aws-sdk-wafv2 1.55.0 → 1.57.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-wafv2/client.rb +507 -68
- data/lib/aws-sdk-wafv2/client_api.rb +53 -0
- data/lib/aws-sdk-wafv2/errors.rb +16 -0
- data/lib/aws-sdk-wafv2/types.rb +715 -203
- data/lib/aws-sdk-wafv2.rb +1 -1
- metadata +2 -2
data/lib/aws-sdk-wafv2/types.rb
CHANGED
@@ -12,6 +12,17 @@ module Aws::WAFV2
|
|
12
12
|
|
13
13
|
# Information for a single API key.
|
14
14
|
#
|
15
|
+
# API keys are required for the integration of the CAPTCHA API in your
|
16
|
+
# JavaScript client applications. The API lets you customize the
|
17
|
+
# placement and characteristics of the CAPTCHA puzzle for your end
|
18
|
+
# users. For more information about the CAPTCHA JavaScript integration,
|
19
|
+
# see [WAF client application integration][1] in the *WAF Developer
|
20
|
+
# Guide*.
|
21
|
+
#
|
22
|
+
#
|
23
|
+
#
|
24
|
+
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-application-integration.html
|
25
|
+
#
|
15
26
|
# @!attribute [rw] token_domains
|
16
27
|
# The token domains that are defined in this API key.
|
17
28
|
# @return [Array<String>]
|
@@ -19,14 +30,6 @@ module Aws::WAFV2
|
|
19
30
|
# @!attribute [rw] api_key
|
20
31
|
# The generated, encrypted API key. You can copy this for use in your
|
21
32
|
# JavaScript CAPTCHA integration.
|
22
|
-
#
|
23
|
-
# For information about how to use this in your CAPTCHA JavaScript
|
24
|
-
# integration, see [WAF client application integration][1] in the *WAF
|
25
|
-
# Developer Guide*.
|
26
|
-
#
|
27
|
-
#
|
28
|
-
#
|
29
|
-
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-application-integration.html
|
30
33
|
# @return [String]
|
31
34
|
#
|
32
35
|
# @!attribute [rw] creation_timestamp
|
@@ -238,6 +241,10 @@ module Aws::WAFV2
|
|
238
241
|
# * For an App Runner service:
|
239
242
|
# `arn:partition:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id
|
240
243
|
# `
|
244
|
+
#
|
245
|
+
# * For an Amazon Web Services Verified Access instance:
|
246
|
+
# `arn:partition:ec2:region:account-id:verified-access-instance/instance-id
|
247
|
+
# `
|
241
248
|
# @return [String]
|
242
249
|
#
|
243
250
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/AssociateWebACLRequest AWS API Documentation
|
@@ -412,11 +419,14 @@ module Aws::WAFV2
|
|
412
419
|
#
|
413
420
|
# @!attribute [rw] text_transformations
|
414
421
|
# Text transformations eliminate some of the unusual formatting that
|
415
|
-
# attackers use in web requests in an effort to bypass detection.
|
416
|
-
#
|
417
|
-
#
|
418
|
-
#
|
419
|
-
#
|
422
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
423
|
+
# transformations are used in rule match statements, to transform the
|
424
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
425
|
+
# used in rate-based rule statements, to transform request components
|
426
|
+
# before using them as custom aggregation keys. If you specify one or
|
427
|
+
# more transformations to apply, WAF performs all transformations on
|
428
|
+
# the specified content, starting from the lowest priority setting,
|
429
|
+
# and then uses the component contents.
|
420
430
|
# @return [Array<Types::TextTransformation>]
|
421
431
|
#
|
422
432
|
# @!attribute [rw] positional_constraint
|
@@ -680,8 +690,8 @@ module Aws::WAFV2
|
|
680
690
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
681
691
|
# for a regional application. A regional application can be an
|
682
692
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
683
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
684
|
-
# service.
|
693
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
694
|
+
# service, or an Amazon Web Services Verified Access instance.
|
685
695
|
#
|
686
696
|
# To work with CloudFront, you must also specify the Region US East
|
687
697
|
# (N. Virginia) as follows:
|
@@ -860,8 +870,8 @@ module Aws::WAFV2
|
|
860
870
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
861
871
|
# for a regional application. A regional application can be an
|
862
872
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
863
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
864
|
-
# service.
|
873
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
874
|
+
# service, or an Amazon Web Services Verified Access instance.
|
865
875
|
#
|
866
876
|
# To work with CloudFront, you must also specify the Region US East
|
867
877
|
# (N. Virginia) as follows:
|
@@ -875,6 +885,11 @@ module Aws::WAFV2
|
|
875
885
|
# @!attribute [rw] token_domains
|
876
886
|
# The client application domains that you want to use this API key
|
877
887
|
# for.
|
888
|
+
#
|
889
|
+
# Example JSON: `"TokenDomains": ["abc.com", "store.abc.com"]`
|
890
|
+
#
|
891
|
+
# Public suffixes aren't allowed. For example, you can't use
|
892
|
+
# `usa.gov` or `co.uk` as token domains.
|
878
893
|
# @return [Array<String>]
|
879
894
|
#
|
880
895
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/CreateAPIKeyRequest AWS API Documentation
|
@@ -889,14 +904,6 @@ module Aws::WAFV2
|
|
889
904
|
# @!attribute [rw] api_key
|
890
905
|
# The generated, encrypted API key. You can copy this for use in your
|
891
906
|
# JavaScript CAPTCHA integration.
|
892
|
-
#
|
893
|
-
# For information about how to use this in your CAPTCHA JavaScript
|
894
|
-
# integration, see [WAF client application integration][1] in the *WAF
|
895
|
-
# Developer Guide*.
|
896
|
-
#
|
897
|
-
#
|
898
|
-
#
|
899
|
-
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-application-integration.html
|
900
907
|
# @return [String]
|
901
908
|
#
|
902
909
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/CreateAPIKeyResponse AWS API Documentation
|
@@ -916,8 +923,8 @@ module Aws::WAFV2
|
|
916
923
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
917
924
|
# for a regional application. A regional application can be an
|
918
925
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
919
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
920
|
-
# service.
|
926
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
927
|
+
# service, or an Amazon Web Services Verified Access instance.
|
921
928
|
#
|
922
929
|
# To work with CloudFront, you must also specify the Region US East
|
923
930
|
# (N. Virginia) as follows:
|
@@ -1023,8 +1030,8 @@ module Aws::WAFV2
|
|
1023
1030
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
1024
1031
|
# for a regional application. A regional application can be an
|
1025
1032
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
1026
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
1027
|
-
# service.
|
1033
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
1034
|
+
# service, or an Amazon Web Services Verified Access instance.
|
1028
1035
|
#
|
1029
1036
|
# To work with CloudFront, you must also specify the Region US East
|
1030
1037
|
# (N. Virginia) as follows:
|
@@ -1084,8 +1091,8 @@ module Aws::WAFV2
|
|
1084
1091
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
1085
1092
|
# for a regional application. A regional application can be an
|
1086
1093
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
1087
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
1088
|
-
# service.
|
1094
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
1095
|
+
# service, or an Amazon Web Services Verified Access instance.
|
1089
1096
|
#
|
1090
1097
|
# To work with CloudFront, you must also specify the Region US East
|
1091
1098
|
# (N. Virginia) as follows:
|
@@ -1199,8 +1206,8 @@ module Aws::WAFV2
|
|
1199
1206
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
1200
1207
|
# for a regional application. A regional application can be an
|
1201
1208
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
1202
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
1203
|
-
# service.
|
1209
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
1210
|
+
# service, or an Amazon Web Services Verified Access instance.
|
1204
1211
|
#
|
1205
1212
|
# To work with CloudFront, you must also specify the Region US East
|
1206
1213
|
# (N. Virginia) as follows:
|
@@ -1563,8 +1570,8 @@ module Aws::WAFV2
|
|
1563
1570
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
1564
1571
|
# for a regional application. A regional application can be an
|
1565
1572
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
1566
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
1567
|
-
# service.
|
1573
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
1574
|
+
# service, or an Amazon Web Services Verified Access instance.
|
1568
1575
|
#
|
1569
1576
|
# To work with CloudFront, you must also specify the Region US East
|
1570
1577
|
# (N. Virginia) as follows:
|
@@ -1653,8 +1660,8 @@ module Aws::WAFV2
|
|
1653
1660
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
1654
1661
|
# for a regional application. A regional application can be an
|
1655
1662
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
1656
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
1657
|
-
# service.
|
1663
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
1664
|
+
# service, or an Amazon Web Services Verified Access instance.
|
1658
1665
|
#
|
1659
1666
|
# To work with CloudFront, you must also specify the Region US East
|
1660
1667
|
# (N. Virginia) as follows:
|
@@ -1707,8 +1714,8 @@ module Aws::WAFV2
|
|
1707
1714
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
1708
1715
|
# for a regional application. A regional application can be an
|
1709
1716
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
1710
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
1711
|
-
# service.
|
1717
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
1718
|
+
# service, or an Amazon Web Services Verified Access instance.
|
1712
1719
|
#
|
1713
1720
|
# To work with CloudFront, you must also specify the Region US East
|
1714
1721
|
# (N. Virginia) as follows:
|
@@ -1761,8 +1768,8 @@ module Aws::WAFV2
|
|
1761
1768
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
1762
1769
|
# for a regional application. A regional application can be an
|
1763
1770
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
1764
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
1765
|
-
# service.
|
1771
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
1772
|
+
# service, or an Amazon Web Services Verified Access instance.
|
1766
1773
|
#
|
1767
1774
|
# To work with CloudFront, you must also specify the Region US East
|
1768
1775
|
# (N. Virginia) as follows:
|
@@ -1820,8 +1827,8 @@ module Aws::WAFV2
|
|
1820
1827
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
1821
1828
|
# for a regional application. A regional application can be an
|
1822
1829
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
1823
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
1824
|
-
# service.
|
1830
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
1831
|
+
# service, or an Amazon Web Services Verified Access instance.
|
1825
1832
|
#
|
1826
1833
|
# To work with CloudFront, you must also specify the Region US East
|
1827
1834
|
# (N. Virginia) as follows:
|
@@ -1955,6 +1962,10 @@ module Aws::WAFV2
|
|
1955
1962
|
# * For an App Runner service:
|
1956
1963
|
# `arn:partition:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id
|
1957
1964
|
# `
|
1965
|
+
#
|
1966
|
+
# * For an Amazon Web Services Verified Access instance:
|
1967
|
+
# `arn:partition:ec2:region:account-id:verified-access-instance/instance-id
|
1968
|
+
# `
|
1958
1969
|
# @return [String]
|
1959
1970
|
#
|
1960
1971
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/DisassociateWebACLRequest AWS API Documentation
|
@@ -2388,8 +2399,8 @@ module Aws::WAFV2
|
|
2388
2399
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
2389
2400
|
# for a regional application. A regional application can be an
|
2390
2401
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
2391
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
2392
|
-
# service.
|
2402
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
2403
|
+
# service, or an Amazon Web Services Verified Access instance.
|
2393
2404
|
#
|
2394
2405
|
# To work with CloudFront, you must also specify the Region US East
|
2395
2406
|
# (N. Virginia) as follows:
|
@@ -2439,8 +2450,8 @@ module Aws::WAFV2
|
|
2439
2450
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
2440
2451
|
# for a regional application. A regional application can be an
|
2441
2452
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
2442
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
2443
|
-
# service.
|
2453
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
2454
|
+
# service, or an Amazon Web Services Verified Access instance.
|
2444
2455
|
#
|
2445
2456
|
# To work with CloudFront, you must also specify the Region US East
|
2446
2457
|
# (N. Virginia) as follows:
|
@@ -2528,8 +2539,8 @@ module Aws::WAFV2
|
|
2528
2539
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
2529
2540
|
# for a regional application. A regional application can be an
|
2530
2541
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
2531
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
2532
|
-
# service.
|
2542
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
2543
|
+
# service, or an Amazon Web Services Verified Access instance.
|
2533
2544
|
#
|
2534
2545
|
# To work with CloudFront, you must also specify the Region US East
|
2535
2546
|
# (N. Virginia) as follows:
|
@@ -2641,8 +2652,8 @@ module Aws::WAFV2
|
|
2641
2652
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
2642
2653
|
# for a regional application. A regional application can be an
|
2643
2654
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
2644
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
2645
|
-
# service.
|
2655
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
2656
|
+
# service, or an Amazon Web Services Verified Access instance.
|
2646
2657
|
#
|
2647
2658
|
# To work with CloudFront, you must also specify the Region US East
|
2648
2659
|
# (N. Virginia) as follows:
|
@@ -2715,8 +2726,8 @@ module Aws::WAFV2
|
|
2715
2726
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
2716
2727
|
# for a regional application. A regional application can be an
|
2717
2728
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
2718
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
2719
|
-
# service.
|
2729
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
2730
|
+
# service, or an Amazon Web Services Verified Access instance.
|
2720
2731
|
#
|
2721
2732
|
# To work with CloudFront, you must also specify the Region US East
|
2722
2733
|
# (N. Virginia) as follows:
|
@@ -2776,8 +2787,8 @@ module Aws::WAFV2
|
|
2776
2787
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
2777
2788
|
# for a regional application. A regional application can be an
|
2778
2789
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
2779
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
2780
|
-
# service.
|
2790
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
2791
|
+
# service, or an Amazon Web Services Verified Access instance.
|
2781
2792
|
#
|
2782
2793
|
# To work with CloudFront, you must also specify the Region US East
|
2783
2794
|
# (N. Virginia) as follows:
|
@@ -2847,8 +2858,8 @@ module Aws::WAFV2
|
|
2847
2858
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
2848
2859
|
# for a regional application. A regional application can be an
|
2849
2860
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
2850
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
2851
|
-
# service.
|
2861
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
2862
|
+
# service, or an Amazon Web Services Verified Access instance.
|
2852
2863
|
#
|
2853
2864
|
# To work with CloudFront, you must also specify the Region US East
|
2854
2865
|
# (N. Virginia) as follows:
|
@@ -2944,6 +2955,10 @@ module Aws::WAFV2
|
|
2944
2955
|
# * For an App Runner service:
|
2945
2956
|
# `arn:partition:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id
|
2946
2957
|
# `
|
2958
|
+
#
|
2959
|
+
# * For an Amazon Web Services Verified Access instance:
|
2960
|
+
# `arn:partition:ec2:region:account-id:verified-access-instance/instance-id
|
2961
|
+
# `
|
2947
2962
|
# @return [String]
|
2948
2963
|
#
|
2949
2964
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/GetWebACLForResourceRequest AWS API Documentation
|
@@ -2976,8 +2991,8 @@ module Aws::WAFV2
|
|
2976
2991
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
2977
2992
|
# for a regional application. A regional application can be an
|
2978
2993
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
2979
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
2980
|
-
# service.
|
2994
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
2995
|
+
# service, or an Amazon Web Services Verified Access instance.
|
2981
2996
|
#
|
2982
2997
|
# To work with CloudFront, you must also specify the Region US East
|
2983
2998
|
# (N. Virginia) as follows:
|
@@ -3731,8 +3746,8 @@ module Aws::WAFV2
|
|
3731
3746
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
3732
3747
|
# for a regional application. A regional application can be an
|
3733
3748
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
3734
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
3735
|
-
# service.
|
3749
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
3750
|
+
# service, or an Amazon Web Services Verified Access instance.
|
3736
3751
|
#
|
3737
3752
|
# To work with CloudFront, you must also specify the Region US East
|
3738
3753
|
# (N. Virginia) as follows:
|
@@ -3784,14 +3799,6 @@ module Aws::WAFV2
|
|
3784
3799
|
# @!attribute [rw] application_integration_url
|
3785
3800
|
# The CAPTCHA application integration URL, for use in your JavaScript
|
3786
3801
|
# implementation.
|
3787
|
-
#
|
3788
|
-
# For information about how to use this in your CAPTCHA JavaScript
|
3789
|
-
# integration, see [WAF client application integration][1] in the *WAF
|
3790
|
-
# Developer Guide*.
|
3791
|
-
#
|
3792
|
-
#
|
3793
|
-
#
|
3794
|
-
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-application-integration.html
|
3795
3802
|
# @return [String]
|
3796
3803
|
#
|
3797
3804
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/ListAPIKeysResponse AWS API Documentation
|
@@ -3818,8 +3825,8 @@ module Aws::WAFV2
|
|
3818
3825
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
3819
3826
|
# for a regional application. A regional application can be an
|
3820
3827
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
3821
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
3822
|
-
# service.
|
3828
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
3829
|
+
# service, or an Amazon Web Services Verified Access instance.
|
3823
3830
|
#
|
3824
3831
|
# To work with CloudFront, you must also specify the Region US East
|
3825
3832
|
# (N. Virginia) as follows:
|
@@ -3889,8 +3896,8 @@ module Aws::WAFV2
|
|
3889
3896
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
3890
3897
|
# for a regional application. A regional application can be an
|
3891
3898
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
3892
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
3893
|
-
# service.
|
3899
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
3900
|
+
# service, or an Amazon Web Services Verified Access instance.
|
3894
3901
|
#
|
3895
3902
|
# To work with CloudFront, you must also specify the Region US East
|
3896
3903
|
# (N. Virginia) as follows:
|
@@ -3952,8 +3959,8 @@ module Aws::WAFV2
|
|
3952
3959
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
3953
3960
|
# for a regional application. A regional application can be an
|
3954
3961
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
3955
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
3956
|
-
# service.
|
3962
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
3963
|
+
# service, or an Amazon Web Services Verified Access instance.
|
3957
3964
|
#
|
3958
3965
|
# To work with CloudFront, you must also specify the Region US East
|
3959
3966
|
# (N. Virginia) as follows:
|
@@ -4015,8 +4022,8 @@ module Aws::WAFV2
|
|
4015
4022
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
4016
4023
|
# for a regional application. A regional application can be an
|
4017
4024
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
4018
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
4019
|
-
# service.
|
4025
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
4026
|
+
# service, or an Amazon Web Services Verified Access instance.
|
4020
4027
|
#
|
4021
4028
|
# To work with CloudFront, you must also specify the Region US East
|
4022
4029
|
# (N. Virginia) as follows:
|
@@ -4078,8 +4085,8 @@ module Aws::WAFV2
|
|
4078
4085
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
4079
4086
|
# for a regional application. A regional application can be an
|
4080
4087
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
4081
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
4082
|
-
# service.
|
4088
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
4089
|
+
# service, or an Amazon Web Services Verified Access instance.
|
4083
4090
|
#
|
4084
4091
|
# To work with CloudFront, you must also specify the Region US East
|
4085
4092
|
# (N. Virginia) as follows:
|
@@ -4193,8 +4200,8 @@ module Aws::WAFV2
|
|
4193
4200
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
4194
4201
|
# for a regional application. A regional application can be an
|
4195
4202
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
4196
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
4197
|
-
# service.
|
4203
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
4204
|
+
# service, or an Amazon Web Services Verified Access instance.
|
4198
4205
|
#
|
4199
4206
|
# To work with CloudFront, you must also specify the Region US East
|
4200
4207
|
# (N. Virginia) as follows:
|
@@ -4260,7 +4267,8 @@ module Aws::WAFV2
|
|
4260
4267
|
# Used for web ACLs that are scoped for regional applications. A
|
4261
4268
|
# regional application can be an Application Load Balancer (ALB), an
|
4262
4269
|
# Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon
|
4263
|
-
# Cognito user pool,
|
4270
|
+
# Cognito user pool, an App Runner service, or an Amazon Web Services
|
4271
|
+
# Verified Access instance.
|
4264
4272
|
#
|
4265
4273
|
# <note markdown="1"> If you don't provide a resource type, the call uses the resource
|
4266
4274
|
# type `APPLICATION_LOAD_BALANCER`.
|
@@ -4296,8 +4304,8 @@ module Aws::WAFV2
|
|
4296
4304
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
4297
4305
|
# for a regional application. A regional application can be an
|
4298
4306
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
4299
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
4300
|
-
# service.
|
4307
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
4308
|
+
# service, or an Amazon Web Services Verified Access instance.
|
4301
4309
|
#
|
4302
4310
|
# To work with CloudFront, you must also specify the Region US East
|
4303
4311
|
# (N. Virginia) as follows:
|
@@ -4411,8 +4419,8 @@ module Aws::WAFV2
|
|
4411
4419
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
4412
4420
|
# for a regional application. A regional application can be an
|
4413
4421
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
4414
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
4415
|
-
# service.
|
4422
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
4423
|
+
# service, or an Amazon Web Services Verified Access instance.
|
4416
4424
|
#
|
4417
4425
|
# To work with CloudFront, you must also specify the Region US East
|
4418
4426
|
# (N. Virginia) as follows:
|
@@ -5262,8 +5270,8 @@ module Aws::WAFV2
|
|
5262
5270
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
5263
5271
|
# for a regional application. A regional application can be an
|
5264
5272
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
5265
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
5266
|
-
# service.
|
5273
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
5274
|
+
# service, or an Amazon Web Services Verified Access instance.
|
5267
5275
|
#
|
5268
5276
|
# To work with CloudFront, you must also specify the Region US East
|
5269
5277
|
# (N. Virginia) as follows:
|
@@ -5393,11 +5401,86 @@ module Aws::WAFV2
|
|
5393
5401
|
#
|
5394
5402
|
class QueryString < Aws::EmptyStructure; end
|
5395
5403
|
|
5396
|
-
# A rate-based rule
|
5397
|
-
#
|
5398
|
-
#
|
5399
|
-
#
|
5400
|
-
#
|
5404
|
+
# A rate-based rule counts incoming requests and rate limits requests
|
5405
|
+
# when they are coming at too fast a rate. The rule categorizes requests
|
5406
|
+
# according to your aggregation criteria, collects them into aggregation
|
5407
|
+
# instances, and counts and rate limits the requests for each instance.
|
5408
|
+
#
|
5409
|
+
# You can specify individual aggregation keys, like IP address or HTTP
|
5410
|
+
# method. You can also specify aggregation key combinations, like IP
|
5411
|
+
# address and HTTP method, or HTTP method, query argument, and cookie.
|
5412
|
+
#
|
5413
|
+
# Each unique set of values for the aggregation keys that you specify is
|
5414
|
+
# a separate aggregation instance, with the value from each key
|
5415
|
+
# contributing to the aggregation instance definition.
|
5416
|
+
#
|
5417
|
+
# For example, assume the rule evaluates web requests with the following
|
5418
|
+
# IP address and HTTP method values:
|
5419
|
+
#
|
5420
|
+
# * IP address 10.1.1.1, HTTP method POST
|
5421
|
+
#
|
5422
|
+
# * IP address 10.1.1.1, HTTP method GET
|
5423
|
+
#
|
5424
|
+
# * IP address 127.0.0.0, HTTP method POST
|
5425
|
+
#
|
5426
|
+
# * IP address 10.1.1.1, HTTP method GET
|
5427
|
+
#
|
5428
|
+
# The rule would create different aggregation instances according to
|
5429
|
+
# your aggregation criteria, for example:
|
5430
|
+
#
|
5431
|
+
# * If the aggregation criteria is just the IP address, then each
|
5432
|
+
# individual address is an aggregation instance, and WAF counts
|
5433
|
+
# requests separately for each. The aggregation instances and request
|
5434
|
+
# counts for our example would be the following:
|
5435
|
+
#
|
5436
|
+
# * IP address 10.1.1.1: count 3
|
5437
|
+
#
|
5438
|
+
# * IP address 127.0.0.0: count 1
|
5439
|
+
#
|
5440
|
+
# * If the aggregation criteria is HTTP method, then each individual
|
5441
|
+
# HTTP method is an aggregation instance. The aggregation instances
|
5442
|
+
# and request counts for our example would be the following:
|
5443
|
+
#
|
5444
|
+
# * HTTP method POST: count 2
|
5445
|
+
#
|
5446
|
+
# * HTTP method GET: count 2
|
5447
|
+
#
|
5448
|
+
# * If the aggregation criteria is IP address and HTTP method, then each
|
5449
|
+
# IP address and each HTTP method would contribute to the combined
|
5450
|
+
# aggregation instance. The aggregation instances and request counts
|
5451
|
+
# for our example would be the following:
|
5452
|
+
#
|
5453
|
+
# * IP address 10.1.1.1, HTTP method POST: count 1
|
5454
|
+
#
|
5455
|
+
# * IP address 10.1.1.1, HTTP method GET: count 2
|
5456
|
+
#
|
5457
|
+
# * IP address 127.0.0.0, HTTP method POST: count 1
|
5458
|
+
#
|
5459
|
+
# For any n-tuple of aggregation keys, each unique combination of values
|
5460
|
+
# for the keys defines a separate aggregation instance, which WAF counts
|
5461
|
+
# and rate-limits individually.
|
5462
|
+
#
|
5463
|
+
# You can optionally nest another statement inside the rate-based
|
5464
|
+
# statement, to narrow the scope of the rule so that it only counts and
|
5465
|
+
# rate limits requests that match the nested statement. You can use this
|
5466
|
+
# nested scope-down statement in conjunction with your aggregation key
|
5467
|
+
# specifications or you can just count and rate limit all requests that
|
5468
|
+
# match the scope-down statement, without additional aggregation. When
|
5469
|
+
# you choose to just manage all requests that match a scope-down
|
5470
|
+
# statement, the aggregation instance is singular for the rule.
|
5471
|
+
#
|
5472
|
+
# You cannot nest a `RateBasedStatement` inside another statement, for
|
5473
|
+
# example inside a `NotStatement` or `OrStatement`. You can define a
|
5474
|
+
# `RateBasedStatement` inside a web ACL and inside a rule group.
|
5475
|
+
#
|
5476
|
+
# For additional information about the options, see [Rate limiting web
|
5477
|
+
# requests using rate-based rules][1] in the *WAF Developer Guide*.
|
5478
|
+
#
|
5479
|
+
# If you only aggregate on the individual IP address or forwarded IP
|
5480
|
+
# address, you can retrieve the list of IP addresses that WAF is
|
5481
|
+
# currently rate limiting for a rule through the API call
|
5482
|
+
# `GetRateBasedStatementManagedKeys`. This option is not available for
|
5483
|
+
# other aggregation configurations.
|
5401
5484
|
#
|
5402
5485
|
# WAF tracks and manages web requests separately for each instance of a
|
5403
5486
|
# rate-based rule that you use. For example, if you provide the same
|
@@ -5408,58 +5491,80 @@ module Aws::WAFV2
|
|
5408
5491
|
# multiple places, each use creates a separate instance of the
|
5409
5492
|
# rate-based rule that gets its own tracking and management by WAF.
|
5410
5493
|
#
|
5411
|
-
# When the rule action triggers, WAF blocks additional requests from the
|
5412
|
-
# IP address until the request rate falls below the limit.
|
5413
5494
|
#
|
5414
|
-
# You can optionally nest another statement inside the rate-based
|
5415
|
-
# statement, to narrow the scope of the rule so that it only counts
|
5416
|
-
# requests that match the nested statement. For example, based on recent
|
5417
|
-
# requests that you have seen from an attacker, you might create a
|
5418
|
-
# rate-based rule with a nested AND rule statement that contains the
|
5419
|
-
# following nested statements:
|
5420
5495
|
#
|
5421
|
-
#
|
5422
|
-
# 192.0.2.44.
|
5496
|
+
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html
|
5423
5497
|
#
|
5424
|
-
#
|
5425
|
-
#
|
5498
|
+
# @!attribute [rw] limit
|
5499
|
+
# The limit on requests per 5-minute period for a single aggregation
|
5500
|
+
# instance for the rate-based rule. If the rate-based statement
|
5501
|
+
# includes a `ScopeDownStatement`, this limit is applied only to the
|
5502
|
+
# requests that match the statement.
|
5426
5503
|
#
|
5427
|
-
#
|
5428
|
-
# example, the rate limit is 1,000. Requests that meet the criteria of
|
5429
|
-
# both of the nested statements are counted. If the count exceeds 1,000
|
5430
|
-
# requests per five minutes, the rule action triggers. Requests that do
|
5431
|
-
# not meet the criteria of both of the nested statements are not counted
|
5432
|
-
# towards the rate limit and are not affected by this rule.
|
5504
|
+
# Examples:
|
5433
5505
|
#
|
5434
|
-
#
|
5435
|
-
#
|
5436
|
-
# `RateBasedStatement` inside a web ACL and inside a rule group.
|
5506
|
+
# * If you aggregate on just the IP address, this is the limit on
|
5507
|
+
# requests from any single IP address.
|
5437
5508
|
#
|
5438
|
-
#
|
5439
|
-
#
|
5440
|
-
#
|
5441
|
-
# limit is applied only to the requests that match the statement.
|
5509
|
+
# * If you aggregate on the HTTP method and the query argument name
|
5510
|
+
# "city", then this is the limit on requests for any single
|
5511
|
+
# method, city pair.
|
5442
5512
|
# @return [Integer]
|
5443
5513
|
#
|
5444
5514
|
# @!attribute [rw] aggregate_key_type
|
5445
|
-
# Setting that indicates how to aggregate the request counts.
|
5446
|
-
#
|
5515
|
+
# Setting that indicates how to aggregate the request counts.
|
5516
|
+
#
|
5517
|
+
# <note markdown="1"> Web requests that are missing any of the components specified in the
|
5518
|
+
# aggregation keys are omitted from the rate-based rule evaluation and
|
5519
|
+
# handling.
|
5520
|
+
#
|
5521
|
+
# </note>
|
5522
|
+
#
|
5523
|
+
# * `CONSTANT` - Count and limit the requests that match the
|
5524
|
+
# rate-based rule's scope-down statement. With this option, the
|
5525
|
+
# counted requests aren't further aggregated. The scope-down
|
5526
|
+
# statement is the only specification used. When the count of all
|
5527
|
+
# requests that satisfy the scope-down statement goes over the
|
5528
|
+
# limit, WAF applies the rule action to all requests that satisfy
|
5529
|
+
# the scope-down statement.
|
5530
|
+
#
|
5531
|
+
# With this option, you must configure the `ScopeDownStatement`
|
5532
|
+
# property.
|
5533
|
+
#
|
5534
|
+
# * `CUSTOM_KEYS` - Aggregate the request counts using one or more web
|
5535
|
+
# request components as the aggregate keys.
|
5536
|
+
#
|
5537
|
+
# With this option, you must specify the aggregate keys in the
|
5538
|
+
# `CustomKeys` property.
|
5539
|
+
#
|
5540
|
+
# To aggregate on only the IP address or only the forwarded IP
|
5541
|
+
# address, don't use custom keys. Instead, set the aggregate key
|
5542
|
+
# type to `IP` or `FORWARDED_IP`.
|
5543
|
+
#
|
5544
|
+
# * `FORWARDED_IP` - Aggregate the request counts on the first IP
|
5545
|
+
# address in an HTTP header.
|
5447
5546
|
#
|
5448
|
-
#
|
5547
|
+
# With this option, you must specify the header to use in the
|
5548
|
+
# `ForwardedIPConfig` property.
|
5549
|
+
#
|
5550
|
+
# To aggregate on a combination of the forwarded IP address with
|
5551
|
+
# other aggregate keys, use `CUSTOM_KEYS`.
|
5552
|
+
#
|
5553
|
+
# * `IP` - Aggregate the request counts on the IP address from the web
|
5449
5554
|
# request origin.
|
5450
5555
|
#
|
5451
|
-
#
|
5452
|
-
#
|
5453
|
-
# `ForwardedIPConfig`, to specify the header to use.
|
5556
|
+
# To aggregate on a combination of the IP address with other
|
5557
|
+
# aggregate keys, use `CUSTOM_KEYS`.
|
5454
5558
|
# @return [String]
|
5455
5559
|
#
|
5456
5560
|
# @!attribute [rw] scope_down_statement
|
5457
5561
|
# An optional nested statement that narrows the scope of the web
|
5458
|
-
# requests that are evaluated by the rate-based statement.
|
5459
|
-
#
|
5460
|
-
#
|
5461
|
-
# scope-down statement, and you
|
5462
|
-
# same as you can for a rule
|
5562
|
+
# requests that are evaluated and managed by the rate-based statement.
|
5563
|
+
# When you use a scope-down statement, the rate-based rule only tracks
|
5564
|
+
# and rate limits requests that match the scope-down statement. You
|
5565
|
+
# can use any nestable Statement in the scope-down statement, and you
|
5566
|
+
# can nest statements at any level, the same as you can for a rule
|
5567
|
+
# statement.
|
5463
5568
|
# @return [Types::Statement]
|
5464
5569
|
#
|
5465
5570
|
# @!attribute [rw] forwarded_ip_config
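Review bot: The `FORWARDED_IP` entry added under `aggregate_key_type` keys the count on the first IP address in an HTTP header without saying who controls that header. Unless a proxy or load balancer you operate sets or overwrites it, the value is supplied by the requester, and the note at the top of the same attribute says requests missing a keyed component are omitted from evaluation, which presumably includes a missing header. I would add `# Use a header that only your own proxy or load balancer writes, and keep an IP-keyed rule for requests that arrive without it.` after the `ForwardedIPConfig` sentence. The `RateBasedStatement` comment block this attribute belongs to starts above the hunk.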
|
@@ -5473,22 +5578,143 @@ module Aws::WAFV2
|
|
5473
5578
|
#
|
5474
5579
|
# </note>
|
5475
5580
|
#
|
5476
|
-
# This is required if
|
5581
|
+
# This is required if you specify a forwarded IP in the rule's
|
5582
|
+
# aggregate key settings.
|
5477
5583
|
# @return [Types::ForwardedIPConfig]
|
5478
5584
|
#
|
5585
|
+
# @!attribute [rw] custom_keys
|
5586
|
+
# Specifies the aggregate keys to use in a rate-base rule.
|
5587
|
+
# @return [Array<Types::RateBasedStatementCustomKey>]
|
5588
|
+
#
|
5479
5589
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateBasedStatement AWS API Documentation
|
5480
5590
|
#
|
5481
5591
|
class RateBasedStatement < Struct.new(
|
5482
5592
|
:limit,
|
5483
5593
|
:aggregate_key_type,
|
5484
5594
|
:scope_down_statement,
|
5485
|
-
:forwarded_ip_config
|
5595
|
+
:forwarded_ip_config,
|
5596
|
+
:custom_keys)
|
5597
|
+
SENSITIVE = []
|
5598
|
+
include Aws::Structure
|
5599
|
+
end
|
5600
|
+
|
5601
|
+
# Specifies a single custom aggregate key for a rate-base rule.
|
5602
|
+
#
|
5603
|
+
# <note markdown="1"> Web requests that are missing any of the components specified in the
|
5604
|
+
# aggregation keys are omitted from the rate-based rule evaluation and
|
5605
|
+
# handling.
|
5606
|
+
#
|
5607
|
+
# </note>
|
5608
|
+
#
|
5609
|
+
# @!attribute [rw] header
|
5610
|
+
# Use the value of a header in the request as an aggregate key. Each
|
5611
|
+
# distinct value in the header contributes to the aggregation
|
5612
|
+
# instance. If you use a single header as your custom key, then each
|
5613
|
+
# value fully defines an aggregation instance.
|
5614
|
+
# @return [Types::RateLimitHeader]
|
5615
|
+
#
|
5616
|
+
# @!attribute [rw] cookie
|
5617
|
+
# Use the value of a cookie in the request as an aggregate key. Each
|
5618
|
+
# distinct value in the cookie contributes to the aggregation
|
5619
|
+
# instance. If you use a single cookie as your custom key, then each
|
5620
|
+
# value fully defines an aggregation instance.
|
5621
|
+
# @return [Types::RateLimitCookie]
|
5622
|
+
#
|
5623
|
+
# @!attribute [rw] query_argument
|
5624
|
+
# Use the specified query argument as an aggregate key. Each distinct
|
5625
|
+
# value for the named query argument contributes to the aggregation
|
5626
|
+
# instance. If you use a single query argument as your custom key,
|
5627
|
+
# then each value fully defines an aggregation instance.
|
5628
|
+
# @return [Types::RateLimitQueryArgument]
|
5629
|
+
#
|
5630
|
+
# @!attribute [rw] query_string
|
5631
|
+
# Use the request's query string as an aggregate key. Each distinct
|
5632
|
+
# string contributes to the aggregation instance. If you use just the
|
5633
|
+
# query string as your custom key, then each string fully defines an
|
5634
|
+
# aggregation instance.
|
5635
|
+
# @return [Types::RateLimitQueryString]
|
5636
|
+
#
|
5637
|
+
# @!attribute [rw] http_method
|
5638
|
+
# Use the request's HTTP method as an aggregate key. Each distinct
|
5639
|
+
# HTTP method contributes to the aggregation instance. If you use just
|
5640
|
+
# the HTTP method as your custom key, then each method fully defines
|
5641
|
+
# an aggregation instance.
|
5642
|
+
# @return [Types::RateLimitHTTPMethod]
|
5643
|
+
#
|
5644
|
+
# @!attribute [rw] forwarded_ip
|
5645
|
+
# Use the first IP address in an HTTP header as an aggregate key. Each
|
5646
|
+
# distinct forwarded IP address contributes to the aggregation
|
5647
|
+
# instance.
|
5648
|
+
#
|
5649
|
+
# When you specify an IP or forwarded IP in the custom key settings,
|
5650
|
+
# you must also specify at least one other key to use. You can
|
5651
|
+
# aggregate on only the forwarded IP address by specifying
|
5652
|
+
# `FORWARDED_IP` in your rate-based statement's `AggregateKeyType`.
|
5653
|
+
#
|
5654
|
+
# With this option, you must specify the header to use in the
|
5655
|
+
# rate-based rule's `ForwardedIPConfig` property.
|
5656
|
+
# @return [Types::RateLimitForwardedIP]
|
5657
|
+
#
|
5658
|
+
# @!attribute [rw] ip
|
5659
|
+
# Use the request's originating IP address as an aggregate key. Each
|
5660
|
+
# distinct IP address contributes to the aggregation instance.
|
5661
|
+
#
|
5662
|
+
# When you specify an IP or forwarded IP in the custom key settings,
|
5663
|
+
# you must also specify at least one other key to use. You can
|
5664
|
+
# aggregate on only the IP address by specifying `IP` in your
|
5665
|
+
# rate-based statement's `AggregateKeyType`.
|
5666
|
+
# @return [Types::RateLimitIP]
|
5667
|
+
#
|
5668
|
+
# @!attribute [rw] label_namespace
|
5669
|
+
# Use the specified label namespace as an aggregate key. Each distinct
|
5670
|
+
# fully qualified label name that has the specified label namespace
|
5671
|
+
# contributes to the aggregation instance. If you use just one label
|
5672
|
+
# namespace as your custom key, then each label name fully defines an
|
5673
|
+
# aggregation instance.
|
5674
|
+
#
|
5675
|
+
# This uses only labels that have been added to the request by rules
|
5676
|
+
# that are evaluated before this rate-based rule in the web ACL.
|
5677
|
+
#
|
5678
|
+
# For information about label namespaces and names, see [Label syntax
|
5679
|
+
# and naming requirements][1] in the *WAF Developer Guide*.
|
5680
|
+
#
|
5681
|
+
#
|
5682
|
+
#
|
5683
|
+
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html
|
5684
|
+
# @return [Types::RateLimitLabelNamespace]
|
5685
|
+
#
|
5686
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateBasedStatementCustomKey AWS API Documentation
|
5687
|
+
#
|
5688
|
+
class RateBasedStatementCustomKey < Struct.new(
|
5689
|
+
:header,
|
5690
|
+
:cookie,
|
5691
|
+
:query_argument,
|
5692
|
+
:query_string,
|
5693
|
+
:http_method,
|
5694
|
+
:forwarded_ip,
|
5695
|
+
:ip,
|
5696
|
+
:label_namespace)
|
5486
5697
|
SENSITIVE = []
|
5487
5698
|
include Aws::Structure
|
5488
5699
|
end
|
5489
5700
|
|
5490
5701
|
# The set of IP addresses that are currently blocked for a
|
5491
|
-
# RateBasedStatement.
|
5702
|
+
# RateBasedStatement. This is only available for rate-based rules that
|
5703
|
+
# aggregate on just the IP address, with the `AggregateKeyType` set to
|
5704
|
+
# `IP` or `FORWARDED_IP`.
|
5705
|
+
#
|
5706
|
+
# A rate-based rule applies its rule action to requests from IP
|
5707
|
+
# addresses that are in the rule's managed keys list and that match the
|
5708
|
+
# rule's scope-down statement. When a rule has no scope-down statement,
|
5709
|
+
# it applies the action to all requests from the IP addresses that are
|
5710
|
+
# in the list. The rule applies its rule action to rate limit the
|
5711
|
+
# matching requests. The action is usually Block but it can be any valid
|
5712
|
+
# rule action except for Allow.
|
5713
|
+
#
|
5714
|
+
# The maximum number of IP addresses that can be rate limited by a
|
5715
|
+
# single rate-based rule instance is 10,000. If more than 10,000
|
5716
|
+
# addresses exceed the rate limit, WAF limits those with the highest
|
5717
|
+
# rates.
|
5492
5718
|
#
|
5493
5719
|
# @!attribute [rw] ip_address_version
|
5494
5720
|
# The version of the IP addresses, either `IPV4` or `IPV6`.
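Review bot: The new `custom_keys` attribute is documented only as `# Specifies the aggregate keys to use in a rate-base rule.`, which misspells rate-based and does not say when the attribute is required. The `CUSTOM_KEYS` entry of `aggregate_key_type` in the previous hunk already states that the keys must be given in `CustomKeys`, so the attribute should say so too: `# Specifies the aggregate keys to use in a rate-based rule. Required when the aggregate key type is CUSTOM_KEYS.` The summary line of `RateBasedStatementCustomKey` has the same rate-base spelling. The `RateBasedStatement` comment block starts above this hunk.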
|
@@ -5507,6 +5733,208 @@ module Aws::WAFV2
|
|
5507
5733
|
include Aws::Structure
|
5508
5734
|
end
|
5509
5735
|
|
5736
|
+
# Specifies a cookie as an aggregate key for a rate-based rule. Each
|
5737
|
+
# distinct value in the cookie contributes to the aggregation instance.
|
5738
|
+
# If you use a single cookie as your custom key, then each value fully
|
5739
|
+
# defines an aggregation instance.
|
5740
|
+
#
|
5741
|
+
# @!attribute [rw] name
|
5742
|
+
# The name of the cookie to use.
|
5743
|
+
# @return [String]
|
5744
|
+
#
|
5745
|
+
# @!attribute [rw] text_transformations
|
5746
|
+
# Text transformations eliminate some of the unusual formatting that
|
5747
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
5748
|
+
# transformations are used in rule match statements, to transform the
|
5749
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
5750
|
+
# used in rate-based rule statements, to transform request components
|
5751
|
+
# before using them as custom aggregation keys. If you specify one or
|
5752
|
+
# more transformations to apply, WAF performs all transformations on
|
5753
|
+
# the specified content, starting from the lowest priority setting,
|
5754
|
+
# and then uses the component contents.
|
5755
|
+
# @return [Array<Types::TextTransformation>]
|
5756
|
+
#
|
5757
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitCookie AWS API Documentation
|
5758
|
+
#
|
5759
|
+
class RateLimitCookie < Struct.new(
|
5760
|
+
:name,
|
5761
|
+
:text_transformations)
|
5762
|
+
SENSITIVE = []
|
5763
|
+
include Aws::Structure
|
5764
|
+
end
|
5765
|
+
|
5766
|
+
# Specifies the first IP address in an HTTP header as an aggregate key
|
5767
|
+
# for a rate-based rule. Each distinct forwarded IP address contributes
|
5768
|
+
# to the aggregation instance.
|
5769
|
+
#
|
5770
|
+
# This setting is used only in the `RateBasedStatementCustomKey`
|
5771
|
+
# specification of a rate-based rule statement. When you specify an IP
|
5772
|
+
# or forwarded IP in the custom key settings, you must also specify at
|
5773
|
+
# least one other key to use. You can aggregate on only the forwarded IP
|
5774
|
+
# address by specifying `FORWARDED_IP` in your rate-based statement's
|
5775
|
+
# `AggregateKeyType`.
|
5776
|
+
#
|
5777
|
+
# This data type supports using the forwarded IP address in the web
|
5778
|
+
# request aggregation for a rate-based rule, in
|
5779
|
+
# `RateBasedStatementCustomKey`. The JSON specification for using the
|
5780
|
+
# forwarded IP address doesn't explicitly use this data type.
|
5781
|
+
#
|
5782
|
+
# JSON specification: `"ForwardedIP": \{\}`
|
5783
|
+
#
|
5784
|
+
# When you use this specification, you must also configure the forwarded
|
5785
|
+
# IP address in the rate-based statement's `ForwardedIPConfig`.
|
5786
|
+
#
|
5787
|
+
# @api private
|
5788
|
+
#
|
5789
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitForwardedIP AWS API Documentation
|
5790
|
+
#
|
5791
|
+
class RateLimitForwardedIP < Aws::EmptyStructure; end
|
5792
|
+
|
5793
|
+
# Specifies the request's HTTP method as an aggregate key for a
|
5794
|
+
# rate-based rule. Each distinct HTTP method contributes to the
|
5795
|
+
# aggregation instance. If you use just the HTTP method as your custom
|
5796
|
+
# key, then each method fully defines an aggregation instance.
|
5797
|
+
#
|
5798
|
+
# JSON specification: `"RateLimitHTTPMethod": \{\}`
|
5799
|
+
#
|
5800
|
+
# @api private
|
5801
|
+
#
|
5802
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitHTTPMethod AWS API Documentation
|
5803
|
+
#
|
5804
|
+
class RateLimitHTTPMethod < Aws::EmptyStructure; end
|
5805
|
+
|
5806
|
+
# Specifies a header as an aggregate key for a rate-based rule. Each
|
5807
|
+
# distinct value in the header contributes to the aggregation instance.
|
5808
|
+
# If you use a single header as your custom key, then each value fully
|
5809
|
+
# defines an aggregation instance.
|
5810
|
+
#
|
5811
|
+
# @!attribute [rw] name
|
5812
|
+
# The name of the header to use.
|
5813
|
+
# @return [String]
|
5814
|
+
#
|
5815
|
+
# @!attribute [rw] text_transformations
|
5816
|
+
# Text transformations eliminate some of the unusual formatting that
|
5817
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
5818
|
+
# transformations are used in rule match statements, to transform the
|
5819
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
5820
|
+
# used in rate-based rule statements, to transform request components
|
5821
|
+
# before using them as custom aggregation keys. If you specify one or
|
5822
|
+
# more transformations to apply, WAF performs all transformations on
|
5823
|
+
# the specified content, starting from the lowest priority setting,
|
5824
|
+
# and then uses the component contents.
|
5825
|
+
# @return [Array<Types::TextTransformation>]
|
5826
|
+
#
|
5827
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitHeader AWS API Documentation
|
5828
|
+
#
|
5829
|
+
class RateLimitHeader < Struct.new(
|
5830
|
+
:name,
|
5831
|
+
:text_transformations)
|
5832
|
+
SENSITIVE = []
|
5833
|
+
include Aws::Structure
|
5834
|
+
end
|
5835
|
+
|
5836
|
+
# Specifies the IP address in the web request as an aggregate key for a
|
5837
|
+
# rate-based rule. Each distinct IP address contributes to the
|
5838
|
+
# aggregation instance.
|
5839
|
+
#
|
5840
|
+
# This setting is used only in the `RateBasedStatementCustomKey`
|
5841
|
+
# specification of a rate-based rule statement. To use this in the
|
5842
|
+
# custom key settings, you must specify at least one other key to use,
|
5843
|
+
# along with the IP address. To aggregate on only the IP address, in
|
5844
|
+
# your rate-based statement's `AggregateKeyType`, specify `IP`.
|
5845
|
+
#
|
5846
|
+
# JSON specification: `"RateLimitIP": \{\}`
|
5847
|
+
#
|
5848
|
+
# @api private
|
5849
|
+
#
|
5850
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitIP AWS API Documentation
|
5851
|
+
#
|
5852
|
+
class RateLimitIP < Aws::EmptyStructure; end
|
5853
|
+
|
5854
|
+
# Specifies a label namespace to use as an aggregate key for a
|
5855
|
+
# rate-based rule. Each distinct fully qualified label name that has the
|
5856
|
+
# specified label namespace contributes to the aggregation instance. If
|
5857
|
+
# you use just one label namespace as your custom key, then each label
|
5858
|
+
# name fully defines an aggregation instance.
|
5859
|
+
#
|
5860
|
+
# This uses only labels that have been added to the request by rules
|
5861
|
+
# that are evaluated before this rate-based rule in the web ACL.
|
5862
|
+
#
|
5863
|
+
# For information about label namespaces and names, see [Label syntax
|
5864
|
+
# and naming requirements][1] in the *WAF Developer Guide*.
|
5865
|
+
#
|
5866
|
+
#
|
5867
|
+
#
|
5868
|
+
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html
|
5869
|
+
#
|
5870
|
+
# @!attribute [rw] namespace
|
5871
|
+
# The namespace to use for aggregation.
|
5872
|
+
# @return [String]
|
5873
|
+
#
|
5874
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitLabelNamespace AWS API Documentation
|
5875
|
+
#
|
5876
|
+
class RateLimitLabelNamespace < Struct.new(
|
5877
|
+
:namespace)
|
5878
|
+
SENSITIVE = []
|
5879
|
+
include Aws::Structure
|
5880
|
+
end
|
5881
|
+
|
5882
|
+
# Specifies a query argument in the request as an aggregate key for a
|
5883
|
+
# rate-based rule. Each distinct value for the named query argument
|
5884
|
+
# contributes to the aggregation instance. If you use a single query
|
5885
|
+
# argument as your custom key, then each value fully defines an
|
5886
|
+
# aggregation instance.
|
5887
|
+
#
|
5888
|
+
# @!attribute [rw] name
|
5889
|
+
# The name of the query argument to use.
|
5890
|
+
# @return [String]
|
5891
|
+
#
|
5892
|
+
# @!attribute [rw] text_transformations
|
5893
|
+
# Text transformations eliminate some of the unusual formatting that
|
5894
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
5895
|
+
# transformations are used in rule match statements, to transform the
|
5896
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
5897
|
+
# used in rate-based rule statements, to transform request components
|
5898
|
+
# before using them as custom aggregation keys. If you specify one or
|
5899
|
+
# more transformations to apply, WAF performs all transformations on
|
5900
|
+
# the specified content, starting from the lowest priority setting,
|
5901
|
+
# and then uses the component contents.
|
5902
|
+
# @return [Array<Types::TextTransformation>]
|
5903
|
+
#
|
5904
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitQueryArgument AWS API Documentation
|
5905
|
+
#
|
5906
|
+
class RateLimitQueryArgument < Struct.new(
|
5907
|
+
:name,
|
5908
|
+
:text_transformations)
|
5909
|
+
SENSITIVE = []
|
5910
|
+
include Aws::Structure
|
5911
|
+
end
|
5912
|
+
|
5913
|
+
# Specifies the request's query string as an aggregate key for a
|
5914
|
+
# rate-based rule. Each distinct string contributes to the aggregation
|
5915
|
+
# instance. If you use just the query string as your custom key, then
|
5916
|
+
# each string fully defines an aggregation instance.
|
5917
|
+
#
|
5918
|
+
# @!attribute [rw] text_transformations
|
5919
|
+
# Text transformations eliminate some of the unusual formatting that
|
5920
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
5921
|
+
# transformations are used in rule match statements, to transform the
|
5922
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
5923
|
+
# used in rate-based rule statements, to transform request components
|
5924
|
+
# before using them as custom aggregation keys. If you specify one or
|
5925
|
+
# more transformations to apply, WAF performs all transformations on
|
5926
|
+
# the specified content, starting from the lowest priority setting,
|
5927
|
+
# and then uses the component contents.
|
5928
|
+
# @return [Array<Types::TextTransformation>]
|
5929
|
+
#
|
5930
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitQueryString AWS API Documentation
|
5931
|
+
#
|
5932
|
+
class RateLimitQueryString < Struct.new(
|
5933
|
+
:text_transformations)
|
5934
|
+
SENSITIVE = []
|
5935
|
+
include Aws::Structure
|
5936
|
+
end
|
5937
|
+
|
5510
5938
|
# A single regular expression. This is used in a RegexPatternSet.
|
5511
5939
|
#
|
5512
5940
|
# @!attribute [rw] regex_string
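Review bot: The three empty key types document their JSON form inconsistently: `RateLimitForwardedIP` gives `"ForwardedIP": \{\}`, while `RateLimitHTTPMethod` and `RateLimitIP` give `"RateLimitHTTPMethod": \{\}` and `"RateLimitIP": \{\}`. The members of `RateBasedStatementCustomKey` in the previous hunk are `http_method` and `ip`, so the keys are probably `HTTPMethod` and `IP`, and a rule written from the documented form may be rejected or not aggregate as intended. Once confirmed against the API model, the two lines would read `# JSON specification: "HTTPMethod": \{\}` and `# JSON specification: "IP": \{\}`.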
|
@@ -5534,11 +5962,14 @@ module Aws::WAFV2
|
|
5534
5962
|
#
|
5535
5963
|
# @!attribute [rw] text_transformations
|
5536
5964
|
# Text transformations eliminate some of the unusual formatting that
|
5537
|
-
# attackers use in web requests in an effort to bypass detection.
|
5538
|
-
#
|
5539
|
-
#
|
5540
|
-
#
|
5541
|
-
#
|
5965
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
5966
|
+
# transformations are used in rule match statements, to transform the
|
5967
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
5968
|
+
# used in rate-based rule statements, to transform request components
|
5969
|
+
# before using them as custom aggregation keys. If you specify one or
|
5970
|
+
# more transformations to apply, WAF performs all transformations on
|
5971
|
+
# the specified content, starting from the lowest priority setting,
|
5972
|
+
# and then uses the component contents.
|
5542
5973
|
# @return [Array<Types::TextTransformation>]
|
5543
5974
|
#
|
5544
5975
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RegexMatchStatement AWS API Documentation
|
@@ -5615,11 +6046,14 @@ module Aws::WAFV2
|
|
5615
6046
|
#
|
5616
6047
|
# @!attribute [rw] text_transformations
|
5617
6048
|
# Text transformations eliminate some of the unusual formatting that
|
5618
|
-
# attackers use in web requests in an effort to bypass detection.
|
5619
|
-
#
|
5620
|
-
#
|
5621
|
-
#
|
5622
|
-
#
|
6049
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
6050
|
+
# transformations are used in rule match statements, to transform the
|
6051
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
6052
|
+
# used in rate-based rule statements, to transform request components
|
6053
|
+
# before using them as custom aggregation keys. If you specify one or
|
6054
|
+
# more transformations to apply, WAF performs all transformations on
|
6055
|
+
# the specified content, starting from the lowest priority setting,
|
6056
|
+
# and then uses the component contents.
|
5623
6057
|
# @return [Array<Types::TextTransformation>]
|
5624
6058
|
#
|
5625
6059
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RegexPatternSetReferenceStatement AWS API Documentation
|
@@ -6617,11 +7051,14 @@ module Aws::WAFV2
|
|
6617
7051
|
#
|
6618
7052
|
# @!attribute [rw] text_transformations
|
6619
7053
|
# Text transformations eliminate some of the unusual formatting that
|
6620
|
-
# attackers use in web requests in an effort to bypass detection.
|
6621
|
-
#
|
6622
|
-
#
|
6623
|
-
#
|
6624
|
-
#
|
7054
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
7055
|
+
# transformations are used in rule match statements, to transform the
|
7056
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
7057
|
+
# used in rate-based rule statements, to transform request components
|
7058
|
+
# before using them as custom aggregation keys. If you specify one or
|
7059
|
+
# more transformations to apply, WAF performs all transformations on
|
7060
|
+
# the specified content, starting from the lowest priority setting,
|
7061
|
+
# and then uses the component contents.
|
6625
7062
|
# @return [Array<Types::TextTransformation>]
|
6626
7063
|
#
|
6627
7064
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/SizeConstraintStatement AWS API Documentation
|
@@ -6645,11 +7082,14 @@ module Aws::WAFV2
|
|
6645
7082
|
#
|
6646
7083
|
# @!attribute [rw] text_transformations
|
6647
7084
|
# Text transformations eliminate some of the unusual formatting that
|
6648
|
-
# attackers use in web requests in an effort to bypass detection.
|
6649
|
-
#
|
6650
|
-
#
|
6651
|
-
#
|
6652
|
-
#
|
7085
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
7086
|
+
# transformations are used in rule match statements, to transform the
|
7087
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
7088
|
+
# used in rate-based rule statements, to transform request components
|
7089
|
+
# before using them as custom aggregation keys. If you specify one or
|
7090
|
+
# more transformations to apply, WAF performs all transformations on
|
7091
|
+
# the specified content, starting from the lowest priority setting,
|
7092
|
+
# and then uses the component contents.
|
6653
7093
|
# @return [Array<Types::TextTransformation>]
|
6654
7094
|
#
|
6655
7095
|
# @!attribute [rw] sensitivity_level
|
@@ -6809,11 +7249,88 @@ module Aws::WAFV2
|
|
6809
7249
|
# @return [Types::RegexPatternSetReferenceStatement]
|
6810
7250
|
#
|
6811
7251
|
# @!attribute [rw] rate_based_statement
|
6812
|
-
# A rate-based rule
|
6813
|
-
#
|
6814
|
-
#
|
6815
|
-
#
|
6816
|
-
#
|
7252
|
+
# A rate-based rule counts incoming requests and rate limits requests
|
7253
|
+
# when they are coming at too fast a rate. The rule categorizes
|
7254
|
+
# requests according to your aggregation criteria, collects them into
|
7255
|
+
# aggregation instances, and counts and rate limits the requests for
|
7256
|
+
# each instance.
|
7257
|
+
#
|
7258
|
+
# You can specify individual aggregation keys, like IP address or HTTP
|
7259
|
+
# method. You can also specify aggregation key combinations, like IP
|
7260
|
+
# address and HTTP method, or HTTP method, query argument, and cookie.
|
7261
|
+
#
|
7262
|
+
# Each unique set of values for the aggregation keys that you specify
|
7263
|
+
# is a separate aggregation instance, with the value from each key
|
7264
|
+
# contributing to the aggregation instance definition.
|
7265
|
+
#
|
7266
|
+
# For example, assume the rule evaluates web requests with the
|
7267
|
+
# following IP address and HTTP method values:
|
7268
|
+
#
|
7269
|
+
# * IP address 10.1.1.1, HTTP method POST
|
7270
|
+
#
|
7271
|
+
# * IP address 10.1.1.1, HTTP method GET
|
7272
|
+
#
|
7273
|
+
# * IP address 127.0.0.0, HTTP method POST
|
7274
|
+
#
|
7275
|
+
# * IP address 10.1.1.1, HTTP method GET
|
7276
|
+
#
|
7277
|
+
# The rule would create different aggregation instances according to
|
7278
|
+
# your aggregation criteria, for example:
|
7279
|
+
#
|
7280
|
+
# * If the aggregation criteria is just the IP address, then each
|
7281
|
+
# individual address is an aggregation instance, and WAF counts
|
7282
|
+
# requests separately for each. The aggregation instances and
|
7283
|
+
# request counts for our example would be the following:
|
7284
|
+
#
|
7285
|
+
# * IP address 10.1.1.1: count 3
|
7286
|
+
#
|
7287
|
+
# * IP address 127.0.0.0: count 1
|
7288
|
+
#
|
7289
|
+
# * If the aggregation criteria is HTTP method, then each individual
|
7290
|
+
# HTTP method is an aggregation instance. The aggregation instances
|
7291
|
+
# and request counts for our example would be the following:
|
7292
|
+
#
|
7293
|
+
# * HTTP method POST: count 2
|
7294
|
+
#
|
7295
|
+
# * HTTP method GET: count 2
|
7296
|
+
#
|
7297
|
+
# * If the aggregation criteria is IP address and HTTP method, then
|
7298
|
+
# each IP address and each HTTP method would contribute to the
|
7299
|
+
# combined aggregation instance. The aggregation instances and
|
7300
|
+
# request counts for our example would be the following:
|
7301
|
+
#
|
7302
|
+
# * IP address 10.1.1.1, HTTP method POST: count 1
|
7303
|
+
#
|
7304
|
+
# * IP address 10.1.1.1, HTTP method GET: count 2
|
7305
|
+
#
|
7306
|
+
# * IP address 127.0.0.0, HTTP method POST: count 1
|
7307
|
+
#
|
7308
|
+
# For any n-tuple of aggregation keys, each unique combination of
|
7309
|
+
# values for the keys defines a separate aggregation instance, which
|
7310
|
+
# WAF counts and rate-limits individually.
|
7311
|
+
#
|
7312
|
+
# You can optionally nest another statement inside the rate-based
|
7313
|
+
# statement, to narrow the scope of the rule so that it only counts
|
7314
|
+
# and rate limits requests that match the nested statement. You can
|
7315
|
+
# use this nested scope-down statement in conjunction with your
|
7316
|
+
# aggregation key specifications or you can just count and rate limit
|
7317
|
+
# all requests that match the scope-down statement, without additional
|
7318
|
+
# aggregation. When you choose to just manage all requests that match
|
7319
|
+
# a scope-down statement, the aggregation instance is singular for the
|
7320
|
+
# rule.
|
7321
|
+
#
|
7322
|
+
# You cannot nest a `RateBasedStatement` inside another statement, for
|
7323
|
+
# example inside a `NotStatement` or `OrStatement`. You can define a
|
7324
|
+
# `RateBasedStatement` inside a web ACL and inside a rule group.
|
7325
|
+
#
|
7326
|
+
# For additional information about the options, see [Rate limiting web
|
7327
|
+
# requests using rate-based rules][1] in the *WAF Developer Guide*.
|
7328
|
+
#
|
7329
|
+
# If you only aggregate on the individual IP address or forwarded IP
|
7330
|
+
# address, you can retrieve the list of IP addresses that WAF is
|
7331
|
+
# currently rate limiting for a rule through the API call
|
7332
|
+
# `GetRateBasedStatementManagedKeys`. This option is not available for
|
7333
|
+
# other aggregation configurations.
|
6817
7334
|
#
|
6818
7335
|
# WAF tracks and manages web requests separately for each instance of
|
6819
7336
|
# a rate-based rule that you use. For example, if you provide the same
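Review bot: The worked example in the `rate_based_statement` comment uses 10.1.1.1 and 127.0.0.0 as client addresses, and the second is in the loopback block, so it would not be seen as a request origin. The text this commit removes in the next hunk used 192.0.2.44, from a range reserved for documentation, and the new example reads better with the same convention, for instance `# * IP address 192.0.2.1, HTTP method POST` and `# * IP address 198.51.100.7, HTTP method POST`. The same list appears in the `RateBasedStatement` class comment earlier on the page. The attribute comment continues into the next hunk.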
|
@@ -6824,33 +7341,9 @@ module Aws::WAFV2
|
|
6824
7341
|
# multiple places, each use creates a separate instance of the
|
6825
7342
|
# rate-based rule that gets its own tracking and management by WAF.
|
6826
7343
|
#
|
6827
|
-
# When the rule action triggers, WAF blocks additional requests from
|
6828
|
-
# the IP address until the request rate falls below the limit.
|
6829
7344
|
#
|
6830
|
-
# You can optionally nest another statement inside the rate-based
|
6831
|
-
# statement, to narrow the scope of the rule so that it only counts
|
6832
|
-
# requests that match the nested statement. For example, based on
|
6833
|
-
# recent requests that you have seen from an attacker, you might
|
6834
|
-
# create a rate-based rule with a nested AND rule statement that
|
6835
|
-
# contains the following nested statements:
|
6836
|
-
#
|
6837
|
-
# * An IP match statement with an IP set that specifies the address
|
6838
|
-
# 192.0.2.44.
|
6839
|
-
#
|
6840
|
-
# * A string match statement that searches in the User-Agent header
|
6841
|
-
# for the string BadBot.
|
6842
|
-
#
|
6843
|
-
# In this rate-based rule, you also define a rate limit. For this
|
6844
|
-
# example, the rate limit is 1,000. Requests that meet the criteria of
|
6845
|
-
# both of the nested statements are counted. If the count exceeds
|
6846
|
-
# 1,000 requests per five minutes, the rule action triggers. Requests
|
6847
|
-
# that do not meet the criteria of both of the nested statements are
|
6848
|
-
# not counted towards the rate limit and are not affected by this
|
6849
|
-
# rule.
|
6850
7345
|
#
|
6851
|
-
#
|
6852
|
-
# example inside a `NotStatement` or `OrStatement`. You can define a
|
6853
|
-
# `RateBasedStatement` inside a web ACL and inside a rule group.
|
7346
|
+
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html
|
6854
7347
|
# @return [Types::RateBasedStatement]
|
6855
7348
|
#
|
6856
7349
|
# @!attribute [rw] and_statement
|
@@ -7025,11 +7518,10 @@ module Aws::WAFV2
|
|
7025
7518
|
# attackers use in web requests in an effort to bypass detection.
|
7026
7519
|
#
|
7027
7520
|
# @!attribute [rw] priority
|
7028
|
-
# Sets the relative processing order for multiple transformations
|
7029
|
-
#
|
7030
|
-
#
|
7031
|
-
#
|
7032
|
-
# all be different.
|
7521
|
+
# Sets the relative processing order for multiple transformations. WAF
|
7522
|
+
# processes all transformations, from lowest priority to highest,
|
7523
|
+
# before inspecting the transformed content. The priorities don't
|
7524
|
+
# need to be consecutive, but they must all be different.
|
7033
7525
|
# @return [Integer]
|
7034
7526
|
#
|
7035
7527
|
# @!attribute [rw] type
|
@@ -7240,8 +7732,8 @@ module Aws::WAFV2
|
|
7240
7732
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
7241
7733
|
# for a regional application. A regional application can be an
|
7242
7734
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
7243
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
7244
|
-
# service.
|
7735
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
7736
|
+
# service, or an Amazon Web Services Verified Access instance.
|
7245
7737
|
#
|
7246
7738
|
# To work with CloudFront, you must also specify the Region US East
|
7247
7739
|
# (N. Virginia) as follows:
|
@@ -7359,8 +7851,8 @@ module Aws::WAFV2
|
|
7359
7851
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
7360
7852
|
# for a regional application. A regional application can be an
|
7361
7853
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
7362
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
7363
|
-
# service.
|
7854
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
7855
|
+
# service, or an Amazon Web Services Verified Access instance.
|
7364
7856
|
#
|
7365
7857
|
# To work with CloudFront, you must also specify the Region US East
|
7366
7858
|
# (N. Virginia) as follows:
|
@@ -7458,8 +7950,8 @@ module Aws::WAFV2
|
|
7458
7950
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
7459
7951
|
# for a regional application. A regional application can be an
|
7460
7952
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
7461
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
7462
|
-
# service.
|
7953
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
7954
|
+
# service, or an Amazon Web Services Verified Access instance.
|
7463
7955
|
#
|
7464
7956
|
# To work with CloudFront, you must also specify the Region US East
|
7465
7957
|
# (N. Virginia) as follows:
|
@@ -7531,8 +8023,8 @@ module Aws::WAFV2
|
|
7531
8023
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
7532
8024
|
# for a regional application. A regional application can be an
|
7533
8025
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
7534
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
7535
|
-
# service.
|
8026
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
8027
|
+
# service, or an Amazon Web Services Verified Access instance.
|
7536
8028
|
#
|
7537
8029
|
# To work with CloudFront, you must also specify the Region US East
|
7538
8030
|
# (N. Virginia) as follows:
|
@@ -7635,8 +8127,8 @@ module Aws::WAFV2
|
|
7635
8127
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
7636
8128
|
# for a regional application. A regional application can be an
|
7637
8129
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
7638
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
7639
|
-
# service.
|
8130
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
8131
|
+
# service, or an Amazon Web Services Verified Access instance.
|
7640
8132
|
#
|
7641
8133
|
# To work with CloudFront, you must also specify the Region US East
|
7642
8134
|
# (N. Virginia) as follows:
|
@@ -8226,6 +8718,22 @@ module Aws::WAFV2
|
|
8226
8718
|
include Aws::Structure
|
8227
8719
|
end
|
8228
8720
|
|
8721
|
+
# The rule that you've named doesn't aggregate solely on the IP
|
8722
|
+
# address or solely on the forwarded IP address. This call is only
|
8723
|
+
# available for rate-based rules with an `AggregateKeyType` setting of
|
8724
|
+
# `IP` or `FORWARDED_IP`.
|
8725
|
+
#
|
8726
|
+
# @!attribute [rw] message
|
8727
|
+
# @return [String]
|
8728
|
+
#
|
8729
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/WAFUnsupportedAggregateKeyTypeException AWS API Documentation
|
8730
|
+
#
|
8731
|
+
class WAFUnsupportedAggregateKeyTypeException < Struct.new(
|
8732
|
+
:message)
|
8733
|
+
SENSITIVE = []
|
8734
|
+
include Aws::Structure
|
8735
|
+
end
|
8736
|
+
|
8229
8737
|
# A web ACL defines a collection of rules to use to inspect and control
|
8230
8738
|
# web requests. Each rule has an action defined (allow, block, or count)
|
8231
8739
|
# for requests that match the statement of the rule. In the web ACL, you
|
@@ -8235,7 +8743,8 @@ module Aws::WAFV2
|
|
8235
8743
|
# can associate a web ACL with one or more Amazon Web Services resources
|
8236
8744
|
# to protect. The resources can be an Amazon CloudFront distribution, an
|
8237
8745
|
# Amazon API Gateway REST API, an Application Load Balancer, an AppSync
|
8238
|
-
# GraphQL API, an Amazon Cognito user pool,
|
8746
|
+
# GraphQL API, an Amazon Cognito user pool, an App Runner service, or an
|
8747
|
+
# Amazon Web Services Verified Access instance.
|
8239
8748
|
#
|
8240
8749
|
# @!attribute [rw] name
|
8241
8750
|
# The name of the web ACL. You cannot change the name of a web ACL
|
@@ -8487,11 +8996,14 @@ module Aws::WAFV2
|
|
8487
8996
|
#
|
8488
8997
|
# @!attribute [rw] text_transformations
|
8489
8998
|
# Text transformations eliminate some of the unusual formatting that
|
8490
|
-
# attackers use in web requests in an effort to bypass detection.
|
8491
|
-
#
|
8492
|
-
#
|
8493
|
-
#
|
8494
|
-
#
|
8999
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
9000
|
+
# transformations are used in rule match statements, to transform the
|
9001
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
9002
|
+
# used in rate-based rule statements, to transform request components
|
9003
|
+
# before using them as custom aggregation keys. If you specify one or
|
9004
|
+
# more transformations to apply, WAF performs all transformations on
|
9005
|
+
# the specified content, starting from the lowest priority setting,
|
9006
|
+
# and then uses the component contents.
|
8495
9007
|
# @return [Array<Types::TextTransformation>]
|
8496
9008
|
#
|
8497
9009
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/XssMatchStatement AWS API Documentation
|