aws-sdk-wafv2 1.56.0 → 1.57.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +5 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-wafv2/client.rb +379 -18
- data/lib/aws-sdk-wafv2/client_api.rb +53 -0
- data/lib/aws-sdk-wafv2/errors.rb +16 -0
- data/lib/aws-sdk-wafv2/types.rb +615 -109
- data/lib/aws-sdk-wafv2.rb +1 -1
- metadata +2 -2
data/lib/aws-sdk-wafv2/types.rb
CHANGED
@@ -419,11 +419,14 @@ module Aws::WAFV2
|
|
419
419
|
#
|
420
420
|
# @!attribute [rw] text_transformations
|
421
421
|
# Text transformations eliminate some of the unusual formatting that
|
422
|
-
# attackers use in web requests in an effort to bypass detection.
|
423
|
-
#
|
424
|
-
#
|
425
|
-
#
|
426
|
-
#
|
422
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
423
|
+
# transformations are used in rule match statements, to transform the
|
424
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
425
|
+
# used in rate-based rule statements, to transform request components
|
426
|
+
# before using them as custom aggregation keys. If you specify one or
|
427
|
+
# more transformations to apply, WAF performs all transformations on
|
428
|
+
# the specified content, starting from the lowest priority setting,
|
429
|
+
# and then uses the component contents.
|
427
430
|
# @return [Array<Types::TextTransformation>]
|
428
431
|
#
|
429
432
|
# @!attribute [rw] positional_constraint
|
@@ -5398,11 +5401,86 @@ module Aws::WAFV2
|
|
5398
5401
|
#
|
5399
5402
|
class QueryString < Aws::EmptyStructure; end
|
5400
5403
|
|
5401
|
-
# A rate-based rule
|
5402
|
-
#
|
5403
|
-
#
|
5404
|
-
#
|
5405
|
-
#
|
5404
|
+
# A rate-based rule counts incoming requests and rate limits requests
|
5405
|
+
# when they are coming at too fast a rate. The rule categorizes requests
|
5406
|
+
# according to your aggregation criteria, collects them into aggregation
|
5407
|
+
# instances, and counts and rate limits the requests for each instance.
|
5408
|
+
#
|
5409
|
+
# You can specify individual aggregation keys, like IP address or HTTP
|
5410
|
+
# method. You can also specify aggregation key combinations, like IP
|
5411
|
+
# address and HTTP method, or HTTP method, query argument, and cookie.
|
5412
|
+
#
|
5413
|
+
# Each unique set of values for the aggregation keys that you specify is
|
5414
|
+
# a separate aggregation instance, with the value from each key
|
5415
|
+
# contributing to the aggregation instance definition.
|
5416
|
+
#
|
5417
|
+
# For example, assume the rule evaluates web requests with the following
|
5418
|
+
# IP address and HTTP method values:
|
5419
|
+
#
|
5420
|
+
# * IP address 10.1.1.1, HTTP method POST
|
5421
|
+
#
|
5422
|
+
# * IP address 10.1.1.1, HTTP method GET
|
5423
|
+
#
|
5424
|
+
# * IP address 127.0.0.0, HTTP method POST
|
5425
|
+
#
|
5426
|
+
# * IP address 10.1.1.1, HTTP method GET
|
5427
|
+
#
|
5428
|
+
# The rule would create different aggregation instances according to
|
5429
|
+
# your aggregation criteria, for example:
|
5430
|
+
#
|
5431
|
+
# * If the aggregation criteria is just the IP address, then each
|
5432
|
+
# individual address is an aggregation instance, and WAF counts
|
5433
|
+
# requests separately for each. The aggregation instances and request
|
5434
|
+
# counts for our example would be the following:
|
5435
|
+
#
|
5436
|
+
# * IP address 10.1.1.1: count 3
|
5437
|
+
#
|
5438
|
+
# * IP address 127.0.0.0: count 1
|
5439
|
+
#
|
5440
|
+
# * If the aggregation criteria is HTTP method, then each individual
|
5441
|
+
# HTTP method is an aggregation instance. The aggregation instances
|
5442
|
+
# and request counts for our example would be the following:
|
5443
|
+
#
|
5444
|
+
# * HTTP method POST: count 2
|
5445
|
+
#
|
5446
|
+
# * HTTP method GET: count 2
|
5447
|
+
#
|
5448
|
+
# * If the aggregation criteria is IP address and HTTP method, then each
|
5449
|
+
# IP address and each HTTP method would contribute to the combined
|
5450
|
+
# aggregation instance. The aggregation instances and request counts
|
5451
|
+
# for our example would be the following:
|
5452
|
+
#
|
5453
|
+
# * IP address 10.1.1.1, HTTP method POST: count 1
|
5454
|
+
#
|
5455
|
+
# * IP address 10.1.1.1, HTTP method GET: count 2
|
5456
|
+
#
|
5457
|
+
# * IP address 127.0.0.0, HTTP method POST: count 1
|
5458
|
+
#
|
5459
|
+
# For any n-tuple of aggregation keys, each unique combination of values
|
5460
|
+
# for the keys defines a separate aggregation instance, which WAF counts
|
5461
|
+
# and rate-limits individually.
|
5462
|
+
#
|
5463
|
+
# You can optionally nest another statement inside the rate-based
|
5464
|
+
# statement, to narrow the scope of the rule so that it only counts and
|
5465
|
+
# rate limits requests that match the nested statement. You can use this
|
5466
|
+
# nested scope-down statement in conjunction with your aggregation key
|
5467
|
+
# specifications or you can just count and rate limit all requests that
|
5468
|
+
# match the scope-down statement, without additional aggregation. When
|
5469
|
+
# you choose to just manage all requests that match a scope-down
|
5470
|
+
# statement, the aggregation instance is singular for the rule.
|
5471
|
+
#
|
5472
|
+
# You cannot nest a `RateBasedStatement` inside another statement, for
|
5473
|
+
# example inside a `NotStatement` or `OrStatement`. You can define a
|
5474
|
+
# `RateBasedStatement` inside a web ACL and inside a rule group.
|
5475
|
+
#
|
5476
|
+
# For additional information about the options, see [Rate limiting web
|
5477
|
+
# requests using rate-based rules][1] in the *WAF Developer Guide*.
|
5478
|
+
#
|
5479
|
+
# If you only aggregate on the individual IP address or forwarded IP
|
5480
|
+
# address, you can retrieve the list of IP addresses that WAF is
|
5481
|
+
# currently rate limiting for a rule through the API call
|
5482
|
+
# `GetRateBasedStatementManagedKeys`. This option is not available for
|
5483
|
+
# other aggregation configurations.
|
5406
5484
|
#
|
5407
5485
|
# WAF tracks and manages web requests separately for each instance of a
|
5408
5486
|
# rate-based rule that you use. For example, if you provide the same
|
@@ -5413,58 +5491,80 @@ module Aws::WAFV2
|
|
5413
5491
|
# multiple places, each use creates a separate instance of the
|
5414
5492
|
# rate-based rule that gets its own tracking and management by WAF.
|
5415
5493
|
#
|
5416
|
-
# When the rule action triggers, WAF blocks additional requests from the
|
5417
|
-
# IP address until the request rate falls below the limit.
|
5418
5494
|
#
|
5419
|
-
# You can optionally nest another statement inside the rate-based
|
5420
|
-
# statement, to narrow the scope of the rule so that it only counts
|
5421
|
-
# requests that match the nested statement. For example, based on recent
|
5422
|
-
# requests that you have seen from an attacker, you might create a
|
5423
|
-
# rate-based rule with a nested AND rule statement that contains the
|
5424
|
-
# following nested statements:
|
5425
5495
|
#
|
5426
|
-
#
|
5427
|
-
# 192.0.2.44.
|
5496
|
+
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html
|
5428
5497
|
#
|
5429
|
-
#
|
5430
|
-
#
|
5498
|
+
# @!attribute [rw] limit
|
5499
|
+
# The limit on requests per 5-minute period for a single aggregation
|
5500
|
+
# instance for the rate-based rule. If the rate-based statement
|
5501
|
+
# includes a `ScopeDownStatement`, this limit is applied only to the
|
5502
|
+
# requests that match the statement.
|
5431
5503
|
#
|
5432
|
-
#
|
5433
|
-
# example, the rate limit is 1,000. Requests that meet the criteria of
|
5434
|
-
# both of the nested statements are counted. If the count exceeds 1,000
|
5435
|
-
# requests per five minutes, the rule action triggers. Requests that do
|
5436
|
-
# not meet the criteria of both of the nested statements are not counted
|
5437
|
-
# towards the rate limit and are not affected by this rule.
|
5504
|
+
# Examples:
|
5438
5505
|
#
|
5439
|
-
#
|
5440
|
-
#
|
5441
|
-
# `RateBasedStatement` inside a web ACL and inside a rule group.
|
5506
|
+
# * If you aggregate on just the IP address, this is the limit on
|
5507
|
+
# requests from any single IP address.
|
5442
5508
|
#
|
5443
|
-
#
|
5444
|
-
#
|
5445
|
-
#
|
5446
|
-
# limit is applied only to the requests that match the statement.
|
5509
|
+
# * If you aggregate on the HTTP method and the query argument name
|
5510
|
+
# "city", then this is the limit on requests for any single
|
5511
|
+
# method, city pair.
|
5447
5512
|
# @return [Integer]
|
5448
5513
|
#
|
5449
5514
|
# @!attribute [rw] aggregate_key_type
|
5450
|
-
# Setting that indicates how to aggregate the request counts.
|
5451
|
-
#
|
5515
|
+
# Setting that indicates how to aggregate the request counts.
|
5516
|
+
#
|
5517
|
+
# <note markdown="1"> Web requests that are missing any of the components specified in the
|
5518
|
+
# aggregation keys are omitted from the rate-based rule evaluation and
|
5519
|
+
# handling.
|
5520
|
+
#
|
5521
|
+
# </note>
|
5522
|
+
#
|
5523
|
+
# * `CONSTANT` - Count and limit the requests that match the
|
5524
|
+
# rate-based rule's scope-down statement. With this option, the
|
5525
|
+
# counted requests aren't further aggregated. The scope-down
|
5526
|
+
# statement is the only specification used. When the count of all
|
5527
|
+
# requests that satisfy the scope-down statement goes over the
|
5528
|
+
# limit, WAF applies the rule action to all requests that satisfy
|
5529
|
+
# the scope-down statement.
|
5530
|
+
#
|
5531
|
+
# With this option, you must configure the `ScopeDownStatement`
|
5532
|
+
# property.
|
5533
|
+
#
|
5534
|
+
# * `CUSTOM_KEYS` - Aggregate the request counts using one or more web
|
5535
|
+
# request components as the aggregate keys.
|
5452
5536
|
#
|
5453
|
-
#
|
5537
|
+
# With this option, you must specify the aggregate keys in the
|
5538
|
+
# `CustomKeys` property.
|
5539
|
+
#
|
5540
|
+
# To aggregate on only the IP address or only the forwarded IP
|
5541
|
+
# address, don't use custom keys. Instead, set the aggregate key
|
5542
|
+
# type to `IP` or `FORWARDED_IP`.
|
5543
|
+
#
|
5544
|
+
# * `FORWARDED_IP` - Aggregate the request counts on the first IP
|
5545
|
+
# address in an HTTP header.
|
5546
|
+
#
|
5547
|
+
# With this option, you must specify the header to use in the
|
5548
|
+
# `ForwardedIPConfig` property.
|
5549
|
+
#
|
5550
|
+
# To aggregate on a combination of the forwarded IP address with
|
5551
|
+
# other aggregate keys, use `CUSTOM_KEYS`.
|
5552
|
+
#
|
5553
|
+
# * `IP` - Aggregate the request counts on the IP address from the web
|
5454
5554
|
# request origin.
|
5455
5555
|
#
|
5456
|
-
#
|
5457
|
-
#
|
5458
|
-
# `ForwardedIPConfig`, to specify the header to use.
|
5556
|
+
# To aggregate on a combination of the IP address with other
|
5557
|
+
# aggregate keys, use `CUSTOM_KEYS`.
|
5459
5558
|
# @return [String]
|
5460
5559
|
#
|
5461
5560
|
# @!attribute [rw] scope_down_statement
|
5462
5561
|
# An optional nested statement that narrows the scope of the web
|
5463
|
-
# requests that are evaluated by the rate-based statement.
|
5464
|
-
#
|
5465
|
-
#
|
5466
|
-
# scope-down statement, and you
|
5467
|
-
# same as you can for a rule
|
5562
|
+
# requests that are evaluated and managed by the rate-based statement.
|
5563
|
+
# When you use a scope-down statement, the rate-based rule only tracks
|
5564
|
+
# and rate limits requests that match the scope-down statement. You
|
5565
|
+
# can use any nestable Statement in the scope-down statement, and you
|
5566
|
+
# can nest statements at any level, the same as you can for a rule
|
5567
|
+
# statement.
|
5468
5568
|
# @return [Types::Statement]
|
5469
5569
|
#
|
5470
5570
|
# @!attribute [rw] forwarded_ip_config
|
@@ -5478,22 +5578,143 @@ module Aws::WAFV2
|
|
5478
5578
|
#
|
5479
5579
|
# </note>
|
5480
5580
|
#
|
5481
|
-
# This is required if
|
5581
|
+
# This is required if you specify a forwarded IP in the rule's
|
5582
|
+
# aggregate key settings.
|
5482
5583
|
# @return [Types::ForwardedIPConfig]
|
5483
5584
|
#
|
5585
|
+
# @!attribute [rw] custom_keys
|
5586
|
+
# Specifies the aggregate keys to use in a rate-base rule.
|
5587
|
+
# @return [Array<Types::RateBasedStatementCustomKey>]
|
5588
|
+
#
|
5484
5589
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateBasedStatement AWS API Documentation
|
5485
5590
|
#
|
5486
5591
|
class RateBasedStatement < Struct.new(
|
5487
5592
|
:limit,
|
5488
5593
|
:aggregate_key_type,
|
5489
5594
|
:scope_down_statement,
|
5490
|
-
:forwarded_ip_config
|
5595
|
+
:forwarded_ip_config,
|
5596
|
+
:custom_keys)
|
5597
|
+
SENSITIVE = []
|
5598
|
+
include Aws::Structure
|
5599
|
+
end
|
5600
|
+
|
5601
|
+
# Specifies a single custom aggregate key for a rate-base rule.
|
5602
|
+
#
|
5603
|
+
# <note markdown="1"> Web requests that are missing any of the components specified in the
|
5604
|
+
# aggregation keys are omitted from the rate-based rule evaluation and
|
5605
|
+
# handling.
|
5606
|
+
#
|
5607
|
+
# </note>
|
5608
|
+
#
|
5609
|
+
# @!attribute [rw] header
|
5610
|
+
# Use the value of a header in the request as an aggregate key. Each
|
5611
|
+
# distinct value in the header contributes to the aggregation
|
5612
|
+
# instance. If you use a single header as your custom key, then each
|
5613
|
+
# value fully defines an aggregation instance.
|
5614
|
+
# @return [Types::RateLimitHeader]
|
5615
|
+
#
|
5616
|
+
# @!attribute [rw] cookie
|
5617
|
+
# Use the value of a cookie in the request as an aggregate key. Each
|
5618
|
+
# distinct value in the cookie contributes to the aggregation
|
5619
|
+
# instance. If you use a single cookie as your custom key, then each
|
5620
|
+
# value fully defines an aggregation instance.
|
5621
|
+
# @return [Types::RateLimitCookie]
|
5622
|
+
#
|
5623
|
+
# @!attribute [rw] query_argument
|
5624
|
+
# Use the specified query argument as an aggregate key. Each distinct
|
5625
|
+
# value for the named query argument contributes to the aggregation
|
5626
|
+
# instance. If you use a single query argument as your custom key,
|
5627
|
+
# then each value fully defines an aggregation instance.
|
5628
|
+
# @return [Types::RateLimitQueryArgument]
|
5629
|
+
#
|
5630
|
+
# @!attribute [rw] query_string
|
5631
|
+
# Use the request's query string as an aggregate key. Each distinct
|
5632
|
+
# string contributes to the aggregation instance. If you use just the
|
5633
|
+
# query string as your custom key, then each string fully defines an
|
5634
|
+
# aggregation instance.
|
5635
|
+
# @return [Types::RateLimitQueryString]
|
5636
|
+
#
|
5637
|
+
# @!attribute [rw] http_method
|
5638
|
+
# Use the request's HTTP method as an aggregate key. Each distinct
|
5639
|
+
# HTTP method contributes to the aggregation instance. If you use just
|
5640
|
+
# the HTTP method as your custom key, then each method fully defines
|
5641
|
+
# an aggregation instance.
|
5642
|
+
# @return [Types::RateLimitHTTPMethod]
|
5643
|
+
#
|
5644
|
+
# @!attribute [rw] forwarded_ip
|
5645
|
+
# Use the first IP address in an HTTP header as an aggregate key. Each
|
5646
|
+
# distinct forwarded IP address contributes to the aggregation
|
5647
|
+
# instance.
|
5648
|
+
#
|
5649
|
+
# When you specify an IP or forwarded IP in the custom key settings,
|
5650
|
+
# you must also specify at least one other key to use. You can
|
5651
|
+
# aggregate on only the forwarded IP address by specifying
|
5652
|
+
# `FORWARDED_IP` in your rate-based statement's `AggregateKeyType`.
|
5653
|
+
#
|
5654
|
+
# With this option, you must specify the header to use in the
|
5655
|
+
# rate-based rule's `ForwardedIPConfig` property.
|
5656
|
+
# @return [Types::RateLimitForwardedIP]
|
5657
|
+
#
|
5658
|
+
# @!attribute [rw] ip
|
5659
|
+
# Use the request's originating IP address as an aggregate key. Each
|
5660
|
+
# distinct IP address contributes to the aggregation instance.
|
5661
|
+
#
|
5662
|
+
# When you specify an IP or forwarded IP in the custom key settings,
|
5663
|
+
# you must also specify at least one other key to use. You can
|
5664
|
+
# aggregate on only the IP address by specifying `IP` in your
|
5665
|
+
# rate-based statement's `AggregateKeyType`.
|
5666
|
+
# @return [Types::RateLimitIP]
|
5667
|
+
#
|
5668
|
+
# @!attribute [rw] label_namespace
|
5669
|
+
# Use the specified label namespace as an aggregate key. Each distinct
|
5670
|
+
# fully qualified label name that has the specified label namespace
|
5671
|
+
# contributes to the aggregation instance. If you use just one label
|
5672
|
+
# namespace as your custom key, then each label name fully defines an
|
5673
|
+
# aggregation instance.
|
5674
|
+
#
|
5675
|
+
# This uses only labels that have been added to the request by rules
|
5676
|
+
# that are evaluated before this rate-based rule in the web ACL.
|
5677
|
+
#
|
5678
|
+
# For information about label namespaces and names, see [Label syntax
|
5679
|
+
# and naming requirements][1] in the *WAF Developer Guide*.
|
5680
|
+
#
|
5681
|
+
#
|
5682
|
+
#
|
5683
|
+
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html
|
5684
|
+
# @return [Types::RateLimitLabelNamespace]
|
5685
|
+
#
|
5686
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateBasedStatementCustomKey AWS API Documentation
|
5687
|
+
#
|
5688
|
+
class RateBasedStatementCustomKey < Struct.new(
|
5689
|
+
:header,
|
5690
|
+
:cookie,
|
5691
|
+
:query_argument,
|
5692
|
+
:query_string,
|
5693
|
+
:http_method,
|
5694
|
+
:forwarded_ip,
|
5695
|
+
:ip,
|
5696
|
+
:label_namespace)
|
5491
5697
|
SENSITIVE = []
|
5492
5698
|
include Aws::Structure
|
5493
5699
|
end
|
5494
5700
|
|
5495
5701
|
# The set of IP addresses that are currently blocked for a
|
5496
|
-
# RateBasedStatement.
|
5702
|
+
# RateBasedStatement. This is only available for rate-based rules that
|
5703
|
+
# aggregate on just the IP address, with the `AggregateKeyType` set to
|
5704
|
+
# `IP` or `FORWARDED_IP`.
|
5705
|
+
#
|
5706
|
+
# A rate-based rule applies its rule action to requests from IP
|
5707
|
+
# addresses that are in the rule's managed keys list and that match the
|
5708
|
+
# rule's scope-down statement. When a rule has no scope-down statement,
|
5709
|
+
# it applies the action to all requests from the IP addresses that are
|
5710
|
+
# in the list. The rule applies its rule action to rate limit the
|
5711
|
+
# matching requests. The action is usually Block but it can be any valid
|
5712
|
+
# rule action except for Allow.
|
5713
|
+
#
|
5714
|
+
# The maximum number of IP addresses that can be rate limited by a
|
5715
|
+
# single rate-based rule instance is 10,000. If more than 10,000
|
5716
|
+
# addresses exceed the rate limit, WAF limits those with the highest
|
5717
|
+
# rates.
|
5497
5718
|
#
|
5498
5719
|
# @!attribute [rw] ip_address_version
|
5499
5720
|
# The version of the IP addresses, either `IPV4` or `IPV6`.
|
@@ -5512,6 +5733,208 @@ module Aws::WAFV2
|
|
5512
5733
|
include Aws::Structure
|
5513
5734
|
end
|
5514
5735
|
|
5736
|
+
# Specifies a cookie as an aggregate key for a rate-based rule. Each
|
5737
|
+
# distinct value in the cookie contributes to the aggregation instance.
|
5738
|
+
# If you use a single cookie as your custom key, then each value fully
|
5739
|
+
# defines an aggregation instance.
|
5740
|
+
#
|
5741
|
+
# @!attribute [rw] name
|
5742
|
+
# The name of the cookie to use.
|
5743
|
+
# @return [String]
|
5744
|
+
#
|
5745
|
+
# @!attribute [rw] text_transformations
|
5746
|
+
# Text transformations eliminate some of the unusual formatting that
|
5747
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
5748
|
+
# transformations are used in rule match statements, to transform the
|
5749
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
5750
|
+
# used in rate-based rule statements, to transform request components
|
5751
|
+
# before using them as custom aggregation keys. If you specify one or
|
5752
|
+
# more transformations to apply, WAF performs all transformations on
|
5753
|
+
# the specified content, starting from the lowest priority setting,
|
5754
|
+
# and then uses the component contents.
|
5755
|
+
# @return [Array<Types::TextTransformation>]
|
5756
|
+
#
|
5757
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitCookie AWS API Documentation
|
5758
|
+
#
|
5759
|
+
class RateLimitCookie < Struct.new(
|
5760
|
+
:name,
|
5761
|
+
:text_transformations)
|
5762
|
+
SENSITIVE = []
|
5763
|
+
include Aws::Structure
|
5764
|
+
end
|
5765
|
+
|
5766
|
+
# Specifies the first IP address in an HTTP header as an aggregate key
|
5767
|
+
# for a rate-based rule. Each distinct forwarded IP address contributes
|
5768
|
+
# to the aggregation instance.
|
5769
|
+
#
|
5770
|
+
# This setting is used only in the `RateBasedStatementCustomKey`
|
5771
|
+
# specification of a rate-based rule statement. When you specify an IP
|
5772
|
+
# or forwarded IP in the custom key settings, you must also specify at
|
5773
|
+
# least one other key to use. You can aggregate on only the forwarded IP
|
5774
|
+
# address by specifying `FORWARDED_IP` in your rate-based statement's
|
5775
|
+
# `AggregateKeyType`.
|
5776
|
+
#
|
5777
|
+
# This data type supports using the forwarded IP address in the web
|
5778
|
+
# request aggregation for a rate-based rule, in
|
5779
|
+
# `RateBasedStatementCustomKey`. The JSON specification for using the
|
5780
|
+
# forwarded IP address doesn't explicitly use this data type.
|
5781
|
+
#
|
5782
|
+
# JSON specification: `"ForwardedIP": \{\}`
|
5783
|
+
#
|
5784
|
+
# When you use this specification, you must also configure the forwarded
|
5785
|
+
# IP address in the rate-based statement's `ForwardedIPConfig`.
|
5786
|
+
#
|
5787
|
+
# @api private
|
5788
|
+
#
|
5789
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitForwardedIP AWS API Documentation
|
5790
|
+
#
|
5791
|
+
class RateLimitForwardedIP < Aws::EmptyStructure; end
|
5792
|
+
|
5793
|
+
# Specifies the request's HTTP method as an aggregate key for a
|
5794
|
+
# rate-based rule. Each distinct HTTP method contributes to the
|
5795
|
+
# aggregation instance. If you use just the HTTP method as your custom
|
5796
|
+
# key, then each method fully defines an aggregation instance.
|
5797
|
+
#
|
5798
|
+
# JSON specification: `"RateLimitHTTPMethod": \{\}`
|
5799
|
+
#
|
5800
|
+
# @api private
|
5801
|
+
#
|
5802
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitHTTPMethod AWS API Documentation
|
5803
|
+
#
|
5804
|
+
class RateLimitHTTPMethod < Aws::EmptyStructure; end
|
5805
|
+
|
5806
|
+
# Specifies a header as an aggregate key for a rate-based rule. Each
|
5807
|
+
# distinct value in the header contributes to the aggregation instance.
|
5808
|
+
# If you use a single header as your custom key, then each value fully
|
5809
|
+
# defines an aggregation instance.
|
5810
|
+
#
|
5811
|
+
# @!attribute [rw] name
|
5812
|
+
# The name of the header to use.
|
5813
|
+
# @return [String]
|
5814
|
+
#
|
5815
|
+
# @!attribute [rw] text_transformations
|
5816
|
+
# Text transformations eliminate some of the unusual formatting that
|
5817
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
5818
|
+
# transformations are used in rule match statements, to transform the
|
5819
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
5820
|
+
# used in rate-based rule statements, to transform request components
|
5821
|
+
# before using them as custom aggregation keys. If you specify one or
|
5822
|
+
# more transformations to apply, WAF performs all transformations on
|
5823
|
+
# the specified content, starting from the lowest priority setting,
|
5824
|
+
# and then uses the component contents.
|
5825
|
+
# @return [Array<Types::TextTransformation>]
|
5826
|
+
#
|
5827
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitHeader AWS API Documentation
|
5828
|
+
#
|
5829
|
+
class RateLimitHeader < Struct.new(
|
5830
|
+
:name,
|
5831
|
+
:text_transformations)
|
5832
|
+
SENSITIVE = []
|
5833
|
+
include Aws::Structure
|
5834
|
+
end
|
5835
|
+
|
5836
|
+
# Specifies the IP address in the web request as an aggregate key for a
|
5837
|
+
# rate-based rule. Each distinct IP address contributes to the
|
5838
|
+
# aggregation instance.
|
5839
|
+
#
|
5840
|
+
# This setting is used only in the `RateBasedStatementCustomKey`
|
5841
|
+
# specification of a rate-based rule statement. To use this in the
|
5842
|
+
# custom key settings, you must specify at least one other key to use,
|
5843
|
+
# along with the IP address. To aggregate on only the IP address, in
|
5844
|
+
# your rate-based statement's `AggregateKeyType`, specify `IP`.
|
5845
|
+
#
|
5846
|
+
# JSON specification: `"RateLimitIP": \{\}`
|
5847
|
+
#
|
5848
|
+
# @api private
|
5849
|
+
#
|
5850
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitIP AWS API Documentation
|
5851
|
+
#
|
5852
|
+
class RateLimitIP < Aws::EmptyStructure; end
|
5853
|
+
|
5854
|
+
# Specifies a label namespace to use as an aggregate key for a
|
5855
|
+
# rate-based rule. Each distinct fully qualified label name that has the
|
5856
|
+
# specified label namespace contributes to the aggregation instance. If
|
5857
|
+
# you use just one label namespace as your custom key, then each label
|
5858
|
+
# name fully defines an aggregation instance.
|
5859
|
+
#
|
5860
|
+
# This uses only labels that have been added to the request by rules
|
5861
|
+
# that are evaluated before this rate-based rule in the web ACL.
|
5862
|
+
#
|
5863
|
+
# For information about label namespaces and names, see [Label syntax
|
5864
|
+
# and naming requirements][1] in the *WAF Developer Guide*.
|
5865
|
+
#
|
5866
|
+
#
|
5867
|
+
#
|
5868
|
+
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html
|
5869
|
+
#
|
5870
|
+
# @!attribute [rw] namespace
|
5871
|
+
# The namespace to use for aggregation.
|
5872
|
+
# @return [String]
|
5873
|
+
#
|
5874
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitLabelNamespace AWS API Documentation
|
5875
|
+
#
|
5876
|
+
class RateLimitLabelNamespace < Struct.new(
|
5877
|
+
:namespace)
|
5878
|
+
SENSITIVE = []
|
5879
|
+
include Aws::Structure
|
5880
|
+
end
|
5881
|
+
|
5882
|
+
# Specifies a query argument in the request as an aggregate key for a
|
5883
|
+
# rate-based rule. Each distinct value for the named query argument
|
5884
|
+
# contributes to the aggregation instance. If you use a single query
|
5885
|
+
# argument as your custom key, then each value fully defines an
|
5886
|
+
# aggregation instance.
|
5887
|
+
#
|
5888
|
+
# @!attribute [rw] name
|
5889
|
+
# The name of the query argument to use.
|
5890
|
+
# @return [String]
|
5891
|
+
#
|
5892
|
+
# @!attribute [rw] text_transformations
|
5893
|
+
# Text transformations eliminate some of the unusual formatting that
|
5894
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
5895
|
+
# transformations are used in rule match statements, to transform the
|
5896
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
5897
|
+
# used in rate-based rule statements, to transform request components
|
5898
|
+
# before using them as custom aggregation keys. If you specify one or
|
5899
|
+
# more transformations to apply, WAF performs all transformations on
|
5900
|
+
# the specified content, starting from the lowest priority setting,
|
5901
|
+
# and then uses the component contents.
|
5902
|
+
# @return [Array<Types::TextTransformation>]
|
5903
|
+
#
|
5904
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitQueryArgument AWS API Documentation
|
5905
|
+
#
|
5906
|
+
class RateLimitQueryArgument < Struct.new(
|
5907
|
+
:name,
|
5908
|
+
:text_transformations)
|
5909
|
+
SENSITIVE = []
|
5910
|
+
include Aws::Structure
|
5911
|
+
end
|
5912
|
+
|
5913
|
+
# Specifies the request's query string as an aggregate key for a
|
5914
|
+
# rate-based rule. Each distinct string contributes to the aggregation
|
5915
|
+
# instance. If you use just the query string as your custom key, then
|
5916
|
+
# each string fully defines an aggregation instance.
|
5917
|
+
#
|
5918
|
+
# @!attribute [rw] text_transformations
|
5919
|
+
# Text transformations eliminate some of the unusual formatting that
|
5920
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
5921
|
+
# transformations are used in rule match statements, to transform the
|
5922
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
5923
|
+
# used in rate-based rule statements, to transform request components
|
5924
|
+
# before using them as custom aggregation keys. If you specify one or
|
5925
|
+
# more transformations to apply, WAF performs all transformations on
|
5926
|
+
# the specified content, starting from the lowest priority setting,
|
5927
|
+
# and then uses the component contents.
|
5928
|
+
# @return [Array<Types::TextTransformation>]
|
5929
|
+
#
|
5930
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitQueryString AWS API Documentation
|
5931
|
+
#
|
5932
|
+
class RateLimitQueryString < Struct.new(
|
5933
|
+
:text_transformations)
|
5934
|
+
SENSITIVE = []
|
5935
|
+
include Aws::Structure
|
5936
|
+
end
|
5937
|
+
|
5515
5938
|
# A single regular expression. This is used in a RegexPatternSet.
|
5516
5939
|
#
|
5517
5940
|
# @!attribute [rw] regex_string
|
@@ -5539,11 +5962,14 @@ module Aws::WAFV2
|
|
5539
5962
|
#
|
5540
5963
|
# @!attribute [rw] text_transformations
|
5541
5964
|
# Text transformations eliminate some of the unusual formatting that
|
5542
|
-
# attackers use in web requests in an effort to bypass detection.
|
5543
|
-
#
|
5544
|
-
#
|
5545
|
-
#
|
5546
|
-
#
|
5965
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
5966
|
+
# transformations are used in rule match statements, to transform the
|
5967
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
5968
|
+
# used in rate-based rule statements, to transform request components
|
5969
|
+
# before using them as custom aggregation keys. If you specify one or
|
5970
|
+
# more transformations to apply, WAF performs all transformations on
|
5971
|
+
# the specified content, starting from the lowest priority setting,
|
5972
|
+
# and then uses the component contents.
|
5547
5973
|
# @return [Array<Types::TextTransformation>]
|
5548
5974
|
#
|
5549
5975
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RegexMatchStatement AWS API Documentation
|
@@ -5620,11 +6046,14 @@ module Aws::WAFV2
|
|
5620
6046
|
#
|
5621
6047
|
# @!attribute [rw] text_transformations
|
5622
6048
|
# Text transformations eliminate some of the unusual formatting that
|
5623
|
-
# attackers use in web requests in an effort to bypass detection.
|
5624
|
-
#
|
5625
|
-
#
|
5626
|
-
#
|
5627
|
-
#
|
6049
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
6050
|
+
# transformations are used in rule match statements, to transform the
|
6051
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
6052
|
+
# used in rate-based rule statements, to transform request components
|
6053
|
+
# before using them as custom aggregation keys. If you specify one or
|
6054
|
+
# more transformations to apply, WAF performs all transformations on
|
6055
|
+
# the specified content, starting from the lowest priority setting,
|
6056
|
+
# and then uses the component contents.
|
5628
6057
|
# @return [Array<Types::TextTransformation>]
|
5629
6058
|
#
|
5630
6059
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RegexPatternSetReferenceStatement AWS API Documentation
|
@@ -6622,11 +7051,14 @@ module Aws::WAFV2
|
|
6622
7051
|
#
|
6623
7052
|
# @!attribute [rw] text_transformations
|
6624
7053
|
# Text transformations eliminate some of the unusual formatting that
|
6625
|
-
# attackers use in web requests in an effort to bypass detection.
|
6626
|
-
#
|
6627
|
-
#
|
6628
|
-
#
|
6629
|
-
#
|
7054
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
7055
|
+
# transformations are used in rule match statements, to transform the
|
7056
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
7057
|
+
# used in rate-based rule statements, to transform request components
|
7058
|
+
# before using them as custom aggregation keys. If you specify one or
|
7059
|
+
# more transformations to apply, WAF performs all transformations on
|
7060
|
+
# the specified content, starting from the lowest priority setting,
|
7061
|
+
# and then uses the component contents.
|
6630
7062
|
# @return [Array<Types::TextTransformation>]
|
6631
7063
|
#
|
6632
7064
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/SizeConstraintStatement AWS API Documentation
|
@@ -6650,11 +7082,14 @@ module Aws::WAFV2
|
|
6650
7082
|
#
|
6651
7083
|
# @!attribute [rw] text_transformations
|
6652
7084
|
# Text transformations eliminate some of the unusual formatting that
|
6653
|
-
# attackers use in web requests in an effort to bypass detection.
|
6654
|
-
#
|
6655
|
-
#
|
6656
|
-
#
|
6657
|
-
#
|
7085
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
7086
|
+
# transformations are used in rule match statements, to transform the
|
7087
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
7088
|
+
# used in rate-based rule statements, to transform request components
|
7089
|
+
# before using them as custom aggregation keys. If you specify one or
|
7090
|
+
# more transformations to apply, WAF performs all transformations on
|
7091
|
+
# the specified content, starting from the lowest priority setting,
|
7092
|
+
# and then uses the component contents.
|
6658
7093
|
# @return [Array<Types::TextTransformation>]
|
6659
7094
|
#
|
6660
7095
|
# @!attribute [rw] sensitivity_level
|
@@ -6814,11 +7249,88 @@ module Aws::WAFV2
|
|
6814
7249
|
# @return [Types::RegexPatternSetReferenceStatement]
|
6815
7250
|
#
|
6816
7251
|
# @!attribute [rw] rate_based_statement
|
6817
|
-
# A rate-based rule
|
6818
|
-
#
|
6819
|
-
#
|
6820
|
-
#
|
6821
|
-
#
|
7252
|
+
# A rate-based rule counts incoming requests and rate limits requests
|
7253
|
+
# when they are coming at too fast a rate. The rule categorizes
|
7254
|
+
# requests according to your aggregation criteria, collects them into
|
7255
|
+
# aggregation instances, and counts and rate limits the requests for
|
7256
|
+
# each instance.
|
7257
|
+
#
|
7258
|
+
# You can specify individual aggregation keys, like IP address or HTTP
|
7259
|
+
# method. You can also specify aggregation key combinations, like IP
|
7260
|
+
# address and HTTP method, or HTTP method, query argument, and cookie.
|
7261
|
+
#
|
7262
|
+
# Each unique set of values for the aggregation keys that you specify
|
7263
|
+
# is a separate aggregation instance, with the value from each key
|
7264
|
+
# contributing to the aggregation instance definition.
|
7265
|
+
#
|
7266
|
+
# For example, assume the rule evaluates web requests with the
|
7267
|
+
# following IP address and HTTP method values:
|
7268
|
+
#
|
7269
|
+
# * IP address 10.1.1.1, HTTP method POST
|
7270
|
+
#
|
7271
|
+
# * IP address 10.1.1.1, HTTP method GET
|
7272
|
+
#
|
7273
|
+
# * IP address 127.0.0.0, HTTP method POST
|
7274
|
+
#
|
7275
|
+
# * IP address 10.1.1.1, HTTP method GET
|
7276
|
+
#
|
7277
|
+
# The rule would create different aggregation instances according to
|
7278
|
+
# your aggregation criteria, for example:
|
7279
|
+
#
|
7280
|
+
# * If the aggregation criteria is just the IP address, then each
|
7281
|
+
# individual address is an aggregation instance, and WAF counts
|
7282
|
+
# requests separately for each. The aggregation instances and
|
7283
|
+
# request counts for our example would be the following:
|
7284
|
+
#
|
7285
|
+
# * IP address 10.1.1.1: count 3
|
7286
|
+
#
|
7287
|
+
# * IP address 127.0.0.0: count 1
|
7288
|
+
#
|
7289
|
+
# * If the aggregation criteria is HTTP method, then each individual
|
7290
|
+
# HTTP method is an aggregation instance. The aggregation instances
|
7291
|
+
# and request counts for our example would be the following:
|
7292
|
+
#
|
7293
|
+
# * HTTP method POST: count 2
|
7294
|
+
#
|
7295
|
+
# * HTTP method GET: count 2
|
7296
|
+
#
|
7297
|
+
# * If the aggregation criteria is IP address and HTTP method, then
|
7298
|
+
# each IP address and each HTTP method would contribute to the
|
7299
|
+
# combined aggregation instance. The aggregation instances and
|
7300
|
+
# request counts for our example would be the following:
|
7301
|
+
#
|
7302
|
+
# * IP address 10.1.1.1, HTTP method POST: count 1
|
7303
|
+
#
|
7304
|
+
# * IP address 10.1.1.1, HTTP method GET: count 2
|
7305
|
+
#
|
7306
|
+
# * IP address 127.0.0.0, HTTP method POST: count 1
|
7307
|
+
#
|
7308
|
+
# For any n-tuple of aggregation keys, each unique combination of
|
7309
|
+
# values for the keys defines a separate aggregation instance, which
|
7310
|
+
# WAF counts and rate-limits individually.
|
7311
|
+
#
|
7312
|
+
# You can optionally nest another statement inside the rate-based
|
7313
|
+
# statement, to narrow the scope of the rule so that it only counts
|
7314
|
+
# and rate limits requests that match the nested statement. You can
|
7315
|
+
# use this nested scope-down statement in conjunction with your
|
7316
|
+
# aggregation key specifications or you can just count and rate limit
|
7317
|
+
# all requests that match the scope-down statement, without additional
|
7318
|
+
# aggregation. When you choose to just manage all requests that match
|
7319
|
+
# a scope-down statement, the aggregation instance is singular for the
|
7320
|
+
# rule.
|
7321
|
+
#
|
7322
|
+
# You cannot nest a `RateBasedStatement` inside another statement, for
|
7323
|
+
# example inside a `NotStatement` or `OrStatement`. You can define a
|
7324
|
+
# `RateBasedStatement` inside a web ACL and inside a rule group.
|
7325
|
+
#
|
7326
|
+
# For additional information about the options, see [Rate limiting web
|
7327
|
+
# requests using rate-based rules][1] in the *WAF Developer Guide*.
|
7328
|
+
#
|
7329
|
+
# If you only aggregate on the individual IP address or forwarded IP
|
7330
|
+
# address, you can retrieve the list of IP addresses that WAF is
|
7331
|
+
# currently rate limiting for a rule through the API call
|
7332
|
+
# `GetRateBasedStatementManagedKeys`. This option is not available for
|
7333
|
+
# other aggregation configurations.
|
6822
7334
|
#
|
6823
7335
|
# WAF tracks and manages web requests separately for each instance of
|
6824
7336
|
# a rate-based rule that you use. For example, if you provide the same
|
@@ -6829,33 +7341,9 @@ module Aws::WAFV2
|
|
6829
7341
|
# multiple places, each use creates a separate instance of the
|
6830
7342
|
# rate-based rule that gets its own tracking and management by WAF.
|
6831
7343
|
#
|
6832
|
-
# When the rule action triggers, WAF blocks additional requests from
|
6833
|
-
# the IP address until the request rate falls below the limit.
|
6834
7344
|
#
|
6835
|
-
# You can optionally nest another statement inside the rate-based
|
6836
|
-
# statement, to narrow the scope of the rule so that it only counts
|
6837
|
-
# requests that match the nested statement. For example, based on
|
6838
|
-
# recent requests that you have seen from an attacker, you might
|
6839
|
-
# create a rate-based rule with a nested AND rule statement that
|
6840
|
-
# contains the following nested statements:
|
6841
|
-
#
|
6842
|
-
# * An IP match statement with an IP set that specifies the address
|
6843
|
-
# 192.0.2.44.
|
6844
|
-
#
|
6845
|
-
# * A string match statement that searches in the User-Agent header
|
6846
|
-
# for the string BadBot.
|
6847
|
-
#
|
6848
|
-
# In this rate-based rule, you also define a rate limit. For this
|
6849
|
-
# example, the rate limit is 1,000. Requests that meet the criteria of
|
6850
|
-
# both of the nested statements are counted. If the count exceeds
|
6851
|
-
# 1,000 requests per five minutes, the rule action triggers. Requests
|
6852
|
-
# that do not meet the criteria of both of the nested statements are
|
6853
|
-
# not counted towards the rate limit and are not affected by this
|
6854
|
-
# rule.
|
6855
7345
|
#
|
6856
|
-
#
|
6857
|
-
# example inside a `NotStatement` or `OrStatement`. You can define a
|
6858
|
-
# `RateBasedStatement` inside a web ACL and inside a rule group.
|
7346
|
+
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html
|
6859
7347
|
# @return [Types::RateBasedStatement]
|
6860
7348
|
#
|
6861
7349
|
# @!attribute [rw] and_statement
|
@@ -7030,11 +7518,10 @@ module Aws::WAFV2
|
|
7030
7518
|
# attackers use in web requests in an effort to bypass detection.
|
7031
7519
|
#
|
7032
7520
|
# @!attribute [rw] priority
|
7033
|
-
# Sets the relative processing order for multiple transformations
|
7034
|
-
#
|
7035
|
-
#
|
7036
|
-
#
|
7037
|
-
# all be different.
|
7521
|
+
# Sets the relative processing order for multiple transformations. WAF
|
7522
|
+
# processes all transformations, from lowest priority to highest,
|
7523
|
+
# before inspecting the transformed content. The priorities don't
|
7524
|
+
# need to be consecutive, but they must all be different.
|
7038
7525
|
# @return [Integer]
|
7039
7526
|
#
|
7040
7527
|
# @!attribute [rw] type
|
@@ -8231,6 +8718,22 @@ module Aws::WAFV2
|
|
8231
8718
|
include Aws::Structure
|
8232
8719
|
end
|
8233
8720
|
|
8721
|
+
# The rule that you've named doesn't aggregate solely on the IP
|
8722
|
+
# address or solely on the forwarded IP address. This call is only
|
8723
|
+
# available for rate-based rules with an `AggregateKeyType` setting of
|
8724
|
+
# `IP` or `FORWARDED_IP`.
|
8725
|
+
#
|
8726
|
+
# @!attribute [rw] message
|
8727
|
+
# @return [String]
|
8728
|
+
#
|
8729
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/WAFUnsupportedAggregateKeyTypeException AWS API Documentation
|
8730
|
+
#
|
8731
|
+
class WAFUnsupportedAggregateKeyTypeException < Struct.new(
|
8732
|
+
:message)
|
8733
|
+
SENSITIVE = []
|
8734
|
+
include Aws::Structure
|
8735
|
+
end
|
8736
|
+
|
8234
8737
|
# A web ACL defines a collection of rules to use to inspect and control
|
8235
8738
|
# web requests. Each rule has an action defined (allow, block, or count)
|
8236
8739
|
# for requests that match the statement of the rule. In the web ACL, you
|
@@ -8493,11 +8996,14 @@ module Aws::WAFV2
|
|
8493
8996
|
#
|
8494
8997
|
# @!attribute [rw] text_transformations
|
8495
8998
|
# Text transformations eliminate some of the unusual formatting that
|
8496
|
-
# attackers use in web requests in an effort to bypass detection.
|
8497
|
-
#
|
8498
|
-
#
|
8499
|
-
#
|
8500
|
-
#
|
8999
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
9000
|
+
# transformations are used in rule match statements, to transform the
|
9001
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
9002
|
+
# used in rate-based rule statements, to transform request components
|
9003
|
+
# before using them as custom aggregation keys. If you specify one or
|
9004
|
+
# more transformations to apply, WAF performs all transformations on
|
9005
|
+
# the specified content, starting from the lowest priority setting,
|
9006
|
+
# and then uses the component contents.
|
8501
9007
|
# @return [Array<Types::TextTransformation>]
|
8502
9008
|
#
|
8503
9009
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/XssMatchStatement AWS API Documentation
|