aws-sdk-wafv2 1.55.0 → 1.57.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-wafv2/client.rb +507 -68
- data/lib/aws-sdk-wafv2/client_api.rb +53 -0
- data/lib/aws-sdk-wafv2/errors.rb +16 -0
- data/lib/aws-sdk-wafv2/types.rb +715 -203
- data/lib/aws-sdk-wafv2.rb +1 -1
- metadata +2 -2
data/lib/aws-sdk-wafv2/types.rb
CHANGED
@@ -12,6 +12,17 @@ module Aws::WAFV2
|
|
12
12
|
|
13
13
|
# Information for a single API key.
|
14
14
|
#
|
15
|
+
# API keys are required for the integration of the CAPTCHA API in your
|
16
|
+
# JavaScript client applications. The API lets you customize the
|
17
|
+
# placement and characteristics of the CAPTCHA puzzle for your end
|
18
|
+
# users. For more information about the CAPTCHA JavaScript integration,
|
19
|
+
# see [WAF client application integration][1] in the *WAF Developer
|
20
|
+
# Guide*.
|
21
|
+
#
|
22
|
+
#
|
23
|
+
#
|
24
|
+
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-application-integration.html
|
25
|
+
#
|
15
26
|
# @!attribute [rw] token_domains
|
16
27
|
# The token domains that are defined in this API key.
|
17
28
|
# @return [Array<String>]
|
@@ -19,14 +30,6 @@ module Aws::WAFV2
|
|
19
30
|
# @!attribute [rw] api_key
|
20
31
|
# The generated, encrypted API key. You can copy this for use in your
|
21
32
|
# JavaScript CAPTCHA integration.
|
22
|
-
#
|
23
|
-
# For information about how to use this in your CAPTCHA JavaScript
|
24
|
-
# integration, see [WAF client application integration][1] in the *WAF
|
25
|
-
# Developer Guide*.
|
26
|
-
#
|
27
|
-
#
|
28
|
-
#
|
29
|
-
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-application-integration.html
|
30
33
|
# @return [String]
|
31
34
|
#
|
32
35
|
# @!attribute [rw] creation_timestamp
|
@@ -238,6 +241,10 @@ module Aws::WAFV2
|
|
238
241
|
# * For an App Runner service:
|
239
242
|
# `arn:partition:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id
|
240
243
|
# `
|
244
|
+
#
|
245
|
+
# * For an Amazon Web Services Verified Access instance:
|
246
|
+
# `arn:partition:ec2:region:account-id:verified-access-instance/instance-id
|
247
|
+
# `
|
241
248
|
# @return [String]
|
242
249
|
#
|
243
250
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/AssociateWebACLRequest AWS API Documentation
|
@@ -412,11 +419,14 @@ module Aws::WAFV2
|
|
412
419
|
#
|
413
420
|
# @!attribute [rw] text_transformations
|
414
421
|
# Text transformations eliminate some of the unusual formatting that
|
415
|
-
# attackers use in web requests in an effort to bypass detection.
|
416
|
-
#
|
417
|
-
#
|
418
|
-
#
|
419
|
-
#
|
422
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
423
|
+
# transformations are used in rule match statements, to transform the
|
424
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
425
|
+
# used in rate-based rule statements, to transform request components
|
426
|
+
# before using them as custom aggregation keys. If you specify one or
|
427
|
+
# more transformations to apply, WAF performs all transformations on
|
428
|
+
# the specified content, starting from the lowest priority setting,
|
429
|
+
# and then uses the component contents.
|
420
430
|
# @return [Array<Types::TextTransformation>]
|
421
431
|
#
|
422
432
|
# @!attribute [rw] positional_constraint
|
@@ -680,8 +690,8 @@ module Aws::WAFV2
|
|
680
690
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
681
691
|
# for a regional application. A regional application can be an
|
682
692
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
683
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
684
|
-
# service.
|
693
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
694
|
+
# service, or an Amazon Web Services Verified Access instance.
|
685
695
|
#
|
686
696
|
# To work with CloudFront, you must also specify the Region US East
|
687
697
|
# (N. Virginia) as follows:
|
@@ -860,8 +870,8 @@ module Aws::WAFV2
|
|
860
870
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
861
871
|
# for a regional application. A regional application can be an
|
862
872
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
863
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
864
|
-
# service.
|
873
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
874
|
+
# service, or an Amazon Web Services Verified Access instance.
|
865
875
|
#
|
866
876
|
# To work with CloudFront, you must also specify the Region US East
|
867
877
|
# (N. Virginia) as follows:
|
@@ -875,6 +885,11 @@ module Aws::WAFV2
|
|
875
885
|
# @!attribute [rw] token_domains
|
876
886
|
# The client application domains that you want to use this API key
|
877
887
|
# for.
|
888
|
+
#
|
889
|
+
# Example JSON: `"TokenDomains": ["abc.com", "store.abc.com"]`
|
890
|
+
#
|
891
|
+
# Public suffixes aren't allowed. For example, you can't use
|
892
|
+
# `usa.gov` or `co.uk` as token domains.
|
878
893
|
# @return [Array<String>]
|
879
894
|
#
|
880
895
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/CreateAPIKeyRequest AWS API Documentation
|
@@ -889,14 +904,6 @@ module Aws::WAFV2
|
|
889
904
|
# @!attribute [rw] api_key
|
890
905
|
# The generated, encrypted API key. You can copy this for use in your
|
891
906
|
# JavaScript CAPTCHA integration.
|
892
|
-
#
|
893
|
-
# For information about how to use this in your CAPTCHA JavaScript
|
894
|
-
# integration, see [WAF client application integration][1] in the *WAF
|
895
|
-
# Developer Guide*.
|
896
|
-
#
|
897
|
-
#
|
898
|
-
#
|
899
|
-
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-application-integration.html
|
900
907
|
# @return [String]
|
901
908
|
#
|
902
909
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/CreateAPIKeyResponse AWS API Documentation
|
@@ -916,8 +923,8 @@ module Aws::WAFV2
|
|
916
923
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
917
924
|
# for a regional application. A regional application can be an
|
918
925
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
919
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
920
|
-
# service.
|
926
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
927
|
+
# service, or an Amazon Web Services Verified Access instance.
|
921
928
|
#
|
922
929
|
# To work with CloudFront, you must also specify the Region US East
|
923
930
|
# (N. Virginia) as follows:
|
@@ -1023,8 +1030,8 @@ module Aws::WAFV2
|
|
1023
1030
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
1024
1031
|
# for a regional application. A regional application can be an
|
1025
1032
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
1026
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
1027
|
-
# service.
|
1033
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
1034
|
+
# service, or an Amazon Web Services Verified Access instance.
|
1028
1035
|
#
|
1029
1036
|
# To work with CloudFront, you must also specify the Region US East
|
1030
1037
|
# (N. Virginia) as follows:
|
@@ -1084,8 +1091,8 @@ module Aws::WAFV2
|
|
1084
1091
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
1085
1092
|
# for a regional application. A regional application can be an
|
1086
1093
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
1087
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
1088
|
-
# service.
|
1094
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
1095
|
+
# service, or an Amazon Web Services Verified Access instance.
|
1089
1096
|
#
|
1090
1097
|
# To work with CloudFront, you must also specify the Region US East
|
1091
1098
|
# (N. Virginia) as follows:
|
@@ -1199,8 +1206,8 @@ module Aws::WAFV2
|
|
1199
1206
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
1200
1207
|
# for a regional application. A regional application can be an
|
1201
1208
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
1202
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
1203
|
-
# service.
|
1209
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
1210
|
+
# service, or an Amazon Web Services Verified Access instance.
|
1204
1211
|
#
|
1205
1212
|
# To work with CloudFront, you must also specify the Region US East
|
1206
1213
|
# (N. Virginia) as follows:
|
@@ -1563,8 +1570,8 @@ module Aws::WAFV2
|
|
1563
1570
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
1564
1571
|
# for a regional application. A regional application can be an
|
1565
1572
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
1566
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
1567
|
-
# service.
|
1573
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
1574
|
+
# service, or an Amazon Web Services Verified Access instance.
|
1568
1575
|
#
|
1569
1576
|
# To work with CloudFront, you must also specify the Region US East
|
1570
1577
|
# (N. Virginia) as follows:
|
@@ -1653,8 +1660,8 @@ module Aws::WAFV2
|
|
1653
1660
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
1654
1661
|
# for a regional application. A regional application can be an
|
1655
1662
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
1656
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
1657
|
-
# service.
|
1663
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
1664
|
+
# service, or an Amazon Web Services Verified Access instance.
|
1658
1665
|
#
|
1659
1666
|
# To work with CloudFront, you must also specify the Region US East
|
1660
1667
|
# (N. Virginia) as follows:
|
@@ -1707,8 +1714,8 @@ module Aws::WAFV2
|
|
1707
1714
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
1708
1715
|
# for a regional application. A regional application can be an
|
1709
1716
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
1710
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
1711
|
-
# service.
|
1717
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
1718
|
+
# service, or an Amazon Web Services Verified Access instance.
|
1712
1719
|
#
|
1713
1720
|
# To work with CloudFront, you must also specify the Region US East
|
1714
1721
|
# (N. Virginia) as follows:
|
@@ -1761,8 +1768,8 @@ module Aws::WAFV2
|
|
1761
1768
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
1762
1769
|
# for a regional application. A regional application can be an
|
1763
1770
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
1764
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
1765
|
-
# service.
|
1771
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
1772
|
+
# service, or an Amazon Web Services Verified Access instance.
|
1766
1773
|
#
|
1767
1774
|
# To work with CloudFront, you must also specify the Region US East
|
1768
1775
|
# (N. Virginia) as follows:
|
@@ -1820,8 +1827,8 @@ module Aws::WAFV2
|
|
1820
1827
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
1821
1828
|
# for a regional application. A regional application can be an
|
1822
1829
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
1823
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
1824
|
-
# service.
|
1830
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
1831
|
+
# service, or an Amazon Web Services Verified Access instance.
|
1825
1832
|
#
|
1826
1833
|
# To work with CloudFront, you must also specify the Region US East
|
1827
1834
|
# (N. Virginia) as follows:
|
@@ -1955,6 +1962,10 @@ module Aws::WAFV2
|
|
1955
1962
|
# * For an App Runner service:
|
1956
1963
|
# `arn:partition:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id
|
1957
1964
|
# `
|
1965
|
+
#
|
1966
|
+
# * For an Amazon Web Services Verified Access instance:
|
1967
|
+
# `arn:partition:ec2:region:account-id:verified-access-instance/instance-id
|
1968
|
+
# `
|
1958
1969
|
# @return [String]
|
1959
1970
|
#
|
1960
1971
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/DisassociateWebACLRequest AWS API Documentation
|
@@ -2388,8 +2399,8 @@ module Aws::WAFV2
|
|
2388
2399
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
2389
2400
|
# for a regional application. A regional application can be an
|
2390
2401
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
2391
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
2392
|
-
# service.
|
2402
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
2403
|
+
# service, or an Amazon Web Services Verified Access instance.
|
2393
2404
|
#
|
2394
2405
|
# To work with CloudFront, you must also specify the Region US East
|
2395
2406
|
# (N. Virginia) as follows:
|
@@ -2439,8 +2450,8 @@ module Aws::WAFV2
|
|
2439
2450
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
2440
2451
|
# for a regional application. A regional application can be an
|
2441
2452
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
2442
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
2443
|
-
# service.
|
2453
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
2454
|
+
# service, or an Amazon Web Services Verified Access instance.
|
2444
2455
|
#
|
2445
2456
|
# To work with CloudFront, you must also specify the Region US East
|
2446
2457
|
# (N. Virginia) as follows:
|
@@ -2528,8 +2539,8 @@ module Aws::WAFV2
|
|
2528
2539
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
2529
2540
|
# for a regional application. A regional application can be an
|
2530
2541
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
2531
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
2532
|
-
# service.
|
2542
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
2543
|
+
# service, or an Amazon Web Services Verified Access instance.
|
2533
2544
|
#
|
2534
2545
|
# To work with CloudFront, you must also specify the Region US East
|
2535
2546
|
# (N. Virginia) as follows:
|
@@ -2641,8 +2652,8 @@ module Aws::WAFV2
|
|
2641
2652
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
2642
2653
|
# for a regional application. A regional application can be an
|
2643
2654
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
2644
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
2645
|
-
# service.
|
2655
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
2656
|
+
# service, or an Amazon Web Services Verified Access instance.
|
2646
2657
|
#
|
2647
2658
|
# To work with CloudFront, you must also specify the Region US East
|
2648
2659
|
# (N. Virginia) as follows:
|
@@ -2715,8 +2726,8 @@ module Aws::WAFV2
|
|
2715
2726
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
2716
2727
|
# for a regional application. A regional application can be an
|
2717
2728
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
2718
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
2719
|
-
# service.
|
2729
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
2730
|
+
# service, or an Amazon Web Services Verified Access instance.
|
2720
2731
|
#
|
2721
2732
|
# To work with CloudFront, you must also specify the Region US East
|
2722
2733
|
# (N. Virginia) as follows:
|
@@ -2776,8 +2787,8 @@ module Aws::WAFV2
|
|
2776
2787
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
2777
2788
|
# for a regional application. A regional application can be an
|
2778
2789
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
2779
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
2780
|
-
# service.
|
2790
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
2791
|
+
# service, or an Amazon Web Services Verified Access instance.
|
2781
2792
|
#
|
2782
2793
|
# To work with CloudFront, you must also specify the Region US East
|
2783
2794
|
# (N. Virginia) as follows:
|
@@ -2847,8 +2858,8 @@ module Aws::WAFV2
|
|
2847
2858
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
2848
2859
|
# for a regional application. A regional application can be an
|
2849
2860
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
2850
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
2851
|
-
# service.
|
2861
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
2862
|
+
# service, or an Amazon Web Services Verified Access instance.
|
2852
2863
|
#
|
2853
2864
|
# To work with CloudFront, you must also specify the Region US East
|
2854
2865
|
# (N. Virginia) as follows:
|
@@ -2944,6 +2955,10 @@ module Aws::WAFV2
|
|
2944
2955
|
# * For an App Runner service:
|
2945
2956
|
# `arn:partition:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id
|
2946
2957
|
# `
|
2958
|
+
#
|
2959
|
+
# * For an Amazon Web Services Verified Access instance:
|
2960
|
+
# `arn:partition:ec2:region:account-id:verified-access-instance/instance-id
|
2961
|
+
# `
|
2947
2962
|
# @return [String]
|
2948
2963
|
#
|
2949
2964
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/GetWebACLForResourceRequest AWS API Documentation
|
@@ -2976,8 +2991,8 @@ module Aws::WAFV2
|
|
2976
2991
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
2977
2992
|
# for a regional application. A regional application can be an
|
2978
2993
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
2979
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
2980
|
-
# service.
|
2994
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
2995
|
+
# service, or an Amazon Web Services Verified Access instance.
|
2981
2996
|
#
|
2982
2997
|
# To work with CloudFront, you must also specify the Region US East
|
2983
2998
|
# (N. Virginia) as follows:
|
@@ -3731,8 +3746,8 @@ module Aws::WAFV2
|
|
3731
3746
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
3732
3747
|
# for a regional application. A regional application can be an
|
3733
3748
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
3734
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
3735
|
-
# service.
|
3749
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
3750
|
+
# service, or an Amazon Web Services Verified Access instance.
|
3736
3751
|
#
|
3737
3752
|
# To work with CloudFront, you must also specify the Region US East
|
3738
3753
|
# (N. Virginia) as follows:
|
@@ -3784,14 +3799,6 @@ module Aws::WAFV2
|
|
3784
3799
|
# @!attribute [rw] application_integration_url
|
3785
3800
|
# The CAPTCHA application integration URL, for use in your JavaScript
|
3786
3801
|
# implementation.
|
3787
|
-
#
|
3788
|
-
# For information about how to use this in your CAPTCHA JavaScript
|
3789
|
-
# integration, see [WAF client application integration][1] in the *WAF
|
3790
|
-
# Developer Guide*.
|
3791
|
-
#
|
3792
|
-
#
|
3793
|
-
#
|
3794
|
-
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-application-integration.html
|
3795
3802
|
# @return [String]
|
3796
3803
|
#
|
3797
3804
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/ListAPIKeysResponse AWS API Documentation
|
@@ -3818,8 +3825,8 @@ module Aws::WAFV2
|
|
3818
3825
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
3819
3826
|
# for a regional application. A regional application can be an
|
3820
3827
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
3821
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
3822
|
-
# service.
|
3828
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
3829
|
+
# service, or an Amazon Web Services Verified Access instance.
|
3823
3830
|
#
|
3824
3831
|
# To work with CloudFront, you must also specify the Region US East
|
3825
3832
|
# (N. Virginia) as follows:
|
@@ -3889,8 +3896,8 @@ module Aws::WAFV2
|
|
3889
3896
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
3890
3897
|
# for a regional application. A regional application can be an
|
3891
3898
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
3892
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
3893
|
-
# service.
|
3899
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
3900
|
+
# service, or an Amazon Web Services Verified Access instance.
|
3894
3901
|
#
|
3895
3902
|
# To work with CloudFront, you must also specify the Region US East
|
3896
3903
|
# (N. Virginia) as follows:
|
@@ -3952,8 +3959,8 @@ module Aws::WAFV2
|
|
3952
3959
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
3953
3960
|
# for a regional application. A regional application can be an
|
3954
3961
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
3955
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
3956
|
-
# service.
|
3962
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
3963
|
+
# service, or an Amazon Web Services Verified Access instance.
|
3957
3964
|
#
|
3958
3965
|
# To work with CloudFront, you must also specify the Region US East
|
3959
3966
|
# (N. Virginia) as follows:
|
@@ -4015,8 +4022,8 @@ module Aws::WAFV2
|
|
4015
4022
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
4016
4023
|
# for a regional application. A regional application can be an
|
4017
4024
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
4018
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
4019
|
-
# service.
|
4025
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
4026
|
+
# service, or an Amazon Web Services Verified Access instance.
|
4020
4027
|
#
|
4021
4028
|
# To work with CloudFront, you must also specify the Region US East
|
4022
4029
|
# (N. Virginia) as follows:
|
@@ -4078,8 +4085,8 @@ module Aws::WAFV2
|
|
4078
4085
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
4079
4086
|
# for a regional application. A regional application can be an
|
4080
4087
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
4081
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
4082
|
-
# service.
|
4088
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
4089
|
+
# service, or an Amazon Web Services Verified Access instance.
|
4083
4090
|
#
|
4084
4091
|
# To work with CloudFront, you must also specify the Region US East
|
4085
4092
|
# (N. Virginia) as follows:
|
@@ -4193,8 +4200,8 @@ module Aws::WAFV2
|
|
4193
4200
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
4194
4201
|
# for a regional application. A regional application can be an
|
4195
4202
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
4196
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
4197
|
-
# service.
|
4203
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
4204
|
+
# service, or an Amazon Web Services Verified Access instance.
|
4198
4205
|
#
|
4199
4206
|
# To work with CloudFront, you must also specify the Region US East
|
4200
4207
|
# (N. Virginia) as follows:
|
@@ -4260,7 +4267,8 @@ module Aws::WAFV2
|
|
4260
4267
|
# Used for web ACLs that are scoped for regional applications. A
|
4261
4268
|
# regional application can be an Application Load Balancer (ALB), an
|
4262
4269
|
# Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon
|
4263
|
-
# Cognito user pool,
|
4270
|
+
# Cognito user pool, an App Runner service, or an Amazon Web Services
|
4271
|
+
# Verified Access instance.
|
4264
4272
|
#
|
4265
4273
|
# <note markdown="1"> If you don't provide a resource type, the call uses the resource
|
4266
4274
|
# type `APPLICATION_LOAD_BALANCER`.
|
@@ -4296,8 +4304,8 @@ module Aws::WAFV2
|
|
4296
4304
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
4297
4305
|
# for a regional application. A regional application can be an
|
4298
4306
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
4299
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
4300
|
-
# service.
|
4307
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
4308
|
+
# service, or an Amazon Web Services Verified Access instance.
|
4301
4309
|
#
|
4302
4310
|
# To work with CloudFront, you must also specify the Region US East
|
4303
4311
|
# (N. Virginia) as follows:
|
@@ -4411,8 +4419,8 @@ module Aws::WAFV2
|
|
4411
4419
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
4412
4420
|
# for a regional application. A regional application can be an
|
4413
4421
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
4414
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
4415
|
-
# service.
|
4422
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
4423
|
+
# service, or an Amazon Web Services Verified Access instance.
|
4416
4424
|
#
|
4417
4425
|
# To work with CloudFront, you must also specify the Region US East
|
4418
4426
|
# (N. Virginia) as follows:
|
@@ -5262,8 +5270,8 @@ module Aws::WAFV2
|
|
5262
5270
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
5263
5271
|
# for a regional application. A regional application can be an
|
5264
5272
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
5265
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
5266
|
-
# service.
|
5273
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
5274
|
+
# service, or an Amazon Web Services Verified Access instance.
|
5267
5275
|
#
|
5268
5276
|
# To work with CloudFront, you must also specify the Region US East
|
5269
5277
|
# (N. Virginia) as follows:
|
@@ -5393,11 +5401,86 @@ module Aws::WAFV2
|
|
5393
5401
|
#
|
5394
5402
|
class QueryString < Aws::EmptyStructure; end
|
5395
5403
|
|
5396
|
-
# A rate-based rule
|
5397
|
-
#
|
5398
|
-
#
|
5399
|
-
#
|
5400
|
-
#
|
5404
|
+
# A rate-based rule counts incoming requests and rate limits requests
|
5405
|
+
# when they are coming at too fast a rate. The rule categorizes requests
|
5406
|
+
# according to your aggregation criteria, collects them into aggregation
|
5407
|
+
# instances, and counts and rate limits the requests for each instance.
|
5408
|
+
#
|
5409
|
+
# You can specify individual aggregation keys, like IP address or HTTP
|
5410
|
+
# method. You can also specify aggregation key combinations, like IP
|
5411
|
+
# address and HTTP method, or HTTP method, query argument, and cookie.
|
5412
|
+
#
|
5413
|
+
# Each unique set of values for the aggregation keys that you specify is
|
5414
|
+
# a separate aggregation instance, with the value from each key
|
5415
|
+
# contributing to the aggregation instance definition.
|
5416
|
+
#
|
5417
|
+
# For example, assume the rule evaluates web requests with the following
|
5418
|
+
# IP address and HTTP method values:
|
5419
|
+
#
|
5420
|
+
# * IP address 10.1.1.1, HTTP method POST
|
5421
|
+
#
|
5422
|
+
# * IP address 10.1.1.1, HTTP method GET
|
5423
|
+
#
|
5424
|
+
# * IP address 127.0.0.0, HTTP method POST
|
5425
|
+
#
|
5426
|
+
# * IP address 10.1.1.1, HTTP method GET
|
5427
|
+
#
|
5428
|
+
# The rule would create different aggregation instances according to
|
5429
|
+
# your aggregation criteria, for example:
|
5430
|
+
#
|
5431
|
+
# * If the aggregation criteria is just the IP address, then each
|
5432
|
+
# individual address is an aggregation instance, and WAF counts
|
5433
|
+
# requests separately for each. The aggregation instances and request
|
5434
|
+
# counts for our example would be the following:
|
5435
|
+
#
|
5436
|
+
# * IP address 10.1.1.1: count 3
|
5437
|
+
#
|
5438
|
+
# * IP address 127.0.0.0: count 1
|
5439
|
+
#
|
5440
|
+
# * If the aggregation criteria is HTTP method, then each individual
|
5441
|
+
# HTTP method is an aggregation instance. The aggregation instances
|
5442
|
+
# and request counts for our example would be the following:
|
5443
|
+
#
|
5444
|
+
# * HTTP method POST: count 2
|
5445
|
+
#
|
5446
|
+
# * HTTP method GET: count 2
|
5447
|
+
#
|
5448
|
+
# * If the aggregation criteria is IP address and HTTP method, then each
|
5449
|
+
# IP address and each HTTP method would contribute to the combined
|
5450
|
+
# aggregation instance. The aggregation instances and request counts
|
5451
|
+
# for our example would be the following:
|
5452
|
+
#
|
5453
|
+
# * IP address 10.1.1.1, HTTP method POST: count 1
|
5454
|
+
#
|
5455
|
+
# * IP address 10.1.1.1, HTTP method GET: count 2
|
5456
|
+
#
|
5457
|
+
# * IP address 127.0.0.0, HTTP method POST: count 1
|
5458
|
+
#
|
5459
|
+
# For any n-tuple of aggregation keys, each unique combination of values
|
5460
|
+
# for the keys defines a separate aggregation instance, which WAF counts
|
5461
|
+
# and rate-limits individually.
|
5462
|
+
#
|
5463
|
+
# You can optionally nest another statement inside the rate-based
|
5464
|
+
# statement, to narrow the scope of the rule so that it only counts and
|
5465
|
+
# rate limits requests that match the nested statement. You can use this
|
5466
|
+
# nested scope-down statement in conjunction with your aggregation key
|
5467
|
+
# specifications or you can just count and rate limit all requests that
|
5468
|
+
# match the scope-down statement, without additional aggregation. When
|
5469
|
+
# you choose to just manage all requests that match a scope-down
|
5470
|
+
# statement, the aggregation instance is singular for the rule.
|
5471
|
+
#
|
5472
|
+
# You cannot nest a `RateBasedStatement` inside another statement, for
|
5473
|
+
# example inside a `NotStatement` or `OrStatement`. You can define a
|
5474
|
+
# `RateBasedStatement` inside a web ACL and inside a rule group.
|
5475
|
+
#
|
5476
|
+
# For additional information about the options, see [Rate limiting web
|
5477
|
+
# requests using rate-based rules][1] in the *WAF Developer Guide*.
|
5478
|
+
#
|
5479
|
+
# If you only aggregate on the individual IP address or forwarded IP
|
5480
|
+
# address, you can retrieve the list of IP addresses that WAF is
|
5481
|
+
# currently rate limiting for a rule through the API call
|
5482
|
+
# `GetRateBasedStatementManagedKeys`. This option is not available for
|
5483
|
+
# other aggregation configurations.
|
5401
5484
|
#
|
5402
5485
|
# WAF tracks and manages web requests separately for each instance of a
|
5403
5486
|
# rate-based rule that you use. For example, if you provide the same
|
@@ -5408,58 +5491,80 @@ module Aws::WAFV2
|
|
5408
5491
|
# multiple places, each use creates a separate instance of the
|
5409
5492
|
# rate-based rule that gets its own tracking and management by WAF.
|
5410
5493
|
#
|
5411
|
-
# When the rule action triggers, WAF blocks additional requests from the
|
5412
|
-
# IP address until the request rate falls below the limit.
|
5413
5494
|
#
|
5414
|
-
# You can optionally nest another statement inside the rate-based
|
5415
|
-
# statement, to narrow the scope of the rule so that it only counts
|
5416
|
-
# requests that match the nested statement. For example, based on recent
|
5417
|
-
# requests that you have seen from an attacker, you might create a
|
5418
|
-
# rate-based rule with a nested AND rule statement that contains the
|
5419
|
-
# following nested statements:
|
5420
5495
|
#
|
5421
|
-
#
|
5422
|
-
# 192.0.2.44.
|
5496
|
+
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html
|
5423
5497
|
#
|
5424
|
-
#
|
5425
|
-
#
|
5498
|
+
# @!attribute [rw] limit
|
5499
|
+
# The limit on requests per 5-minute period for a single aggregation
|
5500
|
+
# instance for the rate-based rule. If the rate-based statement
|
5501
|
+
# includes a `ScopeDownStatement`, this limit is applied only to the
|
5502
|
+
# requests that match the statement.
|
5426
5503
|
#
|
5427
|
-
#
|
5428
|
-
# example, the rate limit is 1,000. Requests that meet the criteria of
|
5429
|
-
# both of the nested statements are counted. If the count exceeds 1,000
|
5430
|
-
# requests per five minutes, the rule action triggers. Requests that do
|
5431
|
-
# not meet the criteria of both of the nested statements are not counted
|
5432
|
-
# towards the rate limit and are not affected by this rule.
|
5504
|
+
# Examples:
|
5433
5505
|
#
|
5434
|
-
#
|
5435
|
-
#
|
5436
|
-
# `RateBasedStatement` inside a web ACL and inside a rule group.
|
5506
|
+
# * If you aggregate on just the IP address, this is the limit on
|
5507
|
+
# requests from any single IP address.
|
5437
5508
|
#
|
5438
|
-
#
|
5439
|
-
#
|
5440
|
-
#
|
5441
|
-
# limit is applied only to the requests that match the statement.
|
5509
|
+
# * If you aggregate on the HTTP method and the query argument name
|
5510
|
+
# "city", then this is the limit on requests for any single
|
5511
|
+
# method, city pair.
|
5442
5512
|
# @return [Integer]
|
5443
5513
|
#
|
5444
5514
|
# @!attribute [rw] aggregate_key_type
|
5445
|
-
# Setting that indicates how to aggregate the request counts.
|
5446
|
-
#
|
5515
|
+
# Setting that indicates how to aggregate the request counts.
|
5516
|
+
#
|
5517
|
+
# <note markdown="1"> Web requests that are missing any of the components specified in the
|
5518
|
+
# aggregation keys are omitted from the rate-based rule evaluation and
|
5519
|
+
# handling.
|
5520
|
+
#
|
5521
|
+
# </note>
|
5522
|
+
#
|
5523
|
+
# * `CONSTANT` - Count and limit the requests that match the
|
5524
|
+
# rate-based rule's scope-down statement. With this option, the
|
5525
|
+
# counted requests aren't further aggregated. The scope-down
|
5526
|
+
# statement is the only specification used. When the count of all
|
5527
|
+
# requests that satisfy the scope-down statement goes over the
|
5528
|
+
# limit, WAF applies the rule action to all requests that satisfy
|
5529
|
+
# the scope-down statement.
|
5530
|
+
#
|
5531
|
+
# With this option, you must configure the `ScopeDownStatement`
|
5532
|
+
# property.
|
5533
|
+
#
|
5534
|
+
# * `CUSTOM_KEYS` - Aggregate the request counts using one or more web
|
5535
|
+
# request components as the aggregate keys.
|
5536
|
+
#
|
5537
|
+
# With this option, you must specify the aggregate keys in the
|
5538
|
+
# `CustomKeys` property.
|
5539
|
+
#
|
5540
|
+
# To aggregate on only the IP address or only the forwarded IP
|
5541
|
+
# address, don't use custom keys. Instead, set the aggregate key
|
5542
|
+
# type to `IP` or `FORWARDED_IP`.
|
5543
|
+
#
|
5544
|
+
# * `FORWARDED_IP` - Aggregate the request counts on the first IP
|
5545
|
+
# address in an HTTP header.
|
5447
5546
|
#
|
5448
|
-
#
|
5547
|
+
# With this option, you must specify the header to use in the
|
5548
|
+
# `ForwardedIPConfig` property.
|
5549
|
+
#
|
5550
|
+
# To aggregate on a combination of the forwarded IP address with
|
5551
|
+
# other aggregate keys, use `CUSTOM_KEYS`.
|
5552
|
+
#
|
5553
|
+
# * `IP` - Aggregate the request counts on the IP address from the web
|
5449
5554
|
# request origin.
|
5450
5555
|
#
|
5451
|
-
#
|
5452
|
-
#
|
5453
|
-
# `ForwardedIPConfig`, to specify the header to use.
|
5556
|
+
# To aggregate on a combination of the IP address with other
|
5557
|
+
# aggregate keys, use `CUSTOM_KEYS`.
|
5454
5558
|
# @return [String]
|
5455
5559
|
#
|
5456
5560
|
# @!attribute [rw] scope_down_statement
|
5457
5561
|
# An optional nested statement that narrows the scope of the web
|
5458
|
-
# requests that are evaluated by the rate-based statement.
|
5459
|
-
#
|
5460
|
-
#
|
5461
|
-
# scope-down statement, and you
|
5462
|
-
# same as you can for a rule
|
5562
|
+
# requests that are evaluated and managed by the rate-based statement.
|
5563
|
+
# When you use a scope-down statement, the rate-based rule only tracks
|
5564
|
+
# and rate limits requests that match the scope-down statement. You
|
5565
|
+
# can use any nestable Statement in the scope-down statement, and you
|
5566
|
+
# can nest statements at any level, the same as you can for a rule
|
5567
|
+
# statement.
|
5463
5568
|
# @return [Types::Statement]
|
5464
5569
|
#
|
5465
5570
|
# @!attribute [rw] forwarded_ip_config
|
@@ -5473,22 +5578,143 @@ module Aws::WAFV2
|
|
5473
5578
|
#
|
5474
5579
|
# </note>
|
5475
5580
|
#
|
5476
|
-
# This is required if
|
5581
|
+
# This is required if you specify a forwarded IP in the rule's
|
5582
|
+
# aggregate key settings.
|
5477
5583
|
# @return [Types::ForwardedIPConfig]
|
5478
5584
|
#
|
5585
|
+
# @!attribute [rw] custom_keys
|
5586
|
+
# Specifies the aggregate keys to use in a rate-base rule.
|
5587
|
+
# @return [Array<Types::RateBasedStatementCustomKey>]
|
5588
|
+
#
|
5479
5589
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateBasedStatement AWS API Documentation
|
5480
5590
|
#
|
5481
5591
|
class RateBasedStatement < Struct.new(
|
5482
5592
|
:limit,
|
5483
5593
|
:aggregate_key_type,
|
5484
5594
|
:scope_down_statement,
|
5485
|
-
:forwarded_ip_config
|
5595
|
+
:forwarded_ip_config,
|
5596
|
+
:custom_keys)
|
5597
|
+
SENSITIVE = []
|
5598
|
+
include Aws::Structure
|
5599
|
+
end
|
5600
|
+
|
5601
|
+
# Specifies a single custom aggregate key for a rate-base rule.
|
5602
|
+
#
|
5603
|
+
# <note markdown="1"> Web requests that are missing any of the components specified in the
|
5604
|
+
# aggregation keys are omitted from the rate-based rule evaluation and
|
5605
|
+
# handling.
|
5606
|
+
#
|
5607
|
+
# </note>
|
5608
|
+
#
|
5609
|
+
# @!attribute [rw] header
|
5610
|
+
# Use the value of a header in the request as an aggregate key. Each
|
5611
|
+
# distinct value in the header contributes to the aggregation
|
5612
|
+
# instance. If you use a single header as your custom key, then each
|
5613
|
+
# value fully defines an aggregation instance.
|
5614
|
+
# @return [Types::RateLimitHeader]
|
5615
|
+
#
|
5616
|
+
# @!attribute [rw] cookie
|
5617
|
+
# Use the value of a cookie in the request as an aggregate key. Each
|
5618
|
+
# distinct value in the cookie contributes to the aggregation
|
5619
|
+
# instance. If you use a single cookie as your custom key, then each
|
5620
|
+
# value fully defines an aggregation instance.
|
5621
|
+
# @return [Types::RateLimitCookie]
|
5622
|
+
#
|
5623
|
+
# @!attribute [rw] query_argument
|
5624
|
+
# Use the specified query argument as an aggregate key. Each distinct
|
5625
|
+
# value for the named query argument contributes to the aggregation
|
5626
|
+
# instance. If you use a single query argument as your custom key,
|
5627
|
+
# then each value fully defines an aggregation instance.
|
5628
|
+
# @return [Types::RateLimitQueryArgument]
|
5629
|
+
#
|
5630
|
+
# @!attribute [rw] query_string
|
5631
|
+
# Use the request's query string as an aggregate key. Each distinct
|
5632
|
+
# string contributes to the aggregation instance. If you use just the
|
5633
|
+
# query string as your custom key, then each string fully defines an
|
5634
|
+
# aggregation instance.
|
5635
|
+
# @return [Types::RateLimitQueryString]
|
5636
|
+
#
|
5637
|
+
# @!attribute [rw] http_method
|
5638
|
+
# Use the request's HTTP method as an aggregate key. Each distinct
|
5639
|
+
# HTTP method contributes to the aggregation instance. If you use just
|
5640
|
+
# the HTTP method as your custom key, then each method fully defines
|
5641
|
+
# an aggregation instance.
|
5642
|
+
# @return [Types::RateLimitHTTPMethod]
|
5643
|
+
#
|
5644
|
+
# @!attribute [rw] forwarded_ip
|
5645
|
+
# Use the first IP address in an HTTP header as an aggregate key. Each
|
5646
|
+
# distinct forwarded IP address contributes to the aggregation
|
5647
|
+
# instance.
|
5648
|
+
#
|
5649
|
+
# When you specify an IP or forwarded IP in the custom key settings,
|
5650
|
+
# you must also specify at least one other key to use. You can
|
5651
|
+
# aggregate on only the forwarded IP address by specifying
|
5652
|
+
# `FORWARDED_IP` in your rate-based statement's `AggregateKeyType`.
|
5653
|
+
#
|
5654
|
+
# With this option, you must specify the header to use in the
|
5655
|
+
# rate-based rule's `ForwardedIPConfig` property.
|
5656
|
+
# @return [Types::RateLimitForwardedIP]
|
5657
|
+
#
|
5658
|
+
# @!attribute [rw] ip
|
5659
|
+
# Use the request's originating IP address as an aggregate key. Each
|
5660
|
+
# distinct IP address contributes to the aggregation instance.
|
5661
|
+
#
|
5662
|
+
# When you specify an IP or forwarded IP in the custom key settings,
|
5663
|
+
# you must also specify at least one other key to use. You can
|
5664
|
+
# aggregate on only the IP address by specifying `IP` in your
|
5665
|
+
# rate-based statement's `AggregateKeyType`.
|
5666
|
+
# @return [Types::RateLimitIP]
|
5667
|
+
#
|
5668
|
+
# @!attribute [rw] label_namespace
|
5669
|
+
# Use the specified label namespace as an aggregate key. Each distinct
|
5670
|
+
# fully qualified label name that has the specified label namespace
|
5671
|
+
# contributes to the aggregation instance. If you use just one label
|
5672
|
+
# namespace as your custom key, then each label name fully defines an
|
5673
|
+
# aggregation instance.
|
5674
|
+
#
|
5675
|
+
# This uses only labels that have been added to the request by rules
|
5676
|
+
# that are evaluated before this rate-based rule in the web ACL.
|
5677
|
+
#
|
5678
|
+
# For information about label namespaces and names, see [Label syntax
|
5679
|
+
# and naming requirements][1] in the *WAF Developer Guide*.
|
5680
|
+
#
|
5681
|
+
#
|
5682
|
+
#
|
5683
|
+
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html
|
5684
|
+
# @return [Types::RateLimitLabelNamespace]
|
5685
|
+
#
|
5686
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateBasedStatementCustomKey AWS API Documentation
|
5687
|
+
#
|
5688
|
+
class RateBasedStatementCustomKey < Struct.new(
|
5689
|
+
:header,
|
5690
|
+
:cookie,
|
5691
|
+
:query_argument,
|
5692
|
+
:query_string,
|
5693
|
+
:http_method,
|
5694
|
+
:forwarded_ip,
|
5695
|
+
:ip,
|
5696
|
+
:label_namespace)
|
5486
5697
|
SENSITIVE = []
|
5487
5698
|
include Aws::Structure
|
5488
5699
|
end
|
5489
5700
|
|
5490
5701
|
# The set of IP addresses that are currently blocked for a
|
5491
|
-
# RateBasedStatement.
|
5702
|
+
# RateBasedStatement. This is only available for rate-based rules that
|
5703
|
+
# aggregate on just the IP address, with the `AggregateKeyType` set to
|
5704
|
+
# `IP` or `FORWARDED_IP`.
|
5705
|
+
#
|
5706
|
+
# A rate-based rule applies its rule action to requests from IP
|
5707
|
+
# addresses that are in the rule's managed keys list and that match the
|
5708
|
+
# rule's scope-down statement. When a rule has no scope-down statement,
|
5709
|
+
# it applies the action to all requests from the IP addresses that are
|
5710
|
+
# in the list. The rule applies its rule action to rate limit the
|
5711
|
+
# matching requests. The action is usually Block but it can be any valid
|
5712
|
+
# rule action except for Allow.
|
5713
|
+
#
|
5714
|
+
# The maximum number of IP addresses that can be rate limited by a
|
5715
|
+
# single rate-based rule instance is 10,000. If more than 10,000
|
5716
|
+
# addresses exceed the rate limit, WAF limits those with the highest
|
5717
|
+
# rates.
|
5492
5718
|
#
|
5493
5719
|
# @!attribute [rw] ip_address_version
|
5494
5720
|
# The version of the IP addresses, either `IPV4` or `IPV6`.
|
@@ -5507,6 +5733,208 @@ module Aws::WAFV2
|
|
5507
5733
|
include Aws::Structure
|
5508
5734
|
end
|
5509
5735
|
|
5736
|
+
# Specifies a cookie as an aggregate key for a rate-based rule. Each
|
5737
|
+
# distinct value in the cookie contributes to the aggregation instance.
|
5738
|
+
# If you use a single cookie as your custom key, then each value fully
|
5739
|
+
# defines an aggregation instance.
|
5740
|
+
#
|
5741
|
+
# @!attribute [rw] name
|
5742
|
+
# The name of the cookie to use.
|
5743
|
+
# @return [String]
|
5744
|
+
#
|
5745
|
+
# @!attribute [rw] text_transformations
|
5746
|
+
# Text transformations eliminate some of the unusual formatting that
|
5747
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
5748
|
+
# transformations are used in rule match statements, to transform the
|
5749
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
5750
|
+
# used in rate-based rule statements, to transform request components
|
5751
|
+
# before using them as custom aggregation keys. If you specify one or
|
5752
|
+
# more transformations to apply, WAF performs all transformations on
|
5753
|
+
# the specified content, starting from the lowest priority setting,
|
5754
|
+
# and then uses the component contents.
|
5755
|
+
# @return [Array<Types::TextTransformation>]
|
5756
|
+
#
|
5757
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitCookie AWS API Documentation
|
5758
|
+
#
|
5759
|
+
class RateLimitCookie < Struct.new(
|
5760
|
+
:name,
|
5761
|
+
:text_transformations)
|
5762
|
+
SENSITIVE = []
|
5763
|
+
include Aws::Structure
|
5764
|
+
end
|
5765
|
+
|
5766
|
+
# Specifies the first IP address in an HTTP header as an aggregate key
|
5767
|
+
# for a rate-based rule. Each distinct forwarded IP address contributes
|
5768
|
+
# to the aggregation instance.
|
5769
|
+
#
|
5770
|
+
# This setting is used only in the `RateBasedStatementCustomKey`
|
5771
|
+
# specification of a rate-based rule statement. When you specify an IP
|
5772
|
+
# or forwarded IP in the custom key settings, you must also specify at
|
5773
|
+
# least one other key to use. You can aggregate on only the forwarded IP
|
5774
|
+
# address by specifying `FORWARDED_IP` in your rate-based statement's
|
5775
|
+
# `AggregateKeyType`.
|
5776
|
+
#
|
5777
|
+
# This data type supports using the forwarded IP address in the web
|
5778
|
+
# request aggregation for a rate-based rule, in
|
5779
|
+
# `RateBasedStatementCustomKey`. The JSON specification for using the
|
5780
|
+
# forwarded IP address doesn't explicitly use this data type.
|
5781
|
+
#
|
5782
|
+
# JSON specification: `"ForwardedIP": \{\}`
|
5783
|
+
#
|
5784
|
+
# When you use this specification, you must also configure the forwarded
|
5785
|
+
# IP address in the rate-based statement's `ForwardedIPConfig`.
|
5786
|
+
#
|
5787
|
+
# @api private
|
5788
|
+
#
|
5789
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitForwardedIP AWS API Documentation
|
5790
|
+
#
|
5791
|
+
class RateLimitForwardedIP < Aws::EmptyStructure; end
|
5792
|
+
|
5793
|
+
# Specifies the request's HTTP method as an aggregate key for a
|
5794
|
+
# rate-based rule. Each distinct HTTP method contributes to the
|
5795
|
+
# aggregation instance. If you use just the HTTP method as your custom
|
5796
|
+
# key, then each method fully defines an aggregation instance.
|
5797
|
+
#
|
5798
|
+
# JSON specification: `"RateLimitHTTPMethod": \{\}`
|
5799
|
+
#
|
5800
|
+
# @api private
|
5801
|
+
#
|
5802
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitHTTPMethod AWS API Documentation
|
5803
|
+
#
|
5804
|
+
class RateLimitHTTPMethod < Aws::EmptyStructure; end
|
5805
|
+
|
5806
|
+
# Specifies a header as an aggregate key for a rate-based rule. Each
|
5807
|
+
# distinct value in the header contributes to the aggregation instance.
|
5808
|
+
# If you use a single header as your custom key, then each value fully
|
5809
|
+
# defines an aggregation instance.
|
5810
|
+
#
|
5811
|
+
# @!attribute [rw] name
|
5812
|
+
# The name of the header to use.
|
5813
|
+
# @return [String]
|
5814
|
+
#
|
5815
|
+
# @!attribute [rw] text_transformations
|
5816
|
+
# Text transformations eliminate some of the unusual formatting that
|
5817
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
5818
|
+
# transformations are used in rule match statements, to transform the
|
5819
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
5820
|
+
# used in rate-based rule statements, to transform request components
|
5821
|
+
# before using them as custom aggregation keys. If you specify one or
|
5822
|
+
# more transformations to apply, WAF performs all transformations on
|
5823
|
+
# the specified content, starting from the lowest priority setting,
|
5824
|
+
# and then uses the component contents.
|
5825
|
+
# @return [Array<Types::TextTransformation>]
|
5826
|
+
#
|
5827
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitHeader AWS API Documentation
|
5828
|
+
#
|
5829
|
+
class RateLimitHeader < Struct.new(
|
5830
|
+
:name,
|
5831
|
+
:text_transformations)
|
5832
|
+
SENSITIVE = []
|
5833
|
+
include Aws::Structure
|
5834
|
+
end
|
5835
|
+
|
5836
|
+
# Specifies the IP address in the web request as an aggregate key for a
|
5837
|
+
# rate-based rule. Each distinct IP address contributes to the
|
5838
|
+
# aggregation instance.
|
5839
|
+
#
|
5840
|
+
# This setting is used only in the `RateBasedStatementCustomKey`
|
5841
|
+
# specification of a rate-based rule statement. To use this in the
|
5842
|
+
# custom key settings, you must specify at least one other key to use,
|
5843
|
+
# along with the IP address. To aggregate on only the IP address, in
|
5844
|
+
# your rate-based statement's `AggregateKeyType`, specify `IP`.
|
5845
|
+
#
|
5846
|
+
# JSON specification: `"RateLimitIP": \{\}`
|
5847
|
+
#
|
5848
|
+
# @api private
|
5849
|
+
#
|
5850
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitIP AWS API Documentation
|
5851
|
+
#
|
5852
|
+
class RateLimitIP < Aws::EmptyStructure; end
|
5853
|
+
|
5854
|
+
# Specifies a label namespace to use as an aggregate key for a
|
5855
|
+
# rate-based rule. Each distinct fully qualified label name that has the
|
5856
|
+
# specified label namespace contributes to the aggregation instance. If
|
5857
|
+
# you use just one label namespace as your custom key, then each label
|
5858
|
+
# name fully defines an aggregation instance.
|
5859
|
+
#
|
5860
|
+
# This uses only labels that have been added to the request by rules
|
5861
|
+
# that are evaluated before this rate-based rule in the web ACL.
|
5862
|
+
#
|
5863
|
+
# For information about label namespaces and names, see [Label syntax
|
5864
|
+
# and naming requirements][1] in the *WAF Developer Guide*.
|
5865
|
+
#
|
5866
|
+
#
|
5867
|
+
#
|
5868
|
+
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html
|
5869
|
+
#
|
5870
|
+
# @!attribute [rw] namespace
|
5871
|
+
# The namespace to use for aggregation.
|
5872
|
+
# @return [String]
|
5873
|
+
#
|
5874
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitLabelNamespace AWS API Documentation
|
5875
|
+
#
|
5876
|
+
class RateLimitLabelNamespace < Struct.new(
|
5877
|
+
:namespace)
|
5878
|
+
SENSITIVE = []
|
5879
|
+
include Aws::Structure
|
5880
|
+
end
|
5881
|
+
|
5882
|
+
# Specifies a query argument in the request as an aggregate key for a
|
5883
|
+
# rate-based rule. Each distinct value for the named query argument
|
5884
|
+
# contributes to the aggregation instance. If you use a single query
|
5885
|
+
# argument as your custom key, then each value fully defines an
|
5886
|
+
# aggregation instance.
|
5887
|
+
#
|
5888
|
+
# @!attribute [rw] name
|
5889
|
+
# The name of the query argument to use.
|
5890
|
+
# @return [String]
|
5891
|
+
#
|
5892
|
+
# @!attribute [rw] text_transformations
|
5893
|
+
# Text transformations eliminate some of the unusual formatting that
|
5894
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
5895
|
+
# transformations are used in rule match statements, to transform the
|
5896
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
5897
|
+
# used in rate-based rule statements, to transform request components
|
5898
|
+
# before using them as custom aggregation keys. If you specify one or
|
5899
|
+
# more transformations to apply, WAF performs all transformations on
|
5900
|
+
# the specified content, starting from the lowest priority setting,
|
5901
|
+
# and then uses the component contents.
|
5902
|
+
# @return [Array<Types::TextTransformation>]
|
5903
|
+
#
|
5904
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitQueryArgument AWS API Documentation
|
5905
|
+
#
|
5906
|
+
class RateLimitQueryArgument < Struct.new(
|
5907
|
+
:name,
|
5908
|
+
:text_transformations)
|
5909
|
+
SENSITIVE = []
|
5910
|
+
include Aws::Structure
|
5911
|
+
end
|
5912
|
+
|
5913
|
+
# Specifies the request's query string as an aggregate key for a
|
5914
|
+
# rate-based rule. Each distinct string contributes to the aggregation
|
5915
|
+
# instance. If you use just the query string as your custom key, then
|
5916
|
+
# each string fully defines an aggregation instance.
|
5917
|
+
#
|
5918
|
+
# @!attribute [rw] text_transformations
|
5919
|
+
# Text transformations eliminate some of the unusual formatting that
|
5920
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
5921
|
+
# transformations are used in rule match statements, to transform the
|
5922
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
5923
|
+
# used in rate-based rule statements, to transform request components
|
5924
|
+
# before using them as custom aggregation keys. If you specify one or
|
5925
|
+
# more transformations to apply, WAF performs all transformations on
|
5926
|
+
# the specified content, starting from the lowest priority setting,
|
5927
|
+
# and then uses the component contents.
|
5928
|
+
# @return [Array<Types::TextTransformation>]
|
5929
|
+
#
|
5930
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitQueryString AWS API Documentation
|
5931
|
+
#
|
5932
|
+
class RateLimitQueryString < Struct.new(
|
5933
|
+
:text_transformations)
|
5934
|
+
SENSITIVE = []
|
5935
|
+
include Aws::Structure
|
5936
|
+
end
|
5937
|
+
|
5510
5938
|
# A single regular expression. This is used in a RegexPatternSet.
|
5511
5939
|
#
|
5512
5940
|
# @!attribute [rw] regex_string
|
@@ -5534,11 +5962,14 @@ module Aws::WAFV2
|
|
5534
5962
|
#
|
5535
5963
|
# @!attribute [rw] text_transformations
|
5536
5964
|
# Text transformations eliminate some of the unusual formatting that
|
5537
|
-
# attackers use in web requests in an effort to bypass detection.
|
5538
|
-
#
|
5539
|
-
#
|
5540
|
-
#
|
5541
|
-
#
|
5965
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
5966
|
+
# transformations are used in rule match statements, to transform the
|
5967
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
5968
|
+
# used in rate-based rule statements, to transform request components
|
5969
|
+
# before using them as custom aggregation keys. If you specify one or
|
5970
|
+
# more transformations to apply, WAF performs all transformations on
|
5971
|
+
# the specified content, starting from the lowest priority setting,
|
5972
|
+
# and then uses the component contents.
|
5542
5973
|
# @return [Array<Types::TextTransformation>]
|
5543
5974
|
#
|
5544
5975
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RegexMatchStatement AWS API Documentation
|
@@ -5615,11 +6046,14 @@ module Aws::WAFV2
|
|
5615
6046
|
#
|
5616
6047
|
# @!attribute [rw] text_transformations
|
5617
6048
|
# Text transformations eliminate some of the unusual formatting that
|
5618
|
-
# attackers use in web requests in an effort to bypass detection.
|
5619
|
-
#
|
5620
|
-
#
|
5621
|
-
#
|
5622
|
-
#
|
6049
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
6050
|
+
# transformations are used in rule match statements, to transform the
|
6051
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
6052
|
+
# used in rate-based rule statements, to transform request components
|
6053
|
+
# before using them as custom aggregation keys. If you specify one or
|
6054
|
+
# more transformations to apply, WAF performs all transformations on
|
6055
|
+
# the specified content, starting from the lowest priority setting,
|
6056
|
+
# and then uses the component contents.
|
5623
6057
|
# @return [Array<Types::TextTransformation>]
|
5624
6058
|
#
|
5625
6059
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RegexPatternSetReferenceStatement AWS API Documentation
|
@@ -6617,11 +7051,14 @@ module Aws::WAFV2
|
|
6617
7051
|
#
|
6618
7052
|
# @!attribute [rw] text_transformations
|
6619
7053
|
# Text transformations eliminate some of the unusual formatting that
|
6620
|
-
# attackers use in web requests in an effort to bypass detection.
|
6621
|
-
#
|
6622
|
-
#
|
6623
|
-
#
|
6624
|
-
#
|
7054
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
7055
|
+
# transformations are used in rule match statements, to transform the
|
7056
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
7057
|
+
# used in rate-based rule statements, to transform request components
|
7058
|
+
# before using them as custom aggregation keys. If you specify one or
|
7059
|
+
# more transformations to apply, WAF performs all transformations on
|
7060
|
+
# the specified content, starting from the lowest priority setting,
|
7061
|
+
# and then uses the component contents.
|
6625
7062
|
# @return [Array<Types::TextTransformation>]
|
6626
7063
|
#
|
6627
7064
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/SizeConstraintStatement AWS API Documentation
|
@@ -6645,11 +7082,14 @@ module Aws::WAFV2
|
|
6645
7082
|
#
|
6646
7083
|
# @!attribute [rw] text_transformations
|
6647
7084
|
# Text transformations eliminate some of the unusual formatting that
|
6648
|
-
# attackers use in web requests in an effort to bypass detection.
|
6649
|
-
#
|
6650
|
-
#
|
6651
|
-
#
|
6652
|
-
#
|
7085
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
7086
|
+
# transformations are used in rule match statements, to transform the
|
7087
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
7088
|
+
# used in rate-based rule statements, to transform request components
|
7089
|
+
# before using them as custom aggregation keys. If you specify one or
|
7090
|
+
# more transformations to apply, WAF performs all transformations on
|
7091
|
+
# the specified content, starting from the lowest priority setting,
|
7092
|
+
# and then uses the component contents.
|
6653
7093
|
# @return [Array<Types::TextTransformation>]
|
6654
7094
|
#
|
6655
7095
|
# @!attribute [rw] sensitivity_level
|
@@ -6809,11 +7249,88 @@ module Aws::WAFV2
|
|
6809
7249
|
# @return [Types::RegexPatternSetReferenceStatement]
|
6810
7250
|
#
|
6811
7251
|
# @!attribute [rw] rate_based_statement
|
6812
|
-
# A rate-based rule
|
6813
|
-
#
|
6814
|
-
#
|
6815
|
-
#
|
6816
|
-
#
|
7252
|
+
# A rate-based rule counts incoming requests and rate limits requests
|
7253
|
+
# when they are coming at too fast a rate. The rule categorizes
|
7254
|
+
# requests according to your aggregation criteria, collects them into
|
7255
|
+
# aggregation instances, and counts and rate limits the requests for
|
7256
|
+
# each instance.
|
7257
|
+
#
|
7258
|
+
# You can specify individual aggregation keys, like IP address or HTTP
|
7259
|
+
# method. You can also specify aggregation key combinations, like IP
|
7260
|
+
# address and HTTP method, or HTTP method, query argument, and cookie.
|
7261
|
+
#
|
7262
|
+
# Each unique set of values for the aggregation keys that you specify
|
7263
|
+
# is a separate aggregation instance, with the value from each key
|
7264
|
+
# contributing to the aggregation instance definition.
|
7265
|
+
#
|
7266
|
+
# For example, assume the rule evaluates web requests with the
|
7267
|
+
# following IP address and HTTP method values:
|
7268
|
+
#
|
7269
|
+
# * IP address 10.1.1.1, HTTP method POST
|
7270
|
+
#
|
7271
|
+
# * IP address 10.1.1.1, HTTP method GET
|
7272
|
+
#
|
7273
|
+
# * IP address 127.0.0.0, HTTP method POST
|
7274
|
+
#
|
7275
|
+
# * IP address 10.1.1.1, HTTP method GET
|
7276
|
+
#
|
7277
|
+
# The rule would create different aggregation instances according to
|
7278
|
+
# your aggregation criteria, for example:
|
7279
|
+
#
|
7280
|
+
# * If the aggregation criteria is just the IP address, then each
|
7281
|
+
# individual address is an aggregation instance, and WAF counts
|
7282
|
+
# requests separately for each. The aggregation instances and
|
7283
|
+
# request counts for our example would be the following:
|
7284
|
+
#
|
7285
|
+
# * IP address 10.1.1.1: count 3
|
7286
|
+
#
|
7287
|
+
# * IP address 127.0.0.0: count 1
|
7288
|
+
#
|
7289
|
+
# * If the aggregation criteria is HTTP method, then each individual
|
7290
|
+
# HTTP method is an aggregation instance. The aggregation instances
|
7291
|
+
# and request counts for our example would be the following:
|
7292
|
+
#
|
7293
|
+
# * HTTP method POST: count 2
|
7294
|
+
#
|
7295
|
+
# * HTTP method GET: count 2
|
7296
|
+
#
|
7297
|
+
# * If the aggregation criteria is IP address and HTTP method, then
|
7298
|
+
# each IP address and each HTTP method would contribute to the
|
7299
|
+
# combined aggregation instance. The aggregation instances and
|
7300
|
+
# request counts for our example would be the following:
|
7301
|
+
#
|
7302
|
+
# * IP address 10.1.1.1, HTTP method POST: count 1
|
7303
|
+
#
|
7304
|
+
# * IP address 10.1.1.1, HTTP method GET: count 2
|
7305
|
+
#
|
7306
|
+
# * IP address 127.0.0.0, HTTP method POST: count 1
|
7307
|
+
#
|
7308
|
+
# For any n-tuple of aggregation keys, each unique combination of
|
7309
|
+
# values for the keys defines a separate aggregation instance, which
|
7310
|
+
# WAF counts and rate-limits individually.
|
7311
|
+
#
|
7312
|
+
# You can optionally nest another statement inside the rate-based
|
7313
|
+
# statement, to narrow the scope of the rule so that it only counts
|
7314
|
+
# and rate limits requests that match the nested statement. You can
|
7315
|
+
# use this nested scope-down statement in conjunction with your
|
7316
|
+
# aggregation key specifications or you can just count and rate limit
|
7317
|
+
# all requests that match the scope-down statement, without additional
|
7318
|
+
# aggregation. When you choose to just manage all requests that match
|
7319
|
+
# a scope-down statement, the aggregation instance is singular for the
|
7320
|
+
# rule.
|
7321
|
+
#
|
7322
|
+
# You cannot nest a `RateBasedStatement` inside another statement, for
|
7323
|
+
# example inside a `NotStatement` or `OrStatement`. You can define a
|
7324
|
+
# `RateBasedStatement` inside a web ACL and inside a rule group.
|
7325
|
+
#
|
7326
|
+
# For additional information about the options, see [Rate limiting web
|
7327
|
+
# requests using rate-based rules][1] in the *WAF Developer Guide*.
|
7328
|
+
#
|
7329
|
+
# If you only aggregate on the individual IP address or forwarded IP
|
7330
|
+
# address, you can retrieve the list of IP addresses that WAF is
|
7331
|
+
# currently rate limiting for a rule through the API call
|
7332
|
+
# `GetRateBasedStatementManagedKeys`. This option is not available for
|
7333
|
+
# other aggregation configurations.
|
6817
7334
|
#
|
6818
7335
|
# WAF tracks and manages web requests separately for each instance of
|
6819
7336
|
# a rate-based rule that you use. For example, if you provide the same
|
@@ -6824,33 +7341,9 @@ module Aws::WAFV2
|
|
6824
7341
|
# multiple places, each use creates a separate instance of the
|
6825
7342
|
# rate-based rule that gets its own tracking and management by WAF.
|
6826
7343
|
#
|
6827
|
-
# When the rule action triggers, WAF blocks additional requests from
|
6828
|
-
# the IP address until the request rate falls below the limit.
|
6829
7344
|
#
|
6830
|
-
# You can optionally nest another statement inside the rate-based
|
6831
|
-
# statement, to narrow the scope of the rule so that it only counts
|
6832
|
-
# requests that match the nested statement. For example, based on
|
6833
|
-
# recent requests that you have seen from an attacker, you might
|
6834
|
-
# create a rate-based rule with a nested AND rule statement that
|
6835
|
-
# contains the following nested statements:
|
6836
|
-
#
|
6837
|
-
# * An IP match statement with an IP set that specifies the address
|
6838
|
-
# 192.0.2.44.
|
6839
|
-
#
|
6840
|
-
# * A string match statement that searches in the User-Agent header
|
6841
|
-
# for the string BadBot.
|
6842
|
-
#
|
6843
|
-
# In this rate-based rule, you also define a rate limit. For this
|
6844
|
-
# example, the rate limit is 1,000. Requests that meet the criteria of
|
6845
|
-
# both of the nested statements are counted. If the count exceeds
|
6846
|
-
# 1,000 requests per five minutes, the rule action triggers. Requests
|
6847
|
-
# that do not meet the criteria of both of the nested statements are
|
6848
|
-
# not counted towards the rate limit and are not affected by this
|
6849
|
-
# rule.
|
6850
7345
|
#
|
6851
|
-
#
|
6852
|
-
# example inside a `NotStatement` or `OrStatement`. You can define a
|
6853
|
-
# `RateBasedStatement` inside a web ACL and inside a rule group.
|
7346
|
+
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html
|
6854
7347
|
# @return [Types::RateBasedStatement]
|
6855
7348
|
#
|
6856
7349
|
# @!attribute [rw] and_statement
|
@@ -7025,11 +7518,10 @@ module Aws::WAFV2
|
|
7025
7518
|
# attackers use in web requests in an effort to bypass detection.
|
7026
7519
|
#
|
7027
7520
|
# @!attribute [rw] priority
|
7028
|
-
# Sets the relative processing order for multiple transformations
|
7029
|
-
#
|
7030
|
-
#
|
7031
|
-
#
|
7032
|
-
# all be different.
|
7521
|
+
# Sets the relative processing order for multiple transformations. WAF
|
7522
|
+
# processes all transformations, from lowest priority to highest,
|
7523
|
+
# before inspecting the transformed content. The priorities don't
|
7524
|
+
# need to be consecutive, but they must all be different.
|
7033
7525
|
# @return [Integer]
|
7034
7526
|
#
|
7035
7527
|
# @!attribute [rw] type
|
@@ -7240,8 +7732,8 @@ module Aws::WAFV2
|
|
7240
7732
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
7241
7733
|
# for a regional application. A regional application can be an
|
7242
7734
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
7243
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
7244
|
-
# service.
|
7735
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
7736
|
+
# service, or an Amazon Web Services Verified Access instance.
|
7245
7737
|
#
|
7246
7738
|
# To work with CloudFront, you must also specify the Region US East
|
7247
7739
|
# (N. Virginia) as follows:
|
@@ -7359,8 +7851,8 @@ module Aws::WAFV2
|
|
7359
7851
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
7360
7852
|
# for a regional application. A regional application can be an
|
7361
7853
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
7362
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
7363
|
-
# service.
|
7854
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
7855
|
+
# service, or an Amazon Web Services Verified Access instance.
|
7364
7856
|
#
|
7365
7857
|
# To work with CloudFront, you must also specify the Region US East
|
7366
7858
|
# (N. Virginia) as follows:
|
@@ -7458,8 +7950,8 @@ module Aws::WAFV2
|
|
7458
7950
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
7459
7951
|
# for a regional application. A regional application can be an
|
7460
7952
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
7461
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
7462
|
-
# service.
|
7953
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
7954
|
+
# service, or an Amazon Web Services Verified Access instance.
|
7463
7955
|
#
|
7464
7956
|
# To work with CloudFront, you must also specify the Region US East
|
7465
7957
|
# (N. Virginia) as follows:
|
@@ -7531,8 +8023,8 @@ module Aws::WAFV2
|
|
7531
8023
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
7532
8024
|
# for a regional application. A regional application can be an
|
7533
8025
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
7534
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
7535
|
-
# service.
|
8026
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
8027
|
+
# service, or an Amazon Web Services Verified Access instance.
|
7536
8028
|
#
|
7537
8029
|
# To work with CloudFront, you must also specify the Region US East
|
7538
8030
|
# (N. Virginia) as follows:
|
@@ -7635,8 +8127,8 @@ module Aws::WAFV2
|
|
7635
8127
|
# Specifies whether this is for an Amazon CloudFront distribution or
|
7636
8128
|
# for a regional application. A regional application can be an
|
7637
8129
|
# Application Load Balancer (ALB), an Amazon API Gateway REST API, an
|
7638
|
-
# AppSync GraphQL API, an Amazon Cognito user pool,
|
7639
|
-
# service.
|
8130
|
+
# AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
|
8131
|
+
# service, or an Amazon Web Services Verified Access instance.
|
7640
8132
|
#
|
7641
8133
|
# To work with CloudFront, you must also specify the Region US East
|
7642
8134
|
# (N. Virginia) as follows:
|
@@ -8226,6 +8718,22 @@ module Aws::WAFV2
|
|
8226
8718
|
include Aws::Structure
|
8227
8719
|
end
|
8228
8720
|
|
8721
|
+
# The rule that you've named doesn't aggregate solely on the IP
|
8722
|
+
# address or solely on the forwarded IP address. This call is only
|
8723
|
+
# available for rate-based rules with an `AggregateKeyType` setting of
|
8724
|
+
# `IP` or `FORWARDED_IP`.
|
8725
|
+
#
|
8726
|
+
# @!attribute [rw] message
|
8727
|
+
# @return [String]
|
8728
|
+
#
|
8729
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/WAFUnsupportedAggregateKeyTypeException AWS API Documentation
|
8730
|
+
#
|
8731
|
+
class WAFUnsupportedAggregateKeyTypeException < Struct.new(
|
8732
|
+
:message)
|
8733
|
+
SENSITIVE = []
|
8734
|
+
include Aws::Structure
|
8735
|
+
end
|
8736
|
+
|
8229
8737
|
# A web ACL defines a collection of rules to use to inspect and control
|
8230
8738
|
# web requests. Each rule has an action defined (allow, block, or count)
|
8231
8739
|
# for requests that match the statement of the rule. In the web ACL, you
|
@@ -8235,7 +8743,8 @@ module Aws::WAFV2
|
|
8235
8743
|
# can associate a web ACL with one or more Amazon Web Services resources
|
8236
8744
|
# to protect. The resources can be an Amazon CloudFront distribution, an
|
8237
8745
|
# Amazon API Gateway REST API, an Application Load Balancer, an AppSync
|
8238
|
-
# GraphQL API, an Amazon Cognito user pool,
|
8746
|
+
# GraphQL API, an Amazon Cognito user pool, an App Runner service, or an
|
8747
|
+
# Amazon Web Services Verified Access instance.
|
8239
8748
|
#
|
8240
8749
|
# @!attribute [rw] name
|
8241
8750
|
# The name of the web ACL. You cannot change the name of a web ACL
|
@@ -8487,11 +8996,14 @@ module Aws::WAFV2
|
|
8487
8996
|
#
|
8488
8997
|
# @!attribute [rw] text_transformations
|
8489
8998
|
# Text transformations eliminate some of the unusual formatting that
|
8490
|
-
# attackers use in web requests in an effort to bypass detection.
|
8491
|
-
#
|
8492
|
-
#
|
8493
|
-
#
|
8494
|
-
#
|
8999
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
9000
|
+
# transformations are used in rule match statements, to transform the
|
9001
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
9002
|
+
# used in rate-based rule statements, to transform request components
|
9003
|
+
# before using them as custom aggregation keys. If you specify one or
|
9004
|
+
# more transformations to apply, WAF performs all transformations on
|
9005
|
+
# the specified content, starting from the lowest priority setting,
|
9006
|
+
# and then uses the component contents.
|
8495
9007
|
# @return [Array<Types::TextTransformation>]
|
8496
9008
|
#
|
8497
9009
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/XssMatchStatement AWS API Documentation
|