rule set subresource |
A set of rule configurations that contains the conditions. Maximum allowed items are 10 . (Required)
- name
- The name of the rule. (Required)
- priority
- The priority of the rule. Priorities must be assigned in increasing order, starting from 0. (Required)
- visibility-config
- The visibility configuration for the rule. (Required)
- action
- The action to perform if the rule passes. Cannot be set if
override-action is set. Valid values are ALLOW , BLOCK , COUNT , CAPTCHA or CHALLENGE .
- override-action
- The override action to perform if the rule passes. Cannot be set if
action is set. Valid values are NONE or COUNT .
- statement subresource
The statement configuration having the individual conditions.
- and-statement subresource
And statement configuration.
- statement set
- The set of statement resources associated with the AND statement. (Required)
- not-statement subresource
Not statement configuration.
- statement
- The statement resource associated with the NOT statement. (Required)
- or-statement subresource
Or statement configuration.
- statement set
- The set of statement resources associated with the OR statement. Minimum required items are
2 . (Required)
- byte-match-statement subresource
Byte Match statement configuration.
- field-to-match subresource
The field setting to match the condition. (Required)
- match-type
- The field match type. Valid values are
SINGLE_HEADER , SINGLE_QUERY_ARGUMENT , ALL_QUERY_ARGUMENTS , BODY , QUERY_STRING , METHOD , URI_PATH , HEADERS , COOKIES , HEADER_ORDER , JSON_BODY or JA3_FINGERPRINT . (Required)
- name
- The name of the field to match. Only required if
match-type is set to SINGLE_HEADER or SINGLE_QUERY_ARGUMENT .
- body subresource
The body to match.
- oversize-handling
- The oversize handling for the body. Valid values are
MATCH , NO_MATCH or CONTINUE . (Required)
- headers subresource
The headers to match.
- match-pattern subresource
The match pattern for the headers. (Required)
- all
- When set to
true , the pattern will match all headers. Cannot be set if any of included-headers or excluded-headers is set.
- excluded-headers list
- The list of headers to exclude from the pattern. Cannot be set if any of
all or included-headers is set.
- included-headers list
- The list of headers to include in the pattern. Cannot be set if any of
all or excluded-headers is set.
- match-scope
- The match scope for the headers. Valid values are
ALL , KEY or VALUE . (Required)
- oversize-handling
- The oversize handling for the headers. Valid values are
CONTINUE , MATCH or NO_MATCH . (Required)
- cookies subresource
The cookies to match.
- match-pattern subresource
The match pattern for the cookies. (Required)
- all
- When set to
true , the pattern will match all cookies. Cannot be set if any of included-cookies or excluded-cookies is set.
- excluded-cookies list
- The list of cookies to exclude from the pattern. Cannot be set if any of
all or included-cookies is set.
- included-cookies list
- The list of cookies to include in the pattern. Cannot be set if any of
all or excluded-cookies is set.
- match-scope
- The match scope for the cookies. Valid values are
ALL , KEY or VALUE . (Required)
- oversize-handling
- The oversize handling for the cookies. Valid values are
CONTINUE , MATCH or NO_MATCH . (Required)
- header-order subresource
The header order to match.
- oversize-handling
- The oversize handling for the header order. Valid values are
CONTINUE , MATCH or NO_MATCH . (Required)
- json-body subresource
The JSON body to match.
- match-pattern subresource
The match pattern for the body. (Required)
- all
- When set to
true , the pattern will match all paths. Cannot be set if included-paths is set.
- include-paths list
- The list of paths to include in the pattern. Cannot be set if
all is set.
- match-scope
- The match scope for the body. Valid values are
ALL , KEY or VALUE . (Required)
- invalid-fallback-behavior
- The invalid fallback behavior for the body. Valid values are
MATCH , NO_MATCH or EVALUATE_AS_STRING .
- oversize-handling
- The oversize handling for the body. Valid values are
CONTINUE , MATCH or NO_MATCH . (Required)
- ja3-fingerprint subresource
The JA3 fingerprint to match.
- fallback-behavior
- The fallback behavior for the JA3 fingerprint. Valid values are
MATCH or NO_MATCH . (Required)
- positional-constraint
- The positional search type for the search string. Valid values are
EXACTLY , STARTS_WITH , ENDS_WITH , CONTAINS or CONTAINS_WORD . (Required)
- text-transformation set subresource
Text transformation configuration on the data provided before doing the check. Maximum allowed items are 10 .
- priority
- The priority of the text transformation. (Required)
- type
- The type of the text transformation. Valid values are
NONE , COMPRESS_WHITE_SPACE , HTML_ENTITY_DECODE , LOWERCASE , CMD_LINE , URL_DECODE , BASE64_DECODE , HEX_DECODE , MD5 , REPLACE_COMMENTS , ESCAPE_SEQ_DECODE , SQL_HEX_DECODE , CSS_DECODE , JS_DECODE , NORMALIZE_PATH , NORMALIZE_PATH_WIN , REMOVE_NULLS , REPLACE_NULLS , BASE64_DECODE_EXT , URL_DECODE_UNI or UTF8_TO_UNICODE . (Required)
- search-string
- The search string you want AWS WAF to search for in the request. (Required)
- geo-match-statement subresource
Geo statement configuration.
- country-codes set
- A set of 2 character country codes based on ISO 3166 on which to filter the request. (Required)
- ip-set-reference-statement subresource
IP set reference statement configuration.
- ip-set
- The ip set resource to associate with. (Required)
- ip-set-forwarded-ip-config subresource
The forwarded IP configuration for the ip set.
- header-name
- The name of the header to use for the forwarded IP. (Required)
- fallback-behavior
- The fallback behavior for the forwarded IP. Valid values are
MATCH or NO_MATCH . (Required)
- position
- The position of the forwarded IP. Valid values are
FIRST , LAST or ANY . (Required)
- regex-pattern-set-reference-statement subresource
- Regex pattern reference statement configuration.
- regex-match-statement subresource
Regex match statement configuration.
- regex-string
- The regex pattern to match the condition. (Required)
- field-to-match subresource
The field setting to match the condition. (Required)
- match-type
- The field match type. Valid values are
SINGLE_HEADER , SINGLE_QUERY_ARGUMENT , ALL_QUERY_ARGUMENTS , BODY , QUERY_STRING , METHOD , URI_PATH , HEADERS , COOKIES , HEADER_ORDER , JSON_BODY or JA3_FINGERPRINT . (Required)
- name
- The name of the field to match. Only required if
match-type is set to SINGLE_HEADER or SINGLE_QUERY_ARGUMENT .
- body subresource
The body to match.
- oversize-handling
- The oversize handling for the body. Valid values are
MATCH , NO_MATCH or CONTINUE . (Required)
- headers subresource
The headers to match.
- match-pattern subresource
The match pattern for the headers. (Required)
- all
- When set to
true , the pattern will match all headers. Cannot be set if any of included-headers or excluded-headers is set.
- excluded-headers list
- The list of headers to exclude from the pattern. Cannot be set if any of
all or included-headers is set.
- included-headers list
- The list of headers to include in the pattern. Cannot be set if any of
all or excluded-headers is set.
- match-scope
- The match scope for the headers. Valid values are
ALL , KEY or VALUE . (Required)
- oversize-handling
- The oversize handling for the headers. Valid values are
CONTINUE , MATCH or NO_MATCH . (Required)
- cookies subresource
The cookies to match.
- match-pattern subresource
The match pattern for the cookies. (Required)
- all
- When set to
true , the pattern will match all cookies. Cannot be set if any of included-cookies or excluded-cookies is set.
- excluded-cookies list
- The list of cookies to exclude from the pattern. Cannot be set if any of
all or included-cookies is set.
- included-cookies list
- The list of cookies to include in the pattern. Cannot be set if any of
all or excluded-cookies is set.
- match-scope
- The match scope for the cookies. Valid values are
ALL , KEY or VALUE . (Required)
- oversize-handling
- The oversize handling for the cookies. Valid values are
CONTINUE , MATCH or NO_MATCH . (Required)
- header-order subresource
The header order to match.
- oversize-handling
- The oversize handling for the header order. Valid values are
CONTINUE , MATCH or NO_MATCH . (Required)
- json-body subresource
The JSON body to match.
- match-pattern subresource
The match pattern for the body. (Required)
- all
- When set to
true , the pattern will match all paths. Cannot be set if included-paths is set.
- include-paths list
- The list of paths to include in the pattern. Cannot be set if
all is set.
- match-scope
- The match scope for the body. Valid values are
ALL , KEY or VALUE . (Required)
- invalid-fallback-behavior
- The invalid fallback behavior for the body. Valid values are
MATCH , NO_MATCH or EVALUATE_AS_STRING .
- oversize-handling
- The oversize handling for the body. Valid values are
CONTINUE , MATCH or NO_MATCH . (Required)
- ja3-fingerprint subresource
The JA3 fingerprint to match.
- fallback-behavior
- The fallback behavior for the JA3 fingerprint. Valid values are
MATCH or NO_MATCH . (Required)
- text-transformation set subresource
Text transformation configuration on the data provided before doing the check. Maximum allowed items are 10 .
- priority
- The priority of the text transformation. (Required)
- type
- The type of the text transformation. Valid values are
NONE , COMPRESS_WHITE_SPACE , HTML_ENTITY_DECODE , LOWERCASE , CMD_LINE , URL_DECODE , BASE64_DECODE , HEX_DECODE , MD5 , REPLACE_COMMENTS , ESCAPE_SEQ_DECODE , SQL_HEX_DECODE , CSS_DECODE , JS_DECODE , NORMALIZE_PATH , NORMALIZE_PATH_WIN , REMOVE_NULLS , REPLACE_NULLS , BASE64_DECODE_EXT , URL_DECODE_UNI or UTF8_TO_UNICODE . (Required)
- size-constraint-statement subresource
Size constraint statement configuration.
- field-to-match subresource
The field setting to match the condition. (Required)
- match-type
- The field match type. Valid values are
SINGLE_HEADER , SINGLE_QUERY_ARGUMENT , ALL_QUERY_ARGUMENTS , BODY , QUERY_STRING , METHOD , URI_PATH , HEADERS , COOKIES , HEADER_ORDER , JSON_BODY or JA3_FINGERPRINT . (Required)
- name
- The name of the field to match. Only required if
match-type is set to SINGLE_HEADER or SINGLE_QUERY_ARGUMENT .
- body subresource
The body to match.
- oversize-handling
- The oversize handling for the body. Valid values are
MATCH , NO_MATCH or CONTINUE . (Required)
- headers subresource
The headers to match.
- match-pattern subresource
The match pattern for the headers. (Required)
- all
- When set to
true , the pattern will match all headers. Cannot be set if any of included-headers or excluded-headers is set.
- excluded-headers list
- The list of headers to exclude from the pattern. Cannot be set if any of
all or included-headers is set.
- included-headers list
- The list of headers to include in the pattern. Cannot be set if any of
all or excluded-headers is set.
- match-scope
- The match scope for the headers. Valid values are
ALL , KEY or VALUE . (Required)
- oversize-handling
- The oversize handling for the headers. Valid values are
CONTINUE , MATCH or NO_MATCH . (Required)
- cookies subresource
The cookies to match.
- match-pattern subresource
The match pattern for the cookies. (Required)
- all
- When set to
true , the pattern will match all cookies. Cannot be set if any of included-cookies or excluded-cookies is set.
- excluded-cookies list
- The list of cookies to exclude from the pattern. Cannot be set if any of
all or included-cookies is set.
- included-cookies list
- The list of cookies to include in the pattern. Cannot be set if any of
all or excluded-cookies is set.
- match-scope
- The match scope for the cookies. Valid values are
ALL , KEY or VALUE . (Required)
- oversize-handling
- The oversize handling for the cookies. Valid values are
CONTINUE , MATCH or NO_MATCH . (Required)
- header-order subresource
The header order to match.
- oversize-handling
- The oversize handling for the header order. Valid values are
CONTINUE , MATCH or NO_MATCH . (Required)
- json-body subresource
The JSON body to match.
- match-pattern subresource
The match pattern for the body. (Required)
- all
- When set to
true , the pattern will match all paths. Cannot be set if included-paths is set.
- include-paths list
- The list of paths to include in the pattern. Cannot be set if
all is set.
- match-scope
- The match scope for the body. Valid values are
ALL , KEY or VALUE . (Required)
- invalid-fallback-behavior
- The invalid fallback behavior for the body. Valid values are
MATCH , NO_MATCH or EVALUATE_AS_STRING .
- oversize-handling
- The oversize handling for the body. Valid values are
CONTINUE , MATCH or NO_MATCH . (Required)
- ja3-fingerprint subresource
The JA3 fingerprint to match.
- fallback-behavior
- The fallback behavior for the JA3 fingerprint. Valid values are
MATCH or NO_MATCH . (Required)
- comparison-operator
- The comparison operator for the size specified. Valid values are
EQ , NE , LE , LT , GE or GT . (Required)
- text-transformation set subresource
Text transformation configuration on the data provided before doing the check. Maximum allowed items are 10 .
- priority
- The priority of the text transformation. (Required)
- type
- The type of the text transformation. Valid values are
NONE , COMPRESS_WHITE_SPACE , HTML_ENTITY_DECODE , LOWERCASE , CMD_LINE , URL_DECODE , BASE64_DECODE , HEX_DECODE , MD5 , REPLACE_COMMENTS , ESCAPE_SEQ_DECODE , SQL_HEX_DECODE , CSS_DECODE , JS_DECODE , NORMALIZE_PATH , NORMALIZE_PATH_WIN , REMOVE_NULLS , REPLACE_NULLS , BASE64_DECODE_EXT , URL_DECODE_UNI or UTF8_TO_UNICODE . (Required)
- size
- The size in bytes for the constraint to work on. (Required)
- sqli-match-statement subresource
- SQL injection statement configuration.
- xss-match-statement subresource
XSS match statement configuration.
- field-to-match subresource
The field setting to match the condition. (Required)
- match-type
- The field match type. Valid values are
SINGLE_HEADER , SINGLE_QUERY_ARGUMENT , ALL_QUERY_ARGUMENTS , BODY , QUERY_STRING , METHOD , URI_PATH , HEADERS , COOKIES , HEADER_ORDER , JSON_BODY or JA3_FINGERPRINT . (Required)
- name
- The name of the field to match. Only required if
match-type is set to SINGLE_HEADER or SINGLE_QUERY_ARGUMENT .
- body subresource
The body to match.
- oversize-handling
- The oversize handling for the body. Valid values are
MATCH , NO_MATCH or CONTINUE . (Required)
- headers subresource
The headers to match.
- match-pattern subresource
The match pattern for the headers. (Required)
- all
- When set to
true , the pattern will match all headers. Cannot be set if any of included-headers or excluded-headers is set.
- excluded-headers list
- The list of headers to exclude from the pattern. Cannot be set if any of
all or included-headers is set.
- included-headers list
- The list of headers to include in the pattern. Cannot be set if any of
all or excluded-headers is set.
- match-scope
- The match scope for the headers. Valid values are
ALL , KEY or VALUE . (Required)
- oversize-handling
- The oversize handling for the headers. Valid values are
CONTINUE , MATCH or NO_MATCH . (Required)
- cookies subresource
The cookies to match.
- match-pattern subresource
The match pattern for the cookies. (Required)
- all
- When set to
true , the pattern will match all cookies. Cannot be set if any of included-cookies or excluded-cookies is set.
- excluded-cookies list
- The list of cookies to exclude from the pattern. Cannot be set if any of
all or included-cookies is set.
- included-cookies list
- The list of cookies to include in the pattern. Cannot be set if any of
all or excluded-cookies is set.
- match-scope
- The match scope for the cookies. Valid values are
ALL , KEY or VALUE . (Required)
- oversize-handling
- The oversize handling for the cookies. Valid values are
CONTINUE , MATCH or NO_MATCH . (Required)
- header-order subresource
The header order to match.
- oversize-handling
- The oversize handling for the header order. Valid values are
CONTINUE , MATCH or NO_MATCH . (Required)
- json-body subresource
The JSON body to match.
- match-pattern subresource
The match pattern for the body. (Required)
- all
- When set to
true , the pattern will match all paths. Cannot be set if included-paths is set.
- include-paths list
- The list of paths to include in the pattern. Cannot be set if
all is set.
- match-scope
- The match scope for the body. Valid values are
ALL , KEY or VALUE . (Required)
- invalid-fallback-behavior
- The invalid fallback behavior for the body. Valid values are
MATCH , NO_MATCH or EVALUATE_AS_STRING .
- oversize-handling
- The oversize handling for the body. Valid values are
CONTINUE , MATCH or NO_MATCH . (Required)
- ja3-fingerprint subresource
The JA3 fingerprint to match.
- fallback-behavior
- The fallback behavior for the JA3 fingerprint. Valid values are
MATCH or NO_MATCH . (Required)
- text-transformation set subresource
Text transformation configuration on the data provided before doing the check. Maximum allowed items are 10 .
- priority
- The priority of the text transformation. (Required)
- type
- The type of the text transformation. Valid values are
NONE , COMPRESS_WHITE_SPACE , HTML_ENTITY_DECODE , LOWERCASE , CMD_LINE , URL_DECODE , BASE64_DECODE , HEX_DECODE , MD5 , REPLACE_COMMENTS , ESCAPE_SEQ_DECODE , SQL_HEX_DECODE , CSS_DECODE , JS_DECODE , NORMALIZE_PATH , NORMALIZE_PATH_WIN , REMOVE_NULLS , REPLACE_NULLS , BASE64_DECODE_EXT , URL_DECODE_UNI or UTF8_TO_UNICODE . (Required)
- label-match-statement subresource
Label match statement configuration.
- scope
- The part of the web request that you want AWS WAF to inspect. Valid values are
LABEL or NAMESPACE . (Required)
- key
- The value that you want AWS WAF to search for. (Required)
- rate-based-statement subresource
Rate based statement configuration.
- aggregate-key-type
- The aggregate key type for the rate based statement. Defaults to
IP . Valid values are IP , FORWARDED_IP , CONSTANT or CUSTOM_KEYS .
- limit
- The rate limit for the rate based statement. Minimum allowed value is
100 . (Required)
- scope-down-statement
- The statement resource associated with the rate based statement.
- custom-keys set subresource
The list of custom key configs for the rate based statement. Maximum allowed items are 5 .
- header subresource
The header to use for the rate limit.
- name
- The name of the header to use for the rate limit.
- text-transformation set subresource
The text transformations to apply to the header before using it for the rate limit.
- priority
- The priority of the text transformation. (Required)
- type
- The type of the text transformation. Valid values are
NONE , COMPRESS_WHITE_SPACE , HTML_ENTITY_DECODE , LOWERCASE , CMD_LINE , URL_DECODE , BASE64_DECODE , HEX_DECODE , MD5 , REPLACE_COMMENTS , ESCAPE_SEQ_DECODE , SQL_HEX_DECODE , CSS_DECODE , JS_DECODE , NORMALIZE_PATH , NORMALIZE_PATH_WIN , REMOVE_NULLS , REPLACE_NULLS , BASE64_DECODE_EXT , URL_DECODE_UNI or UTF8_TO_UNICODE . (Required)
- cookie subresource
The cookie to use for the rate limit.
- name
- The name of the cookie to use for the rate limit.
- text-transformation set subresource
The text transformations to apply to the cookie before using it for the rate limit.
- priority
- The priority of the text transformation. (Required)
- type
- The type of the text transformation. Valid values are
NONE , COMPRESS_WHITE_SPACE , HTML_ENTITY_DECODE , LOWERCASE , CMD_LINE , URL_DECODE , BASE64_DECODE , HEX_DECODE , MD5 , REPLACE_COMMENTS , ESCAPE_SEQ_DECODE , SQL_HEX_DECODE , CSS_DECODE , JS_DECODE , NORMALIZE_PATH , NORMALIZE_PATH_WIN , REMOVE_NULLS , REPLACE_NULLS , BASE64_DECODE_EXT , URL_DECODE_UNI or UTF8_TO_UNICODE . (Required)
- query-string subresource
The query string to use for the rate limit.
- text-transformation set subresource
The text transformations to apply to the query string before using it for the rate limit.
- priority
- The priority of the text transformation. (Required)
- type
- The type of the text transformation. Valid values are
NONE , COMPRESS_WHITE_SPACE , HTML_ENTITY_DECODE , LOWERCASE , CMD_LINE , URL_DECODE , BASE64_DECODE , HEX_DECODE , MD5 , REPLACE_COMMENTS , ESCAPE_SEQ_DECODE , SQL_HEX_DECODE , CSS_DECODE , JS_DECODE , NORMALIZE_PATH , NORMALIZE_PATH_WIN , REMOVE_NULLS , REPLACE_NULLS , BASE64_DECODE_EXT , URL_DECODE_UNI or UTF8_TO_UNICODE . (Required)
- query-argument subresource
The query argument to use for the rate limit.
- name
- The name of the query argument to use for the rate limit.
- text-transformation set subresource
The text transformations to apply to the query argument before using it for the rate limit.
- priority
- The priority of the text transformation. (Required)
- type
- The type of the text transformation. Valid values are
NONE , COMPRESS_WHITE_SPACE , HTML_ENTITY_DECODE , LOWERCASE , CMD_LINE , URL_DECODE , BASE64_DECODE , HEX_DECODE , MD5 , REPLACE_COMMENTS , ESCAPE_SEQ_DECODE , SQL_HEX_DECODE , CSS_DECODE , JS_DECODE , NORMALIZE_PATH , NORMALIZE_PATH_WIN , REMOVE_NULLS , REPLACE_NULLS , BASE64_DECODE_EXT , URL_DECODE_UNI or UTF8_TO_UNICODE . (Required)
- http-method subresource
- The HTTP method to use for the rate limit.
- ip subresource
- The IP to use for the rate limit.
- label-namespace subresource
The label namespace to use for the rate limit.
- namespace
- The namespace to use for the rate limit. Must be a string of 1 to 1024 characters and ends with a colon (:). The string can contain only alphanumeric characters (A-Z, a-z, 0-9), hyphen (-), underscore (_), and colon (:). The string cannot start with a colon (:). Valid values satisfy the regex:
^(?!:)(?:[A-Za-z0-9_-]+:){1,1023}$ .
- uri-path subresource
The URI path to use for the rate limit.
- text-transformation set subresource
The text transformations to apply to the URI path before using it for the rate limit.
- priority
- The priority of the text transformation. (Required)
- type
- The type of the text transformation. Valid values are
NONE , COMPRESS_WHITE_SPACE , HTML_ENTITY_DECODE , LOWERCASE , CMD_LINE , URL_DECODE , BASE64_DECODE , HEX_DECODE , MD5 , REPLACE_COMMENTS , ESCAPE_SEQ_DECODE , SQL_HEX_DECODE , CSS_DECODE , JS_DECODE , NORMALIZE_PATH , NORMALIZE_PATH_WIN , REMOVE_NULLS , REPLACE_NULLS , BASE64_DECODE_EXT , URL_DECODE_UNI or UTF8_TO_UNICODE . (Required)
- forwarded-ip subresource
- The forwarded IP to use for the rate limit.
- forwarded-ip-config subresource
The forwarded IP configuration for the rate based statement.
- fallback-behavior
- The fallback behavior for the rate limit. Valid values are
MATCH or NO_MATCH . (Required)
- header-name
- The name of the HTTP header to be used for the IP address. (Required)
- evaluation-window
- The evaluation window in seconds for the rate based statement. Defaults to
300 . Valid values are 60.0 , 120.0 , 300.0 or 600.0 .
- managed-rule-group-statement subresource
Managed rule group statement configuration.
- excluded-rules set
- A set of rule names to be excluded that are part of the associated managed rule group.
- name
- The name of the managed rule group. (Required)
- vendor-name
- The vendor name of the managed rule group. (Required)
- rule-group-reference-statement subresource
Rule group reference statement configuration.
- rule-group
- The rule group resource to reference. (Required)
- excluded-rules set
- A set of rule names to be excluded that are part of the referenced rule group resource.
- custom-request-handling subresource
The custom request handling configuration for the rule.
- insert-headers map
- A list of custom request handling actions to be inserted into the request header. (Required)
- captcha-config subresource
The captcha configuration for the rule.
- immunity-time
- The time in seconds that the client should be immune to captcha after failing the challenge. Minimum allowed value is
60 . (Required)
- challenge-config subresource
The challenge configuration for the rule.
- immunity-time
- The time in seconds that the client should be immune to challenge after failing the challenge. Minimum allowed value is
300 . (Required)
- custom-response subresource
The custom response configuration for the rule.
- custom-response-body-key
- The custom response body key.
- response-code
- The HTTP status code to define custom set of rules. (Required)
- response-headers map
- A list of custom response headers.
- action-labels set
- The action labels for the rule. The string containing the label name and optional prefix and namespaces.
|
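A lint for the rule-level and rate-based constraints listed above, as an added example that is not part of the original reference or the tool's own code. It assumes the rules have been loaded into plain Python dicts keyed by the field names on this page (the dict layout, the function names and the sample rules are constructed for illustration), and it reads "increasing order starting from 0" as: first priority 0, strictly increasing after that.

```python
import re

# Limits and enumerations taken from the field reference on this page.
ACTIONS = {"ALLOW", "BLOCK", "COUNT", "CAPTCHA", "CHALLENGE"}
OVERRIDE_ACTIONS = {"NONE", "COUNT"}
AGGREGATE_KEY_TYPES = {"IP", "FORWARDED_IP", "CONSTANT", "CUSTOM_KEYS"}
EVALUATION_WINDOWS = {60, 120, 300, 600}
NAMESPACE_RE = re.compile(r"^(?!:)(?:[A-Za-z0-9_-]+:){1,1023}$")

def check_rate_based(stmt, where):
    """Validate one rate-based-statement dict against the documented limits."""
    errors = []
    limit = stmt.get("limit")
    if limit is None:
        errors.append(f"{where}: limit is required")
    elif limit < 100:
        errors.append(f"{where}: limit {limit} is below the minimum of 100")
    if stmt.get("aggregate-key-type", "IP") not in AGGREGATE_KEY_TYPES:
        errors.append(f"{where}: invalid aggregate-key-type")
    if stmt.get("evaluation-window", 300) not in EVALUATION_WINDOWS:
        errors.append(f"{where}: evaluation-window must be 60, 120, 300 or 600")
    keys = stmt.get("custom-keys", [])
    if len(keys) > 5:
        errors.append(f"{where}: more than 5 custom-keys")
    for key in keys:
        ns = key.get("label-namespace", {}).get("namespace")
        if ns is not None and not (len(ns) <= 1024 and NAMESPACE_RE.match(ns)):
            errors.append(f"{where}: invalid label namespace {ns!r}")
    return errors

def walk(node, where):
    """Recurse through nested statements (assumed layout: dicts and lists)."""
    errors = []
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{where}.{key}"
            if key == "rate-based-statement":
                errors += check_rate_based(value, path)
            if key == "or-statement" and len(value.get("statement", [])) < 2:
                errors.append(f"{path}: needs at least 2 statements")
            errors += walk(value, path)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            errors += walk(item, f"{where}[{i}]")
    return errors

def validate_rules(rules):
    """Return a list of human-readable violations for a rule set."""
    errors = ["rule set: more than 10 rules"] if len(rules) > 10 else []
    previous = None
    for i, rule in enumerate(rules):
        where = f"rule[{i}]"
        for field in ("name", "priority", "visibility-config"):
            if field not in rule:
                errors.append(f"{where}: {field} is required")
        priority = rule.get("priority")
        if priority is not None:
            ok = priority == 0 if previous is None else priority > previous
            if not ok:
                errors.append(f"{where}: priority {priority} breaks increasing order from 0")
            previous = priority
        action, override = rule.get("action"), rule.get("override-action")
        if action is not None and override is not None:
            errors.append(f"{where}: action and override-action are mutually exclusive")
        if action is not None and action not in ACTIONS:
            errors.append(f"{where}: invalid action {action!r}")
        if override is not None and override not in OVERRIDE_ACTIONS:
            errors.append(f"{where}: invalid override-action {override!r}")
        errors += walk(rule.get("statement", {}), f"{where}.statement")
    return errors

# Constructed sample: rule 0 is clean, rules 1 and 2 break documented constraints.
SAMPLE_RULES = [
    {"name": "geo", "priority": 0, "visibility-config": {}, "action": "ALLOW",
     "statement": {"geo-match-statement": {"country-codes": ["US"]}}},
    {"name": "throttle", "priority": 1, "visibility-config": {}, "action": "BLOCK",
     "override-action": "COUNT", "statement": {"rate-based-statement": {
         "limit": 50, "evaluation-window": 90, "aggregate-key-type": "CUSTOM_KEYS",
         "custom-keys": [{"label-namespace": {"namespace": ":bad:"}}]}}},
    {"name": "either", "priority": 1, "action": "COUNT", "statement": {"or-statement": {
        "statement": [{"geo-match-statement": {"country-codes": ["US"]}}]}}},
]
```

Running `validate_rules(SAMPLE_RULES)` before applying a change surfaces configuration mistakes such as a rate limit below the documented minimum or a rule carrying both `action` and `override-action`.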