aws-sdk-wafv2 1.55.0 → 1.57.0

@@ -12,6 +12,17 @@ module Aws::WAFV2
12
12
 
13
13
  # Information for a single API key.
14
14
  #
15
+ # API keys are required for the integration of the CAPTCHA API in your
16
+ # JavaScript client applications. The API lets you customize the
17
+ # placement and characteristics of the CAPTCHA puzzle for your end
18
+ # users. For more information about the CAPTCHA JavaScript integration,
19
+ # see [WAF client application integration][1] in the *WAF Developer
20
+ # Guide*.
21
+ #
22
+ #
23
+ #
24
+ # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-application-integration.html
25
+ #
15
26
  # @!attribute [rw] token_domains
16
27
  # The token domains that are defined in this API key.
17
28
  # @return [Array<String>]
@@ -19,14 +30,6 @@ module Aws::WAFV2
19
30
  # @!attribute [rw] api_key
20
31
  # The generated, encrypted API key. You can copy this for use in your
21
32
  # JavaScript CAPTCHA integration.
22
- #
23
- # For information about how to use this in your CAPTCHA JavaScript
24
- # integration, see [WAF client application integration][1] in the *WAF
25
- # Developer Guide*.
26
- #
27
- #
28
- #
29
- # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-application-integration.html
30
33
  # @return [String]
31
34
  #
32
35
  # @!attribute [rw] creation_timestamp
@@ -238,6 +241,10 @@ module Aws::WAFV2
238
241
  # * For an App Runner service:
239
242
  # `arn:partition:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id
240
243
  # `
244
+ #
245
+ # * For an Amazon Web Services Verified Access instance:
246
+ # `arn:partition:ec2:region:account-id:verified-access-instance/instance-id
247
+ # `
241
248
  # @return [String]
242
249
  #
243
250
  # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/AssociateWebACLRequest AWS API Documentation
@@ -412,11 +419,14 @@ module Aws::WAFV2
412
419
  #
413
420
  # @!attribute [rw] text_transformations
414
421
  # Text transformations eliminate some of the unusual formatting that
415
- # attackers use in web requests in an effort to bypass detection. If
416
- # you specify one or more transformations in a rule statement, WAF
417
- # performs all transformations on the content of the request component
418
- # identified by `FieldToMatch`, starting from the lowest priority
419
- # setting, before inspecting the content for a match.
422
+ # attackers use in web requests in an effort to bypass detection. Text
423
+ # transformations are used in rule match statements, to transform the
424
+ # `FieldToMatch` request component before inspecting it, and they're
425
+ # used in rate-based rule statements, to transform request components
426
+ # before using them as custom aggregation keys. If you specify one or
427
+ # more transformations to apply, WAF performs all transformations on
428
+ # the specified content, starting from the lowest priority setting,
429
+ # and then uses the component contents.
420
430
  # @return [Array<Types::TextTransformation>]
421
431
  #
422
432
  # @!attribute [rw] positional_constraint
@@ -680,8 +690,8 @@ module Aws::WAFV2
680
690
  # Specifies whether this is for an Amazon CloudFront distribution or
681
691
  # for a regional application. A regional application can be an
682
692
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
683
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
684
- # service.
693
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
694
+ # service, or an Amazon Web Services Verified Access instance.
685
695
  #
686
696
  # To work with CloudFront, you must also specify the Region US East
687
697
  # (N. Virginia) as follows:
@@ -860,8 +870,8 @@ module Aws::WAFV2
860
870
  # Specifies whether this is for an Amazon CloudFront distribution or
861
871
  # for a regional application. A regional application can be an
862
872
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
863
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
864
- # service.
873
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
874
+ # service, or an Amazon Web Services Verified Access instance.
865
875
  #
866
876
  # To work with CloudFront, you must also specify the Region US East
867
877
  # (N. Virginia) as follows:
@@ -875,6 +885,11 @@ module Aws::WAFV2
875
885
  # @!attribute [rw] token_domains
876
886
  # The client application domains that you want to use this API key
877
887
  # for.
888
+ #
889
+ # Example JSON: `"TokenDomains": ["abc.com", "store.abc.com"]`
890
+ #
891
+ # Public suffixes aren't allowed. For example, you can't use
892
+ # `usa.gov` or `co.uk` as token domains.
878
893
  # @return [Array<String>]
879
894
  #
880
895
  # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/CreateAPIKeyRequest AWS API Documentation
@@ -889,14 +904,6 @@ module Aws::WAFV2
889
904
  # @!attribute [rw] api_key
890
905
  # The generated, encrypted API key. You can copy this for use in your
891
906
  # JavaScript CAPTCHA integration.
892
- #
893
- # For information about how to use this in your CAPTCHA JavaScript
894
- # integration, see [WAF client application integration][1] in the *WAF
895
- # Developer Guide*.
896
- #
897
- #
898
- #
899
- # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-application-integration.html
900
907
  # @return [String]
901
908
  #
902
909
  # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/CreateAPIKeyResponse AWS API Documentation
@@ -916,8 +923,8 @@ module Aws::WAFV2
916
923
  # Specifies whether this is for an Amazon CloudFront distribution or
917
924
  # for a regional application. A regional application can be an
918
925
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
919
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
920
- # service.
926
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
927
+ # service, or an Amazon Web Services Verified Access instance.
921
928
  #
922
929
  # To work with CloudFront, you must also specify the Region US East
923
930
  # (N. Virginia) as follows:
@@ -1023,8 +1030,8 @@ module Aws::WAFV2
1023
1030
  # Specifies whether this is for an Amazon CloudFront distribution or
1024
1031
  # for a regional application. A regional application can be an
1025
1032
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
1026
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
1027
- # service.
1033
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
1034
+ # service, or an Amazon Web Services Verified Access instance.
1028
1035
  #
1029
1036
  # To work with CloudFront, you must also specify the Region US East
1030
1037
  # (N. Virginia) as follows:
@@ -1084,8 +1091,8 @@ module Aws::WAFV2
1084
1091
  # Specifies whether this is for an Amazon CloudFront distribution or
1085
1092
  # for a regional application. A regional application can be an
1086
1093
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
1087
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
1088
- # service.
1094
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
1095
+ # service, or an Amazon Web Services Verified Access instance.
1089
1096
  #
1090
1097
  # To work with CloudFront, you must also specify the Region US East
1091
1098
  # (N. Virginia) as follows:
@@ -1199,8 +1206,8 @@ module Aws::WAFV2
1199
1206
  # Specifies whether this is for an Amazon CloudFront distribution or
1200
1207
  # for a regional application. A regional application can be an
1201
1208
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
1202
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
1203
- # service.
1209
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
1210
+ # service, or an Amazon Web Services Verified Access instance.
1204
1211
  #
1205
1212
  # To work with CloudFront, you must also specify the Region US East
1206
1213
  # (N. Virginia) as follows:
@@ -1563,8 +1570,8 @@ module Aws::WAFV2
1563
1570
  # Specifies whether this is for an Amazon CloudFront distribution or
1564
1571
  # for a regional application. A regional application can be an
1565
1572
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
1566
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
1567
- # service.
1573
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
1574
+ # service, or an Amazon Web Services Verified Access instance.
1568
1575
  #
1569
1576
  # To work with CloudFront, you must also specify the Region US East
1570
1577
  # (N. Virginia) as follows:
@@ -1653,8 +1660,8 @@ module Aws::WAFV2
1653
1660
  # Specifies whether this is for an Amazon CloudFront distribution or
1654
1661
  # for a regional application. A regional application can be an
1655
1662
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
1656
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
1657
- # service.
1663
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
1664
+ # service, or an Amazon Web Services Verified Access instance.
1658
1665
  #
1659
1666
  # To work with CloudFront, you must also specify the Region US East
1660
1667
  # (N. Virginia) as follows:
@@ -1707,8 +1714,8 @@ module Aws::WAFV2
1707
1714
  # Specifies whether this is for an Amazon CloudFront distribution or
1708
1715
  # for a regional application. A regional application can be an
1709
1716
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
1710
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
1711
- # service.
1717
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
1718
+ # service, or an Amazon Web Services Verified Access instance.
1712
1719
  #
1713
1720
  # To work with CloudFront, you must also specify the Region US East
1714
1721
  # (N. Virginia) as follows:
@@ -1761,8 +1768,8 @@ module Aws::WAFV2
1761
1768
  # Specifies whether this is for an Amazon CloudFront distribution or
1762
1769
  # for a regional application. A regional application can be an
1763
1770
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
1764
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
1765
- # service.
1771
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
1772
+ # service, or an Amazon Web Services Verified Access instance.
1766
1773
  #
1767
1774
  # To work with CloudFront, you must also specify the Region US East
1768
1775
  # (N. Virginia) as follows:
@@ -1820,8 +1827,8 @@ module Aws::WAFV2
1820
1827
  # Specifies whether this is for an Amazon CloudFront distribution or
1821
1828
  # for a regional application. A regional application can be an
1822
1829
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
1823
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
1824
- # service.
1830
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
1831
+ # service, or an Amazon Web Services Verified Access instance.
1825
1832
  #
1826
1833
  # To work with CloudFront, you must also specify the Region US East
1827
1834
  # (N. Virginia) as follows:
@@ -1955,6 +1962,10 @@ module Aws::WAFV2
1955
1962
  # * For an App Runner service:
1956
1963
  # `arn:partition:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id
1957
1964
  # `
1965
+ #
1966
+ # * For an Amazon Web Services Verified Access instance:
1967
+ # `arn:partition:ec2:region:account-id:verified-access-instance/instance-id
1968
+ # `
1958
1969
  # @return [String]
1959
1970
  #
1960
1971
  # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/DisassociateWebACLRequest AWS API Documentation
@@ -2388,8 +2399,8 @@ module Aws::WAFV2
2388
2399
  # Specifies whether this is for an Amazon CloudFront distribution or
2389
2400
  # for a regional application. A regional application can be an
2390
2401
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
2391
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
2392
- # service.
2402
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
2403
+ # service, or an Amazon Web Services Verified Access instance.
2393
2404
  #
2394
2405
  # To work with CloudFront, you must also specify the Region US East
2395
2406
  # (N. Virginia) as follows:
@@ -2439,8 +2450,8 @@ module Aws::WAFV2
2439
2450
  # Specifies whether this is for an Amazon CloudFront distribution or
2440
2451
  # for a regional application. A regional application can be an
2441
2452
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
2442
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
2443
- # service.
2453
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
2454
+ # service, or an Amazon Web Services Verified Access instance.
2444
2455
  #
2445
2456
  # To work with CloudFront, you must also specify the Region US East
2446
2457
  # (N. Virginia) as follows:
@@ -2528,8 +2539,8 @@ module Aws::WAFV2
2528
2539
  # Specifies whether this is for an Amazon CloudFront distribution or
2529
2540
  # for a regional application. A regional application can be an
2530
2541
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
2531
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
2532
- # service.
2542
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
2543
+ # service, or an Amazon Web Services Verified Access instance.
2533
2544
  #
2534
2545
  # To work with CloudFront, you must also specify the Region US East
2535
2546
  # (N. Virginia) as follows:
@@ -2641,8 +2652,8 @@ module Aws::WAFV2
2641
2652
  # Specifies whether this is for an Amazon CloudFront distribution or
2642
2653
  # for a regional application. A regional application can be an
2643
2654
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
2644
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
2645
- # service.
2655
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
2656
+ # service, or an Amazon Web Services Verified Access instance.
2646
2657
  #
2647
2658
  # To work with CloudFront, you must also specify the Region US East
2648
2659
  # (N. Virginia) as follows:
@@ -2715,8 +2726,8 @@ module Aws::WAFV2
2715
2726
  # Specifies whether this is for an Amazon CloudFront distribution or
2716
2727
  # for a regional application. A regional application can be an
2717
2728
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
2718
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
2719
- # service.
2729
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
2730
+ # service, or an Amazon Web Services Verified Access instance.
2720
2731
  #
2721
2732
  # To work with CloudFront, you must also specify the Region US East
2722
2733
  # (N. Virginia) as follows:
@@ -2776,8 +2787,8 @@ module Aws::WAFV2
2776
2787
  # Specifies whether this is for an Amazon CloudFront distribution or
2777
2788
  # for a regional application. A regional application can be an
2778
2789
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
2779
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
2780
- # service.
2790
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
2791
+ # service, or an Amazon Web Services Verified Access instance.
2781
2792
  #
2782
2793
  # To work with CloudFront, you must also specify the Region US East
2783
2794
  # (N. Virginia) as follows:
@@ -2847,8 +2858,8 @@ module Aws::WAFV2
2847
2858
  # Specifies whether this is for an Amazon CloudFront distribution or
2848
2859
  # for a regional application. A regional application can be an
2849
2860
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
2850
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
2851
- # service.
2861
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
2862
+ # service, or an Amazon Web Services Verified Access instance.
2852
2863
  #
2853
2864
  # To work with CloudFront, you must also specify the Region US East
2854
2865
  # (N. Virginia) as follows:
@@ -2944,6 +2955,10 @@ module Aws::WAFV2
2944
2955
  # * For an App Runner service:
2945
2956
  # `arn:partition:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id
2946
2957
  # `
2958
+ #
2959
+ # * For an Amazon Web Services Verified Access instance:
2960
+ # `arn:partition:ec2:region:account-id:verified-access-instance/instance-id
2961
+ # `
2947
2962
  # @return [String]
2948
2963
  #
2949
2964
  # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/GetWebACLForResourceRequest AWS API Documentation
@@ -2976,8 +2991,8 @@ module Aws::WAFV2
2976
2991
  # Specifies whether this is for an Amazon CloudFront distribution or
2977
2992
  # for a regional application. A regional application can be an
2978
2993
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
2979
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
2980
- # service.
2994
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
2995
+ # service, or an Amazon Web Services Verified Access instance.
2981
2996
  #
2982
2997
  # To work with CloudFront, you must also specify the Region US East
2983
2998
  # (N. Virginia) as follows:
@@ -3731,8 +3746,8 @@ module Aws::WAFV2
3731
3746
  # Specifies whether this is for an Amazon CloudFront distribution or
3732
3747
  # for a regional application. A regional application can be an
3733
3748
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
3734
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
3735
- # service.
3749
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
3750
+ # service, or an Amazon Web Services Verified Access instance.
3736
3751
  #
3737
3752
  # To work with CloudFront, you must also specify the Region US East
3738
3753
  # (N. Virginia) as follows:
@@ -3784,14 +3799,6 @@ module Aws::WAFV2
3784
3799
  # @!attribute [rw] application_integration_url
3785
3800
  # The CAPTCHA application integration URL, for use in your JavaScript
3786
3801
  # implementation.
3787
- #
3788
- # For information about how to use this in your CAPTCHA JavaScript
3789
- # integration, see [WAF client application integration][1] in the *WAF
3790
- # Developer Guide*.
3791
- #
3792
- #
3793
- #
3794
- # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-application-integration.html
3795
3802
  # @return [String]
3796
3803
  #
3797
3804
  # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/ListAPIKeysResponse AWS API Documentation
@@ -3818,8 +3825,8 @@ module Aws::WAFV2
3818
3825
  # Specifies whether this is for an Amazon CloudFront distribution or
3819
3826
  # for a regional application. A regional application can be an
3820
3827
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
3821
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
3822
- # service.
3828
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
3829
+ # service, or an Amazon Web Services Verified Access instance.
3823
3830
  #
3824
3831
  # To work with CloudFront, you must also specify the Region US East
3825
3832
  # (N. Virginia) as follows:
@@ -3889,8 +3896,8 @@ module Aws::WAFV2
3889
3896
  # Specifies whether this is for an Amazon CloudFront distribution or
3890
3897
  # for a regional application. A regional application can be an
3891
3898
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
3892
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
3893
- # service.
3899
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
3900
+ # service, or an Amazon Web Services Verified Access instance.
3894
3901
  #
3895
3902
  # To work with CloudFront, you must also specify the Region US East
3896
3903
  # (N. Virginia) as follows:
@@ -3952,8 +3959,8 @@ module Aws::WAFV2
3952
3959
  # Specifies whether this is for an Amazon CloudFront distribution or
3953
3960
  # for a regional application. A regional application can be an
3954
3961
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
3955
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
3956
- # service.
3962
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
3963
+ # service, or an Amazon Web Services Verified Access instance.
3957
3964
  #
3958
3965
  # To work with CloudFront, you must also specify the Region US East
3959
3966
  # (N. Virginia) as follows:
@@ -4015,8 +4022,8 @@ module Aws::WAFV2
4015
4022
  # Specifies whether this is for an Amazon CloudFront distribution or
4016
4023
  # for a regional application. A regional application can be an
4017
4024
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
4018
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
4019
- # service.
4025
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
4026
+ # service, or an Amazon Web Services Verified Access instance.
4020
4027
  #
4021
4028
  # To work with CloudFront, you must also specify the Region US East
4022
4029
  # (N. Virginia) as follows:
@@ -4078,8 +4085,8 @@ module Aws::WAFV2
4078
4085
  # Specifies whether this is for an Amazon CloudFront distribution or
4079
4086
  # for a regional application. A regional application can be an
4080
4087
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
4081
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
4082
- # service.
4088
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
4089
+ # service, or an Amazon Web Services Verified Access instance.
4083
4090
  #
4084
4091
  # To work with CloudFront, you must also specify the Region US East
4085
4092
  # (N. Virginia) as follows:
@@ -4193,8 +4200,8 @@ module Aws::WAFV2
4193
4200
  # Specifies whether this is for an Amazon CloudFront distribution or
4194
4201
  # for a regional application. A regional application can be an
4195
4202
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
4196
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
4197
- # service.
4203
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
4204
+ # service, or an Amazon Web Services Verified Access instance.
4198
4205
  #
4199
4206
  # To work with CloudFront, you must also specify the Region US East
4200
4207
  # (N. Virginia) as follows:
@@ -4260,7 +4267,8 @@ module Aws::WAFV2
4260
4267
  # Used for web ACLs that are scoped for regional applications. A
4261
4268
  # regional application can be an Application Load Balancer (ALB), an
4262
4269
  # Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon
4263
- # Cognito user pool, or an App Runner service.
4270
+ # Cognito user pool, an App Runner service, or an Amazon Web Services
4271
+ # Verified Access instance.
4264
4272
  #
4265
4273
  # <note markdown="1"> If you don't provide a resource type, the call uses the resource
4266
4274
  # type `APPLICATION_LOAD_BALANCER`.
@@ -4296,8 +4304,8 @@ module Aws::WAFV2
4296
4304
  # Specifies whether this is for an Amazon CloudFront distribution or
4297
4305
  # for a regional application. A regional application can be an
4298
4306
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
4299
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
4300
- # service.
4307
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
4308
+ # service, or an Amazon Web Services Verified Access instance.
4301
4309
  #
4302
4310
  # To work with CloudFront, you must also specify the Region US East
4303
4311
  # (N. Virginia) as follows:
@@ -4411,8 +4419,8 @@ module Aws::WAFV2
4411
4419
  # Specifies whether this is for an Amazon CloudFront distribution or
4412
4420
  # for a regional application. A regional application can be an
4413
4421
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
4414
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
4415
- # service.
4422
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
4423
+ # service, or an Amazon Web Services Verified Access instance.
4416
4424
  #
4417
4425
  # To work with CloudFront, you must also specify the Region US East
4418
4426
  # (N. Virginia) as follows:
@@ -5262,8 +5270,8 @@ module Aws::WAFV2
5262
5270
  # Specifies whether this is for an Amazon CloudFront distribution or
5263
5271
  # for a regional application. A regional application can be an
5264
5272
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
5265
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
5266
- # service.
5273
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
5274
+ # service, or an Amazon Web Services Verified Access instance.
5267
5275
  #
5268
5276
  # To work with CloudFront, you must also specify the Region US East
5269
5277
  # (N. Virginia) as follows:
@@ -5393,11 +5401,86 @@ module Aws::WAFV2
5393
5401
  #
5394
5402
  class QueryString < Aws::EmptyStructure; end
5395
5403
 
5396
- # A rate-based rule tracks the rate of requests for each originating IP
5397
- # address, and triggers the rule action when the rate exceeds a limit
5398
- # that you specify on the number of requests in any 5-minute time span.
5399
- # You can use this to put a temporary block on requests from an IP
5400
- # address that is sending excessive requests.
5404
+ # A rate-based rule counts incoming requests and rate limits requests
5405
+ # when they are coming at too fast a rate. The rule categorizes requests
5406
+ # according to your aggregation criteria, collects them into aggregation
5407
+ # instances, and counts and rate limits the requests for each instance.
5408
+ #
5409
+ # You can specify individual aggregation keys, like IP address or HTTP
5410
+ # method. You can also specify aggregation key combinations, like IP
5411
+ # address and HTTP method, or HTTP method, query argument, and cookie.
5412
+ #
5413
+ # Each unique set of values for the aggregation keys that you specify is
5414
+ # a separate aggregation instance, with the value from each key
5415
+ # contributing to the aggregation instance definition.
5416
+ #
5417
+ # For example, assume the rule evaluates web requests with the following
5418
+ # IP address and HTTP method values:
5419
+ #
5420
+ # * IP address 10.1.1.1, HTTP method POST
5421
+ #
5422
+ # * IP address 10.1.1.1, HTTP method GET
5423
+ #
5424
+ # * IP address 127.0.0.0, HTTP method POST
5425
+ #
5426
+ # * IP address 10.1.1.1, HTTP method GET
5427
+ #
5428
+ # The rule would create different aggregation instances according to
5429
+ # your aggregation criteria, for example:
5430
+ #
5431
+ # * If the aggregation criteria is just the IP address, then each
5432
+ # individual address is an aggregation instance, and WAF counts
5433
+ # requests separately for each. The aggregation instances and request
5434
+ # counts for our example would be the following:
5435
+ #
5436
+ # * IP address 10.1.1.1: count 3
5437
+ #
5438
+ # * IP address 127.0.0.0: count 1
5439
+ #
5440
+ # * If the aggregation criteria is HTTP method, then each individual
5441
+ # HTTP method is an aggregation instance. The aggregation instances
5442
+ # and request counts for our example would be the following:
5443
+ #
5444
+ # * HTTP method POST: count 2
5445
+ #
5446
+ # * HTTP method GET: count 2
5447
+ #
5448
+ # * If the aggregation criteria is IP address and HTTP method, then each
5449
+ # IP address and each HTTP method would contribute to the combined
5450
+ # aggregation instance. The aggregation instances and request counts
5451
+ # for our example would be the following:
5452
+ #
5453
+ # * IP address 10.1.1.1, HTTP method POST: count 1
5454
+ #
5455
+ # * IP address 10.1.1.1, HTTP method GET: count 2
5456
+ #
5457
+ # * IP address 127.0.0.0, HTTP method POST: count 1
5458
+ #
5459
+ # For any n-tuple of aggregation keys, each unique combination of values
5460
+ # for the keys defines a separate aggregation instance, which WAF counts
5461
+ # and rate-limits individually.
5462
+ #
5463
+ # You can optionally nest another statement inside the rate-based
5464
+ # statement, to narrow the scope of the rule so that it only counts and
5465
+ # rate limits requests that match the nested statement. You can use this
5466
+ # nested scope-down statement in conjunction with your aggregation key
5467
+ # specifications or you can just count and rate limit all requests that
5468
+ # match the scope-down statement, without additional aggregation. When
5469
+ # you choose to just manage all requests that match a scope-down
5470
+ # statement, the aggregation instance is singular for the rule.
5471
+ #
5472
+ # You cannot nest a `RateBasedStatement` inside another statement, for
5473
+ # example inside a `NotStatement` or `OrStatement`. You can define a
5474
+ # `RateBasedStatement` inside a web ACL and inside a rule group.
5475
+ #
5476
+ # For additional information about the options, see [Rate limiting web
5477
+ # requests using rate-based rules][1] in the *WAF Developer Guide*.
5478
+ #
5479
+ # If you only aggregate on the individual IP address or forwarded IP
5480
+ # address, you can retrieve the list of IP addresses that WAF is
5481
+ # currently rate limiting for a rule through the API call
5482
+ # `GetRateBasedStatementManagedKeys`. This option is not available for
5483
+ # other aggregation configurations.
5401
5484
  #
5402
5485
  # WAF tracks and manages web requests separately for each instance of a
5403
5486
  # rate-based rule that you use. For example, if you provide the same
@@ -5408,58 +5491,80 @@ module Aws::WAFV2
5408
5491
  # multiple places, each use creates a separate instance of the
5409
5492
  # rate-based rule that gets its own tracking and management by WAF.
5410
5493
  #
5411
- # When the rule action triggers, WAF blocks additional requests from the
5412
- # IP address until the request rate falls below the limit.
5413
5494
  #
5414
- # You can optionally nest another statement inside the rate-based
5415
- # statement, to narrow the scope of the rule so that it only counts
5416
- # requests that match the nested statement. For example, based on recent
5417
- # requests that you have seen from an attacker, you might create a
5418
- # rate-based rule with a nested AND rule statement that contains the
5419
- # following nested statements:
5420
5495
  #
5421
- # * An IP match statement with an IP set that specifies the address
5422
- # 192.0.2.44.
5496
+ # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html
5423
5497
  #
5424
- # * A string match statement that searches in the User-Agent header for
5425
- # the string BadBot.
5498
+ # @!attribute [rw] limit
5499
+ # The limit on requests per 5-minute period for a single aggregation
5500
+ # instance for the rate-based rule. If the rate-based statement
5501
+ # includes a `ScopeDownStatement`, this limit is applied only to the
5502
+ # requests that match the statement.
5426
5503
  #
5427
- # In this rate-based rule, you also define a rate limit. For this
5428
- # example, the rate limit is 1,000. Requests that meet the criteria of
5429
- # both of the nested statements are counted. If the count exceeds 1,000
5430
- # requests per five minutes, the rule action triggers. Requests that do
5431
- # not meet the criteria of both of the nested statements are not counted
5432
- # towards the rate limit and are not affected by this rule.
5504
+ # Examples:
5433
5505
  #
5434
- # You cannot nest a `RateBasedStatement` inside another statement, for
5435
- # example inside a `NotStatement` or `OrStatement`. You can define a
5436
- # `RateBasedStatement` inside a web ACL and inside a rule group.
5506
+ # * If you aggregate on just the IP address, this is the limit on
5507
+ # requests from any single IP address.
5437
5508
  #
5438
- # @!attribute [rw] limit
5439
- # The limit on requests per 5-minute period for a single originating
5440
- # IP address. If the statement includes a `ScopeDownStatement`, this
5441
- # limit is applied only to the requests that match the statement.
5509
+ # * If you aggregate on the HTTP method and the query argument name
5510
+ # "city", then this is the limit on requests for any single
5511
+ # method, city pair.
5442
5512
  # @return [Integer]
5443
5513
  #
5444
5514
  # @!attribute [rw] aggregate_key_type
5445
- # Setting that indicates how to aggregate the request counts. The
5446
- # options are the following:
5515
+ # Setting that indicates how to aggregate the request counts.
5516
+ #
5517
+ # <note markdown="1"> Web requests that are missing any of the components specified in the
5518
+ # aggregation keys are omitted from the rate-based rule evaluation and
5519
+ # handling.
5520
+ #
5521
+ # </note>
5522
+ #
5523
+ # * `CONSTANT` - Count and limit the requests that match the
5524
+ # rate-based rule's scope-down statement. With this option, the
5525
+ # counted requests aren't further aggregated. The scope-down
5526
+ # statement is the only specification used. When the count of all
5527
+ # requests that satisfy the scope-down statement goes over the
5528
+ # limit, WAF applies the rule action to all requests that satisfy
5529
+ # the scope-down statement.
5530
+ #
5531
+ # With this option, you must configure the `ScopeDownStatement`
5532
+ # property.
5533
+ #
5534
+ # * `CUSTOM_KEYS` - Aggregate the request counts using one or more web
5535
+ # request components as the aggregate keys.
5536
+ #
5537
+ # With this option, you must specify the aggregate keys in the
5538
+ # `CustomKeys` property.
5539
+ #
5540
+ # To aggregate on only the IP address or only the forwarded IP
5541
+ # address, don't use custom keys. Instead, set the aggregate key
5542
+ # type to `IP` or `FORWARDED_IP`.
5543
+ #
5544
+ # * `FORWARDED_IP` - Aggregate the request counts on the first IP
5545
+ # address in an HTTP header.
5447
5546
  #
5448
- # * IP - Aggregate the request counts on the IP address from the web
5547
+ # With this option, you must specify the header to use in the
5548
+ # `ForwardedIPConfig` property.
5549
+ #
5550
+ # To aggregate on a combination of the forwarded IP address with
5551
+ # other aggregate keys, use `CUSTOM_KEYS`.
5552
+ #
5553
+ # * `IP` - Aggregate the request counts on the IP address from the web
5449
5554
  # request origin.
5450
5555
  #
5451
- # * FORWARDED\_IP - Aggregate the request counts on the first IP
5452
- # address in an HTTP header. If you use this, configure the
5453
- # `ForwardedIPConfig`, to specify the header to use.
5556
+ # To aggregate on a combination of the IP address with other
5557
+ # aggregate keys, use `CUSTOM_KEYS`.
5454
5558
  # @return [String]
5455
5559
  #
5456
5560
  # @!attribute [rw] scope_down_statement
5457
5561
  # An optional nested statement that narrows the scope of the web
5458
- # requests that are evaluated by the rate-based statement. Requests
5459
- # are only tracked by the rate-based statement if they match the
5460
- # scope-down statement. You can use any nestable Statement in the
5461
- # scope-down statement, and you can nest statements at any level, the
5462
- # same as you can for a rule statement.
5562
+ # requests that are evaluated and managed by the rate-based statement.
5563
+ # When you use a scope-down statement, the rate-based rule only tracks
5564
+ # and rate limits requests that match the scope-down statement. You
5565
+ # can use any nestable Statement in the scope-down statement, and you
5566
+ # can nest statements at any level, the same as you can for a rule
5567
+ # statement.
5463
5568
  # @return [Types::Statement]
5464
5569
  #
5465
5570
  # @!attribute [rw] forwarded_ip_config
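Review bot: The note added under `aggregate_key_type` says that requests missing a keyed component are "omitted from the rate-based rule evaluation and handling", but it does not state the consequence: those requests are never counted or rate limited by this rule. That matters for `CUSTOM_KEYS` and `FORWARDED_IP`, where the component is taken from the request itself. It presumably cannot occur for `IP` or `CONSTANT`, so the note would read more clearly inside those two bullets than above the whole list. I would add a sentence such as `# Requests that lack the component are not counted or limited by this rule; cover them with a separate rule if they must be limited.` The `RateBasedStatement` comment block starts before this hunk and continues after it.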
@@ -5473,22 +5578,143 @@ module Aws::WAFV2
5473
5578
  #
5474
5579
  # </note>
5475
5580
  #
5476
- # This is required if `AggregateKeyType` is set to `FORWARDED_IP`.
5581
+ # This is required if you specify a forwarded IP in the rule's
5582
+ # aggregate key settings.
5477
5583
  # @return [Types::ForwardedIPConfig]
5478
5584
  #
5585
+ # @!attribute [rw] custom_keys
5586
+ # Specifies the aggregate keys to use in a rate-base rule.
5587
+ # @return [Array<Types::RateBasedStatementCustomKey>]
5588
+ #
5479
5589
  # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateBasedStatement AWS API Documentation
5480
5590
  #
5481
5591
  class RateBasedStatement < Struct.new(
5482
5592
  :limit,
5483
5593
  :aggregate_key_type,
5484
5594
  :scope_down_statement,
5485
- :forwarded_ip_config)
5595
+ :forwarded_ip_config,
5596
+ :custom_keys)
5597
+ SENSITIVE = []
5598
+ include Aws::Structure
5599
+ end
5600
+
5601
+ # Specifies a single custom aggregate key for a rate-base rule.
5602
+ #
5603
+ # <note markdown="1"> Web requests that are missing any of the components specified in the
5604
+ # aggregation keys are omitted from the rate-based rule evaluation and
5605
+ # handling.
5606
+ #
5607
+ # </note>
5608
+ #
5609
+ # @!attribute [rw] header
5610
+ # Use the value of a header in the request as an aggregate key. Each
5611
+ # distinct value in the header contributes to the aggregation
5612
+ # instance. If you use a single header as your custom key, then each
5613
+ # value fully defines an aggregation instance.
5614
+ # @return [Types::RateLimitHeader]
5615
+ #
5616
+ # @!attribute [rw] cookie
5617
+ # Use the value of a cookie in the request as an aggregate key. Each
5618
+ # distinct value in the cookie contributes to the aggregation
5619
+ # instance. If you use a single cookie as your custom key, then each
5620
+ # value fully defines an aggregation instance.
5621
+ # @return [Types::RateLimitCookie]
5622
+ #
5623
+ # @!attribute [rw] query_argument
5624
+ # Use the specified query argument as an aggregate key. Each distinct
5625
+ # value for the named query argument contributes to the aggregation
5626
+ # instance. If you use a single query argument as your custom key,
5627
+ # then each value fully defines an aggregation instance.
5628
+ # @return [Types::RateLimitQueryArgument]
5629
+ #
5630
+ # @!attribute [rw] query_string
5631
+ # Use the request's query string as an aggregate key. Each distinct
5632
+ # string contributes to the aggregation instance. If you use just the
5633
+ # query string as your custom key, then each string fully defines an
5634
+ # aggregation instance.
5635
+ # @return [Types::RateLimitQueryString]
5636
+ #
5637
+ # @!attribute [rw] http_method
5638
+ # Use the request's HTTP method as an aggregate key. Each distinct
5639
+ # HTTP method contributes to the aggregation instance. If you use just
5640
+ # the HTTP method as your custom key, then each method fully defines
5641
+ # an aggregation instance.
5642
+ # @return [Types::RateLimitHTTPMethod]
5643
+ #
5644
+ # @!attribute [rw] forwarded_ip
5645
+ # Use the first IP address in an HTTP header as an aggregate key. Each
5646
+ # distinct forwarded IP address contributes to the aggregation
5647
+ # instance.
5648
+ #
5649
+ # When you specify an IP or forwarded IP in the custom key settings,
5650
+ # you must also specify at least one other key to use. You can
5651
+ # aggregate on only the forwarded IP address by specifying
5652
+ # `FORWARDED_IP` in your rate-based statement's `AggregateKeyType`.
5653
+ #
5654
+ # With this option, you must specify the header to use in the
5655
+ # rate-based rule's `ForwardedIPConfig` property.
5656
+ # @return [Types::RateLimitForwardedIP]
5657
+ #
5658
+ # @!attribute [rw] ip
5659
+ # Use the request's originating IP address as an aggregate key. Each
5660
+ # distinct IP address contributes to the aggregation instance.
5661
+ #
5662
+ # When you specify an IP or forwarded IP in the custom key settings,
5663
+ # you must also specify at least one other key to use. You can
5664
+ # aggregate on only the IP address by specifying `IP` in your
5665
+ # rate-based statement's `AggregateKeyType`.
5666
+ # @return [Types::RateLimitIP]
5667
+ #
5668
+ # @!attribute [rw] label_namespace
5669
+ # Use the specified label namespace as an aggregate key. Each distinct
5670
+ # fully qualified label name that has the specified label namespace
5671
+ # contributes to the aggregation instance. If you use just one label
5672
+ # namespace as your custom key, then each label name fully defines an
5673
+ # aggregation instance.
5674
+ #
5675
+ # This uses only labels that have been added to the request by rules
5676
+ # that are evaluated before this rate-based rule in the web ACL.
5677
+ #
5678
+ # For information about label namespaces and names, see [Label syntax
5679
+ # and naming requirements][1] in the *WAF Developer Guide*.
5680
+ #
5681
+ #
5682
+ #
5683
+ # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html
5684
+ # @return [Types::RateLimitLabelNamespace]
5685
+ #
5686
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateBasedStatementCustomKey AWS API Documentation
5687
+ #
5688
+ class RateBasedStatementCustomKey < Struct.new(
5689
+ :header,
5690
+ :cookie,
5691
+ :query_argument,
5692
+ :query_string,
5693
+ :http_method,
5694
+ :forwarded_ip,
5695
+ :ip,
5696
+ :label_namespace)
5486
5697
  SENSITIVE = []
5487
5698
  include Aws::Structure
5488
5699
  end
5489
5700
 
5490
5701
  # The set of IP addresses that are currently blocked for a
5491
- # RateBasedStatement.
5702
+ # RateBasedStatement. This is only available for rate-based rules that
5703
+ # aggregate on just the IP address, with the `AggregateKeyType` set to
5704
+ # `IP` or `FORWARDED_IP`.
5705
+ #
5706
+ # A rate-based rule applies its rule action to requests from IP
5707
+ # addresses that are in the rule's managed keys list and that match the
5708
+ # rule's scope-down statement. When a rule has no scope-down statement,
5709
+ # it applies the action to all requests from the IP addresses that are
5710
+ # in the list. The rule applies its rule action to rate limit the
5711
+ # matching requests. The action is usually Block but it can be any valid
5712
+ # rule action except for Allow.
5713
+ #
5714
+ # The maximum number of IP addresses that can be rate limited by a
5715
+ # single rate-based rule instance is 10,000. If more than 10,000
5716
+ # addresses exceed the rate limit, WAF limits those with the highest
5717
+ # rates.
5492
5718
  #
5493
5719
  # @!attribute [rw] ip_address_version
5494
5720
  # The version of the IP addresses, either `IPV4` or `IPV6`.
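Review bot: The new `custom_keys` attribute is documented only as `Specifies the aggregate keys to use in a rate-base rule.`, which misspells "rate-based" and does not say when the attribute is needed. The same misspelling is in the first line of the `RateBasedStatementCustomKey` comment. The `aggregate_key_type` text in the previous hunk says the keys must be given in `CustomKeys` when the type is `CUSTOM_KEYS`, so the attribute should say so in the way `forwarded_ip_config` does: `# Specifies the aggregate keys to use in a rate-based rule. This is required if AggregateKeyType is set to CUSTOM_KEYS.` The rule that `ip` and `forwarded_ip` need at least one other key is stated only in prose here; whether anything enforces it before the request is sent cannot be seen from this hunk.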
@@ -5507,6 +5733,208 @@ module Aws::WAFV2
5507
5733
  include Aws::Structure
5508
5734
  end
5509
5735
 
5736
+ # Specifies a cookie as an aggregate key for a rate-based rule. Each
5737
+ # distinct value in the cookie contributes to the aggregation instance.
5738
+ # If you use a single cookie as your custom key, then each value fully
5739
+ # defines an aggregation instance.
5740
+ #
5741
+ # @!attribute [rw] name
5742
+ # The name of the cookie to use.
5743
+ # @return [String]
5744
+ #
5745
+ # @!attribute [rw] text_transformations
5746
+ # Text transformations eliminate some of the unusual formatting that
5747
+ # attackers use in web requests in an effort to bypass detection. Text
5748
+ # transformations are used in rule match statements, to transform the
5749
+ # `FieldToMatch` request component before inspecting it, and they're
5750
+ # used in rate-based rule statements, to transform request components
5751
+ # before using them as custom aggregation keys. If you specify one or
5752
+ # more transformations to apply, WAF performs all transformations on
5753
+ # the specified content, starting from the lowest priority setting,
5754
+ # and then uses the component contents.
5755
+ # @return [Array<Types::TextTransformation>]
5756
+ #
5757
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitCookie AWS API Documentation
5758
+ #
5759
+ class RateLimitCookie < Struct.new(
5760
+ :name,
5761
+ :text_transformations)
5762
+ SENSITIVE = []
5763
+ include Aws::Structure
5764
+ end
5765
+
5766
+ # Specifies the first IP address in an HTTP header as an aggregate key
5767
+ # for a rate-based rule. Each distinct forwarded IP address contributes
5768
+ # to the aggregation instance.
5769
+ #
5770
+ # This setting is used only in the `RateBasedStatementCustomKey`
5771
+ # specification of a rate-based rule statement. When you specify an IP
5772
+ # or forwarded IP in the custom key settings, you must also specify at
5773
+ # least one other key to use. You can aggregate on only the forwarded IP
5774
+ # address by specifying `FORWARDED_IP` in your rate-based statement's
5775
+ # `AggregateKeyType`.
5776
+ #
5777
+ # This data type supports using the forwarded IP address in the web
5778
+ # request aggregation for a rate-based rule, in
5779
+ # `RateBasedStatementCustomKey`. The JSON specification for using the
5780
+ # forwarded IP address doesn't explicitly use this data type.
5781
+ #
5782
+ # JSON specification: `"ForwardedIP": \{\}`
5783
+ #
5784
+ # When you use this specification, you must also configure the forwarded
5785
+ # IP address in the rate-based statement's `ForwardedIPConfig`.
5786
+ #
5787
+ # @api private
5788
+ #
5789
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitForwardedIP AWS API Documentation
5790
+ #
5791
+ class RateLimitForwardedIP < Aws::EmptyStructure; end
5792
+
5793
+ # Specifies the request's HTTP method as an aggregate key for a
5794
+ # rate-based rule. Each distinct HTTP method contributes to the
5795
+ # aggregation instance. If you use just the HTTP method as your custom
5796
+ # key, then each method fully defines an aggregation instance.
5797
+ #
5798
+ # JSON specification: `"RateLimitHTTPMethod": \{\}`
5799
+ #
5800
+ # @api private
5801
+ #
5802
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitHTTPMethod AWS API Documentation
5803
+ #
5804
+ class RateLimitHTTPMethod < Aws::EmptyStructure; end
5805
+
5806
+ # Specifies a header as an aggregate key for a rate-based rule. Each
5807
+ # distinct value in the header contributes to the aggregation instance.
5808
+ # If you use a single header as your custom key, then each value fully
5809
+ # defines an aggregation instance.
5810
+ #
5811
+ # @!attribute [rw] name
5812
+ # The name of the header to use.
5813
+ # @return [String]
5814
+ #
5815
+ # @!attribute [rw] text_transformations
5816
+ # Text transformations eliminate some of the unusual formatting that
5817
+ # attackers use in web requests in an effort to bypass detection. Text
5818
+ # transformations are used in rule match statements, to transform the
5819
+ # `FieldToMatch` request component before inspecting it, and they're
5820
+ # used in rate-based rule statements, to transform request components
5821
+ # before using them as custom aggregation keys. If you specify one or
5822
+ # more transformations to apply, WAF performs all transformations on
5823
+ # the specified content, starting from the lowest priority setting,
5824
+ # and then uses the component contents.
5825
+ # @return [Array<Types::TextTransformation>]
5826
+ #
5827
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitHeader AWS API Documentation
5828
+ #
5829
+ class RateLimitHeader < Struct.new(
5830
+ :name,
5831
+ :text_transformations)
5832
+ SENSITIVE = []
5833
+ include Aws::Structure
5834
+ end
5835
+
5836
+ # Specifies the IP address in the web request as an aggregate key for a
5837
+ # rate-based rule. Each distinct IP address contributes to the
5838
+ # aggregation instance.
5839
+ #
5840
+ # This setting is used only in the `RateBasedStatementCustomKey`
5841
+ # specification of a rate-based rule statement. To use this in the
5842
+ # custom key settings, you must specify at least one other key to use,
5843
+ # along with the IP address. To aggregate on only the IP address, in
5844
+ # your rate-based statement's `AggregateKeyType`, specify `IP`.
5845
+ #
5846
+ # JSON specification: `"RateLimitIP": \{\}`
5847
+ #
5848
+ # @api private
5849
+ #
5850
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitIP AWS API Documentation
5851
+ #
5852
+ class RateLimitIP < Aws::EmptyStructure; end
5853
+
5854
+ # Specifies a label namespace to use as an aggregate key for a
5855
+ # rate-based rule. Each distinct fully qualified label name that has the
5856
+ # specified label namespace contributes to the aggregation instance. If
5857
+ # you use just one label namespace as your custom key, then each label
5858
+ # name fully defines an aggregation instance.
5859
+ #
5860
+ # This uses only labels that have been added to the request by rules
5861
+ # that are evaluated before this rate-based rule in the web ACL.
5862
+ #
5863
+ # For information about label namespaces and names, see [Label syntax
5864
+ # and naming requirements][1] in the *WAF Developer Guide*.
5865
+ #
5866
+ #
5867
+ #
5868
+ # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html
5869
+ #
5870
+ # @!attribute [rw] namespace
5871
+ # The namespace to use for aggregation.
5872
+ # @return [String]
5873
+ #
5874
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitLabelNamespace AWS API Documentation
5875
+ #
5876
+ class RateLimitLabelNamespace < Struct.new(
5877
+ :namespace)
5878
+ SENSITIVE = []
5879
+ include Aws::Structure
5880
+ end
5881
+
5882
+ # Specifies a query argument in the request as an aggregate key for a
5883
+ # rate-based rule. Each distinct value for the named query argument
5884
+ # contributes to the aggregation instance. If you use a single query
5885
+ # argument as your custom key, then each value fully defines an
5886
+ # aggregation instance.
5887
+ #
5888
+ # @!attribute [rw] name
5889
+ # The name of the query argument to use.
5890
+ # @return [String]
5891
+ #
5892
+ # @!attribute [rw] text_transformations
5893
+ # Text transformations eliminate some of the unusual formatting that
5894
+ # attackers use in web requests in an effort to bypass detection. Text
5895
+ # transformations are used in rule match statements, to transform the
5896
+ # `FieldToMatch` request component before inspecting it, and they're
5897
+ # used in rate-based rule statements, to transform request components
5898
+ # before using them as custom aggregation keys. If you specify one or
5899
+ # more transformations to apply, WAF performs all transformations on
5900
+ # the specified content, starting from the lowest priority setting,
5901
+ # and then uses the component contents.
5902
+ # @return [Array<Types::TextTransformation>]
5903
+ #
5904
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitQueryArgument AWS API Documentation
5905
+ #
5906
+ class RateLimitQueryArgument < Struct.new(
5907
+ :name,
5908
+ :text_transformations)
5909
+ SENSITIVE = []
5910
+ include Aws::Structure
5911
+ end
5912
+
5913
+ # Specifies the request's query string as an aggregate key for a
5914
+ # rate-based rule. Each distinct string contributes to the aggregation
5915
+ # instance. If you use just the query string as your custom key, then
5916
+ # each string fully defines an aggregation instance.
5917
+ #
5918
+ # @!attribute [rw] text_transformations
5919
+ # Text transformations eliminate some of the unusual formatting that
5920
+ # attackers use in web requests in an effort to bypass detection. Text
5921
+ # transformations are used in rule match statements, to transform the
5922
+ # `FieldToMatch` request component before inspecting it, and they're
5923
+ # used in rate-based rule statements, to transform request components
5924
+ # before using them as custom aggregation keys. If you specify one or
5925
+ # more transformations to apply, WAF performs all transformations on
5926
+ # the specified content, starting from the lowest priority setting,
5927
+ # and then uses the component contents.
5928
+ # @return [Array<Types::TextTransformation>]
5929
+ #
5930
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitQueryString AWS API Documentation
5931
+ #
5932
+ class RateLimitQueryString < Struct.new(
5933
+ :text_transformations)
5934
+ SENSITIVE = []
5935
+ include Aws::Structure
5936
+ end
5937
+
5510
5938
  # A single regular expression. This is used in a RegexPatternSet.
5511
5939
  #
5512
5940
  # @!attribute [rw] regex_string
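Review bot: The `JSON specification` lines for the three empty structures do not follow one convention: `RateLimitForwardedIP` shows `"ForwardedIP": \{\}`, while `RateLimitHTTPMethod` and `RateLimitIP` show `"RateLimitHTTPMethod": \{\}` and `"RateLimitIP": \{\}`. `RateBasedStatementCustomKey` in the previous hunk names its members `http_method` and `ip`, so the keys are presumably `"HTTPMethod"` and `"IP"`; this should be checked against the API model before the comments are changed. The two shorter comments also lack the sentence `RateLimitForwardedIP` carries, explaining that the JSON does not name the data type explicitly.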
@@ -5534,11 +5962,14 @@ module Aws::WAFV2
5534
5962
  #
5535
5963
  # @!attribute [rw] text_transformations
5536
5964
  # Text transformations eliminate some of the unusual formatting that
5537
- # attackers use in web requests in an effort to bypass detection. If
5538
- # you specify one or more transformations in a rule statement, WAF
5539
- # performs all transformations on the content of the request component
5540
- # identified by `FieldToMatch`, starting from the lowest priority
5541
- # setting, before inspecting the content for a match.
5965
+ # attackers use in web requests in an effort to bypass detection. Text
5966
+ # transformations are used in rule match statements, to transform the
5967
+ # `FieldToMatch` request component before inspecting it, and they're
5968
+ # used in rate-based rule statements, to transform request components
5969
+ # before using them as custom aggregation keys. If you specify one or
5970
+ # more transformations to apply, WAF performs all transformations on
5971
+ # the specified content, starting from the lowest priority setting,
5972
+ # and then uses the component contents.
5542
5973
  # @return [Array<Types::TextTransformation>]
5543
5974
  #
5544
5975
  # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RegexMatchStatement AWS API Documentation
@@ -5615,11 +6046,14 @@ module Aws::WAFV2
5615
6046
  #
5616
6047
  # @!attribute [rw] text_transformations
5617
6048
  # Text transformations eliminate some of the unusual formatting that
5618
- # attackers use in web requests in an effort to bypass detection. If
5619
- # you specify one or more transformations in a rule statement, WAF
5620
- # performs all transformations on the content of the request component
5621
- # identified by `FieldToMatch`, starting from the lowest priority
5622
- # setting, before inspecting the content for a match.
6049
+ # attackers use in web requests in an effort to bypass detection. Text
6050
+ # transformations are used in rule match statements, to transform the
6051
+ # `FieldToMatch` request component before inspecting it, and they're
6052
+ # used in rate-based rule statements, to transform request components
6053
+ # before using them as custom aggregation keys. If you specify one or
6054
+ # more transformations to apply, WAF performs all transformations on
6055
+ # the specified content, starting from the lowest priority setting,
6056
+ # and then uses the component contents.
5623
6057
  # @return [Array<Types::TextTransformation>]
5624
6058
  #
5625
6059
  # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RegexPatternSetReferenceStatement AWS API Documentation
@@ -6617,11 +7051,14 @@ module Aws::WAFV2
6617
7051
  #
6618
7052
  # @!attribute [rw] text_transformations
6619
7053
  # Text transformations eliminate some of the unusual formatting that
6620
- # attackers use in web requests in an effort to bypass detection. If
6621
- # you specify one or more transformations in a rule statement, WAF
6622
- # performs all transformations on the content of the request component
6623
- # identified by `FieldToMatch`, starting from the lowest priority
6624
- # setting, before inspecting the content for a match.
7054
+ # attackers use in web requests in an effort to bypass detection. Text
7055
+ # transformations are used in rule match statements, to transform the
7056
+ # `FieldToMatch` request component before inspecting it, and they're
7057
+ # used in rate-based rule statements, to transform request components
7058
+ # before using them as custom aggregation keys. If you specify one or
7059
+ # more transformations to apply, WAF performs all transformations on
7060
+ # the specified content, starting from the lowest priority setting,
7061
+ # and then uses the component contents.
6625
7062
  # @return [Array<Types::TextTransformation>]
6626
7063
  #
6627
7064
  # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/SizeConstraintStatement AWS API Documentation
@@ -6645,11 +7082,14 @@ module Aws::WAFV2
6645
7082
  #
6646
7083
  # @!attribute [rw] text_transformations
6647
7084
  # Text transformations eliminate some of the unusual formatting that
6648
- # attackers use in web requests in an effort to bypass detection. If
6649
- # you specify one or more transformations in a rule statement, WAF
6650
- # performs all transformations on the content of the request component
6651
- # identified by `FieldToMatch`, starting from the lowest priority
6652
- # setting, before inspecting the content for a match.
7085
+ # attackers use in web requests in an effort to bypass detection. Text
7086
+ # transformations are used in rule match statements, to transform the
7087
+ # `FieldToMatch` request component before inspecting it, and they're
7088
+ # used in rate-based rule statements, to transform request components
7089
+ # before using them as custom aggregation keys. If you specify one or
7090
+ # more transformations to apply, WAF performs all transformations on
7091
+ # the specified content, starting from the lowest priority setting,
7092
+ # and then uses the component contents.
6653
7093
  # @return [Array<Types::TextTransformation>]
6654
7094
  #
6655
7095
  # @!attribute [rw] sensitivity_level
@@ -6809,11 +7249,88 @@ module Aws::WAFV2
6809
7249
  # @return [Types::RegexPatternSetReferenceStatement]
6810
7250
  #
6811
7251
  # @!attribute [rw] rate_based_statement
6812
- # A rate-based rule tracks the rate of requests for each originating
6813
- # IP address, and triggers the rule action when the rate exceeds a
6814
- # limit that you specify on the number of requests in any 5-minute
6815
- # time span. You can use this to put a temporary block on requests
6816
- # from an IP address that is sending excessive requests.
7252
+ # A rate-based rule counts incoming requests and rate limits requests
7253
+ # when they are coming at too fast a rate. The rule categorizes
7254
+ # requests according to your aggregation criteria, collects them into
7255
+ # aggregation instances, and counts and rate limits the requests for
7256
+ # each instance.
7257
+ #
7258
+ # You can specify individual aggregation keys, like IP address or HTTP
7259
+ # method. You can also specify aggregation key combinations, like IP
7260
+ # address and HTTP method, or HTTP method, query argument, and cookie.
7261
+ #
7262
+ # Each unique set of values for the aggregation keys that you specify
7263
+ # is a separate aggregation instance, with the value from each key
7264
+ # contributing to the aggregation instance definition.
7265
+ #
7266
+ # For example, assume the rule evaluates web requests with the
7267
+ # following IP address and HTTP method values:
7268
+ #
7269
+ # * IP address 10.1.1.1, HTTP method POST
7270
+ #
7271
+ # * IP address 10.1.1.1, HTTP method GET
7272
+ #
7273
+ # * IP address 127.0.0.0, HTTP method POST
7274
+ #
7275
+ # * IP address 10.1.1.1, HTTP method GET
7276
+ #
7277
+ # The rule would create different aggregation instances according to
7278
+ # your aggregation criteria, for example:
7279
+ #
7280
+ # * If the aggregation criteria is just the IP address, then each
7281
+ # individual address is an aggregation instance, and WAF counts
7282
+ # requests separately for each. The aggregation instances and
7283
+ # request counts for our example would be the following:
7284
+ #
7285
+ # * IP address 10.1.1.1: count 3
7286
+ #
7287
+ # * IP address 127.0.0.0: count 1
7288
+ #
7289
+ # * If the aggregation criteria is HTTP method, then each individual
7290
+ # HTTP method is an aggregation instance. The aggregation instances
7291
+ # and request counts for our example would be the following:
7292
+ #
7293
+ # * HTTP method POST: count 2
7294
+ #
7295
+ # * HTTP method GET: count 2
7296
+ #
7297
+ # * If the aggregation criteria is IP address and HTTP method, then
7298
+ # each IP address and each HTTP method would contribute to the
7299
+ # combined aggregation instance. The aggregation instances and
7300
+ # request counts for our example would be the following:
7301
+ #
7302
+ # * IP address 10.1.1.1, HTTP method POST: count 1
7303
+ #
7304
+ # * IP address 10.1.1.1, HTTP method GET: count 2
7305
+ #
7306
+ # * IP address 127.0.0.0, HTTP method POST: count 1
7307
+ #
7308
+ # For any n-tuple of aggregation keys, each unique combination of
7309
+ # values for the keys defines a separate aggregation instance, which
7310
+ # WAF counts and rate-limits individually.
7311
+ #
7312
+ # You can optionally nest another statement inside the rate-based
7313
+ # statement, to narrow the scope of the rule so that it only counts
7314
+ # and rate limits requests that match the nested statement. You can
7315
+ # use this nested scope-down statement in conjunction with your
7316
+ # aggregation key specifications or you can just count and rate limit
7317
+ # all requests that match the scope-down statement, without additional
7318
+ # aggregation. When you choose to just manage all requests that match
7319
+ # a scope-down statement, the aggregation instance is singular for the
7320
+ # rule.
7321
+ #
7322
+ # You cannot nest a `RateBasedStatement` inside another statement, for
7323
+ # example inside a `NotStatement` or `OrStatement`. You can define a
7324
+ # `RateBasedStatement` inside a web ACL and inside a rule group.
7325
+ #
7326
+ # For additional information about the options, see [Rate limiting web
7327
+ # requests using rate-based rules][1] in the *WAF Developer Guide*.
7328
+ #
7329
+ # If you only aggregate on the individual IP address or forwarded IP
7330
+ # address, you can retrieve the list of IP addresses that WAF is
7331
+ # currently rate limiting for a rule through the API call
7332
+ # `GetRateBasedStatementManagedKeys`. This option is not available for
7333
+ # other aggregation configurations.
6817
7334
  #
6818
7335
  # WAF tracks and manages web requests separately for each instance of
6819
7336
  # a rate-based rule that you use. For example, if you provide the same
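Review bot: The worked example in the `rate_based_statement` text uses `127.0.0.0` as a request origin in three bullets of this hunk; that is a loopback-range address, not one a web ACL would record as a client. The text this release removes used the documentation address `192.0.2.44`. Replacing `127.0.0.0` with it, e.g. `# * IP address 192.0.2.44, HTTP method POST`, leaves the counts in the example unchanged. The same example is repeated in the `RateBasedStatement` class comment earlier in the file, and this attribute comment continues past the end of the hunk.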
@@ -6824,33 +7341,9 @@ module Aws::WAFV2
6824
7341
  # multiple places, each use creates a separate instance of the
6825
7342
  # rate-based rule that gets its own tracking and management by WAF.
6826
7343
  #
6827
- # When the rule action triggers, WAF blocks additional requests from
6828
- # the IP address until the request rate falls below the limit.
6829
7344
  #
6830
- # You can optionally nest another statement inside the rate-based
6831
- # statement, to narrow the scope of the rule so that it only counts
6832
- # requests that match the nested statement. For example, based on
6833
- # recent requests that you have seen from an attacker, you might
6834
- # create a rate-based rule with a nested AND rule statement that
6835
- # contains the following nested statements:
6836
- #
6837
- # * An IP match statement with an IP set that specifies the address
6838
- # 192.0.2.44.
6839
- #
6840
- # * A string match statement that searches in the User-Agent header
6841
- # for the string BadBot.
6842
- #
6843
- # In this rate-based rule, you also define a rate limit. For this
6844
- # example, the rate limit is 1,000. Requests that meet the criteria of
6845
- # both of the nested statements are counted. If the count exceeds
6846
- # 1,000 requests per five minutes, the rule action triggers. Requests
6847
- # that do not meet the criteria of both of the nested statements are
6848
- # not counted towards the rate limit and are not affected by this
6849
- # rule.
6850
7345
  #
6851
- # You cannot nest a `RateBasedStatement` inside another statement, for
6852
- # example inside a `NotStatement` or `OrStatement`. You can define a
6853
- # `RateBasedStatement` inside a web ACL and inside a rule group.
7346
+ # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html
6854
7347
  # @return [Types::RateBasedStatement]
6855
7348
  #
6856
7349
  # @!attribute [rw] and_statement
@@ -7025,11 +7518,10 @@ module Aws::WAFV2
7025
7518
  # attackers use in web requests in an effort to bypass detection.
7026
7519
  #
7027
7520
  # @!attribute [rw] priority
7028
- # Sets the relative processing order for multiple transformations that
7029
- # are defined for a rule statement. WAF processes all transformations,
7030
- # from lowest priority to highest, before inspecting the transformed
7031
- # content. The priorities don't need to be consecutive, but they must
7032
- # all be different.
7521
+ # Sets the relative processing order for multiple transformations. WAF
7522
+ # processes all transformations, from lowest priority to highest,
7523
+ # before inspecting the transformed content. The priorities don't
7524
+ # need to be consecutive, but they must all be different.
7033
7525
  # @return [Integer]
7034
7526
  #
7035
7527
  # @!attribute [rw] type
@@ -7240,8 +7732,8 @@ module Aws::WAFV2
7240
7732
  # Specifies whether this is for an Amazon CloudFront distribution or
7241
7733
  # for a regional application. A regional application can be an
7242
7734
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
7243
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
7244
- # service.
7735
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
7736
+ # service, or an Amazon Web Services Verified Access instance.
7245
7737
  #
7246
7738
  # To work with CloudFront, you must also specify the Region US East
7247
7739
  # (N. Virginia) as follows:
@@ -7359,8 +7851,8 @@ module Aws::WAFV2
7359
7851
  # Specifies whether this is for an Amazon CloudFront distribution or
7360
7852
  # for a regional application. A regional application can be an
7361
7853
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
7362
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
7363
- # service.
7854
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
7855
+ # service, or an Amazon Web Services Verified Access instance.
7364
7856
  #
7365
7857
  # To work with CloudFront, you must also specify the Region US East
7366
7858
  # (N. Virginia) as follows:
@@ -7458,8 +7950,8 @@ module Aws::WAFV2
7458
7950
  # Specifies whether this is for an Amazon CloudFront distribution or
7459
7951
  # for a regional application. A regional application can be an
7460
7952
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
7461
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
7462
- # service.
7953
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
7954
+ # service, or an Amazon Web Services Verified Access instance.
7463
7955
  #
7464
7956
  # To work with CloudFront, you must also specify the Region US East
7465
7957
  # (N. Virginia) as follows:
@@ -7531,8 +8023,8 @@ module Aws::WAFV2
7531
8023
  # Specifies whether this is for an Amazon CloudFront distribution or
7532
8024
  # for a regional application. A regional application can be an
7533
8025
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
7534
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
7535
- # service.
8026
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
8027
+ # service, or an Amazon Web Services Verified Access instance.
7536
8028
  #
7537
8029
  # To work with CloudFront, you must also specify the Region US East
7538
8030
  # (N. Virginia) as follows:
@@ -7635,8 +8127,8 @@ module Aws::WAFV2
7635
8127
  # Specifies whether this is for an Amazon CloudFront distribution or
7636
8128
  # for a regional application. A regional application can be an
7637
8129
  # Application Load Balancer (ALB), an Amazon API Gateway REST API, an
7638
- # AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner
7639
- # service.
8130
+ # AppSync GraphQL API, an Amazon Cognito user pool, an App Runner
8131
+ # service, or an Amazon Web Services Verified Access instance.
7640
8132
  #
7641
8133
  # To work with CloudFront, you must also specify the Region US East
7642
8134
  # (N. Virginia) as follows:
@@ -8226,6 +8718,22 @@ module Aws::WAFV2
8226
8718
  include Aws::Structure
8227
8719
  end
8228
8720
 
8721
+ # The rule that you've named doesn't aggregate solely on the IP
8722
+ # address or solely on the forwarded IP address. This call is only
8723
+ # available for rate-based rules with an `AggregateKeyType` setting of
8724
+ # `IP` or `FORWARDED_IP`.
8725
+ #
8726
+ # @!attribute [rw] message
8727
+ # @return [String]
8728
+ #
8729
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/WAFUnsupportedAggregateKeyTypeException AWS API Documentation
8730
+ #
8731
+ class WAFUnsupportedAggregateKeyTypeException < Struct.new(
8732
+ :message)
8733
+ SENSITIVE = []
8734
+ include Aws::Structure
8735
+ end
8736
+
8229
8737
  # A web ACL defines a collection of rules to use to inspect and control
8230
8738
  # web requests. Each rule has an action defined (allow, block, or count)
8231
8739
  # for requests that match the statement of the rule. In the web ACL, you
@@ -8235,7 +8743,8 @@ module Aws::WAFV2
8235
8743
  # can associate a web ACL with one or more Amazon Web Services resources
8236
8744
  # to protect. The resources can be an Amazon CloudFront distribution, an
8237
8745
  # Amazon API Gateway REST API, an Application Load Balancer, an AppSync
8238
- # GraphQL API, an Amazon Cognito user pool, or an App Runner service.
8746
+ # GraphQL API, an Amazon Cognito user pool, an App Runner service, or an
8747
+ # Amazon Web Services Verified Access instance.
8239
8748
  #
8240
8749
  # @!attribute [rw] name
8241
8750
  # The name of the web ACL. You cannot change the name of a web ACL
@@ -8487,11 +8996,14 @@ module Aws::WAFV2
8487
8996
  #
8488
8997
  # @!attribute [rw] text_transformations
8489
8998
  # Text transformations eliminate some of the unusual formatting that
8490
- # attackers use in web requests in an effort to bypass detection. If
8491
- # you specify one or more transformations in a rule statement, WAF
8492
- # performs all transformations on the content of the request component
8493
- # identified by `FieldToMatch`, starting from the lowest priority
8494
- # setting, before inspecting the content for a match.
8999
+ # attackers use in web requests in an effort to bypass detection. Text
9000
+ # transformations are used in rule match statements, to transform the
9001
+ # `FieldToMatch` request component before inspecting it, and they're
9002
+ # used in rate-based rule statements, to transform request components
9003
+ # before using them as custom aggregation keys. If you specify one or
9004
+ # more transformations to apply, WAF performs all transformations on
9005
+ # the specified content, starting from the lowest priority setting,
9006
+ # and then uses the component contents.
8495
9007
  # @return [Array<Types::TextTransformation>]
8496
9008
  #
8497
9009
  # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/XssMatchStatement AWS API Documentation