aws-sdk-wafv2 1.103.0 → 1.105.0

data/lib/aws-sdk-wafv2/client_api.rb

@@ -190,6 +190,7 @@ module Aws::WAFV2
     ImmunityTimeProperty = Shapes::StructureShape.new(name: 'ImmunityTimeProperty')
     InspectionLevel = Shapes::StringShape.new(name: 'InspectionLevel')
     JA3Fingerprint = Shapes::StructureShape.new(name: 'JA3Fingerprint')
+    JA4Fingerprint = Shapes::StructureShape.new(name: 'JA4Fingerprint')
     JsonBody = Shapes::StructureShape.new(name: 'JsonBody')
     JsonMatchPattern = Shapes::StructureShape.new(name: 'JsonMatchPattern')
     JsonMatchScope = Shapes::StringShape.new(name: 'JsonMatchScope')
@@ -296,6 +297,8 @@ module Aws::WAFV2
     RateLimitHTTPMethod = Shapes::StructureShape.new(name: 'RateLimitHTTPMethod')
     RateLimitHeader = Shapes::StructureShape.new(name: 'RateLimitHeader')
     RateLimitIP = Shapes::StructureShape.new(name: 'RateLimitIP')
+    RateLimitJA3Fingerprint = Shapes::StructureShape.new(name: 'RateLimitJA3Fingerprint')
+    RateLimitJA4Fingerprint = Shapes::StructureShape.new(name: 'RateLimitJA4Fingerprint')
     RateLimitLabelNamespace = Shapes::StructureShape.new(name: 'RateLimitLabelNamespace')
     RateLimitQueryArgument = Shapes::StructureShape.new(name: 'RateLimitQueryArgument')
     RateLimitQueryString = Shapes::StructureShape.new(name: 'RateLimitQueryString')
@@ -401,6 +404,7 @@ module Aws::WAFV2
     UpdateRuleGroupResponse = Shapes::StructureShape.new(name: 'UpdateRuleGroupResponse')
     UpdateWebACLRequest = Shapes::StructureShape.new(name: 'UpdateWebACLRequest')
     UpdateWebACLResponse = Shapes::StructureShape.new(name: 'UpdateWebACLResponse')
+    UriFragment = Shapes::StructureShape.new(name: 'UriFragment')
     UriPath = Shapes::StructureShape.new(name: 'UriPath')
     UsernameField = Shapes::StructureShape.new(name: 'UsernameField')
     VendorName = Shapes::StringShape.new(name: 'VendorName')
@@ -755,6 +759,8 @@ module Aws::WAFV2
     FieldToMatch.add_member(:cookies, Shapes::ShapeRef.new(shape: Cookies, location_name: "Cookies"))
     FieldToMatch.add_member(:header_order, Shapes::ShapeRef.new(shape: HeaderOrder, location_name: "HeaderOrder"))
     FieldToMatch.add_member(:ja3_fingerprint, Shapes::ShapeRef.new(shape: JA3Fingerprint, location_name: "JA3Fingerprint"))
+    FieldToMatch.add_member(:ja4_fingerprint, Shapes::ShapeRef.new(shape: JA4Fingerprint, location_name: "JA4Fingerprint"))
+    FieldToMatch.add_member(:uri_fragment, Shapes::ShapeRef.new(shape: UriFragment, location_name: "UriFragment"))
     FieldToMatch.struct_class = Types::FieldToMatch
 
     FieldToProtect.add_member(:field_type, Shapes::ShapeRef.new(shape: FieldToProtectType, required: true, location_name: "FieldType"))
@@ -966,6 +972,9 @@ module Aws::WAFV2
     JA3Fingerprint.add_member(:fallback_behavior, Shapes::ShapeRef.new(shape: FallbackBehavior, required: true, location_name: "FallbackBehavior"))
     JA3Fingerprint.struct_class = Types::JA3Fingerprint
 
+    JA4Fingerprint.add_member(:fallback_behavior, Shapes::ShapeRef.new(shape: FallbackBehavior, required: true, location_name: "FallbackBehavior"))
+    JA4Fingerprint.struct_class = Types::JA4Fingerprint
+
     JsonBody.add_member(:match_pattern, Shapes::ShapeRef.new(shape: JsonMatchPattern, required: true, location_name: "MatchPattern"))
     JsonBody.add_member(:match_scope, Shapes::ShapeRef.new(shape: JsonMatchScope, required: true, location_name: "MatchScope"))
     JsonBody.add_member(:invalid_fallback_behavior, Shapes::ShapeRef.new(shape: BodyParsingFallbackBehavior, location_name: "InvalidFallbackBehavior"))
@@ -1270,6 +1279,8 @@ module Aws::WAFV2
     RateBasedStatementCustomKey.add_member(:ip, Shapes::ShapeRef.new(shape: RateLimitIP, location_name: "IP"))
     RateBasedStatementCustomKey.add_member(:label_namespace, Shapes::ShapeRef.new(shape: RateLimitLabelNamespace, location_name: "LabelNamespace"))
     RateBasedStatementCustomKey.add_member(:uri_path, Shapes::ShapeRef.new(shape: RateLimitUriPath, location_name: "UriPath"))
+    RateBasedStatementCustomKey.add_member(:ja3_fingerprint, Shapes::ShapeRef.new(shape: RateLimitJA3Fingerprint, location_name: "JA3Fingerprint"))
+    RateBasedStatementCustomKey.add_member(:ja4_fingerprint, Shapes::ShapeRef.new(shape: RateLimitJA4Fingerprint, location_name: "JA4Fingerprint"))
     RateBasedStatementCustomKey.struct_class = Types::RateBasedStatementCustomKey
 
     RateBasedStatementCustomKeys.member = Shapes::ShapeRef.new(shape: RateBasedStatementCustomKey)
@@ -1292,6 +1303,12 @@ module Aws::WAFV2
 
     RateLimitIP.struct_class = Types::RateLimitIP
 
+    RateLimitJA3Fingerprint.add_member(:fallback_behavior, Shapes::ShapeRef.new(shape: FallbackBehavior, required: true, location_name: "FallbackBehavior"))
+    RateLimitJA3Fingerprint.struct_class = Types::RateLimitJA3Fingerprint
+
+    RateLimitJA4Fingerprint.add_member(:fallback_behavior, Shapes::ShapeRef.new(shape: FallbackBehavior, required: true, location_name: "FallbackBehavior"))
+    RateLimitJA4Fingerprint.struct_class = Types::RateLimitJA4Fingerprint
+
     RateLimitLabelNamespace.add_member(:namespace, Shapes::ShapeRef.new(shape: LabelNamespace, required: true, location_name: "Namespace"))
     RateLimitLabelNamespace.struct_class = Types::RateLimitLabelNamespace
 
@@ -1618,6 +1635,9 @@ module Aws::WAFV2
     UpdateWebACLResponse.add_member(:next_lock_token, Shapes::ShapeRef.new(shape: LockToken, location_name: "NextLockToken"))
     UpdateWebACLResponse.struct_class = Types::UpdateWebACLResponse
 
+    UriFragment.add_member(:fallback_behavior, Shapes::ShapeRef.new(shape: FallbackBehavior, location_name: "FallbackBehavior"))
+    UriFragment.struct_class = Types::UriFragment
+
     UriPath.struct_class = Types::UriPath
 
     UsernameField.add_member(:identifier, Shapes::ShapeRef.new(shape: FieldIdentifier, required: true, location_name: "Identifier"))

data/lib/aws-sdk-wafv2/types.rb

@@ -1413,16 +1413,15 @@ module Aws::WAFV2
     #   @return [Types::VisibilityConfig]
     #
     # @!attribute [rw] data_protection_config
-    #   Specifies data protection to apply to the web request data that WAF
-    #   stores for the web ACL. This is a web ACL level data protection
-    #   option.
+    #   Specifies data protection to apply to the web request data for the
+    #   web ACL. This is a web ACL level data protection option.
     #
     #   The data protection that you configure for the web ACL alters the
     #   data that's available for any other data collection activity,
-    #   including WAF logging, web ACL request sampling, Amazon Web Services
-    #   Managed Rules, and Amazon Security Lake data collection and
-    #   management. Your other option for data protection is in the logging
-    #   configuration, which only affects logging.
+    #   including your WAF logging destinations, web ACL request sampling,
+    #   and Amazon Security Lake data collection and management. Your other
+    #   option for data protection is in the logging configuration, which
+    #   only affects logging.
     #   @return [Types::DataProtectionConfig]
     #
     # @!attribute [rw] tags
@@ -1707,11 +1706,11 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] exclude_rule_match_details
-    #   Specifies whether to also protect any rule match details from the
-    #   web ACL logs when applying data protection this field type and keys.
-    #   WAF logs these details for non-terminating matching rules and for
-    #   the terminating matching rule. For additional information, see [Log
-    #   fields for web ACL traffic][1] in the *WAF Developer Guide*.
+    #   Specifies whether to also exclude any rule match details from the
+    #   data protection you have enabled for a given field. WAF logs these
+    #   details for non-terminating matching rules and for the terminating
+    #   matching rule. For additional information, see [Log fields for web
+    #   ACL traffic][1] in the *WAF Developer Guide*.
     #
     #   Default: `FALSE`
     #
@@ -1721,9 +1720,10 @@ module Aws::WAFV2
     #   @return [Boolean]
     #
     # @!attribute [rw] exclude_rate_based_details
-    #   Specifies whether to also protect any rate-based rule details from
-    #   the web ACL logs when applying data protection for this field type
-    #   and keys. For additional information, see the log field
+    #   Specifies whether to also exclude any rate-based rule details from
+    #   the data protection you have enabled for a given field. If you
+    #   specify this exception, RateBasedDetails will show the value of the
+    #   field. For additional information, see the log field
     #   `rateBasedRuleList` at [Log fields for web ACL traffic][1] in the
     #   *WAF Developer Guide*.
     #
@@ -1745,16 +1745,15 @@ module Aws::WAFV2
       include Aws::Structure
     end
 
-    # Specifies data protection to apply to the web request data that WAF
-    # stores for the web ACL. This is a web ACL level data protection
-    # option.
+    # Specifies data protection to apply to the web request data for the web
+    # ACL. This is a web ACL level data protection option.
     #
     # The data protection that you configure for the web ACL alters the data
     # that's available for any other data collection activity, including
-    # WAF logging, web ACL request sampling, Amazon Web Services Managed
-    # Rules, and Amazon Security Lake data collection and management. Your
-    # other option for data protection is in the logging configuration,
-    # which only affects logging.
+    # your WAF logging destinations, web ACL request sampling, and Amazon
+    # Security Lake data collection and management. Your other option for
+    # data protection is in the logging configuration, which only affects
+    # logging.
     #
     # This is part of the data protection configuration for a web ACL.
     #
@@ -2619,6 +2618,49 @@ module Aws::WAFV2
     #   [1]: https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html
     #   @return [Types::JA3Fingerprint]
     #
+    # @!attribute [rw] ja4_fingerprint
+    #   Available for use with Amazon CloudFront distributions and
+    #   Application Load Balancers. Match against the request's JA4
+    #   fingerprint. The JA4 fingerprint is a 36-character hash derived from
+    #   the TLS Client Hello of an incoming request. This fingerprint serves
+    #   as a unique identifier for the client's TLS configuration. WAF
+    #   calculates and logs this fingerprint for each request that has
+    #   enough TLS Client Hello information for the calculation. Almost all
+    #   web requests include this information.
+    #
+    #   <note markdown="1"> You can use this choice only with a string match
+    #   `ByteMatchStatement` with the `PositionalConstraint` set to
+    #   `EXACTLY`.
+    #
+    #    </note>
+    #
+    #   You can obtain the JA4 fingerprint for client requests from the web
+    #   ACL logs. If WAF is able to calculate the fingerprint, it includes
+    #   it in the logs. For information about the logging fields, see [Log
+    #   fields][1] in the *WAF Developer Guide*.
+    #
+    #   Provide the JA4 fingerprint string from the logs in your string
+    #   match statement specification, to match with any future requests
+    #   that have the same TLS configuration.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html
+    #   @return [Types::JA4Fingerprint]
+    #
+    # @!attribute [rw] uri_fragment
+    #   Inspect fragments of the request URI. You must configure scope and
+    #   pattern matching filters in the `UriFragment` object, to define the
+    #   fragment of a URI that WAF inspects.
+    #
+    #   Only the first 8 KB (8192 bytes) of a request's URI fragments and
+    #   only the first 200 URI fragments are forwarded to WAF for inspection
+    #   by the underlying host service. You must configure how to handle any
+    #   oversize URI fragment content in the `UriFragment` object. WAF
+    #   applies the pattern matching filters to the cookies that it receives
+    #   from the underlying host service.
+    #   @return [Types::UriFragment]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/FieldToMatch AWS API Documentation
     #
     class FieldToMatch < Struct.new(
@@ -2633,7 +2675,9 @@ module Aws::WAFV2
       :headers,
       :cookies,
       :header_order,
-      :ja3_fingerprint)
+      :ja3_fingerprint,
+      :ja4_fingerprint,
+      :uri_fragment)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -4123,6 +4167,54 @@ module Aws::WAFV2
       include Aws::Structure
     end
 
+    # Available for use with Amazon CloudFront distributions and Application
+    # Load Balancers. Match against the request's JA4 fingerprint. The JA4
+    # fingerprint is a 36-character hash derived from the TLS Client Hello
+    # of an incoming request. This fingerprint serves as a unique identifier
+    # for the client's TLS configuration. WAF calculates and logs this
+    # fingerprint for each request that has enough TLS Client Hello
+    # information for the calculation. Almost all web requests include this
+    # information.
+    #
+    # <note markdown="1"> You can use this choice only with a string match `ByteMatchStatement`
+    # with the `PositionalConstraint` set to `EXACTLY`.
+    #
+    #  </note>
+    #
+    # You can obtain the JA4 fingerprint for client requests from the web
+    # ACL logs. If WAF is able to calculate the fingerprint, it includes it
+    # in the logs. For information about the logging fields, see [Log
+    # fields][1] in the *WAF Developer Guide*.
+    #
+    # Provide the JA4 fingerprint string from the logs in your string match
+    # statement specification, to match with any future requests that have
+    # the same TLS configuration.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html
+    #
+    # @!attribute [rw] fallback_behavior
+    #   The match status to assign to the web request if the request
+    #   doesn't have a JA4 fingerprint.
+    #
+    #   You can specify the following fallback behaviors:
+    #
+    #   * `MATCH` - Treat the web request as matching the rule statement.
+    #     WAF applies the rule action to the request.
+    #
+    #   * `NO_MATCH` - Treat the web request as not matching the rule
+    #     statement.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/JA4Fingerprint AWS API Documentation
+    #
+    class JA4Fingerprint < Struct.new(
+      :fallback_behavior)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Inspect the body of the web request as JSON. The body immediately
     # follows the request headers.
     #
@@ -6588,6 +6680,18 @@ module Aws::WAFV2
     #   aggregation instance.
     #   @return [Types::RateLimitUriPath]
     #
+    # @!attribute [rw] ja3_fingerprint
+    #   Use the request's JA3 fingerprint as an aggregate key. If you use a
+    #   single JA3 fingerprint as your custom key, then each value fully
+    #   defines an aggregation instance.
+    #   @return [Types::RateLimitJA3Fingerprint]
+    #
+    # @!attribute [rw] ja4_fingerprint
+    #   Use the request's JA4 fingerprint as an aggregate key. If you use a
+    #   single JA4 fingerprint as your custom key, then each value fully
+    #   defines an aggregation instance.
+    #   @return [Types::RateLimitJA4Fingerprint]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateBasedStatementCustomKey AWS API Documentation
     #
     class RateBasedStatementCustomKey < Struct.new(
@@ -6599,7 +6703,9 @@ module Aws::WAFV2
       :forwarded_ip,
       :ip,
       :label_namespace,
-      :uri_path)
+      :uri_path,
+      :ja3_fingerprint,
+      :ja4_fingerprint)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -6757,6 +6863,60 @@ module Aws::WAFV2
     #
     class RateLimitIP < Aws::EmptyStructure; end
 
+    # Use the request's JA3 fingerprint derived from the TLS Client Hello
+    # of an incoming request as an aggregate key. If you use a single JA3
+    # fingerprint as your custom key, then each value fully defines an
+    # aggregation instance.
+    #
+    # @!attribute [rw] fallback_behavior
+    #   The match status to assign to the web request if there is
+    #   insufficient TSL Client Hello information to compute the JA3
+    #   fingerprint.
+    #
+    #   You can specify the following fallback behaviors:
+    #
+    #   * `MATCH` - Treat the web request as matching the rule statement.
+    #     WAF applies the rule action to the request.
+    #
+    #   * `NO_MATCH` - Treat the web request as not matching the rule
+    #     statement.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitJA3Fingerprint AWS API Documentation
+    #
+    class RateLimitJA3Fingerprint < Struct.new(
+      :fallback_behavior)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Use the request's JA4 fingerprint derived from the TLS Client Hello
+    # of an incoming request as an aggregate key. If you use a single JA4
+    # fingerprint as your custom key, then each value fully defines an
+    # aggregation instance.
+    #
+    # @!attribute [rw] fallback_behavior
+    #   The match status to assign to the web request if there is
+    #   insufficient TSL Client Hello information to compute the JA4
+    #   fingerprint.
+    #
+    #   You can specify the following fallback behaviors:
+    #
+    #   * `MATCH` - Treat the web request as matching the rule statement.
+    #     WAF applies the rule action to the request.
+    #
+    #   * `NO_MATCH` - Treat the web request as not matching the rule
+    #     statement.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitJA4Fingerprint AWS API Documentation
+    #
+    class RateLimitJA4Fingerprint < Struct.new(
+      :fallback_behavior)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Specifies a label namespace to use as an aggregate key for a
     # rate-based rule. Each distinct fully qualified label name that has the
     # specified label namespace contributes to the aggregation instance. If
@@ -9201,16 +9361,15 @@ module Aws::WAFV2
     #   @return [Types::VisibilityConfig]
     #
     # @!attribute [rw] data_protection_config
-    #   Specifies data protection to apply to the web request data that WAF
-    #   stores for the web ACL. This is a web ACL level data protection
-    #   option.
+    #   Specifies data protection to apply to the web request data for the
+    #   web ACL. This is a web ACL level data protection option.
     #
     #   The data protection that you configure for the web ACL alters the
     #   data that's available for any other data collection activity,
-    #   including WAF logging, web ACL request sampling, Amazon Web Services
-    #   Managed Rules, and Amazon Security Lake data collection and
-    #   management. Your other option for data protection is in the logging
-    #   configuration, which only affects logging.
+    #   including your WAF logging destinations, web ACL request sampling,
+    #   and Amazon Security Lake data collection and management. Your other
+    #   option for data protection is in the logging configuration, which
+    #   only affects logging.
     #   @return [Types::DataProtectionConfig]
     #
     # @!attribute [rw] lock_token
@@ -9333,6 +9492,55 @@ module Aws::WAFV2
       include Aws::Structure
     end
 
+    # Inspect fragments of the request URI. You can specify the parts of the
+    # URI fragment to inspect and you can narrow the set of URI fragments to
+    # inspect by including or excluding specific keys.
+    #
+    # This is used to indicate the web request component to inspect, in the
+    # FieldToMatch specification.
+    #
+    # Example JSON: `"UriFragment": { "MatchPattern": { "All": {} },
+    # "MatchScope": "KEY", "OversizeHandling": "MATCH" }`
+    #
+    # @!attribute [rw] fallback_behavior
+    #   What WAF should do if it fails to completely parse the JSON body.
+    #   The options are the following:
+    #
+    #   * `EVALUATE_AS_STRING` - Inspect the body as plain text. WAF applies
+    #     the text transformations and inspection criteria that you defined
+    #     for the JSON inspection to the body text string.
+    #
+    #   * `MATCH` - Treat the web request as matching the rule statement.
+    #     WAF applies the rule action to the request.
+    #
+    #   * `NO_MATCH` - Treat the web request as not matching the rule
+    #     statement.
+    #
+    #   If you don't provide this setting, WAF parses and evaluates the
+    #   content only up to the first parsing failure that it encounters.
+    #
+    #   Example JSON: `{ "UriFragment": { "FallbackBehavior": "MATCH"} }`
+    #
+    #   <note markdown="1"> WAF parsing doesn't fully validate the input JSON string, so
+    #   parsing can succeed even for invalid JSON. When parsing succeeds,
+    #   WAF doesn't apply the fallback behavior. For more information, see
+    #   [JSON body][1] in the *WAF Developer Guide*.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-fields-list.html#waf-rule-statement-request-component-json-body
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/UriFragment AWS API Documentation
+    #
+    class UriFragment < Struct.new(
+      :fallback_behavior)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Inspect the path component of the URI of the web request. This is the
     # part of the web request that identifies a resource. For example,
     # `/images/daily-ad.jpg`.
@@ -9883,16 +10091,15 @@ module Aws::WAFV2
     #   @return [Types::VisibilityConfig]
     #
     # @!attribute [rw] data_protection_config
-    #   Specifies data protection to apply to the web request data that WAF
-    #   stores for the web ACL. This is a web ACL level data protection
-    #   option.
+    #   Specifies data protection to apply to the web request data for the
+    #   web ACL. This is a web ACL level data protection option.
     #
     #   The data protection that you configure for the web ACL alters the
     #   data that's available for any other data collection activity,
-    #   including WAF logging, web ACL request sampling, Amazon Web Services
-    #   Managed Rules, and Amazon Security Lake data collection and
-    #   management. Your other option for data protection is in the logging
-    #   configuration, which only affects logging.
+    #   including your WAF logging destinations, web ACL request sampling,
+    #   and Amazon Security Lake data collection and management. Your other
+    #   option for data protection is in the logging configuration, which
+    #   only affects logging.
     #   @return [Types::DataProtectionConfig]
     #
     # @!attribute [rw] capacity

data/lib/aws-sdk-wafv2.rb

@@ -54,7 +54,7 @@ module Aws::WAFV2
   autoload :EndpointProvider, 'aws-sdk-wafv2/endpoint_provider'
   autoload :Endpoints, 'aws-sdk-wafv2/endpoints'
 
-  GEM_VERSION = '1.103.0'
+  GEM_VERSION = '1.105.0'
 
 end