component before inspecting it, and they’re used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.priority
INT32
Priority
type
STRING
Type
rule_group_reference_statement
STRUCT
RuleGroupReferenceStatement
RuleGroupReferenceStatement
, for example for use inside a NotStatement
or OrStatement
. You cannot use a rule group reference statement inside another rule group. You can only reference a rule group as a top-level statement within a rule that you define in a web ACL.arn
STRING
ARN
excluded_rules
UNORDERED_LIST_STRUCT
ExcludedRules
Count
. RuleActionOverrides
. It accepts any valid action setting, including Count
.name
STRING
Name
Count
.rule_action_overrides
UNORDERED_LIST_STRUCT
RuleActionOverrides
Count
and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.action_to_use
STRUCT
ActionToUse
allow
STRUCT
Allow
custom_request_handling
STRUCT
CustomRequestHandling
insert_headers
UNORDERED_LIST_STRUCT
InsertHeaders
name
STRING
Name
x-amzn-waf-
, to avoid confusion with the headers that are already in the request. For example, for the header name sample
, WAF inserts the header x-amzn-waf-sample
.value
STRING
Value
block
STRUCT
Block
custom_response
STRUCT
CustomResponse
custom_response_body_key
STRING
CustomResponseBodyKey
CustomResponseBodies
setting for the WebACL or RuleGroup where you want to use it. Then, in the rule action or web ACL default action BlockAction
setting, you reference the response body using this key.response_code
INT32
ResponseCode
response_headers
UNORDERED_LIST_STRUCT
ResponseHeaders
content-type
. Duplicate header names are not allowed. For information about the limits on count and size for custom request and response settings, see WAF quotas in the WAF Developer Guide.name
STRING
Name
x-amzn-waf-
, to avoid confusion with the headers that are already in the request. For example, for the header name sample
, WAF inserts the header x-amzn-waf-sample
.value
STRING
Value
captcha
STRUCT
Captcha
CAPTCHA
check against the web request.custom_request_handling
STRUCT
CustomRequestHandling
CAPTCHA
inspection determines that the request’s token is valid and unexpired. For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the WAF Developer Guide.insert_headers
UNORDERED_LIST_STRUCT
InsertHeaders
name
STRING
Name
x-amzn-waf-
, to avoid confusion with the headers that are already in the request. For example, for the header name sample
, WAF inserts the header x-amzn-waf-sample
.value
STRING
Value
challenge
STRUCT
Challenge
Challenge
check against the web request.custom_request_handling
STRUCT
CustomRequestHandling
insert_headers
UNORDERED_LIST_STRUCT
InsertHeaders
name
STRING
Name
x-amzn-waf-
, to avoid confusion with the headers that are already in the request. For example, for the header name sample
, WAF inserts the header x-amzn-waf-sample
.value
STRING
Value
count
STRUCT
Count
custom_request_handling
STRUCT
CustomRequestHandling
insert_headers
UNORDERED_LIST_STRUCT
InsertHeaders
name
STRING
Name
x-amzn-waf-
, to avoid confusion with the headers that are already in the request. For example, for the header name sample
, WAF inserts the header x-amzn-waf-sample
.value
STRING
Value
name
STRING
Name
size_constraint_statement
STRUCT
SizeConstraintStatement
Body
and JsonBody
settings for the FieldToMatch
data type. If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI /logo.jpg
is nine characters long.comparison_operator
STRING
ComparisonOperator
field_to_match
STRUCT
FieldToMatch
all_query_arguments
Type: STRUCT
Provider name: AllQueryArguments
Description: Inspect all query arguments.
body
Type: STRUCT
Provider name: Body
Description: Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to WAF for inspection.
AssociationConfig
, for additional processing fees.Body
object configuration.oversize_handling
STRING
OversizeHandling
AssociationConfig
, for additional processing fees.CONTINUE
- Inspect the available body contents normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.MATCH
or NO_MATCH
settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.CONTINUE
cookies
Type: STRUCT
Provider name: Cookies
Description: Inspect the request cookies. You must configure scope and pattern matching filters in the Cookies
object, to define the set of cookies and the parts of the cookies that WAF inspects. Only the first 8 KB (8192 bytes) of a request’s cookies and only the first 200 cookies are forwarded to WAF for inspection by the underlying host service. You must configure how to handle any oversize cookie content in the Cookies
object. WAF applies the pattern matching filters to the cookies that it receives from the underlying host service.
match_pattern
STRUCT
MatchPattern
All
, IncludedCookies
, or ExcludedCookies
. Example JSON: “MatchPattern”: { “IncludedCookies”: [ “session-id-time”, “session-id” ] }
all
Type: STRUCT
Provider name: All
Description: Inspect all cookies.
excluded_cookies
Type: UNORDERED_LIST_STRING
Provider name: ExcludedCookies
Description: Inspect only the cookies whose keys don’t match any of the strings specified here.
included_cookies
Type: UNORDERED_LIST_STRING
Provider name: IncludedCookies
Description: Inspect only the cookies that have a key that matches one of the strings specified here.
match_scope
STRING
MatchScope
ALL
, WAF inspects both keys and values. All
does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical AND
statement to combine two match rules, one that inspects the keys and another that inspects the values.oversize_handling
STRING
OversizeHandling
CONTINUE
- Inspect the available cookies normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.header_order
Type: STRUCT
Provider name: HeaderOrder
Description: Inspect a string containing the list of the request’s header names, ordered as they appear in the web request that WAF receives for inspection. WAF generates the string and then uses that as the field to match component in its inspection. WAF separates the header names in the string using colons and no added spaces, for example host:user-agent:accept:authorization:referer
.
oversize_handling
STRING
OversizeHandling
CONTINUE
- Inspect the available headers normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.headers
Type: STRUCT
Provider name: Headers
Description: Inspect the request headers. You must configure scope and pattern matching filters in the Headers
object, to define the set of headers to and the parts of the headers that WAF inspects. Only the first 8 KB (8192 bytes) of a request’s headers and only the first 200 headers are forwarded to WAF for inspection by the underlying host service. You must configure how to handle any oversize header content in the Headers
object. WAF applies the pattern matching filters to the headers that it receives from the underlying host service.
match_pattern
STRUCT
MatchPattern
All
, IncludedHeaders
, or ExcludedHeaders
. Example JSON: “MatchPattern”: { “ExcludedHeaders”: [ “KeyToExclude1”, “KeyToExclude2” ] }
all
Type: STRUCT
Provider name: All
Description: Inspect all headers.
excluded_headers
Type: UNORDERED_LIST_STRING
Provider name: ExcludedHeaders
Description: Inspect only the headers whose keys don’t match any of the strings specified here.
included_headers
Type: UNORDERED_LIST_STRING
Provider name: IncludedHeaders
Description: Inspect only the headers that have a key that matches one of the strings specified here.
match_scope
STRING
MatchScope
ALL
, WAF inspects both keys and values. All
does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical AND
statement to combine two match rules, one that inspects the keys and another that inspects the values.oversize_handling
STRING
OversizeHandling
CONTINUE
- Inspect the available headers normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.ja3_fingerprint
Type: STRUCT
Provider name: JA3Fingerprint
Description: Available for use with Amazon CloudFront distributions and Application Load Balancers. Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client’s TLS configuration. WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information. ByteMatchStatement
with the PositionalConstraint
set to EXACTLY
.
fallback_behavior
STRING
FallbackBehavior
MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.json_body
Type: STRUCT
Provider name: JsonBody
Description: Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to WAF for inspection.
AssociationConfig
, for additional processing fees.JsonBody
object configuration.invalid_fallback_behavior
STRING
InvalidFallbackBehavior
EVALUATE_AS_STRING
- Inspect the body as plain text. WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.match_pattern
STRUCT
MatchPattern
all
Type: STRUCT
Provider name: All
Description: Match all of the elements. See also MatchScope
in JsonBody. You must specify either this setting or the IncludedPaths
setting, but not both.
included_paths
Type: UNORDERED_LIST_STRING
Provider name: IncludedPaths
Description: Match only the specified include paths. See also MatchScope
in JsonBody. Provide the include paths using JSON Pointer syntax. For example, “IncludedPaths”: ["/dogs/0/name", “/dogs/1/name”]
. For information about this syntax, see the Internet Engineering Task Force (IETF) documentation JavaScript Object Notation (JSON) Pointer. You must specify either this setting or the All
setting, but not both. All
setting.
match_scope
STRING
MatchScope
MatchPattern
. If you specify ALL
, WAF matches against keys and values. All
does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical AND
statement to combine two match rules, one that inspects the keys and another that inspects the values.oversize_handling
STRING
OversizeHandling
AssociationConfig
, for additional processing fees.CONTINUE
- Inspect the available body contents normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.MATCH
or NO_MATCH
settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.CONTINUE
method
Type: STRUCT
Provider name: Method
Description: Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.
query_string
Type: STRUCT
Provider name: QueryString
Description: Inspect the query string. This is the part of a URL that appears after a ?
character, if any.
single_header
Type: STRUCT
Provider name: SingleHeader
Description: Inspect a single header. Provide the name of the header to inspect, for example, User-Agent
or Referer
. This setting isn’t case sensitive. Example JSON: “SingleHeader”: { “Name”: “haystack” }
Alternately, you can filter and inspect all headers with the Headers
FieldToMatch
setting.
name
STRING
Name
single_query_argument
Type: STRUCT
Provider name: SingleQueryArgument
Description: Inspect a single query argument. Provide the name of the query argument to inspect, such as UserName or SalesRegion. The name can be up to 30 characters long and isn’t case sensitive. Example JSON: “SingleQueryArgument”: { “Name”: “myArgument” }
name
STRING
Name
uri_path
Type: STRUCT
Provider name: UriPath
Description: Inspect the request URI path. This is the part of the web request that identifies a resource, for example, /images/daily-ad.jpg
.
size
INT64
Size
text_transformations
UNORDERED_LIST_STRUCT
TextTransformations
FieldToMatch
request component before inspecting it, and they’re used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.priority
INT32
Priority
type
STRING
Type
sqli_match_statement
STRUCT
SqliMatchStatement
field_to_match
STRUCT
FieldToMatch
all_query_arguments
Type: STRUCT
Provider name: AllQueryArguments
Description: Inspect all query arguments.
body
Type: STRUCT
Provider name: Body
Description: Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to WAF for inspection.
AssociationConfig
, for additional processing fees.Body
object configuration.oversize_handling
STRING
OversizeHandling
AssociationConfig
, for additional processing fees.CONTINUE
- Inspect the available body contents normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.MATCH
or NO_MATCH
settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.CONTINUE
cookies
Type: STRUCT
Provider name: Cookies
Description: Inspect the request cookies. You must configure scope and pattern matching filters in the Cookies
object, to define the set of cookies and the parts of the cookies that WAF inspects. Only the first 8 KB (8192 bytes) of a request’s cookies and only the first 200 cookies are forwarded to WAF for inspection by the underlying host service. You must configure how to handle any oversize cookie content in the Cookies
object. WAF applies the pattern matching filters to the cookies that it receives from the underlying host service.
match_pattern
STRUCT
MatchPattern
All
, IncludedCookies
, or ExcludedCookies
. Example JSON: “MatchPattern”: { “IncludedCookies”: [ “session-id-time”, “session-id” ] }
all
Type: STRUCT
Provider name: All
Description: Inspect all cookies.
excluded_cookies
Type: UNORDERED_LIST_STRING
Provider name: ExcludedCookies
Description: Inspect only the cookies whose keys don’t match any of the strings specified here.
included_cookies
Type: UNORDERED_LIST_STRING
Provider name: IncludedCookies
Description: Inspect only the cookies that have a key that matches one of the strings specified here.
match_scope
STRING
MatchScope
ALL
, WAF inspects both keys and values. All
does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical AND
statement to combine two match rules, one that inspects the keys and another that inspects the values.oversize_handling
STRING
OversizeHandling
CONTINUE
- Inspect the available cookies normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.header_order
Type: STRUCT
Provider name: HeaderOrder
Description: Inspect a string containing the list of the request’s header names, ordered as they appear in the web request that WAF receives for inspection. WAF generates the string and then uses that as the field to match component in its inspection. WAF separates the header names in the string using colons and no added spaces, for example host:user-agent:accept:authorization:referer
.
oversize_handling
STRING
OversizeHandling
CONTINUE
- Inspect the available headers normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.headers
Type: STRUCT
Provider name: Headers
Description: Inspect the request headers. You must configure scope and pattern matching filters in the Headers
object, to define the set of headers to and the parts of the headers that WAF inspects. Only the first 8 KB (8192 bytes) of a request’s headers and only the first 200 headers are forwarded to WAF for inspection by the underlying host service. You must configure how to handle any oversize header content in the Headers
object. WAF applies the pattern matching filters to the headers that it receives from the underlying host service.
match_pattern
STRUCT
MatchPattern
All
, IncludedHeaders
, or ExcludedHeaders
. Example JSON: “MatchPattern”: { “ExcludedHeaders”: [ “KeyToExclude1”, “KeyToExclude2” ] }
all
Type: STRUCT
Provider name: All
Description: Inspect all headers.
excluded_headers
Type: UNORDERED_LIST_STRING
Provider name: ExcludedHeaders
Description: Inspect only the headers whose keys don’t match any of the strings specified here.
included_headers
Type: UNORDERED_LIST_STRING
Provider name: IncludedHeaders
Description: Inspect only the headers that have a key that matches one of the strings specified here.
match_scope
STRING
MatchScope
ALL
, WAF inspects both keys and values. All
does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical AND
statement to combine two match rules, one that inspects the keys and another that inspects the values.oversize_handling
STRING
OversizeHandling
CONTINUE
- Inspect the available headers normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.ja3_fingerprint
Type: STRUCT
Provider name: JA3Fingerprint
Description: Available for use with Amazon CloudFront distributions and Application Load Balancers. Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client’s TLS configuration. WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information. ByteMatchStatement
with the PositionalConstraint
set to EXACTLY
.
fallback_behavior
STRING
FallbackBehavior
MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.json_body
Type: STRUCT
Provider name: JsonBody
Description: Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to WAF for inspection.
AssociationConfig
, for additional processing fees.JsonBody
object configuration.invalid_fallback_behavior
STRING
InvalidFallbackBehavior
EVALUATE_AS_STRING
- Inspect the body as plain text. WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.match_pattern
STRUCT
MatchPattern
all
Type: STRUCT
Provider name: All
Description: Match all of the elements. See also MatchScope
in JsonBody. You must specify either this setting or the IncludedPaths
setting, but not both.
included_paths
Type: UNORDERED_LIST_STRING
Provider name: IncludedPaths
Description: Match only the specified include paths. See also MatchScope
in JsonBody. Provide the include paths using JSON Pointer syntax. For example, “IncludedPaths”: ["/dogs/0/name", “/dogs/1/name”]
. For information about this syntax, see the Internet Engineering Task Force (IETF) documentation JavaScript Object Notation (JSON) Pointer. You must specify either this setting or the All
setting, but not both. All
setting.
match_scope
STRING
MatchScope
MatchPattern
. If you specify ALL
, WAF matches against keys and values. All
does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical AND
statement to combine two match rules, one that inspects the keys and another that inspects the values.oversize_handling
STRING
OversizeHandling
AssociationConfig
, for additional processing fees.CONTINUE
- Inspect the available body contents normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.MATCH
or NO_MATCH
settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.CONTINUE
method
Type: STRUCT
Provider name: Method
Description: Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.
query_string
Type: STRUCT
Provider name: QueryString
Description: Inspect the query string. This is the part of a URL that appears after a ?
character, if any.
single_header
Type: STRUCT
Provider name: SingleHeader
Description: Inspect a single header. Provide the name of the header to inspect, for example, User-Agent
or Referer
. This setting isn’t case sensitive. Example JSON: “SingleHeader”: { “Name”: “haystack” }
Alternately, you can filter and inspect all headers with the Headers
FieldToMatch
setting.
name
STRING
Name
single_query_argument
Type: STRUCT
Provider name: SingleQueryArgument
Description: Inspect a single query argument. Provide the name of the query argument to inspect, such as UserName or SalesRegion. The name can be up to 30 characters long and isn’t case sensitive. Example JSON: “SingleQueryArgument”: { “Name”: “myArgument” }
name
STRING
Name
uri_path
Type: STRUCT
Provider name: UriPath
Description: Inspect the request URI path. This is the part of the web request that identifies a resource, for example, /images/daily-ad.jpg
.
sensitivity_level
STRING
SensitivityLevel
HIGH
detects more attacks, but might generate more false positives, especially if your web requests frequently contain unusual strings. For information about identifying and mitigating false positives, see Testing and tuning in the WAF Developer Guide. LOW
is generally a better choice for resources that already have other protections against SQL injection attacks or that have a low tolerance for false positives.LOW
text_transformations
UNORDERED_LIST_STRUCT
TextTransformations
FieldToMatch
request component before inspecting it, and they’re used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.priority
INT32
Priority
type
STRING
Type
xss_match_statement
STRUCT
XssMatchStatement
field_to_match
STRUCT
FieldToMatch
all_query_arguments
Type: STRUCT
Provider name: AllQueryArguments
Description: Inspect all query arguments.
body
Type: STRUCT
Provider name: Body
Description: Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to WAF for inspection.
AssociationConfig
, for additional processing fees.Body
object configuration.oversize_handling
STRING
OversizeHandling
AssociationConfig
, for additional processing fees.CONTINUE
- Inspect the available body contents normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.MATCH
or NO_MATCH
settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.CONTINUE
cookies
Type: STRUCT
Provider name: Cookies
Description: Inspect the request cookies. You must configure scope and pattern matching filters in the Cookies
object, to define the set of cookies and the parts of the cookies that WAF inspects. Only the first 8 KB (8192 bytes) of a request’s cookies and only the first 200 cookies are forwarded to WAF for inspection by the underlying host service. You must configure how to handle any oversize cookie content in the Cookies
object. WAF applies the pattern matching filters to the cookies that it receives from the underlying host service.
match_pattern
STRUCT
MatchPattern
All
, IncludedCookies
, or ExcludedCookies
. Example JSON: “MatchPattern”: { “IncludedCookies”: [ “session-id-time”, “session-id” ] }
all
Type: STRUCT
Provider name: All
Description: Inspect all cookies.
excluded_cookies
Type: UNORDERED_LIST_STRING
Provider name: ExcludedCookies
Description: Inspect only the cookies whose keys don’t match any of the strings specified here.
included_cookies
Type: UNORDERED_LIST_STRING
Provider name: IncludedCookies
Description: Inspect only the cookies that have a key that matches one of the strings specified here.
match_scope
STRING
MatchScope
ALL
, WAF inspects both keys and values. All
does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical AND
statement to combine two match rules, one that inspects the keys and another that inspects the values.oversize_handling
STRING
OversizeHandling
CONTINUE
- Inspect the available cookies normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.header_order
Type: STRUCT
Provider name: HeaderOrder
Description: Inspect a string containing the list of the request’s header names, ordered as they appear in the web request that WAF receives for inspection. WAF generates the string and then uses that as the field to match component in its inspection. WAF separates the header names in the string using colons and no added spaces, for example host:user-agent:accept:authorization:referer
.
oversize_handling
STRING
OversizeHandling
CONTINUE
- Inspect the available headers normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.headers
Type: STRUCT
Provider name: Headers
Description: Inspect the request headers. You must configure scope and pattern matching filters in the Headers
object, to define the set of headers to and the parts of the headers that WAF inspects. Only the first 8 KB (8192 bytes) of a request’s headers and only the first 200 headers are forwarded to WAF for inspection by the underlying host service. You must configure how to handle any oversize header content in the Headers
object. WAF applies the pattern matching filters to the headers that it receives from the underlying host service.
match_pattern
STRUCT
MatchPattern
All
, IncludedHeaders
, or ExcludedHeaders
. Example JSON: “MatchPattern”: { “ExcludedHeaders”: [ “KeyToExclude1”, “KeyToExclude2” ] }
all
Type: STRUCT
Provider name: All
Description: Inspect all headers.
excluded_headers
Type: UNORDERED_LIST_STRING
Provider name: ExcludedHeaders
Description: Inspect only the headers whose keys don’t match any of the strings specified here.
included_headers
Type: UNORDERED_LIST_STRING
Provider name: IncludedHeaders
Description: Inspect only the headers that have a key that matches one of the strings specified here.
match_scope
STRING
MatchScope
ALL
, WAF inspects both keys and values. All
does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical AND
statement to combine two match rules, one that inspects the keys and another that inspects the values.oversize_handling
STRING
OversizeHandling
CONTINUE
- Inspect the available headers normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.ja3_fingerprint
Type: STRUCT
Provider name: JA3Fingerprint
Description: Available for use with Amazon CloudFront distributions and Application Load Balancers. Match against the request’s JA3 fingerprint. The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client’s TLS configuration. WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information. ByteMatchStatement
with the PositionalConstraint
set to EXACTLY
.
fallback_behavior
STRING
FallbackBehavior
MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.json_body
Type: STRUCT
Provider name: JsonBody
Description: Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to WAF for inspection.
AssociationConfig
, for additional processing fees.JsonBody
object configuration.invalid_fallback_behavior
STRING
InvalidFallbackBehavior
EVALUATE_AS_STRING
- Inspect the body as plain text. WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.match_pattern
STRUCT
MatchPattern
all
Type: STRUCT
Provider name: All
Description: Match all of the elements. See also MatchScope
in JsonBody. You must specify either this setting or the IncludedPaths
setting, but not both.
included_paths
Type: UNORDERED_LIST_STRING
Provider name: IncludedPaths
Description: Match only the specified include paths. See also MatchScope
in JsonBody. Provide the include paths using JSON Pointer syntax. For example, “IncludedPaths”: ["/dogs/0/name", “/dogs/1/name”]
. For information about this syntax, see the Internet Engineering Task Force (IETF) documentation JavaScript Object Notation (JSON) Pointer. You must specify either this setting or the All
setting, but not both. All
setting.
match_scope
STRING
MatchScope
MatchPattern
. If you specify ALL
, WAF matches against keys and values. All
does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical AND
statement to combine two match rules, one that inspects the keys and another that inspects the values.oversize_handling
STRING
OversizeHandling
AssociationConfig
, for additional processing fees.CONTINUE
- Inspect the available body contents normally, according to the rule inspection criteria.MATCH
- Treat the web request as matching the rule statement. WAF applies the rule action to the request.NO_MATCH
- Treat the web request as not matching the rule statement.MATCH
or NO_MATCH
settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.CONTINUE
method
Type: STRUCT
Provider name: Method
Description: Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.
query_string
Type: STRUCT
Provider name: QueryString
Description: Inspect the query string. This is the part of a URL that appears after a ?
character, if any.
single_header
Type: STRUCT
Provider name: SingleHeader
Description: Inspect a single header. Provide the name of the header to inspect, for example, User-Agent
or Referer
. This setting isn’t case sensitive. Example JSON: “SingleHeader”: { “Name”: “haystack” }
Alternately, you can filter and inspect all headers with the Headers
FieldToMatch
setting.
name
STRING
Name
single_query_argument
Type: STRUCT
Provider name: SingleQueryArgument
Description: Inspect a single query argument. Provide the name of the query argument to inspect, such as UserName or SalesRegion. The name can be up to 30 characters long and isn’t case sensitive. Example JSON: “SingleQueryArgument”: { “Name”: “myArgument” }
name
STRING
Name
uri_path
Type: STRUCT
Provider name: UriPath
Description: Inspect the request URI path. This is the part of the web request that identifies a resource, for example, /images/daily-ad.jpg
.
text_transformations
UNORDERED_LIST_STRUCT
TextTransformations
FieldToMatch
request component before inspecting it, and they’re used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.priority
INT32
Priority
type
STRING
Type
visibility_config
STRUCT
VisibilityConfig
Rule
after you create it and you want the rule’s metric name to reflect the change, update the metric name as well. WAF doesn’t automatically update the metric name.cloud_watch_metrics_enabled
BOOLEAN
CloudWatchMetricsEnabled
metric_name
STRING
MetricName
All
and Default_Action
.sampled_requests_enabled
BOOLEAN
SampledRequestsEnabled
tags
Type: UNORDERED_LIST_STRING
visibility_config
Type: STRUCT
Provider name: VisibilityConfig
Description: Defines and enables Amazon CloudWatch metrics and web request sample collection.
cloud_watch_metrics_enabled
BOOLEAN
CloudWatchMetricsEnabled
metric_name
STRING
MetricName
All
and Default_Action
.sampled_requests_enabled
BOOLEAN
SampledRequestsEnabled