aws-sdk-wafv2 1.56.0 → 1.58.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +10 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-wafv2/client.rb +517 -18
- data/lib/aws-sdk-wafv2/client_api.rb +58 -0
- data/lib/aws-sdk-wafv2/errors.rb +16 -0
- data/lib/aws-sdk-wafv2/types.rb +702 -138
- data/lib/aws-sdk-wafv2.rb +1 -1
- metadata +2 -2
data/lib/aws-sdk-wafv2/types.rb
CHANGED
@@ -145,8 +145,8 @@ module Aws::WAFV2
|
|
145
145
|
# web request component that you've identified in your FieldToMatch
|
146
146
|
# specifications.
|
147
147
|
#
|
148
|
-
# This is used
|
149
|
-
#
|
148
|
+
# This is used in the FieldToMatch specification for some web request
|
149
|
+
# component types.
|
150
150
|
#
|
151
151
|
# JSON specification: `"All": \{\}`
|
152
152
|
#
|
@@ -158,8 +158,8 @@ module Aws::WAFV2
|
|
158
158
|
|
159
159
|
# Inspect all query arguments of the web request.
|
160
160
|
#
|
161
|
-
# This is used
|
162
|
-
#
|
161
|
+
# This is used in the FieldToMatch specification for some web request
|
162
|
+
# component types.
|
163
163
|
#
|
164
164
|
# JSON specification: `"AllQueryArguments": \{\}`
|
165
165
|
#
|
@@ -348,8 +348,8 @@ module Aws::WAFV2
|
|
348
348
|
#
|
349
349
|
# The options for oversize handling are the following:
|
350
350
|
#
|
351
|
-
# * `CONTINUE` - Inspect the body normally,
|
352
|
-
# inspection criteria.
|
351
|
+
# * `CONTINUE` - Inspect the available body contents normally,
|
352
|
+
# according to the rule inspection criteria.
|
353
353
|
#
|
354
354
|
# * `MATCH` - Treat the web request as matching the rule statement.
|
355
355
|
# WAF applies the rule action to the request.
|
@@ -393,6 +393,11 @@ module Aws::WAFV2
|
|
393
393
|
# * `UriPath`: The value that you want WAF to search for in the URI
|
394
394
|
# path, for example, `/images/daily-ad.jpg`.
|
395
395
|
#
|
396
|
+
# * `HeaderOrder`: The comma-separated list of header names to match
|
397
|
+
# for. WAF creates a string that contains the ordered list of header
|
398
|
+
# names, from the headers in the web request, and then matches
|
399
|
+
# against that string.
|
400
|
+
#
|
396
401
|
# If `SearchString` includes alphabetic characters A-Z and a-z, note
|
397
402
|
# that the value is case sensitive.
|
398
403
|
#
|
@@ -419,11 +424,14 @@ module Aws::WAFV2
|
|
419
424
|
#
|
420
425
|
# @!attribute [rw] text_transformations
|
421
426
|
# Text transformations eliminate some of the unusual formatting that
|
422
|
-
# attackers use in web requests in an effort to bypass detection.
|
423
|
-
#
|
424
|
-
#
|
425
|
-
#
|
426
|
-
#
|
427
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
428
|
+
# transformations are used in rule match statements, to transform the
|
429
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
430
|
+
# used in rate-based rule statements, to transform request components
|
431
|
+
# before using them as custom aggregation keys. If you specify one or
|
432
|
+
# more transformations to apply, WAF performs all transformations on
|
433
|
+
# the specified content, starting from the lowest priority setting,
|
434
|
+
# and then uses the component contents.
|
427
435
|
# @return [Array<Types::TextTransformation>]
|
428
436
|
#
|
429
437
|
# @!attribute [rw] positional_constraint
|
@@ -809,16 +817,16 @@ module Aws::WAFV2
|
|
809
817
|
# @return [String]
|
810
818
|
#
|
811
819
|
# @!attribute [rw] oversize_handling
|
812
|
-
# What WAF should do if the cookies of the request are
|
813
|
-
# can inspect. WAF does not support inspecting the
|
814
|
-
# request cookies when they exceed 8 KB (8192
|
815
|
-
# cookies. The underlying host service forwards a
|
816
|
-
# cookies and at most 8 KB of cookie contents to WAF.
|
820
|
+
# What WAF should do if the cookies of the request are more numerous
|
821
|
+
# or larger than WAF can inspect. WAF does not support inspecting the
|
822
|
+
# entire contents of request cookies when they exceed 8 KB (8192
|
823
|
+
# bytes) or 200 total cookies. The underlying host service forwards a
|
824
|
+
# maximum of 200 cookies and at most 8 KB of cookie contents to WAF.
|
817
825
|
#
|
818
826
|
# The options for oversize handling are the following:
|
819
827
|
#
|
820
|
-
# * `CONTINUE` - Inspect the cookies normally, according to
|
821
|
-
# inspection criteria.
|
828
|
+
# * `CONTINUE` - Inspect the available cookies normally, according to
|
829
|
+
# the rule inspection criteria.
|
822
830
|
#
|
823
831
|
# * `MATCH` - Treat the web request as matching the rule statement.
|
824
832
|
# WAF applies the rule action to the request.
|
@@ -2110,6 +2118,16 @@ module Aws::WAFV2
|
|
2110
2118
|
# underlying host service.
|
2111
2119
|
# @return [Types::Cookies]
|
2112
2120
|
#
|
2121
|
+
# @!attribute [rw] header_order
|
2122
|
+
# Inspect a string containing the list of the request's header names,
|
2123
|
+
# ordered as they appear in the web request that WAF receives for
|
2124
|
+
# inspection. WAF generates the string and then uses that as the field
|
2125
|
+
# to match component in its inspection. WAF separates the header names
|
2126
|
+
# in the string using commas and no added spaces.
|
2127
|
+
#
|
2128
|
+
# Matches against the header order string are case insensitive.
|
2129
|
+
# @return [Types::HeaderOrder]
|
2130
|
+
#
|
2113
2131
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/FieldToMatch AWS API Documentation
|
2114
2132
|
#
|
2115
2133
|
class FieldToMatch < Struct.new(
|
@@ -2122,7 +2140,8 @@ module Aws::WAFV2
|
|
2122
2140
|
:method,
|
2123
2141
|
:json_body,
|
2124
2142
|
:headers,
|
2125
|
-
:cookies
|
2143
|
+
:cookies,
|
2144
|
+
:header_order)
|
2126
2145
|
SENSITIVE = []
|
2127
2146
|
include Aws::Structure
|
2128
2147
|
end
|
@@ -3170,6 +3189,41 @@ module Aws::WAFV2
|
|
3170
3189
|
include Aws::Structure
|
3171
3190
|
end
|
3172
3191
|
|
3192
|
+
# Inspect a string containing the list of the request's header names,
|
3193
|
+
# ordered as they appear in the web request that WAF receives for
|
3194
|
+
# inspection. WAF generates the string and then uses that as the field
|
3195
|
+
# to match component in its inspection. WAF separates the header names
|
3196
|
+
# in the string using commas and no added spaces.
|
3197
|
+
#
|
3198
|
+
# Matches against the header order string are case insensitive.
|
3199
|
+
#
|
3200
|
+
# @!attribute [rw] oversize_handling
|
3201
|
+
# What WAF should do if the headers of the request are more numerous
|
3202
|
+
# or larger than WAF can inspect. WAF does not support inspecting the
|
3203
|
+
# entire contents of request headers when they exceed 8 KB (8192
|
3204
|
+
# bytes) or 200 total headers. The underlying host service forwards a
|
3205
|
+
# maximum of 200 headers and at most 8 KB of header contents to WAF.
|
3206
|
+
#
|
3207
|
+
# The options for oversize handling are the following:
|
3208
|
+
#
|
3209
|
+
# * `CONTINUE` - Inspect the available headers normally, according to
|
3210
|
+
# the rule inspection criteria.
|
3211
|
+
#
|
3212
|
+
# * `MATCH` - Treat the web request as matching the rule statement.
|
3213
|
+
# WAF applies the rule action to the request.
|
3214
|
+
#
|
3215
|
+
# * `NO_MATCH` - Treat the web request as not matching the rule
|
3216
|
+
# statement.
|
3217
|
+
# @return [String]
|
3218
|
+
#
|
3219
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/HeaderOrder AWS API Documentation
|
3220
|
+
#
|
3221
|
+
class HeaderOrder < Struct.new(
|
3222
|
+
:oversize_handling)
|
3223
|
+
SENSITIVE = []
|
3224
|
+
include Aws::Structure
|
3225
|
+
end
|
3226
|
+
|
3173
3227
|
# Inspect all headers in the web request. You can specify the parts of
|
3174
3228
|
# the headers to inspect and you can narrow the set of headers to
|
3175
3229
|
# inspect by including or excluding specific keys.
|
@@ -3200,16 +3254,16 @@ module Aws::WAFV2
|
|
3200
3254
|
# @return [String]
|
3201
3255
|
#
|
3202
3256
|
# @!attribute [rw] oversize_handling
|
3203
|
-
# What WAF should do if the headers of the request are
|
3204
|
-
# can inspect. WAF does not support inspecting the
|
3205
|
-
# request headers when they exceed 8 KB (8192
|
3206
|
-
# headers. The underlying host service forwards a
|
3207
|
-
# headers and at most 8 KB of header contents to WAF.
|
3257
|
+
# What WAF should do if the headers of the request are more numerous
|
3258
|
+
# or larger than WAF can inspect. WAF does not support inspecting the
|
3259
|
+
# entire contents of request headers when they exceed 8 KB (8192
|
3260
|
+
# bytes) or 200 total headers. The underlying host service forwards a
|
3261
|
+
# maximum of 200 headers and at most 8 KB of header contents to WAF.
|
3208
3262
|
#
|
3209
3263
|
# The options for oversize handling are the following:
|
3210
3264
|
#
|
3211
|
-
# * `CONTINUE` - Inspect the headers normally, according to
|
3212
|
-
# inspection criteria.
|
3265
|
+
# * `CONTINUE` - Inspect the available headers normally, according to
|
3266
|
+
# the rule inspection criteria.
|
3213
3267
|
#
|
3214
3268
|
# * `MATCH` - Treat the web request as matching the rule statement.
|
3215
3269
|
# WAF applies the rule action to the request.
|
@@ -3570,8 +3624,8 @@ module Aws::WAFV2
|
|
3570
3624
|
#
|
3571
3625
|
# The options for oversize handling are the following:
|
3572
3626
|
#
|
3573
|
-
# * `CONTINUE` - Inspect the body normally,
|
3574
|
-
# inspection criteria.
|
3627
|
+
# * `CONTINUE` - Inspect the available body contents normally,
|
3628
|
+
# according to the rule inspection criteria.
|
3575
3629
|
#
|
3576
3630
|
# * `MATCH` - Treat the web request as matching the rule statement.
|
3577
3631
|
# WAF applies the rule action to the request.
|
@@ -5077,8 +5131,8 @@ module Aws::WAFV2
|
|
5077
5131
|
# Inspect the HTTP method of the web request. The method indicates the
|
5078
5132
|
# type of operation that the request is asking the origin to perform.
|
5079
5133
|
#
|
5080
|
-
# This is used
|
5081
|
-
#
|
5134
|
+
# This is used in the FieldToMatch specification for some web request
|
5135
|
+
# component types.
|
5082
5136
|
#
|
5083
5137
|
# JSON specification: `"Method": \{\}`
|
5084
5138
|
#
|
@@ -5387,8 +5441,8 @@ module Aws::WAFV2
|
|
5387
5441
|
# Inspect the query string of the web request. This is the part of a URL
|
5388
5442
|
# that appears after a `?` character, if any.
|
5389
5443
|
#
|
5390
|
-
# This is used
|
5391
|
-
#
|
5444
|
+
# This is used in the FieldToMatch specification for some web request
|
5445
|
+
# component types.
|
5392
5446
|
#
|
5393
5447
|
# JSON specification: `"QueryString": \{\}`
|
5394
5448
|
#
|
@@ -5398,11 +5452,86 @@ module Aws::WAFV2
|
|
5398
5452
|
#
|
5399
5453
|
class QueryString < Aws::EmptyStructure; end
|
5400
5454
|
|
5401
|
-
# A rate-based rule
|
5402
|
-
#
|
5403
|
-
#
|
5404
|
-
#
|
5405
|
-
#
|
5455
|
+
# A rate-based rule counts incoming requests and rate limits requests
|
5456
|
+
# when they are coming at too fast a rate. The rule categorizes requests
|
5457
|
+
# according to your aggregation criteria, collects them into aggregation
|
5458
|
+
# instances, and counts and rate limits the requests for each instance.
|
5459
|
+
#
|
5460
|
+
# You can specify individual aggregation keys, like IP address or HTTP
|
5461
|
+
# method. You can also specify aggregation key combinations, like IP
|
5462
|
+
# address and HTTP method, or HTTP method, query argument, and cookie.
|
5463
|
+
#
|
5464
|
+
# Each unique set of values for the aggregation keys that you specify is
|
5465
|
+
# a separate aggregation instance, with the value from each key
|
5466
|
+
# contributing to the aggregation instance definition.
|
5467
|
+
#
|
5468
|
+
# For example, assume the rule evaluates web requests with the following
|
5469
|
+
# IP address and HTTP method values:
|
5470
|
+
#
|
5471
|
+
# * IP address 10.1.1.1, HTTP method POST
|
5472
|
+
#
|
5473
|
+
# * IP address 10.1.1.1, HTTP method GET
|
5474
|
+
#
|
5475
|
+
# * IP address 127.0.0.0, HTTP method POST
|
5476
|
+
#
|
5477
|
+
# * IP address 10.1.1.1, HTTP method GET
|
5478
|
+
#
|
5479
|
+
# The rule would create different aggregation instances according to
|
5480
|
+
# your aggregation criteria, for example:
|
5481
|
+
#
|
5482
|
+
# * If the aggregation criteria is just the IP address, then each
|
5483
|
+
# individual address is an aggregation instance, and WAF counts
|
5484
|
+
# requests separately for each. The aggregation instances and request
|
5485
|
+
# counts for our example would be the following:
|
5486
|
+
#
|
5487
|
+
# * IP address 10.1.1.1: count 3
|
5488
|
+
#
|
5489
|
+
# * IP address 127.0.0.0: count 1
|
5490
|
+
#
|
5491
|
+
# * If the aggregation criteria is HTTP method, then each individual
|
5492
|
+
# HTTP method is an aggregation instance. The aggregation instances
|
5493
|
+
# and request counts for our example would be the following:
|
5494
|
+
#
|
5495
|
+
# * HTTP method POST: count 2
|
5496
|
+
#
|
5497
|
+
# * HTTP method GET: count 2
|
5498
|
+
#
|
5499
|
+
# * If the aggregation criteria is IP address and HTTP method, then each
|
5500
|
+
# IP address and each HTTP method would contribute to the combined
|
5501
|
+
# aggregation instance. The aggregation instances and request counts
|
5502
|
+
# for our example would be the following:
|
5503
|
+
#
|
5504
|
+
# * IP address 10.1.1.1, HTTP method POST: count 1
|
5505
|
+
#
|
5506
|
+
# * IP address 10.1.1.1, HTTP method GET: count 2
|
5507
|
+
#
|
5508
|
+
# * IP address 127.0.0.0, HTTP method POST: count 1
|
5509
|
+
#
|
5510
|
+
# For any n-tuple of aggregation keys, each unique combination of values
|
5511
|
+
# for the keys defines a separate aggregation instance, which WAF counts
|
5512
|
+
# and rate-limits individually.
|
5513
|
+
#
|
5514
|
+
# You can optionally nest another statement inside the rate-based
|
5515
|
+
# statement, to narrow the scope of the rule so that it only counts and
|
5516
|
+
# rate limits requests that match the nested statement. You can use this
|
5517
|
+
# nested scope-down statement in conjunction with your aggregation key
|
5518
|
+
# specifications or you can just count and rate limit all requests that
|
5519
|
+
# match the scope-down statement, without additional aggregation. When
|
5520
|
+
# you choose to just manage all requests that match a scope-down
|
5521
|
+
# statement, the aggregation instance is singular for the rule.
|
5522
|
+
#
|
5523
|
+
# You cannot nest a `RateBasedStatement` inside another statement, for
|
5524
|
+
# example inside a `NotStatement` or `OrStatement`. You can define a
|
5525
|
+
# `RateBasedStatement` inside a web ACL and inside a rule group.
|
5526
|
+
#
|
5527
|
+
# For additional information about the options, see [Rate limiting web
|
5528
|
+
# requests using rate-based rules][1] in the *WAF Developer Guide*.
|
5529
|
+
#
|
5530
|
+
# If you only aggregate on the individual IP address or forwarded IP
|
5531
|
+
# address, you can retrieve the list of IP addresses that WAF is
|
5532
|
+
# currently rate limiting for a rule through the API call
|
5533
|
+
# `GetRateBasedStatementManagedKeys`. This option is not available for
|
5534
|
+
# other aggregation configurations.
|
5406
5535
|
#
|
5407
5536
|
# WAF tracks and manages web requests separately for each instance of a
|
5408
5537
|
# rate-based rule that you use. For example, if you provide the same
|
@@ -5413,58 +5542,80 @@ module Aws::WAFV2
|
|
5413
5542
|
# multiple places, each use creates a separate instance of the
|
5414
5543
|
# rate-based rule that gets its own tracking and management by WAF.
|
5415
5544
|
#
|
5416
|
-
# When the rule action triggers, WAF blocks additional requests from the
|
5417
|
-
# IP address until the request rate falls below the limit.
|
5418
5545
|
#
|
5419
|
-
# You can optionally nest another statement inside the rate-based
|
5420
|
-
# statement, to narrow the scope of the rule so that it only counts
|
5421
|
-
# requests that match the nested statement. For example, based on recent
|
5422
|
-
# requests that you have seen from an attacker, you might create a
|
5423
|
-
# rate-based rule with a nested AND rule statement that contains the
|
5424
|
-
# following nested statements:
|
5425
5546
|
#
|
5426
|
-
#
|
5427
|
-
# 192.0.2.44.
|
5547
|
+
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html
|
5428
5548
|
#
|
5429
|
-
#
|
5430
|
-
#
|
5549
|
+
# @!attribute [rw] limit
|
5550
|
+
# The limit on requests per 5-minute period for a single aggregation
|
5551
|
+
# instance for the rate-based rule. If the rate-based statement
|
5552
|
+
# includes a `ScopeDownStatement`, this limit is applied only to the
|
5553
|
+
# requests that match the statement.
|
5431
5554
|
#
|
5432
|
-
#
|
5433
|
-
# example, the rate limit is 1,000. Requests that meet the criteria of
|
5434
|
-
# both of the nested statements are counted. If the count exceeds 1,000
|
5435
|
-
# requests per five minutes, the rule action triggers. Requests that do
|
5436
|
-
# not meet the criteria of both of the nested statements are not counted
|
5437
|
-
# towards the rate limit and are not affected by this rule.
|
5555
|
+
# Examples:
|
5438
5556
|
#
|
5439
|
-
#
|
5440
|
-
#
|
5441
|
-
# `RateBasedStatement` inside a web ACL and inside a rule group.
|
5557
|
+
# * If you aggregate on just the IP address, this is the limit on
|
5558
|
+
# requests from any single IP address.
|
5442
5559
|
#
|
5443
|
-
#
|
5444
|
-
#
|
5445
|
-
#
|
5446
|
-
# limit is applied only to the requests that match the statement.
|
5560
|
+
# * If you aggregate on the HTTP method and the query argument name
|
5561
|
+
# "city", then this is the limit on requests for any single
|
5562
|
+
# method, city pair.
|
5447
5563
|
# @return [Integer]
|
5448
5564
|
#
|
5449
5565
|
# @!attribute [rw] aggregate_key_type
|
5450
|
-
# Setting that indicates how to aggregate the request counts.
|
5451
|
-
#
|
5566
|
+
# Setting that indicates how to aggregate the request counts.
|
5567
|
+
#
|
5568
|
+
# <note markdown="1"> Web requests that are missing any of the components specified in the
|
5569
|
+
# aggregation keys are omitted from the rate-based rule evaluation and
|
5570
|
+
# handling.
|
5452
5571
|
#
|
5453
|
-
#
|
5572
|
+
# </note>
|
5573
|
+
#
|
5574
|
+
# * `CONSTANT` - Count and limit the requests that match the
|
5575
|
+
# rate-based rule's scope-down statement. With this option, the
|
5576
|
+
# counted requests aren't further aggregated. The scope-down
|
5577
|
+
# statement is the only specification used. When the count of all
|
5578
|
+
# requests that satisfy the scope-down statement goes over the
|
5579
|
+
# limit, WAF applies the rule action to all requests that satisfy
|
5580
|
+
# the scope-down statement.
|
5581
|
+
#
|
5582
|
+
# With this option, you must configure the `ScopeDownStatement`
|
5583
|
+
# property.
|
5584
|
+
#
|
5585
|
+
# * `CUSTOM_KEYS` - Aggregate the request counts using one or more web
|
5586
|
+
# request components as the aggregate keys.
|
5587
|
+
#
|
5588
|
+
# With this option, you must specify the aggregate keys in the
|
5589
|
+
# `CustomKeys` property.
|
5590
|
+
#
|
5591
|
+
# To aggregate on only the IP address or only the forwarded IP
|
5592
|
+
# address, don't use custom keys. Instead, set the aggregate key
|
5593
|
+
# type to `IP` or `FORWARDED_IP`.
|
5594
|
+
#
|
5595
|
+
# * `FORWARDED_IP` - Aggregate the request counts on the first IP
|
5596
|
+
# address in an HTTP header.
|
5597
|
+
#
|
5598
|
+
# With this option, you must specify the header to use in the
|
5599
|
+
# `ForwardedIPConfig` property.
|
5600
|
+
#
|
5601
|
+
# To aggregate on a combination of the forwarded IP address with
|
5602
|
+
# other aggregate keys, use `CUSTOM_KEYS`.
|
5603
|
+
#
|
5604
|
+
# * `IP` - Aggregate the request counts on the IP address from the web
|
5454
5605
|
# request origin.
|
5455
5606
|
#
|
5456
|
-
#
|
5457
|
-
#
|
5458
|
-
# `ForwardedIPConfig`, to specify the header to use.
|
5607
|
+
# To aggregate on a combination of the IP address with other
|
5608
|
+
# aggregate keys, use `CUSTOM_KEYS`.
|
5459
5609
|
# @return [String]
|
5460
5610
|
#
|
5461
5611
|
# @!attribute [rw] scope_down_statement
|
5462
5612
|
# An optional nested statement that narrows the scope of the web
|
5463
|
-
# requests that are evaluated by the rate-based statement.
|
5464
|
-
#
|
5465
|
-
#
|
5466
|
-
# scope-down statement, and you
|
5467
|
-
# same as you can for a rule
|
5613
|
+
# requests that are evaluated and managed by the rate-based statement.
|
5614
|
+
# When you use a scope-down statement, the rate-based rule only tracks
|
5615
|
+
# and rate limits requests that match the scope-down statement. You
|
5616
|
+
# can use any nestable Statement in the scope-down statement, and you
|
5617
|
+
# can nest statements at any level, the same as you can for a rule
|
5618
|
+
# statement.
|
5468
5619
|
# @return [Types::Statement]
|
5469
5620
|
#
|
5470
5621
|
# @!attribute [rw] forwarded_ip_config
|
@@ -5478,22 +5629,143 @@ module Aws::WAFV2
|
|
5478
5629
|
#
|
5479
5630
|
# </note>
|
5480
5631
|
#
|
5481
|
-
# This is required if
|
5632
|
+
# This is required if you specify a forwarded IP in the rule's
|
5633
|
+
# aggregate key settings.
|
5482
5634
|
# @return [Types::ForwardedIPConfig]
|
5483
5635
|
#
|
5636
|
+
# @!attribute [rw] custom_keys
|
5637
|
+
# Specifies the aggregate keys to use in a rate-base rule.
|
5638
|
+
# @return [Array<Types::RateBasedStatementCustomKey>]
|
5639
|
+
#
|
5484
5640
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateBasedStatement AWS API Documentation
|
5485
5641
|
#
|
5486
5642
|
class RateBasedStatement < Struct.new(
|
5487
5643
|
:limit,
|
5488
5644
|
:aggregate_key_type,
|
5489
5645
|
:scope_down_statement,
|
5490
|
-
:forwarded_ip_config
|
5646
|
+
:forwarded_ip_config,
|
5647
|
+
:custom_keys)
|
5648
|
+
SENSITIVE = []
|
5649
|
+
include Aws::Structure
|
5650
|
+
end
|
5651
|
+
|
5652
|
+
# Specifies a single custom aggregate key for a rate-base rule.
|
5653
|
+
#
|
5654
|
+
# <note markdown="1"> Web requests that are missing any of the components specified in the
|
5655
|
+
# aggregation keys are omitted from the rate-based rule evaluation and
|
5656
|
+
# handling.
|
5657
|
+
#
|
5658
|
+
# </note>
|
5659
|
+
#
|
5660
|
+
# @!attribute [rw] header
|
5661
|
+
# Use the value of a header in the request as an aggregate key. Each
|
5662
|
+
# distinct value in the header contributes to the aggregation
|
5663
|
+
# instance. If you use a single header as your custom key, then each
|
5664
|
+
# value fully defines an aggregation instance.
|
5665
|
+
# @return [Types::RateLimitHeader]
|
5666
|
+
#
|
5667
|
+
# @!attribute [rw] cookie
|
5668
|
+
# Use the value of a cookie in the request as an aggregate key. Each
|
5669
|
+
# distinct value in the cookie contributes to the aggregation
|
5670
|
+
# instance. If you use a single cookie as your custom key, then each
|
5671
|
+
# value fully defines an aggregation instance.
|
5672
|
+
# @return [Types::RateLimitCookie]
|
5673
|
+
#
|
5674
|
+
# @!attribute [rw] query_argument
|
5675
|
+
# Use the specified query argument as an aggregate key. Each distinct
|
5676
|
+
# value for the named query argument contributes to the aggregation
|
5677
|
+
# instance. If you use a single query argument as your custom key,
|
5678
|
+
# then each value fully defines an aggregation instance.
|
5679
|
+
# @return [Types::RateLimitQueryArgument]
|
5680
|
+
#
|
5681
|
+
# @!attribute [rw] query_string
|
5682
|
+
# Use the request's query string as an aggregate key. Each distinct
|
5683
|
+
# string contributes to the aggregation instance. If you use just the
|
5684
|
+
# query string as your custom key, then each string fully defines an
|
5685
|
+
# aggregation instance.
|
5686
|
+
# @return [Types::RateLimitQueryString]
|
5687
|
+
#
|
5688
|
+
# @!attribute [rw] http_method
|
5689
|
+
# Use the request's HTTP method as an aggregate key. Each distinct
|
5690
|
+
# HTTP method contributes to the aggregation instance. If you use just
|
5691
|
+
# the HTTP method as your custom key, then each method fully defines
|
5692
|
+
# an aggregation instance.
|
5693
|
+
# @return [Types::RateLimitHTTPMethod]
|
5694
|
+
#
|
5695
|
+
# @!attribute [rw] forwarded_ip
|
5696
|
+
# Use the first IP address in an HTTP header as an aggregate key. Each
|
5697
|
+
# distinct forwarded IP address contributes to the aggregation
|
5698
|
+
# instance.
|
5699
|
+
#
|
5700
|
+
# When you specify an IP or forwarded IP in the custom key settings,
|
5701
|
+
# you must also specify at least one other key to use. You can
|
5702
|
+
# aggregate on only the forwarded IP address by specifying
|
5703
|
+
# `FORWARDED_IP` in your rate-based statement's `AggregateKeyType`.
|
5704
|
+
#
|
5705
|
+
# With this option, you must specify the header to use in the
|
5706
|
+
# rate-based rule's `ForwardedIPConfig` property.
|
5707
|
+
# @return [Types::RateLimitForwardedIP]
|
5708
|
+
#
|
5709
|
+
# @!attribute [rw] ip
|
5710
|
+
# Use the request's originating IP address as an aggregate key. Each
|
5711
|
+
# distinct IP address contributes to the aggregation instance.
|
5712
|
+
#
|
5713
|
+
# When you specify an IP or forwarded IP in the custom key settings,
|
5714
|
+
# you must also specify at least one other key to use. You can
|
5715
|
+
# aggregate on only the IP address by specifying `IP` in your
|
5716
|
+
# rate-based statement's `AggregateKeyType`.
|
5717
|
+
# @return [Types::RateLimitIP]
|
5718
|
+
#
|
5719
|
+
# @!attribute [rw] label_namespace
|
5720
|
+
# Use the specified label namespace as an aggregate key. Each distinct
|
5721
|
+
# fully qualified label name that has the specified label namespace
|
5722
|
+
# contributes to the aggregation instance. If you use just one label
|
5723
|
+
# namespace as your custom key, then each label name fully defines an
|
5724
|
+
# aggregation instance.
|
5725
|
+
#
|
5726
|
+
# This uses only labels that have been added to the request by rules
|
5727
|
+
# that are evaluated before this rate-based rule in the web ACL.
|
5728
|
+
#
|
5729
|
+
# For information about label namespaces and names, see [Label syntax
|
5730
|
+
# and naming requirements][1] in the *WAF Developer Guide*.
|
5731
|
+
#
|
5732
|
+
#
|
5733
|
+
#
|
5734
|
+
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html
|
5735
|
+
# @return [Types::RateLimitLabelNamespace]
|
5736
|
+
#
|
5737
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateBasedStatementCustomKey AWS API Documentation
|
5738
|
+
#
|
5739
|
+
class RateBasedStatementCustomKey < Struct.new(
|
5740
|
+
:header,
|
5741
|
+
:cookie,
|
5742
|
+
:query_argument,
|
5743
|
+
:query_string,
|
5744
|
+
:http_method,
|
5745
|
+
:forwarded_ip,
|
5746
|
+
:ip,
|
5747
|
+
:label_namespace)
|
5491
5748
|
SENSITIVE = []
|
5492
5749
|
include Aws::Structure
|
5493
5750
|
end
|
5494
5751
|
|
5495
5752
|
# The set of IP addresses that are currently blocked for a
|
5496
|
-
# RateBasedStatement.
|
5753
|
+
# RateBasedStatement. This is only available for rate-based rules that
|
5754
|
+
# aggregate on just the IP address, with the `AggregateKeyType` set to
|
5755
|
+
# `IP` or `FORWARDED_IP`.
|
5756
|
+
#
|
5757
|
+
# A rate-based rule applies its rule action to requests from IP
|
5758
|
+
# addresses that are in the rule's managed keys list and that match the
|
5759
|
+
# rule's scope-down statement. When a rule has no scope-down statement,
|
5760
|
+
# it applies the action to all requests from the IP addresses that are
|
5761
|
+
# in the list. The rule applies its rule action to rate limit the
|
5762
|
+
# matching requests. The action is usually Block but it can be any valid
|
5763
|
+
# rule action except for Allow.
|
5764
|
+
#
|
5765
|
+
# The maximum number of IP addresses that can be rate limited by a
|
5766
|
+
# single rate-based rule instance is 10,000. If more than 10,000
|
5767
|
+
# addresses exceed the rate limit, WAF limits those with the highest
|
5768
|
+
# rates.
|
5497
5769
|
#
|
5498
5770
|
# @!attribute [rw] ip_address_version
|
5499
5771
|
# The version of the IP addresses, either `IPV4` or `IPV6`.
|
@@ -5512,6 +5784,208 @@ module Aws::WAFV2
|
|
5512
5784
|
include Aws::Structure
|
5513
5785
|
end
|
5514
5786
|
|
5787
|
+
# Specifies a cookie as an aggregate key for a rate-based rule. Each
|
5788
|
+
# distinct value in the cookie contributes to the aggregation instance.
|
5789
|
+
# If you use a single cookie as your custom key, then each value fully
|
5790
|
+
# defines an aggregation instance.
|
5791
|
+
#
|
5792
|
+
# @!attribute [rw] name
|
5793
|
+
# The name of the cookie to use.
|
5794
|
+
# @return [String]
|
5795
|
+
#
|
5796
|
+
# @!attribute [rw] text_transformations
|
5797
|
+
# Text transformations eliminate some of the unusual formatting that
|
5798
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
5799
|
+
# transformations are used in rule match statements, to transform the
|
5800
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
5801
|
+
# used in rate-based rule statements, to transform request components
|
5802
|
+
# before using them as custom aggregation keys. If you specify one or
|
5803
|
+
# more transformations to apply, WAF performs all transformations on
|
5804
|
+
# the specified content, starting from the lowest priority setting,
|
5805
|
+
# and then uses the component contents.
|
5806
|
+
# @return [Array<Types::TextTransformation>]
|
5807
|
+
#
|
5808
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitCookie AWS API Documentation
|
5809
|
+
#
|
5810
|
+
class RateLimitCookie < Struct.new(
|
5811
|
+
:name,
|
5812
|
+
:text_transformations)
|
5813
|
+
SENSITIVE = []
|
5814
|
+
include Aws::Structure
|
5815
|
+
end
|
5816
|
+
|
5817
|
+
# Specifies the first IP address in an HTTP header as an aggregate key
|
5818
|
+
# for a rate-based rule. Each distinct forwarded IP address contributes
|
5819
|
+
# to the aggregation instance.
|
5820
|
+
#
|
5821
|
+
# This setting is used only in the `RateBasedStatementCustomKey`
|
5822
|
+
# specification of a rate-based rule statement. When you specify an IP
|
5823
|
+
# or forwarded IP in the custom key settings, you must also specify at
|
5824
|
+
# least one other key to use. You can aggregate on only the forwarded IP
|
5825
|
+
# address by specifying `FORWARDED_IP` in your rate-based statement's
|
5826
|
+
# `AggregateKeyType`.
|
5827
|
+
#
|
5828
|
+
# This data type supports using the forwarded IP address in the web
|
5829
|
+
# request aggregation for a rate-based rule, in
|
5830
|
+
# `RateBasedStatementCustomKey`. The JSON specification for using the
|
5831
|
+
# forwarded IP address doesn't explicitly use this data type.
|
5832
|
+
#
|
5833
|
+
# JSON specification: `"ForwardedIP": \{\}`
|
5834
|
+
#
|
5835
|
+
# When you use this specification, you must also configure the forwarded
|
5836
|
+
# IP address in the rate-based statement's `ForwardedIPConfig`.
|
5837
|
+
#
|
5838
|
+
# @api private
|
5839
|
+
#
|
5840
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitForwardedIP AWS API Documentation
|
5841
|
+
#
|
5842
|
+
class RateLimitForwardedIP < Aws::EmptyStructure; end
|
5843
|
+
|
5844
|
+
# Specifies the request's HTTP method as an aggregate key for a
|
5845
|
+
# rate-based rule. Each distinct HTTP method contributes to the
|
5846
|
+
# aggregation instance. If you use just the HTTP method as your custom
|
5847
|
+
# key, then each method fully defines an aggregation instance.
|
5848
|
+
#
|
5849
|
+
# JSON specification: `"RateLimitHTTPMethod": \{\}`
|
5850
|
+
#
|
5851
|
+
# @api private
|
5852
|
+
#
|
5853
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitHTTPMethod AWS API Documentation
|
5854
|
+
#
|
5855
|
+
class RateLimitHTTPMethod < Aws::EmptyStructure; end
|
5856
|
+
|
5857
|
+
# Specifies a header as an aggregate key for a rate-based rule. Each
|
5858
|
+
# distinct value in the header contributes to the aggregation instance.
|
5859
|
+
# If you use a single header as your custom key, then each value fully
|
5860
|
+
# defines an aggregation instance.
|
5861
|
+
#
|
5862
|
+
# @!attribute [rw] name
|
5863
|
+
# The name of the header to use.
|
5864
|
+
# @return [String]
|
5865
|
+
#
|
5866
|
+
# @!attribute [rw] text_transformations
|
5867
|
+
# Text transformations eliminate some of the unusual formatting that
|
5868
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
5869
|
+
# transformations are used in rule match statements, to transform the
|
5870
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
5871
|
+
# used in rate-based rule statements, to transform request components
|
5872
|
+
# before using them as custom aggregation keys. If you specify one or
|
5873
|
+
# more transformations to apply, WAF performs all transformations on
|
5874
|
+
# the specified content, starting from the lowest priority setting,
|
5875
|
+
# and then uses the component contents.
|
5876
|
+
# @return [Array<Types::TextTransformation>]
|
5877
|
+
#
|
5878
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitHeader AWS API Documentation
|
5879
|
+
#
|
5880
|
+
class RateLimitHeader < Struct.new(
|
5881
|
+
:name,
|
5882
|
+
:text_transformations)
|
5883
|
+
SENSITIVE = []
|
5884
|
+
include Aws::Structure
|
5885
|
+
end
|
5886
|
+
|
5887
|
+
# Specifies the IP address in the web request as an aggregate key for a
|
5888
|
+
# rate-based rule. Each distinct IP address contributes to the
|
5889
|
+
# aggregation instance.
|
5890
|
+
#
|
5891
|
+
# This setting is used only in the `RateBasedStatementCustomKey`
|
5892
|
+
# specification of a rate-based rule statement. To use this in the
|
5893
|
+
# custom key settings, you must specify at least one other key to use,
|
5894
|
+
# along with the IP address. To aggregate on only the IP address, in
|
5895
|
+
# your rate-based statement's `AggregateKeyType`, specify `IP`.
|
5896
|
+
#
|
5897
|
+
# JSON specification: `"RateLimitIP": \{\}`
|
5898
|
+
#
|
5899
|
+
# @api private
|
5900
|
+
#
|
5901
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitIP AWS API Documentation
|
5902
|
+
#
|
5903
|
+
class RateLimitIP < Aws::EmptyStructure; end
|
5904
|
+
|
5905
|
+
# Specifies a label namespace to use as an aggregate key for a
|
5906
|
+
# rate-based rule. Each distinct fully qualified label name that has the
|
5907
|
+
# specified label namespace contributes to the aggregation instance. If
|
5908
|
+
# you use just one label namespace as your custom key, then each label
|
5909
|
+
# name fully defines an aggregation instance.
|
5910
|
+
#
|
5911
|
+
# This uses only labels that have been added to the request by rules
|
5912
|
+
# that are evaluated before this rate-based rule in the web ACL.
|
5913
|
+
#
|
5914
|
+
# For information about label namespaces and names, see [Label syntax
|
5915
|
+
# and naming requirements][1] in the *WAF Developer Guide*.
|
5916
|
+
#
|
5917
|
+
#
|
5918
|
+
#
|
5919
|
+
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html
|
5920
|
+
#
|
5921
|
+
# @!attribute [rw] namespace
|
5922
|
+
# The namespace to use for aggregation.
|
5923
|
+
# @return [String]
|
5924
|
+
#
|
5925
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitLabelNamespace AWS API Documentation
|
5926
|
+
#
|
5927
|
+
class RateLimitLabelNamespace < Struct.new(
|
5928
|
+
:namespace)
|
5929
|
+
SENSITIVE = []
|
5930
|
+
include Aws::Structure
|
5931
|
+
end
|
5932
|
+
|
5933
|
+
# Specifies a query argument in the request as an aggregate key for a
|
5934
|
+
# rate-based rule. Each distinct value for the named query argument
|
5935
|
+
# contributes to the aggregation instance. If you use a single query
|
5936
|
+
# argument as your custom key, then each value fully defines an
|
5937
|
+
# aggregation instance.
|
5938
|
+
#
|
5939
|
+
# @!attribute [rw] name
|
5940
|
+
# The name of the query argument to use.
|
5941
|
+
# @return [String]
|
5942
|
+
#
|
5943
|
+
# @!attribute [rw] text_transformations
|
5944
|
+
# Text transformations eliminate some of the unusual formatting that
|
5945
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
5946
|
+
# transformations are used in rule match statements, to transform the
|
5947
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
5948
|
+
# used in rate-based rule statements, to transform request components
|
5949
|
+
# before using them as custom aggregation keys. If you specify one or
|
5950
|
+
# more transformations to apply, WAF performs all transformations on
|
5951
|
+
# the specified content, starting from the lowest priority setting,
|
5952
|
+
# and then uses the component contents.
|
5953
|
+
# @return [Array<Types::TextTransformation>]
|
5954
|
+
#
|
5955
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitQueryArgument AWS API Documentation
|
5956
|
+
#
|
5957
|
+
class RateLimitQueryArgument < Struct.new(
|
5958
|
+
:name,
|
5959
|
+
:text_transformations)
|
5960
|
+
SENSITIVE = []
|
5961
|
+
include Aws::Structure
|
5962
|
+
end
|
5963
|
+
|
5964
|
+
# Specifies the request's query string as an aggregate key for a
|
5965
|
+
# rate-based rule. Each distinct string contributes to the aggregation
|
5966
|
+
# instance. If you use just the query string as your custom key, then
|
5967
|
+
# each string fully defines an aggregation instance.
|
5968
|
+
#
|
5969
|
+
# @!attribute [rw] text_transformations
|
5970
|
+
# Text transformations eliminate some of the unusual formatting that
|
5971
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
5972
|
+
# transformations are used in rule match statements, to transform the
|
5973
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
5974
|
+
# used in rate-based rule statements, to transform request components
|
5975
|
+
# before using them as custom aggregation keys. If you specify one or
|
5976
|
+
# more transformations to apply, WAF performs all transformations on
|
5977
|
+
# the specified content, starting from the lowest priority setting,
|
5978
|
+
# and then uses the component contents.
|
5979
|
+
# @return [Array<Types::TextTransformation>]
|
5980
|
+
#
|
5981
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RateLimitQueryString AWS API Documentation
|
5982
|
+
#
|
5983
|
+
class RateLimitQueryString < Struct.new(
|
5984
|
+
:text_transformations)
|
5985
|
+
SENSITIVE = []
|
5986
|
+
include Aws::Structure
|
5987
|
+
end
|
5988
|
+
|
5515
5989
|
# A single regular expression. This is used in a RegexPatternSet.
|
5516
5990
|
#
|
5517
5991
|
# @!attribute [rw] regex_string
|
@@ -5539,11 +6013,14 @@ module Aws::WAFV2
|
|
5539
6013
|
#
|
5540
6014
|
# @!attribute [rw] text_transformations
|
5541
6015
|
# Text transformations eliminate some of the unusual formatting that
|
5542
|
-
# attackers use in web requests in an effort to bypass detection.
|
5543
|
-
#
|
5544
|
-
#
|
5545
|
-
#
|
5546
|
-
#
|
6016
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
6017
|
+
# transformations are used in rule match statements, to transform the
|
6018
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
6019
|
+
# used in rate-based rule statements, to transform request components
|
6020
|
+
# before using them as custom aggregation keys. If you specify one or
|
6021
|
+
# more transformations to apply, WAF performs all transformations on
|
6022
|
+
# the specified content, starting from the lowest priority setting,
|
6023
|
+
# and then uses the component contents.
|
5547
6024
|
# @return [Array<Types::TextTransformation>]
|
5548
6025
|
#
|
5549
6026
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RegexMatchStatement AWS API Documentation
|
@@ -5620,11 +6097,14 @@ module Aws::WAFV2
|
|
5620
6097
|
#
|
5621
6098
|
# @!attribute [rw] text_transformations
|
5622
6099
|
# Text transformations eliminate some of the unusual formatting that
|
5623
|
-
# attackers use in web requests in an effort to bypass detection.
|
5624
|
-
#
|
5625
|
-
#
|
5626
|
-
#
|
5627
|
-
#
|
6100
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
6101
|
+
# transformations are used in rule match statements, to transform the
|
6102
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
6103
|
+
# used in rate-based rule statements, to transform request components
|
6104
|
+
# before using them as custom aggregation keys. If you specify one or
|
6105
|
+
# more transformations to apply, WAF performs all transformations on
|
6106
|
+
# the specified content, starting from the lowest priority setting,
|
6107
|
+
# and then uses the component contents.
|
5628
6108
|
# @return [Array<Types::TextTransformation>]
|
5629
6109
|
#
|
5630
6110
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RegexPatternSetReferenceStatement AWS API Documentation
|
@@ -6622,11 +7102,14 @@ module Aws::WAFV2
|
|
6622
7102
|
#
|
6623
7103
|
# @!attribute [rw] text_transformations
|
6624
7104
|
# Text transformations eliminate some of the unusual formatting that
|
6625
|
-
# attackers use in web requests in an effort to bypass detection.
|
6626
|
-
#
|
6627
|
-
#
|
6628
|
-
#
|
6629
|
-
#
|
7105
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
7106
|
+
# transformations are used in rule match statements, to transform the
|
7107
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
7108
|
+
# used in rate-based rule statements, to transform request components
|
7109
|
+
# before using them as custom aggregation keys. If you specify one or
|
7110
|
+
# more transformations to apply, WAF performs all transformations on
|
7111
|
+
# the specified content, starting from the lowest priority setting,
|
7112
|
+
# and then uses the component contents.
|
6630
7113
|
# @return [Array<Types::TextTransformation>]
|
6631
7114
|
#
|
6632
7115
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/SizeConstraintStatement AWS API Documentation
|
@@ -6650,11 +7133,14 @@ module Aws::WAFV2
|
|
6650
7133
|
#
|
6651
7134
|
# @!attribute [rw] text_transformations
|
6652
7135
|
# Text transformations eliminate some of the unusual formatting that
|
6653
|
-
# attackers use in web requests in an effort to bypass detection.
|
6654
|
-
#
|
6655
|
-
#
|
6656
|
-
#
|
6657
|
-
#
|
7136
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
7137
|
+
# transformations are used in rule match statements, to transform the
|
7138
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
7139
|
+
# used in rate-based rule statements, to transform request components
|
7140
|
+
# before using them as custom aggregation keys. If you specify one or
|
7141
|
+
# more transformations to apply, WAF performs all transformations on
|
7142
|
+
# the specified content, starting from the lowest priority setting,
|
7143
|
+
# and then uses the component contents.
|
6658
7144
|
# @return [Array<Types::TextTransformation>]
|
6659
7145
|
#
|
6660
7146
|
# @!attribute [rw] sensitivity_level
|
@@ -6814,11 +7300,88 @@ module Aws::WAFV2
|
|
6814
7300
|
# @return [Types::RegexPatternSetReferenceStatement]
|
6815
7301
|
#
|
6816
7302
|
# @!attribute [rw] rate_based_statement
|
6817
|
-
# A rate-based rule
|
6818
|
-
#
|
6819
|
-
#
|
6820
|
-
#
|
6821
|
-
#
|
7303
|
+
# A rate-based rule counts incoming requests and rate limits requests
|
7304
|
+
# when they are coming at too fast a rate. The rule categorizes
|
7305
|
+
# requests according to your aggregation criteria, collects them into
|
7306
|
+
# aggregation instances, and counts and rate limits the requests for
|
7307
|
+
# each instance.
|
7308
|
+
#
|
7309
|
+
# You can specify individual aggregation keys, like IP address or HTTP
|
7310
|
+
# method. You can also specify aggregation key combinations, like IP
|
7311
|
+
# address and HTTP method, or HTTP method, query argument, and cookie.
|
7312
|
+
#
|
7313
|
+
# Each unique set of values for the aggregation keys that you specify
|
7314
|
+
# is a separate aggregation instance, with the value from each key
|
7315
|
+
# contributing to the aggregation instance definition.
|
7316
|
+
#
|
7317
|
+
# For example, assume the rule evaluates web requests with the
|
7318
|
+
# following IP address and HTTP method values:
|
7319
|
+
#
|
7320
|
+
# * IP address 10.1.1.1, HTTP method POST
|
7321
|
+
#
|
7322
|
+
# * IP address 10.1.1.1, HTTP method GET
|
7323
|
+
#
|
7324
|
+
# * IP address 127.0.0.0, HTTP method POST
|
7325
|
+
#
|
7326
|
+
# * IP address 10.1.1.1, HTTP method GET
|
7327
|
+
#
|
7328
|
+
# The rule would create different aggregation instances according to
|
7329
|
+
# your aggregation criteria, for example:
|
7330
|
+
#
|
7331
|
+
# * If the aggregation criteria is just the IP address, then each
|
7332
|
+
# individual address is an aggregation instance, and WAF counts
|
7333
|
+
# requests separately for each. The aggregation instances and
|
7334
|
+
# request counts for our example would be the following:
|
7335
|
+
#
|
7336
|
+
# * IP address 10.1.1.1: count 3
|
7337
|
+
#
|
7338
|
+
# * IP address 127.0.0.0: count 1
|
7339
|
+
#
|
7340
|
+
# * If the aggregation criteria is HTTP method, then each individual
|
7341
|
+
# HTTP method is an aggregation instance. The aggregation instances
|
7342
|
+
# and request counts for our example would be the following:
|
7343
|
+
#
|
7344
|
+
# * HTTP method POST: count 2
|
7345
|
+
#
|
7346
|
+
# * HTTP method GET: count 2
|
7347
|
+
#
|
7348
|
+
# * If the aggregation criteria is IP address and HTTP method, then
|
7349
|
+
# each IP address and each HTTP method would contribute to the
|
7350
|
+
# combined aggregation instance. The aggregation instances and
|
7351
|
+
# request counts for our example would be the following:
|
7352
|
+
#
|
7353
|
+
# * IP address 10.1.1.1, HTTP method POST: count 1
|
7354
|
+
#
|
7355
|
+
# * IP address 10.1.1.1, HTTP method GET: count 2
|
7356
|
+
#
|
7357
|
+
# * IP address 127.0.0.0, HTTP method POST: count 1
|
7358
|
+
#
|
7359
|
+
# For any n-tuple of aggregation keys, each unique combination of
|
7360
|
+
# values for the keys defines a separate aggregation instance, which
|
7361
|
+
# WAF counts and rate-limits individually.
|
7362
|
+
#
|
7363
|
+
# You can optionally nest another statement inside the rate-based
|
7364
|
+
# statement, to narrow the scope of the rule so that it only counts
|
7365
|
+
# and rate limits requests that match the nested statement. You can
|
7366
|
+
# use this nested scope-down statement in conjunction with your
|
7367
|
+
# aggregation key specifications or you can just count and rate limit
|
7368
|
+
# all requests that match the scope-down statement, without additional
|
7369
|
+
# aggregation. When you choose to just manage all requests that match
|
7370
|
+
# a scope-down statement, the aggregation instance is singular for the
|
7371
|
+
# rule.
|
7372
|
+
#
|
7373
|
+
# You cannot nest a `RateBasedStatement` inside another statement, for
|
7374
|
+
# example inside a `NotStatement` or `OrStatement`. You can define a
|
7375
|
+
# `RateBasedStatement` inside a web ACL and inside a rule group.
|
7376
|
+
#
|
7377
|
+
# For additional information about the options, see [Rate limiting web
|
7378
|
+
# requests using rate-based rules][1] in the *WAF Developer Guide*.
|
7379
|
+
#
|
7380
|
+
# If you only aggregate on the individual IP address or forwarded IP
|
7381
|
+
# address, you can retrieve the list of IP addresses that WAF is
|
7382
|
+
# currently rate limiting for a rule through the API call
|
7383
|
+
# `GetRateBasedStatementManagedKeys`. This option is not available for
|
7384
|
+
# other aggregation configurations.
|
6822
7385
|
#
|
6823
7386
|
# WAF tracks and manages web requests separately for each instance of
|
6824
7387
|
# a rate-based rule that you use. For example, if you provide the same
|
@@ -6829,33 +7392,9 @@ module Aws::WAFV2
|
|
6829
7392
|
# multiple places, each use creates a separate instance of the
|
6830
7393
|
# rate-based rule that gets its own tracking and management by WAF.
|
6831
7394
|
#
|
6832
|
-
# When the rule action triggers, WAF blocks additional requests from
|
6833
|
-
# the IP address until the request rate falls below the limit.
|
6834
7395
|
#
|
6835
|
-
# You can optionally nest another statement inside the rate-based
|
6836
|
-
# statement, to narrow the scope of the rule so that it only counts
|
6837
|
-
# requests that match the nested statement. For example, based on
|
6838
|
-
# recent requests that you have seen from an attacker, you might
|
6839
|
-
# create a rate-based rule with a nested AND rule statement that
|
6840
|
-
# contains the following nested statements:
|
6841
|
-
#
|
6842
|
-
# * An IP match statement with an IP set that specifies the address
|
6843
|
-
# 192.0.2.44.
|
6844
|
-
#
|
6845
|
-
# * A string match statement that searches in the User-Agent header
|
6846
|
-
# for the string BadBot.
|
6847
|
-
#
|
6848
|
-
# In this rate-based rule, you also define a rate limit. For this
|
6849
|
-
# example, the rate limit is 1,000. Requests that meet the criteria of
|
6850
|
-
# both of the nested statements are counted. If the count exceeds
|
6851
|
-
# 1,000 requests per five minutes, the rule action triggers. Requests
|
6852
|
-
# that do not meet the criteria of both of the nested statements are
|
6853
|
-
# not counted towards the rate limit and are not affected by this
|
6854
|
-
# rule.
|
6855
7396
|
#
|
6856
|
-
#
|
6857
|
-
# example inside a `NotStatement` or `OrStatement`. You can define a
|
6858
|
-
# `RateBasedStatement` inside a web ACL and inside a rule group.
|
7397
|
+
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html
|
6859
7398
|
# @return [Types::RateBasedStatement]
|
6860
7399
|
#
|
6861
7400
|
# @!attribute [rw] and_statement
|
@@ -7030,11 +7569,10 @@ module Aws::WAFV2
|
|
7030
7569
|
# attackers use in web requests in an effort to bypass detection.
|
7031
7570
|
#
|
7032
7571
|
# @!attribute [rw] priority
|
7033
|
-
# Sets the relative processing order for multiple transformations
|
7034
|
-
#
|
7035
|
-
#
|
7036
|
-
#
|
7037
|
-
# all be different.
|
7572
|
+
# Sets the relative processing order for multiple transformations. WAF
|
7573
|
+
# processes all transformations, from lowest priority to highest,
|
7574
|
+
# before inspecting the transformed content. The priorities don't
|
7575
|
+
# need to be consecutive, but they must all be different.
|
7038
7576
|
# @return [Integer]
|
7039
7577
|
#
|
7040
7578
|
# @!attribute [rw] type
|
@@ -7797,8 +8335,8 @@ module Aws::WAFV2
|
|
7797
8335
|
# part of the web request that identifies a resource. For example,
|
7798
8336
|
# `/images/daily-ad.jpg`.
|
7799
8337
|
#
|
7800
|
-
# This is used
|
7801
|
-
#
|
8338
|
+
# This is used in the FieldToMatch specification for some web request
|
8339
|
+
# component types.
|
7802
8340
|
#
|
7803
8341
|
# JSON specification: `"UriPath": \{\}`
|
7804
8342
|
#
|
@@ -7871,9 +8409,16 @@ module Aws::WAFV2
|
|
7871
8409
|
# to Amazon CloudWatch. For the list of available metrics, see [WAF
|
7872
8410
|
# Metrics][1] in the *WAF Developer Guide*.
|
7873
8411
|
#
|
8412
|
+
# For web ACLs, the metrics are for web requests that have the web ACL
|
8413
|
+
# default action applied. WAF applies the default action to web
|
8414
|
+
# requests that pass the inspection of all rules in the web ACL
|
8415
|
+
# without being either allowed or blocked. For more information, see
|
8416
|
+
# [The web ACL default action][2] in the *WAF Developer Guide*.
|
8417
|
+
#
|
7874
8418
|
#
|
7875
8419
|
#
|
7876
8420
|
# [1]: https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics
|
8421
|
+
# [2]: https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-default-action.html
|
7877
8422
|
# @return [Boolean]
|
7878
8423
|
#
|
7879
8424
|
# @!attribute [rw] metric_name
|
@@ -8231,6 +8776,22 @@ module Aws::WAFV2
|
|
8231
8776
|
include Aws::Structure
|
8232
8777
|
end
|
8233
8778
|
|
8779
|
+
# The rule that you've named doesn't aggregate solely on the IP
|
8780
|
+
# address or solely on the forwarded IP address. This call is only
|
8781
|
+
# available for rate-based rules with an `AggregateKeyType` setting of
|
8782
|
+
# `IP` or `FORWARDED_IP`.
|
8783
|
+
#
|
8784
|
+
# @!attribute [rw] message
|
8785
|
+
# @return [String]
|
8786
|
+
#
|
8787
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/WAFUnsupportedAggregateKeyTypeException AWS API Documentation
|
8788
|
+
#
|
8789
|
+
class WAFUnsupportedAggregateKeyTypeException < Struct.new(
|
8790
|
+
:message)
|
8791
|
+
SENSITIVE = []
|
8792
|
+
include Aws::Structure
|
8793
|
+
end
|
8794
|
+
|
8234
8795
|
# A web ACL defines a collection of rules to use to inspect and control
|
8235
8796
|
# web requests. Each rule has an action defined (allow, block, or count)
|
8236
8797
|
# for requests that match the statement of the rule. In the web ACL, you
|
@@ -8493,11 +9054,14 @@ module Aws::WAFV2
|
|
8493
9054
|
#
|
8494
9055
|
# @!attribute [rw] text_transformations
|
8495
9056
|
# Text transformations eliminate some of the unusual formatting that
|
8496
|
-
# attackers use in web requests in an effort to bypass detection.
|
8497
|
-
#
|
8498
|
-
#
|
8499
|
-
#
|
8500
|
-
#
|
9057
|
+
# attackers use in web requests in an effort to bypass detection. Text
|
9058
|
+
# transformations are used in rule match statements, to transform the
|
9059
|
+
# `FieldToMatch` request component before inspecting it, and they're
|
9060
|
+
# used in rate-based rule statements, to transform request components
|
9061
|
+
# before using them as custom aggregation keys. If you specify one or
|
9062
|
+
# more transformations to apply, WAF performs all transformations on
|
9063
|
+
# the specified content, starting from the lowest priority setting,
|
9064
|
+
# and then uses the component contents.
|
8501
9065
|
# @return [Array<Types::TextTransformation>]
|
8502
9066
|
#
|
8503
9067
|
# @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/XssMatchStatement AWS API Documentation
|