Module aws_sdk_wafv2::types
source · Expand description
Data structures used by operation inputs/outputs.
Modules§
- Builders
- Error types that AWS WAFV2 can respond with.
Structs§
A single action condition for a
Condition
in a logging filter.The name of a field in the request payload that contains part or all of your customer's primary physical address.
Inspect all of the elements that WAF has parsed and extracted from the web request component that you've identified in your
FieldToMatch
specifications.Inspect all query arguments of the web request.
Specifies that WAF should allow the request and optionally defines additional custom handling for the request.
A logical rule statement used to combine other rule statements with AND logic. You provide more than one
Statement
within theAndStatement
.Information for a single API key.
Specifies custom configurations for the associations between the web ACL and protected resources.
Details for your use of the account creation fraud prevention managed rule group,
AWSManagedRulesACFPRuleSet
. This configuration is used inManagedRuleGroupConfig
.Details for your use of the account takeover prevention managed rule group,
AWSManagedRulesATPRuleSet
. This configuration is used inManagedRuleGroupConfig
.Details for your use of the Bot Control managed rule group,
AWSManagedRulesBotControlRuleSet
. This configuration is used inManagedRuleGroupConfig
.Specifies that WAF should block the request and optionally defines additional custom handling for the response to the web request.
Inspect the body of the web request. The body immediately follows the request headers.
A rule statement that defines a string match search for WAF to apply to web requests. The byte match statement provides the bytes to search for, the location in requests that you want WAF to search, and other settings. The bytes to search for are typically a string that corresponds with ASCII characters. In the WAF console and the developer guide, this is called a string match statement.
Specifies that WAF should run a
CAPTCHA
check against the request:Specifies how WAF should handle
CAPTCHA
evaluations. This is available at the web ACL level and in each rule.The result from the inspection of the web request for a valid
CAPTCHA
token.Specifies that WAF should run a
Challenge
check against the request to verify that the request is coming from a legitimate client session:Specifies how WAF should handle
Challenge
evaluations. This is available at the web ACL level and in each rule.The result from the inspection of the web request for a valid challenge token.
A single match condition for a
Filter
.The filter to use to identify the subset of cookies to inspect in a web request.
Inspect the cookies in the web request. You can specify the parts of the cookies to inspect and you can narrow the set of cookies to inspect by including or excluding specific keys.
Specifies that WAF should count the request. Optionally defines additional custom handling for the request.
A custom header for custom request and response handling. This is used in
CustomResponse
andCustomRequestHandling
.Custom request handling behavior that inserts custom headers into a web request. You can add custom request handling for WAF to use when the rule action doesn't block the request. For example,
CaptchaAction
for requests with valid t okens, andAllowAction
.A custom response to send to the client. You can define a custom response for rule actions and default web ACL actions that are set to
BlockAction
.The response body to use in a custom response to a web request. This is referenced by key from
CustomResponse
CustomResponseBodyKey
.In a
WebACL
, this is the action that you want WAF to perform when a web request doesn't match any of the rules in theWebACL
. The default action must be a terminating action.The name of the field in the request payload that contains your customer's email.
Specifies a single rule in a rule group whose action you want to override to
Count
.Specifies a web request component to be used in a rule match statement or in a logging configuration.
A single logging filter, used in
LoggingFilter
.A rule group that's defined for an Firewall Manager WAF policy.
The processing guidance for an Firewall Manager rule. This is like a regular rule
Statement
, but it can only contain a single rule group reference.The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name.
A rule statement that labels web requests by country and region and that matches against web requests based on country code. A geo match rule labels every request that it inspects regardless of whether it finds a match.
The filter to use to identify the subset of headers to inspect in a web request.
Inspect a string containing the list of the request's header names, ordered as they appear in the web request that WAF receives for inspection. WAF generates the string and then uses that as the field to match component in its inspection. WAF separates the header names in the string using colons and no added spaces, for example
host:user-agent:accept:authorization:referer
.Inspect all headers in the web request. You can specify the parts of the headers to inspect and you can narrow the set of headers to inspect by including or excluding specific keys.
Part of the response from
GetSampledRequests
. This is a complex type that appears asHeaders
in the response syntax.HTTPHeader
contains the names and values of all of the headers that appear in one of the web requests.Part of the response from
GetSampledRequests
. This is a complex type that appears asRequest
in the response syntax.HTTPRequest
contains information about one of the web requests.Used for CAPTCHA and challenge token settings. Determines how long a
CAPTCHA
or challenge timestamp remains valid after WAF updates it for a successfulCAPTCHA
or challenge response.Contains zero or more IP addresses or blocks of IP addresses specified in Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0. For information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name.
A rule statement used to detect web requests coming from particular IP addresses or address ranges. To use this, create an
IPSet
that specifies the addresses you want to detect, then use the ARN of that set in this statement. To create an IP set, seeCreateIPSet
.High-level information about an
IPSet
, returned by operations like create and list. This provides information like the ID, that you can use to retrieve and manage anIPSet
, and the ARN, that you provide to theIPSetReferenceStatement
to use the address set in aRule
.Match against the request's JA3 fingerprint. The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information.
Inspect the body of the web request as JSON. The body immediately follows the request headers.
The patterns to look for in the JSON body. WAF inspects the results of these pattern matches against the rule inspection criteria. This is used with the
FieldToMatch
optionJsonBody
.A single label container. This is used as an element of a label array in multiple contexts, for example, in
RuleLabels
inside aRule
and inLabels
inside aSampledHTTPRequest
.A rule statement to match against labels that have been added to the web request by rules that have already run in the web ACL.
A single label name condition for a
Condition
in a logging filter.List of labels used by one or more of the rules of a
RuleGroup
. This summary object is used for the following rule group lists:Defines an association between logging destinations and a web ACL resource, for logging from WAF. As part of the association, you can specify parts of the standard logging fields to keep out of the logs and you can specify filters so that you log only a subset of the logging records.
Filtering that specifies which web requests are kept in the logs and which are dropped, defined for a web ACL's
LoggingConfiguration
.The properties of a managed product, such as an Amazon Web Services Managed Rules rule group or an Amazon Web Services Marketplace managed rule group.
Additional information that's used by a managed rule group. Many managed rule groups don't require this.
A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names by calling
ListAvailableManagedRuleGroups
.High-level information about a managed rule group, returned by
ListAvailableManagedRuleGroups
. This provides information like the name and vendor name, that you provide when you add aManagedRuleGroupStatement
to a web ACL. Managed rule groups include Amazon Web Services Managed Rules rule groups and Amazon Web Services Marketplace managed rule groups. To use any Amazon Web Services Marketplace managed rule group, first subscribe to the rule group through Amazon Web Services Marketplace.Describes a single version of a managed rule group.
A set of rules that is managed by Amazon Web Services and Amazon Web Services Marketplace sellers to provide versioned managed rule groups for customers of WAF.
High-level information for a managed rule set.
Information for a single version of a managed rule set.
Inspect the HTTP method of the web request. The method indicates the type of operation that the request is asking the origin to perform.
Information for a release of the mobile SDK, including release notes and tags.
Specifies that WAF should do nothing. This is used for the
OverrideAction
setting on aRule
when the rule uses a rule group reference statement.A logical rule statement used to negate the results of another rule statement. You provide one
Statement
within theNotStatement
.A logical rule statement used to combine other rule statements with OR logic. You provide more than one
Statement
within theOrStatement
.The action to use in the place of the action that results from the rule group evaluation. Set the override action to none to leave the result of the rule group alone. Set it to count to override the result to count only.
The name of the field in the request payload that contains your customer's password.
The name of a field in the request payload that contains part or all of your customer's primary phone number.
Inspect the query string of the web request. This is the part of a URL that appears after a
?
character, if any.A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance.
Specifies a single custom aggregate key for a rate-base rule.
The set of IP addresses that are currently blocked for a
RateBasedStatement
. This is only available for rate-based rules that aggregate on just the IP address, with theAggregateKeyType
set toIP
orFORWARDED_IP
.Specifies a cookie as an aggregate key for a rate-based rule. Each distinct value in the cookie contributes to the aggregation instance. If you use a single cookie as your custom key, then each value fully defines an aggregation instance.
Specifies the first IP address in an HTTP header as an aggregate key for a rate-based rule. Each distinct forwarded IP address contributes to the aggregation instance.
Specifies a header as an aggregate key for a rate-based rule. Each distinct value in the header contributes to the aggregation instance. If you use a single header as your custom key, then each value fully defines an aggregation instance.
Specifies the request's HTTP method as an aggregate key for a rate-based rule. Each distinct HTTP method contributes to the aggregation instance. If you use just the HTTP method as your custom key, then each method fully defines an aggregation instance.
Specifies the IP address in the web request as an aggregate key for a rate-based rule. Each distinct IP address contributes to the aggregation instance.
Specifies a label namespace to use as an aggregate key for a rate-based rule. Each distinct fully qualified label name that has the specified label namespace contributes to the aggregation instance. If you use just one label namespace as your custom key, then each label name fully defines an aggregation instance.
Specifies a query argument in the request as an aggregate key for a rate-based rule. Each distinct value for the named query argument contributes to the aggregation instance. If you use a single query argument as your custom key, then each value fully defines an aggregation instance.
Specifies the request's query string as an aggregate key for a rate-based rule. Each distinct string contributes to the aggregation instance. If you use just the query string as your custom key, then each string fully defines an aggregation instance.
Specifies the request's URI path as an aggregate key for a rate-based rule. Each distinct URI path contributes to the aggregation instance. If you use just the URI path as your custom key, then each URI path fully defines an aggregation instance.
A single regular expression. This is used in a
RegexPatternSet
.A rule statement used to search web request components for a match against a single regular expression.
Contains one or more regular expressions.
A rule statement used to search web request components for matches with regular expressions. To use this, create a
RegexPatternSet
that specifies the expressions that you want to detect, then use the ARN of that set in this statement. A web request matches the pattern set rule statement if the request component matches any of the patterns in the set. To create a regex pattern set, seeCreateRegexPatternSet
.High-level information about a
RegexPatternSet
, returned by operations like create and list. This provides information like the ID, that you can use to retrieve and manage aRegexPatternSet
, and the ARN, that you provide to theRegexPatternSetReferenceStatement
to use the pattern set in aRule
.High level information for an SDK release.
Customizes the maximum size of the request body that your protected CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access resources forward to WAF for inspection. The default size is 16 KB (16,384 bytes). You can change the setting for any of the available resource types.
The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage.
The criteria for inspecting account creation requests, used by the ACFP rule group to validate and track account creation attempts.
The criteria for inspecting responses to login requests and account creation requests, used by the ATP and ACFP rule groups to track login and account creation success and failure rates.
Configures inspection of the response body. WAF can inspect the first 65,536 bytes (64 KB) of the response body. This is part of the
ResponseInspection
configuration forAWSManagedRulesATPRuleSet
andAWSManagedRulesACFPRuleSet
.Configures inspection of the response header. This is part of the
ResponseInspection
configuration forAWSManagedRulesATPRuleSet
andAWSManagedRulesACFPRuleSet
.Configures inspection of the response JSON. WAF can inspect the first 65,536 bytes (64 KB) of the response JSON. This is part of the
ResponseInspection
configuration forAWSManagedRulesATPRuleSet
andAWSManagedRulesACFPRuleSet
.Configures inspection of the response status code. This is part of the
ResponseInspection
configuration forAWSManagedRulesATPRuleSet
andAWSManagedRulesACFPRuleSet
.A single rule, which you can use in a
WebACL
orRuleGroup
to identify web requests that you want to manage in some way. Each rule includes one top-levelStatement
that WAF uses to identify matching web requests, and parameters that govern how WAF handles them.The action that WAF should take on a web request when it matches a rule's statement. Settings at the web ACL level can override the rule action setting.
Action setting to use in the place of a rule action that is configured inside the rule group. You specify one override for each rule whose action you want to change.
A rule group defines a collection of rules to inspect and control web requests that you can use in a
WebACL
. When you create a rule group, you define an immutable capacity limit. If you update a rule group, you must stay within the capacity. This allows others to reuse the rule group with confidence in its capacity requirements.A rule statement used to run the rules that are defined in a
RuleGroup
. To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.High-level information about a
RuleGroup
, returned by operations like create and list. This provides information like the ID, that you can use to retrieve and manage aRuleGroup
, and the ARN, that you provide to theRuleGroupReferenceStatement
to use the rule group in aRule
.High-level information about a
Rule
, returned by operations likeDescribeManagedRuleGroup
. This provides information like the ID, that you can use to retrieve and manage aRuleGroup
, and the ARN, that you provide to theRuleGroupReferenceStatement
to use the rule group in aRule
.Represents a single sampled web request. The response from
GetSampledRequests
includes aSampledHTTPRequests
complex type that appears asSampledRequests
in the response syntax.SampledHTTPRequests
contains an array ofSampledHTTPRequest
objects.Inspect one of the headers in the web request, identified by name, for example,
User-Agent
orReferer
. The name isn't case sensitive.Inspect one query argument in the web request, identified by name, for example UserName or SalesRegion. The name isn't case sensitive.
A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.
A rule statement that inspects for malicious SQL code. Attackers insert malicious SQL code into web requests to do things like modify your database or extract data from it.
The processing guidance for a
Rule
, used by WAF to determine whether a web request matches the rule.A tag associated with an Amazon Web Services resource. Tags are key:value pairs that you can use to categorize and manage your resources, for purposes like billing or other management. Typically, the tag key represents a category, such as "environment", and the tag value represents a specific value within that category, such as "test," "development," or "production". Or you might set the tag key to "customer" and the value to the customer name or ID. You can specify one or more tags to add to each Amazon Web Services resource, up to 50 tags for a resource.
The collection of tagging definitions for an Amazon Web Services resource. Tags are key:value pairs that you can use to categorize and manage your resources, for purposes like billing or other management. Typically, the tag key represents a category, such as "environment", and the tag value represents a specific value within that category, such as "test," "development," or "production". Or you might set the tag key to "customer" and the value to the customer name or ID. You can specify one or more tags to add to each Amazon Web Services resource, up to 50 tags for a resource.
Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
In a
GetSampledRequests
request, theStartTime
andEndTime
objects specify the time range for which you want WAF to return a sample of web requests.Inspect the path component of the URI of the web request. This is the part of the web request that identifies a resource. For example,
/images/daily-ad.jpg
.The name of the field in the request payload that contains your customer's username.
A version of the named managed rule group, that the rule group's vendor publishes for use by customers.
Defines and enables Amazon CloudWatch metrics and web request sample collection.
A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has a statement that defines what to look for in web requests and an action that WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types
Rule
,RuleGroup
, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.High-level information about a
WebACL
, returned by operations like create and list. This provides information like the ID, that you can use to retrieve and manage aWebACL
, and the ARN, that you provide to operations likeAssociateWebACL
.A rule statement that inspects for cross-site scripting (XSS) attacks. In XSS attacks, the attacker uses vulnerabilities in a benign website as a vehicle to inject malicious client-site scripts into other legitimate web browsers.
Enums§
- When writing a match expression against
ActionValue
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
AssociatedResourceType
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
BodyParsingFallbackBehavior
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
ComparisonOperator
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
CountryCode
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
FailureReason
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
FallbackBehavior
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
FilterBehavior
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
FilterRequirement
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
ForwardedIpPosition
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
InspectionLevel
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
IpAddressVersion
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
JsonMatchScope
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
LabelMatchScope
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
MapMatchScope
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
OversizeHandling
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
ParameterExceptionField
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
PayloadType
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
Platform
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
PositionalConstraint
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
RateBasedStatementAggregateKeyType
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
ResourceType
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
ResponseContentType
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
Scope
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
SensitivityLevel
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
SizeInspectionLimit
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature. - When writing a match expression against
TextTransformationType
, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.