aws-cdk-lib 2.132.1__py3-none-any.whl → 2.134.0__py3-none-any.whl

aws_cdk/aws_wafv2/__init__.py

@@ -517,7 +517,7 @@ class CfnLoggingConfiguration(
         :param log_destination_configs: The logging destination configuration that you want to associate with the web ACL. .. epigraph:: You can associate one logging destination to a web ACL.
         :param resource_arn: The Amazon Resource Name (ARN) of the web ACL that you want to associate with ``LogDestinationConfigs`` .
         :param logging_filter: Filtering that specifies which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation.
-        :param redacted_fields: The parts of the request that you want to keep out of the logs. For example, if you redact the ``SingleHeader`` field, the ``HEADER`` field in the logs will be ``REDACTED`` for all rules that use the ``SingleHeader`` ``FieldToMatch`` setting. Redaction applies only to the component that's specified in the rule's ``FieldToMatch`` setting, so the ``SingleHeader`` redaction doesn't apply to rules that use the ``Headers`` ``FieldToMatch`` . .. epigraph:: You can specify only the following fields for redaction: ``UriPath`` , ``QueryString`` , ``SingleHeader`` , and ``Method`` .
+        :param redacted_fields: The parts of the request that you want to keep out of the logs. For example, if you redact the ``SingleHeader`` field, the ``HEADER`` field in the logs will be ``REDACTED`` for all rules that use the ``SingleHeader`` ``FieldToMatch`` setting. Redaction applies only to the component that's specified in the rule's ``FieldToMatch`` setting, so the ``SingleHeader`` redaction doesn't apply to rules that use the ``Headers`` ``FieldToMatch`` . .. epigraph:: You can specify only the following fields for redaction: ``UriPath`` , ``QueryString`` , ``SingleHeader`` , and ``Method`` . > This setting has no impact on request sampling. With request sampling, the only way to exclude fields is by disabling sampling in the web ACL visibility configuration.
         '''
         if __debug__:
             type_hints = typing.get_type_hints(_typecheckingstub__8a8c4ba5ee1b98a4ed1dd5001182ec8712406026687793bcb17c7a78771fa41c)
@@ -1412,7 +1412,7 @@ class CfnLoggingConfigurationProps:
         :param log_destination_configs: The logging destination configuration that you want to associate with the web ACL. .. epigraph:: You can associate one logging destination to a web ACL.
         :param resource_arn: The Amazon Resource Name (ARN) of the web ACL that you want to associate with ``LogDestinationConfigs`` .
         :param logging_filter: Filtering that specifies which web requests are kept in the logs and which are dropped. You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation.
-        :param redacted_fields: The parts of the request that you want to keep out of the logs. For example, if you redact the ``SingleHeader`` field, the ``HEADER`` field in the logs will be ``REDACTED`` for all rules that use the ``SingleHeader`` ``FieldToMatch`` setting. Redaction applies only to the component that's specified in the rule's ``FieldToMatch`` setting, so the ``SingleHeader`` redaction doesn't apply to rules that use the ``Headers`` ``FieldToMatch`` . .. epigraph:: You can specify only the following fields for redaction: ``UriPath`` , ``QueryString`` , ``SingleHeader`` , and ``Method`` .
+        :param redacted_fields: The parts of the request that you want to keep out of the logs. For example, if you redact the ``SingleHeader`` field, the ``HEADER`` field in the logs will be ``REDACTED`` for all rules that use the ``SingleHeader`` ``FieldToMatch`` setting. Redaction applies only to the component that's specified in the rule's ``FieldToMatch`` setting, so the ``SingleHeader`` redaction doesn't apply to rules that use the ``Headers`` ``FieldToMatch`` . .. epigraph:: You can specify only the following fields for redaction: ``UriPath`` , ``QueryString`` , ``SingleHeader`` , and ``Method`` . > This setting has no impact on request sampling. With request sampling, the only way to exclude fields is by disabling sampling in the web ACL visibility configuration.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-loggingconfiguration.html
         :exampleMetadata: fixture=_generated
@@ -1506,7 +1506,7 @@ class CfnLoggingConfigurationProps:
         Redaction applies only to the component that's specified in the rule's ``FieldToMatch`` setting, so the ``SingleHeader`` redaction doesn't apply to rules that use the ``Headers`` ``FieldToMatch`` .
         .. epigraph::
 
-           You can specify only the following fields for redaction: ``UriPath`` , ``QueryString`` , ``SingleHeader`` , and ``Method`` .
+           You can specify only the following fields for redaction: ``UriPath`` , ``QueryString`` , ``SingleHeader`` , and ``Method`` . > This setting has no impact on request sampling. With request sampling, the only way to exclude fields is by disabling sampling in the web ACL visibility configuration.
 
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-loggingconfiguration.html#cfn-wafv2-loggingconfiguration-redactedfields
         '''
@@ -1962,6 +1962,9 @@ class CfnRuleGroup(
                                 match_scope="matchScope",
                                 oversize_handling="oversizeHandling"
                             ),
+                            ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                fallback_behavior="fallbackBehavior"
+                            ),
                             json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                 match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                     all=all,
@@ -2062,6 +2065,7 @@ class CfnRuleGroup(
                                 )]
                             )
                         )],
+                        evaluation_window_sec=123,
                         forwarded_ip_config=wafv2.CfnRuleGroup.ForwardedIPConfigurationProperty(
                             fallback_behavior="fallbackBehavior",
                             header_name="headerName"
@@ -2092,6 +2096,9 @@ class CfnRuleGroup(
                                 match_scope="matchScope",
                                 oversize_handling="oversizeHandling"
                             ),
+                            ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                fallback_behavior="fallbackBehavior"
+                            ),
                             json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                 match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                     all=all,
@@ -2140,6 +2147,9 @@ class CfnRuleGroup(
                                 match_scope="matchScope",
                                 oversize_handling="oversizeHandling"
                             ),
+                            ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                fallback_behavior="fallbackBehavior"
+                            ),
                             json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                 match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                     all=all,
@@ -2187,6 +2197,9 @@ class CfnRuleGroup(
                                 match_scope="matchScope",
                                 oversize_handling="oversizeHandling"
                             ),
+                            ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                fallback_behavior="fallbackBehavior"
+                            ),
                             json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                 match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                     all=all,
@@ -2234,6 +2247,9 @@ class CfnRuleGroup(
                                 match_scope="matchScope",
                                 oversize_handling="oversizeHandling"
                             ),
+                            ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                fallback_behavior="fallbackBehavior"
+                            ),
                             json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                 match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                     all=all,
@@ -2283,6 +2299,9 @@ class CfnRuleGroup(
                                 match_scope="matchScope",
                                 oversize_handling="oversizeHandling"
                             ),
+                            ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                fallback_behavior="fallbackBehavior"
+                            ),
                             json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                 match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                     all=all,
@@ -2747,6 +2766,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -2847,6 +2869,7 @@ class CfnRuleGroup(
                                     )]
                                 )
                             )],
+                            evaluation_window_sec=123,
                             forwarded_ip_config=wafv2.CfnRuleGroup.ForwardedIPConfigurationProperty(
                                 fallback_behavior="fallbackBehavior",
                                 header_name="headerName"
@@ -2877,6 +2900,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -2925,6 +2951,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -2972,6 +3001,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -3019,6 +3051,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -3068,6 +3103,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -3206,7 +3244,7 @@ class CfnRuleGroup(
 
             This is used to indicate the web request component to inspect, in the ``FieldToMatch`` specification.
 
-            :param oversize_handling: What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection. The default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL ``AssociationConfig`` , for additional processing fees. The options for oversize handling are the following: - ``CONTINUE`` - Inspect the available body contents normally, according to the rule inspection criteria. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit. Default: ``CONTINUE``
+            :param oversize_handling: What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection. - For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes). - For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL ``AssociationConfig`` , for additional processing fees. The options for oversize handling are the following: - ``CONTINUE`` - Inspect the available body contents normally, according to the rule inspection criteria. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit. Default: ``CONTINUE``
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-body.html
             :exampleMetadata: fixture=_generated
@@ -3232,9 +3270,10 @@ class CfnRuleGroup(
         def oversize_handling(self) -> typing.Optional[builtins.str]:
             '''What AWS WAF should do if the body is larger than AWS WAF can inspect.
 
-            AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.
+            AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.
 
-            The default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL ``AssociationConfig`` , for additional processing fees.
+            - For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).
+            - For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL ``AssociationConfig`` , for additional processing fees.
 
             The options for oversize handling are the following:
 
@@ -3334,6 +3373,9 @@ class CfnRuleGroup(
                             match_scope="matchScope",
                             oversize_handling="oversizeHandling"
                         ),
+                        ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                            fallback_behavior="fallbackBehavior"
+                        ),
                         json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                             match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                 all=all,
@@ -4335,6 +4377,7 @@ class CfnRuleGroup(
             "body": "body",
             "cookies": "cookies",
             "headers": "headers",
+            "ja3_fingerprint": "ja3Fingerprint",
             "json_body": "jsonBody",
             "method": "method",
             "query_string": "queryString",
@@ -4351,6 +4394,7 @@ class CfnRuleGroup(
             body: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnRuleGroup.BodyProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             cookies: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnRuleGroup.CookiesProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             headers: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnRuleGroup.HeadersProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+            ja3_fingerprint: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnRuleGroup.JA3FingerprintProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             json_body: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnRuleGroup.JsonBodyProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             method: typing.Any = None,
             query_string: typing.Any = None,
@@ -4373,12 +4417,14 @@ class CfnRuleGroup(
             - In a logging configuration, this is used in the ``RedactedFields`` property to specify a field to redact from the logging records. For this use case, note the following:
             - Even though all ``FieldToMatch`` settings are available, the only valid settings for field redaction are ``UriPath`` , ``QueryString`` , ``SingleHeader`` , and ``Method`` .
             - In this documentation, the descriptions of the individual fields talk about specifying the web request component to inspect, but for field redaction, you are specifying the component type to redact from the logs.
+            - If you have request sampling enabled, the redacted fields configuration for logging has no impact on sampling. The only way to exclude fields from request sampling is by disabling sampling in the web ACL visibility configuration.
 
             :param all_query_arguments: Inspect all query arguments.
-            :param body: Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. A limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's ``AssociationConfig`` , for additional processing fees. For information about how to handle oversized request bodies, see the ``Body`` object configuration.
+            :param body: Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection. - For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes). - For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL ``AssociationConfig`` , for additional processing fees. For information about how to handle oversized request bodies, see the ``Body`` object configuration.
             :param cookies: Inspect the request cookies. You must configure scope and pattern matching filters in the ``Cookies`` object, to define the set of cookies and the parts of the cookies that AWS WAF inspects. Only the first 8 KB (8192 bytes) of a request's cookies and only the first 200 cookies are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize cookie content in the ``Cookies`` object. AWS WAF applies the pattern matching filters to the cookies that it receives from the underlying host service.
             :param headers: Inspect the request headers. You must configure scope and pattern matching filters in the ``Headers`` object, to define the set of headers to and the parts of the headers that AWS WAF inspects. Only the first 8 KB (8192 bytes) of a request's headers and only the first 200 headers are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize header content in the ``Headers`` object. AWS WAF applies the pattern matching filters to the headers that it receives from the underlying host service.
-            :param json_body: Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. A limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's ``AssociationConfig`` , for additional processing fees. For information about how to handle oversized request bodies, see the ``JsonBody`` object configuration.
+            :param ja3_fingerprint: Match against the request's JA3 fingerprint. The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. AWS WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information. .. epigraph:: You can use this choice only with a string match ``ByteMatchStatement`` with the ``PositionalConstraint`` set to ``EXACTLY`` . You can obtain the JA3 fingerprint for client requests from the web ACL logs. If AWS WAF is able to calculate the fingerprint, it includes it in the logs. For information about the logging fields, see `Log fields <https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html>`_ in the *AWS WAF Developer Guide* . Provide the JA3 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration.
+            :param json_body: Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection. - For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes). - For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL ``AssociationConfig`` , for additional processing fees. For information about how to handle oversized request bodies, see the ``JsonBody`` object configuration.
             :param method: Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.
             :param query_string: Inspect the query string. This is the part of a URL that appears after a ``?`` character, if any.
             :param single_header: Inspect a single header. Provide the name of the header to inspect, for example, ``User-Agent`` or ``Referer`` . This setting isn't case sensitive. Example JSON: ``"SingleHeader": { "Name": "haystack" }`` Alternately, you can filter and inspect all headers with the ``Headers`` ``FieldToMatch`` setting.
@@ -4425,6 +4471,9 @@ class CfnRuleGroup(
                         match_scope="matchScope",
                         oversize_handling="oversizeHandling"
                     ),
+                    ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                        fallback_behavior="fallbackBehavior"
+                    ),
                     json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                         match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                             all=all,
@@ -4449,6 +4498,7 @@ class CfnRuleGroup(
                 check_type(argname="argument body", value=body, expected_type=type_hints["body"])
                 check_type(argname="argument cookies", value=cookies, expected_type=type_hints["cookies"])
                 check_type(argname="argument headers", value=headers, expected_type=type_hints["headers"])
+                check_type(argname="argument ja3_fingerprint", value=ja3_fingerprint, expected_type=type_hints["ja3_fingerprint"])
                 check_type(argname="argument json_body", value=json_body, expected_type=type_hints["json_body"])
                 check_type(argname="argument method", value=method, expected_type=type_hints["method"])
                 check_type(argname="argument query_string", value=query_string, expected_type=type_hints["query_string"])
@@ -4464,6 +4514,8 @@ class CfnRuleGroup(
                 self._values["cookies"] = cookies
             if headers is not None:
                 self._values["headers"] = headers
+            if ja3_fingerprint is not None:
+                self._values["ja3_fingerprint"] = ja3_fingerprint
             if json_body is not None:
                 self._values["json_body"] = json_body
             if method is not None:
@@ -4494,7 +4546,10 @@ class CfnRuleGroup(
 
             The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.
 
-            A limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's ``AssociationConfig`` , for additional processing fees.
+            AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.
+
+            - For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).
+            - For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL ``AssociationConfig`` , for additional processing fees.
 
             For information about how to handle oversized request bodies, see the ``Body`` object configuration.
 
@@ -4533,6 +4588,26 @@ class CfnRuleGroup(
             result = self._values.get("headers")
             return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnRuleGroup.HeadersProperty"]], result)
 
+        @builtins.property
+        def ja3_fingerprint(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnRuleGroup.JA3FingerprintProperty"]]:
+            '''Match against the request's JA3 fingerprint.
+
+            The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. AWS WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information.
+            .. epigraph::
+
+               You can use this choice only with a string match ``ByteMatchStatement`` with the ``PositionalConstraint`` set to ``EXACTLY`` .
+
+            You can obtain the JA3 fingerprint for client requests from the web ACL logs. If AWS WAF is able to calculate the fingerprint, it includes it in the logs. For information about the logging fields, see `Log fields <https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html>`_ in the *AWS WAF Developer Guide* .
+
+            Provide the JA3 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-fieldtomatch.html#cfn-wafv2-rulegroup-fieldtomatch-ja3fingerprint
+            '''
+            result = self._values.get("ja3_fingerprint")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnRuleGroup.JA3FingerprintProperty"]], result)
+
         @builtins.property
         def json_body(
             self,
@@ -4541,7 +4616,10 @@ class CfnRuleGroup(
 
             The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.
 
-            A limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's ``AssociationConfig`` , for additional processing fees.
+            AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.
+
+            - For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).
+            - For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL ``AssociationConfig`` , for additional processing fees.
 
             For information about how to handle oversized request bodies, see the ``JsonBody`` object configuration.
 
@@ -5302,6 +5380,72 @@ class CfnRuleGroup(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_wafv2.CfnRuleGroup.JA3FingerprintProperty",
+        jsii_struct_bases=[],
+        name_mapping={"fallback_behavior": "fallbackBehavior"},
+    )
+    class JA3FingerprintProperty:
+        def __init__(self, *, fallback_behavior: builtins.str) -> None:
+            '''Match against the request's JA3 fingerprint.
+
+            The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. AWS WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information.
+            .. epigraph::
+
+               You can use this choice only with a string match ``ByteMatchStatement`` with the ``PositionalConstraint`` set to ``EXACTLY`` .
+
+            You can obtain the JA3 fingerprint for client requests from the web ACL logs. If AWS WAF is able to calculate the fingerprint, it includes it in the logs. For information about the logging fields, see `Log fields <https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html>`_ in the *AWS WAF Developer Guide* .
+
+            Provide the JA3 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration.
+
+            :param fallback_behavior: The match status to assign to the web request if the request doesn't have a JA3 fingerprint. You can specify the following fallback behaviors: - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-ja3fingerprint.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_wafv2 as wafv2
+                
+                j_a3_fingerprint_property = wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                    fallback_behavior="fallbackBehavior"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__1cba50229767598d7603bfa317a8bd11cfc2b12ca28d38737119d57d5d04667d)
+                check_type(argname="argument fallback_behavior", value=fallback_behavior, expected_type=type_hints["fallback_behavior"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "fallback_behavior": fallback_behavior,
+            }
+
+        @builtins.property
+        def fallback_behavior(self) -> builtins.str:
+            '''The match status to assign to the web request if the request doesn't have a JA3 fingerprint.
+
+            You can specify the following fallback behaviors:
+
+            - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.
+            - ``NO_MATCH`` - Treat the web request as not matching the rule statement.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-ja3fingerprint.html#cfn-wafv2-rulegroup-ja3fingerprint-fallbackbehavior
+            '''
+            result = self._values.get("fallback_behavior")
+            assert result is not None, "Required property 'fallback_behavior' is missing"
+            return typing.cast(builtins.str, result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "JA3FingerprintProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_wafv2.CfnRuleGroup.JsonBodyProperty",
         jsii_struct_bases=[],
@@ -5332,7 +5476,7 @@ class CfnRuleGroup(
             :param match_pattern: The patterns to look for in the JSON body. AWS WAF inspects the results of these pattern matches against the rule inspection criteria.
             :param match_scope: The parts of the JSON to match against using the ``MatchPattern`` . If you specify ``ALL`` , AWS WAF matches against keys and values. ``All`` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical ``AND`` statement to combine two match rules, one that inspects the keys and another that inspects the values.
             :param invalid_fallback_behavior: What AWS WAF should do if it fails to completely parse the JSON body. The options are the following:. - ``EVALUATE_AS_STRING`` - Inspect the body as plain text. AWS WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. If you don't provide this setting, AWS WAF parses and evaluates the content only up to the first parsing failure that it encounters. AWS WAF does its best to parse the entire JSON body, but might be forced to stop for reasons such as invalid characters, duplicate keys, truncation, and any content whose root node isn't an object or an array. AWS WAF parses the JSON in the following examples as two valid key, value pairs: - Missing comma: ``{"key1":"value1""key2":"value2"}`` - Missing colon: ``{"key1":"value1","key2""value2"}`` - Extra colons: ``{"key1"::"value1","key2""value2"}``
-            :param oversize_handling: What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection. The default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL ``AssociationConfig`` , for additional processing fees. The options for oversize handling are the following: - ``CONTINUE`` - Inspect the available body contents normally, according to the rule inspection criteria. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit. Default: ``CONTINUE``
+            :param oversize_handling: What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection. - For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes). - For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL ``AssociationConfig`` , for additional processing fees. The options for oversize handling are the following: - ``CONTINUE`` - Inspect the available body contents normally, according to the rule inspection criteria. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit. Default: ``CONTINUE``
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-jsonbody.html
             :exampleMetadata: fixture=_generated
@@ -5427,9 +5571,10 @@ class CfnRuleGroup(
         def oversize_handling(self) -> typing.Optional[builtins.str]:
             '''What AWS WAF should do if the body is larger than AWS WAF can inspect.
 
-            AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.
+            AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.
 
-            The default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL ``AssociationConfig`` , for additional processing fees.
+            - For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).
+            - For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL ``AssociationConfig`` , for additional processing fees.
 
             The options for oversize handling are the following:
 
@@ -5791,6 +5936,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -5889,6 +6037,7 @@ class CfnRuleGroup(
                                     )]
                                 )
                             )],
+                            evaluation_window_sec=123,
                             forwarded_ip_config=wafv2.CfnRuleGroup.ForwardedIPConfigurationProperty(
                                 fallback_behavior="fallbackBehavior",
                                 header_name="headerName"
@@ -5919,6 +6068,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -5967,6 +6119,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -6014,6 +6169,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -6061,6 +6219,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -6110,6 +6271,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -6235,6 +6399,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -6333,6 +6500,7 @@ class CfnRuleGroup(
                                     )]
                                 )
                             )],
+                            evaluation_window_sec=123,
                             forwarded_ip_config=wafv2.CfnRuleGroup.ForwardedIPConfigurationProperty(
                                 fallback_behavior="fallbackBehavior",
                                 header_name="headerName"
@@ -6363,6 +6531,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -6411,6 +6582,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -6458,6 +6632,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -6505,6 +6682,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -6554,6 +6734,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -6879,6 +7062,7 @@ class CfnRuleGroup(
             "aggregate_key_type": "aggregateKeyType",
             "limit": "limit",
             "custom_keys": "customKeys",
+            "evaluation_window_sec": "evaluationWindowSec",
             "forwarded_ip_config": "forwardedIpConfig",
             "scope_down_statement": "scopeDownStatement",
         },
@@ -6890,6 +7074,7 @@ class CfnRuleGroup(
             aggregate_key_type: builtins.str,
             limit: jsii.Number,
             custom_keys: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnRuleGroup.RateBasedStatementCustomKeyProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
+            evaluation_window_sec: typing.Optional[jsii.Number] = None,
             forwarded_ip_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnRuleGroup.ForwardedIPConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             scope_down_statement: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnRuleGroup.StatementProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
@@ -6939,6 +7124,7 @@ class CfnRuleGroup(
             :param aggregate_key_type: Setting that indicates how to aggregate the request counts. .. epigraph:: Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling. - ``CONSTANT`` - Count and limit the requests that match the rate-based rule's scope-down statement. With this option, the counted requests aren't further aggregated. The scope-down statement is the only specification used. When the count of all requests that satisfy the scope-down statement goes over the limit, AWS WAF applies the rule action to all requests that satisfy the scope-down statement. With this option, you must configure the ``ScopeDownStatement`` property. - ``CUSTOM_KEYS`` - Aggregate the request counts using one or more web request components as the aggregate keys. With this option, you must specify the aggregate keys in the ``CustomKeys`` property. To aggregate on only the IP address or only the forwarded IP address, don't use custom keys. Instead, set the aggregate key type to ``IP`` or ``FORWARDED_IP`` . - ``FORWARDED_IP`` - Aggregate the request counts on the first IP address in an HTTP header. With this option, you must specify the header to use in the ``ForwardedIPConfig`` property. To aggregate on a combination of the forwarded IP address with other aggregate keys, use ``CUSTOM_KEYS`` . - ``IP`` - Aggregate the request counts on the IP address from the web request origin. To aggregate on a combination of the IP address with other aggregate keys, use ``CUSTOM_KEYS`` .
             :param limit: The limit on requests per 5-minute period for a single aggregation instance for the rate-based rule. If the rate-based statement includes a ``ScopeDownStatement`` , this limit is applied only to the requests that match the statement. Examples: - If you aggregate on just the IP address, this is the limit on requests from any single IP address. - If you aggregate on the HTTP method and the query argument name "city", then this is the limit on requests for any single method, city pair.
             :param custom_keys: Specifies the aggregate keys to use in a rate-base rule.
+            :param evaluation_window_sec: The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time. For example, for a setting of 120, when AWS WAF checks the rate, it counts the requests for the 2 minutes immediately preceding the current time. Valid settings are 60, 120, 300, and 600. This setting doesn't determine how often AWS WAF checks the rate, but how far back it looks each time it checks. AWS WAF checks the rate about every 10 seconds. Default: ``300`` (5 minutes)
             :param forwarded_ip_config: The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name. .. epigraph:: If the specified header isn't present in the request, AWS WAF doesn't apply the rule to the web request at all. This is required if you specify a forwarded IP in the rule's aggregate key settings.
             :param scope_down_statement: An optional nested statement that narrows the scope of the web requests that are evaluated and managed by the rate-based statement. When you use a scope-down statement, the rate-based rule only tracks and rate limits requests that match the scope-down statement. You can use any nestable ``Statement`` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.
 
@@ -7010,6 +7196,7 @@ class CfnRuleGroup(
                             )]
                         )
                     )],
+                    evaluation_window_sec=123,
                     forwarded_ip_config=wafv2.CfnRuleGroup.ForwardedIPConfigurationProperty(
                         fallback_behavior="fallbackBehavior",
                         header_name="headerName"
@@ -7042,6 +7229,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -7121,6 +7311,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -7169,6 +7362,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -7216,6 +7412,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -7263,6 +7462,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -7312,6 +7514,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -7342,6 +7547,7 @@ class CfnRuleGroup(
                 check_type(argname="argument aggregate_key_type", value=aggregate_key_type, expected_type=type_hints["aggregate_key_type"])
                 check_type(argname="argument limit", value=limit, expected_type=type_hints["limit"])
                 check_type(argname="argument custom_keys", value=custom_keys, expected_type=type_hints["custom_keys"])
+                check_type(argname="argument evaluation_window_sec", value=evaluation_window_sec, expected_type=type_hints["evaluation_window_sec"])
                 check_type(argname="argument forwarded_ip_config", value=forwarded_ip_config, expected_type=type_hints["forwarded_ip_config"])
                 check_type(argname="argument scope_down_statement", value=scope_down_statement, expected_type=type_hints["scope_down_statement"])
             self._values: typing.Dict[builtins.str, typing.Any] = {
@@ -7350,6 +7556,8 @@ class CfnRuleGroup(
             }
             if custom_keys is not None:
                 self._values["custom_keys"] = custom_keys
+            if evaluation_window_sec is not None:
+                self._values["evaluation_window_sec"] = evaluation_window_sec
             if forwarded_ip_config is not None:
                 self._values["forwarded_ip_config"] = forwarded_ip_config
             if scope_down_statement is not None:
@@ -7417,6 +7625,21 @@ class CfnRuleGroup(
             result = self._values.get("custom_keys")
             return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnRuleGroup.RateBasedStatementCustomKeyProperty"]]]], result)
 
+        @builtins.property
+        def evaluation_window_sec(self) -> typing.Optional[jsii.Number]:
+            '''The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time.
+
+            For example, for a setting of 120, when AWS WAF checks the rate, it counts the requests for the 2 minutes immediately preceding the current time. Valid settings are 60, 120, 300, and 600.
+
+            This setting doesn't determine how often AWS WAF checks the rate, but how far back it looks each time it checks. AWS WAF checks the rate about every 10 seconds.
+
+            Default: ``300`` (5 minutes)
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-ratebasedstatement.html#cfn-wafv2-rulegroup-ratebasedstatement-evaluationwindowsec
+            '''
+            result = self._values.get("evaluation_window_sec")
+            return typing.cast(typing.Optional[jsii.Number], result)
+
         @builtins.property
         def forwarded_ip_config(
             self,
@@ -7951,6 +8174,9 @@ class CfnRuleGroup(
                             match_scope="matchScope",
                             oversize_handling="oversizeHandling"
                         ),
+                        ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                            fallback_behavior="fallbackBehavior"
+                        ),
                         json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                             match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                 all=all,
@@ -8102,6 +8328,9 @@ class CfnRuleGroup(
                             match_scope="matchScope",
                             oversize_handling="oversizeHandling"
                         ),
+                        ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                            fallback_behavior="fallbackBehavior"
+                        ),
                         json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                             match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                 all=all,
@@ -8422,6 +8651,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -8522,6 +8754,7 @@ class CfnRuleGroup(
                                     )]
                                 )
                             )],
+                            evaluation_window_sec=123,
                             forwarded_ip_config=wafv2.CfnRuleGroup.ForwardedIPConfigurationProperty(
                                 fallback_behavior="fallbackBehavior",
                                 header_name="headerName"
@@ -8552,6 +8785,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -8600,6 +8836,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -8647,6 +8886,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -8694,6 +8936,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -8743,6 +8988,9 @@ class CfnRuleGroup(
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -9085,7 +9333,7 @@ class CfnRuleGroup(
 
             For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.
 
-            If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL ``AssociationConfig`` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.
+            If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes in the body up to the limit for the web ACL and protected resource type. If you know that the request body for your web requests should never exceed the inspection limit, you can use a size constraint statement to block requests that have a larger request body size. For more information about the inspection limits, see ``Body`` and ``JsonBody`` settings for the ``FieldToMatch`` data type.
 
             If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI ``/logo.jpg`` is nine characters long.
 
@@ -9136,6 +9384,9 @@ class CfnRuleGroup(
                             match_scope="matchScope",
                             oversize_handling="oversizeHandling"
                         ),
+                        ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                            fallback_behavior="fallbackBehavior"
+                        ),
                         json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                             match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                 all=all,
@@ -9296,6 +9547,9 @@ class CfnRuleGroup(
                             match_scope="matchScope",
                             oversize_handling="oversizeHandling"
                         ),
+                        ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                            fallback_behavior="fallbackBehavior"
+                        ),
                         json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                             match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                 all=all,
@@ -9435,7 +9689,7 @@ class CfnRuleGroup(
             :param rate_based_statement: A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance. .. epigraph:: If you change any of these settings in a rule that's currently in use, the change resets the rule's rate limiting counts. This can pause the rule's rate limiting activities for up to a minute. You can specify individual aggregation keys, like IP address or HTTP method. You can also specify aggregation key combinations, like IP address and HTTP method, or HTTP method, query argument, and cookie. Each unique set of values for the aggregation keys that you specify is a separate aggregation instance, with the value from each key contributing to the aggregation instance definition. For example, assume the rule evaluates web requests with the following IP address and HTTP method values: - IP address 10.1.1.1, HTTP method POST - IP address 10.1.1.1, HTTP method GET - IP address 127.0.0.0, HTTP method POST - IP address 10.1.1.1, HTTP method GET The rule would create different aggregation instances according to your aggregation criteria, for example: - If the aggregation criteria is just the IP address, then each individual address is an aggregation instance, and AWS WAF counts requests separately for each. The aggregation instances and request counts for our example would be the following: - IP address 10.1.1.1: count 3 - IP address 127.0.0.0: count 1 - If the aggregation criteria is HTTP method, then each individual HTTP method is an aggregation instance. The aggregation instances and request counts for our example would be the following: - HTTP method POST: count 2 - HTTP method GET: count 2 - If the aggregation criteria is IP address and HTTP method, then each IP address and each HTTP method would contribute to the combined aggregation instance. The aggregation instances and request counts for our example would be the following: - IP address 10.1.1.1, HTTP method POST: count 1 - IP address 10.1.1.1, HTTP method GET: count 2 - IP address 127.0.0.0, HTTP method POST: count 1 For any n-tuple of aggregation keys, each unique combination of values for the keys defines a separate aggregation instance, which AWS WAF counts and rate-limits individually. You can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts and rate limits requests that match the nested statement. You can use this nested scope-down statement in conjunction with your aggregation key specifications or you can just count and rate limit all requests that match the scope-down statement, without additional aggregation. When you choose to just manage all requests that match a scope-down statement, the aggregation instance is singular for the rule. You cannot nest a ``RateBasedStatement`` inside another statement, for example inside a ``NotStatement`` or ``OrStatement`` . You can define a ``RateBasedStatement`` inside a web ACL and inside a rule group. For additional information about the options, see `Rate limiting web requests using rate-based rules <https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html>`_ in the *AWS WAF Developer Guide* . If you only aggregate on the individual IP address or forwarded IP address, you can retrieve the list of IP addresses that AWS WAF is currently rate limiting for a rule through the API call ``GetRateBasedStatementManagedKeys`` . This option is not available for other aggregation configurations. AWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .
             :param regex_match_statement: A rule statement used to search web request components for a match against a single regular expression.
             :param regex_pattern_set_reference_statement: A rule statement used to search web request components for matches with regular expressions. To use this, create a ``RegexPatternSet`` that specifies the expressions that you want to detect, then use the ARN of that set in this statement. A web request matches the pattern set rule statement if the request component matches any of the patterns in the set. Each regex pattern set rule statement references a regex pattern set. You create and maintain the set independent of your rules. This allows you to use the single set in multiple rules. When you update the referenced set, AWS WAF automatically updates all rules that reference it.
-            :param size_constraint_statement: A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes. If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL ``AssociationConfig`` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size. If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI ``/logo.jpg`` is nine characters long.
+            :param size_constraint_statement: A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes. If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes in the body up to the limit for the web ACL and protected resource type. If you know that the request body for your web requests should never exceed the inspection limit, you can use a size constraint statement to block requests that have a larger request body size. For more information about the inspection limits, see ``Body`` and ``JsonBody`` settings for the ``FieldToMatch`` data type. If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI ``/logo.jpg`` is nine characters long.
             :param sqli_match_statement: A rule statement that inspects for malicious SQL code. Attackers insert malicious SQL code into web requests to do things like modify your database or extract data from it.
             :param xss_match_statement: A rule statement that inspects for cross-site scripting (XSS) attacks. In XSS attacks, the attacker uses vulnerabilities in a benign website as a vehicle to inject malicious client-site scripts into other legitimate web browsers.
 
@@ -9488,6 +9742,9 @@ class CfnRuleGroup(
                                 match_scope="matchScope",
                                 oversize_handling="oversizeHandling"
                             ),
+                            ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                fallback_behavior="fallbackBehavior"
+                            ),
                             json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                 match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                     all=all,
@@ -9588,6 +9845,7 @@ class CfnRuleGroup(
                                 )]
                             )
                         )],
+                        evaluation_window_sec=123,
                         forwarded_ip_config=wafv2.CfnRuleGroup.ForwardedIPConfigurationProperty(
                             fallback_behavior="fallbackBehavior",
                             header_name="headerName"
@@ -9618,6 +9876,9 @@ class CfnRuleGroup(
                                 match_scope="matchScope",
                                 oversize_handling="oversizeHandling"
                             ),
+                            ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                fallback_behavior="fallbackBehavior"
+                            ),
                             json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                 match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                     all=all,
@@ -9666,6 +9927,9 @@ class CfnRuleGroup(
                                 match_scope="matchScope",
                                 oversize_handling="oversizeHandling"
                             ),
+                            ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                fallback_behavior="fallbackBehavior"
+                            ),
                             json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                 match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                     all=all,
@@ -9713,6 +9977,9 @@ class CfnRuleGroup(
                                 match_scope="matchScope",
                                 oversize_handling="oversizeHandling"
                             ),
+                            ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                fallback_behavior="fallbackBehavior"
+                            ),
                             json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                 match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                     all=all,
@@ -9760,6 +10027,9 @@ class CfnRuleGroup(
                                 match_scope="matchScope",
                                 oversize_handling="oversizeHandling"
                             ),
+                            ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                fallback_behavior="fallbackBehavior"
+                            ),
                             json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                 match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                     all=all,
@@ -9809,6 +10079,9 @@ class CfnRuleGroup(
                                 match_scope="matchScope",
                                 oversize_handling="oversizeHandling"
                             ),
+                            ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                fallback_behavior="fallbackBehavior"
+                            ),
                             json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                 match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                     all=all,
@@ -10066,7 +10339,7 @@ class CfnRuleGroup(
 
             For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.
 
-            If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL ``AssociationConfig`` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.
+            If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes in the body up to the limit for the web ACL and protected resource type. If you know that the request body for your web requests should never exceed the inspection limit, you can use a size constraint statement to block requests that have a larger request body size. For more information about the inspection limits, see ``Body`` and ``JsonBody`` settings for the ``FieldToMatch`` data type.
 
             If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI ``/logo.jpg`` is nine characters long.
 
@@ -10201,7 +10474,7 @@ class CfnRuleGroup(
 
             :param cloud_watch_metrics_enabled: Indicates whether the associated resource sends metrics to Amazon CloudWatch. For the list of available metrics, see `AWS WAF Metrics <https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics>`_ in the *AWS WAF Developer Guide* . For web ACLs, the metrics are for web requests that have the web ACL default action applied. AWS WAF applies the default action to web requests that pass the inspection of all rules in the web ACL without being either allowed or blocked. For more information, see `The web ACL default action <https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-default-action.html>`_ in the *AWS WAF Developer Guide* .
             :param metric_name: A name of the Amazon CloudWatch metric dimension. The name can contain only the characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore). The name can be from one to 128 characters long. It can't contain whitespace or metric names that are reserved for AWS WAF , for example ``All`` and ``Default_Action`` .
-            :param sampled_requests_enabled: Indicates whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console.
+            :param sampled_requests_enabled: Indicates whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console. .. epigraph:: Request sampling doesn't provide a field redaction option, and any field redaction that you specify in your logging configuration doesn't affect sampling. The only way to exclude fields from request sampling is by disabling sampling in the web ACL visibility configuration.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-visibilityconfig.html
             :exampleMetadata: fixture=_generated
@@ -10265,6 +10538,9 @@ class CfnRuleGroup(
             '''Indicates whether AWS WAF should store a sampling of the web requests that match the rules.
 
             You can view the sampled requests through the AWS WAF console.
+            .. epigraph::
+
+               Request sampling doesn't provide a field redaction option, and any field redaction that you specify in your logging configuration doesn't affect sampling. The only way to exclude fields from request sampling is by disabling sampling in the web ACL visibility configuration.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-visibilityconfig.html#cfn-wafv2-rulegroup-visibilityconfig-sampledrequestsenabled
             '''
@@ -10346,6 +10622,9 @@ class CfnRuleGroup(
                             match_scope="matchScope",
                             oversize_handling="oversizeHandling"
                         ),
+                        ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                            fallback_behavior="fallbackBehavior"
+                        ),
                         json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                             match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                 all=all,
@@ -10541,6 +10820,9 @@ class CfnRuleGroupProps:
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -10641,6 +10923,7 @@ class CfnRuleGroupProps:
                                     )]
                                 )
                             )],
+                            evaluation_window_sec=123,
                             forwarded_ip_config=wafv2.CfnRuleGroup.ForwardedIPConfigurationProperty(
                                 fallback_behavior="fallbackBehavior",
                                 header_name="headerName"
@@ -10671,6 +10954,9 @@ class CfnRuleGroupProps:
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -10719,6 +11005,9 @@ class CfnRuleGroupProps:
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -10766,6 +11055,9 @@ class CfnRuleGroupProps:
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -10813,6 +11105,9 @@ class CfnRuleGroupProps:
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -10862,6 +11157,9 @@ class CfnRuleGroupProps:
                                     match_scope="matchScope",
                                     oversize_handling="oversizeHandling"
                                 ),
+                                ja3_fingerprint=wafv2.CfnRuleGroup.JA3FingerprintProperty(
+                                    fallback_behavior="fallbackBehavior"
+                                ),
                                 json_body=wafv2.CfnRuleGroup.JsonBodyProperty(
                                     match_pattern=wafv2.CfnRuleGroup.JsonMatchPatternProperty(
                                         all=all,
@@ -11157,7 +11455,7 @@ class CfnWebACL(
         :param default_action: The action to perform if none of the ``Rules`` contained in the ``WebACL`` match.
         :param scope: Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are ``CLOUDFRONT`` and ``REGIONAL`` . .. epigraph:: For ``CLOUDFRONT`` , you must create your WAFv2 resources in the US East (N. Virginia) Region, ``us-east-1`` . For information about how to define the association of the web ACL with your resource, see ``WebACLAssociation`` .
         :param visibility_config: Defines and enables Amazon CloudWatch metrics and web request sample collection.
-        :param association_config: Specifies custom configurations for the associations between the web ACL and protected resources. Use this to customize the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default is 16 KB (16,384 bytes). .. epigraph:: You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see `AWS WAF Pricing <https://docs.aws.amazon.com/waf/pricing/>`_ .
+        :param association_config: Specifies custom configurations for the associations between the web ACL and protected resources. Use this to customize the maximum size of the request body that your protected resources forward to AWS WAF for inspection. You can customize this setting for CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources. The default setting is 16 KB (16,384 bytes). .. epigraph:: You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see `AWS WAF Pricing <https://docs.aws.amazon.com/waf/pricing/>`_ . For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).
         :param captcha_config: Specifies how AWS WAF should handle ``CAPTCHA`` evaluations for rules that don't have their own ``CaptchaConfig`` settings. If you don't specify this, AWS WAF uses its default settings for ``CaptchaConfig`` .
         :param challenge_config: Specifies how AWS WAF should handle challenge evaluations for rules that don't have their own ``ChallengeConfig`` settings. If you don't specify this, AWS WAF uses its default settings for ``ChallengeConfig`` .
         :param custom_response_bodies: A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the web ACL, and then use them in the rules and default actions that you define in the web ACL. For information about customizing web requests and responses, see `Customizing web requests and responses in AWS WAF <https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html>`_ in the *AWS WAF Developer Guide* . For information about the limits on count and size for custom request and response settings, see `AWS WAF quotas <https://docs.aws.amazon.com/waf/latest/developerguide/limits.html>`_ in the *AWS WAF Developer Guide* .
@@ -12028,12 +12326,14 @@ class CfnWebACL(
         ) -> None:
             '''Specifies custom configurations for the associations between the web ACL and protected resources.
 
-            Use this to customize the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default is 16 KB (16,384 bytes).
+            Use this to customize the maximum size of the request body that your protected resources forward to AWS WAF for inspection. You can customize this setting for CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources. The default setting is 16 KB (16,384 bytes).
             .. epigraph::
 
                You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see `AWS WAF Pricing <https://docs.aws.amazon.com/waf/pricing/>`_ .
 
-            :param request_body: Customizes the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default size is 16 KB (16,384 bytes). .. epigraph:: You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see `AWS WAF Pricing <https://docs.aws.amazon.com/waf/pricing/>`_ .
+            For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).
+
+            :param request_body: Customizes the maximum size of the request body that your protected CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access resources forward to AWS WAF for inspection. The default size is 16 KB (16,384 bytes). You can change the setting for any of the available resource types. .. epigraph:: You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see `AWS WAF Pricing <https://docs.aws.amazon.com/waf/pricing/>`_ . Example JSON: ``{ "API_GATEWAY": "KB_48", "APP_RUNNER_SERVICE": "KB_32" }`` For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-associationconfig.html
             :exampleMetadata: fixture=_generated
@@ -12063,13 +12363,17 @@ class CfnWebACL(
         def request_body(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Mapping[builtins.str, typing.Union[_IResolvable_da3f097b, "CfnWebACL.RequestBodyAssociatedResourceTypeConfigProperty"]]]]:
-            '''Customizes the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection.
+            '''Customizes the maximum size of the request body that your protected CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access resources forward to AWS WAF for inspection.
 
-            The default size is 16 KB (16,384 bytes).
+            The default size is 16 KB (16,384 bytes). You can change the setting for any of the available resource types.
             .. epigraph::
 
                You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see `AWS WAF Pricing <https://docs.aws.amazon.com/waf/pricing/>`_ .
 
+            Example JSON: ``{ "API_GATEWAY": "KB_48", "APP_RUNNER_SERVICE": "KB_32" }``
+
+            For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).
+
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-associationconfig.html#cfn-wafv2-webacl-associationconfig-requestbody
             '''
             result = self._values.get("request_body")
@@ -12171,7 +12475,7 @@ class CfnWebACL(
 
             This is used to indicate the web request component to inspect, in the ``FieldToMatch`` specification.
 
-            :param oversize_handling: What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection. The default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL ``AssociationConfig`` , for additional processing fees. The options for oversize handling are the following: - ``CONTINUE`` - Inspect the available body contents normally, according to the rule inspection criteria. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit. Default: ``CONTINUE``
+            :param oversize_handling: What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection. - For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes). - For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL ``AssociationConfig`` , for additional processing fees. The options for oversize handling are the following: - ``CONTINUE`` - Inspect the available body contents normally, according to the rule inspection criteria. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit. Default: ``CONTINUE``
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-body.html
             :exampleMetadata: fixture=_generated
@@ -12197,9 +12501,10 @@ class CfnWebACL(
         def oversize_handling(self) -> typing.Optional[builtins.str]:
             '''What AWS WAF should do if the body is larger than AWS WAF can inspect.
 
-            AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.
+            AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.
 
-            The default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL ``AssociationConfig`` , for additional processing fees.
+            - For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).
+            - For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL ``AssociationConfig`` , for additional processing fees.
 
             The options for oversize handling are the following:
 
@@ -12299,6 +12604,9 @@ class CfnWebACL(
                             match_scope="matchScope",
                             oversize_handling="oversizeHandling"
                         ),
+                        ja3_fingerprint=wafv2.CfnWebACL.JA3FingerprintProperty(
+                            fallback_behavior="fallbackBehavior"
+                        ),
                         json_body=wafv2.CfnWebACL.JsonBodyProperty(
                             match_pattern=wafv2.CfnWebACL.JsonMatchPatternProperty(
                                 all=all,
@@ -13549,6 +13857,7 @@ class CfnWebACL(
             "body": "body",
             "cookies": "cookies",
             "headers": "headers",
+            "ja3_fingerprint": "ja3Fingerprint",
             "json_body": "jsonBody",
             "method": "method",
             "query_string": "queryString",
@@ -13565,6 +13874,7 @@ class CfnWebACL(
             body: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnWebACL.BodyProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             cookies: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnWebACL.CookiesProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             headers: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnWebACL.HeadersProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
+            ja3_fingerprint: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnWebACL.JA3FingerprintProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             json_body: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnWebACL.JsonBodyProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             method: typing.Any = None,
             query_string: typing.Any = None,
@@ -13587,12 +13897,14 @@ class CfnWebACL(
             - In a logging configuration, this is used in the ``RedactedFields`` property to specify a field to redact from the logging records. For this use case, note the following:
             - Even though all ``FieldToMatch`` settings are available, the only valid settings for field redaction are ``UriPath`` , ``QueryString`` , ``SingleHeader`` , and ``Method`` .
             - In this documentation, the descriptions of the individual fields talk about specifying the web request component to inspect, but for field redaction, you are specifying the component type to redact from the logs.
+            - If you have request sampling enabled, the redacted fields configuration for logging has no impact on sampling. The only way to exclude fields from request sampling is by disabling sampling in the web ACL visibility configuration.
 
             :param all_query_arguments: Inspect all query arguments.
-            :param body: Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. A limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's ``AssociationConfig`` , for additional processing fees. For information about how to handle oversized request bodies, see the ``Body`` object configuration.
+            :param body: Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection. - For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes). - For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL ``AssociationConfig`` , for additional processing fees. For information about how to handle oversized request bodies, see the ``Body`` object configuration.
             :param cookies: Inspect the request cookies. You must configure scope and pattern matching filters in the ``Cookies`` object, to define the set of cookies and the parts of the cookies that AWS WAF inspects. Only the first 8 KB (8192 bytes) of a request's cookies and only the first 200 cookies are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize cookie content in the ``Cookies`` object. AWS WAF applies the pattern matching filters to the cookies that it receives from the underlying host service.
             :param headers: Inspect the request headers. You must configure scope and pattern matching filters in the ``Headers`` object, to define the set of headers to and the parts of the headers that AWS WAF inspects. Only the first 8 KB (8192 bytes) of a request's headers and only the first 200 headers are forwarded to AWS WAF for inspection by the underlying host service. You must configure how to handle any oversize header content in the ``Headers`` object. AWS WAF applies the pattern matching filters to the headers that it receives from the underlying host service.
-            :param json_body: Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. A limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's ``AssociationConfig`` , for additional processing fees. For information about how to handle oversized request bodies, see the ``JsonBody`` object configuration.
+            :param ja3_fingerprint: Match against the request's JA3 fingerprint. The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. AWS WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information. .. epigraph:: You can use this choice only with a string match ``ByteMatchStatement`` with the ``PositionalConstraint`` set to ``EXACTLY`` . You can obtain the JA3 fingerprint for client requests from the web ACL logs. If AWS WAF is able to calculate the fingerprint, it includes it in the logs. For information about the logging fields, see `Log fields <https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html>`_ in the *AWS WAF Developer Guide* . Provide the JA3 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration.
+            :param json_body: Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection. - For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes). - For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL ``AssociationConfig`` , for additional processing fees. For information about how to handle oversized request bodies, see the ``JsonBody`` object configuration.
             :param method: Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.
             :param query_string: Inspect the query string. This is the part of a URL that appears after a ``?`` character, if any.
             :param single_header: Inspect a single header. Provide the name of the header to inspect, for example, ``User-Agent`` or ``Referer`` . This setting isn't case sensitive. Example JSON: ``"SingleHeader": { "Name": "haystack" }`` Alternately, you can filter and inspect all headers with the ``Headers`` ``FieldToMatch`` setting.
@@ -13639,6 +13951,9 @@ class CfnWebACL(
                         match_scope="matchScope",
                         oversize_handling="oversizeHandling"
                     ),
+                    ja3_fingerprint=wafv2.CfnWebACL.JA3FingerprintProperty(
+                        fallback_behavior="fallbackBehavior"
+                    ),
                     json_body=wafv2.CfnWebACL.JsonBodyProperty(
                         match_pattern=wafv2.CfnWebACL.JsonMatchPatternProperty(
                             all=all,
@@ -13663,6 +13978,7 @@ class CfnWebACL(
                 check_type(argname="argument body", value=body, expected_type=type_hints["body"])
                 check_type(argname="argument cookies", value=cookies, expected_type=type_hints["cookies"])
                 check_type(argname="argument headers", value=headers, expected_type=type_hints["headers"])
+                check_type(argname="argument ja3_fingerprint", value=ja3_fingerprint, expected_type=type_hints["ja3_fingerprint"])
                 check_type(argname="argument json_body", value=json_body, expected_type=type_hints["json_body"])
                 check_type(argname="argument method", value=method, expected_type=type_hints["method"])
                 check_type(argname="argument query_string", value=query_string, expected_type=type_hints["query_string"])
@@ -13678,6 +13994,8 @@ class CfnWebACL(
                 self._values["cookies"] = cookies
             if headers is not None:
                 self._values["headers"] = headers
+            if ja3_fingerprint is not None:
+                self._values["ja3_fingerprint"] = ja3_fingerprint
             if json_body is not None:
                 self._values["json_body"] = json_body
             if method is not None:
@@ -13708,7 +14026,10 @@ class CfnWebACL(
 
             The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.
 
-            A limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's ``AssociationConfig`` , for additional processing fees.
+            AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.
+
+            - For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).
+            - For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL ``AssociationConfig`` , for additional processing fees.
 
             For information about how to handle oversized request bodies, see the ``Body`` object configuration.
 
@@ -13747,6 +14068,26 @@ class CfnWebACL(
             result = self._values.get("headers")
             return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnWebACL.HeadersProperty"]], result)
 
+        @builtins.property
+        def ja3_fingerprint(
+            self,
+        ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnWebACL.JA3FingerprintProperty"]]:
+            '''Match against the request's JA3 fingerprint.
+
+            The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. AWS WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information.
+            .. epigraph::
+
+               You can use this choice only with a string match ``ByteMatchStatement`` with the ``PositionalConstraint`` set to ``EXACTLY`` .
+
+            You can obtain the JA3 fingerprint for client requests from the web ACL logs. If AWS WAF is able to calculate the fingerprint, it includes it in the logs. For information about the logging fields, see `Log fields <https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html>`_ in the *AWS WAF Developer Guide* .
+
+            Provide the JA3 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-fieldtomatch.html#cfn-wafv2-webacl-fieldtomatch-ja3fingerprint
+            '''
+            result = self._values.get("ja3_fingerprint")
+            return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnWebACL.JA3FingerprintProperty"]], result)
+
         @builtins.property
         def json_body(
             self,
@@ -13755,7 +14096,10 @@ class CfnWebACL(
 
             The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.
 
-            A limited amount of the request body is forwarded to AWS WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's ``AssociationConfig`` , for additional processing fees.
+            AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.
+
+            - For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).
+            - For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL ``AssociationConfig`` , for additional processing fees.
 
             For information about how to handle oversized request bodies, see the ``JsonBody`` object configuration.
 
@@ -14516,6 +14860,72 @@ class CfnWebACL(
                 k + "=" + repr(v) for k, v in self._values.items()
             )
 
+    @jsii.data_type(
+        jsii_type="aws-cdk-lib.aws_wafv2.CfnWebACL.JA3FingerprintProperty",
+        jsii_struct_bases=[],
+        name_mapping={"fallback_behavior": "fallbackBehavior"},
+    )
+    class JA3FingerprintProperty:
+        def __init__(self, *, fallback_behavior: builtins.str) -> None:
+            '''Match against the request's JA3 fingerprint.
+
+            The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. AWS WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information.
+            .. epigraph::
+
+               You can use this choice only with a string match ``ByteMatchStatement`` with the ``PositionalConstraint`` set to ``EXACTLY`` .
+
+            You can obtain the JA3 fingerprint for client requests from the web ACL logs. If AWS WAF is able to calculate the fingerprint, it includes it in the logs. For information about the logging fields, see `Log fields <https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html>`_ in the *AWS WAF Developer Guide* .
+
+            Provide the JA3 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration.
+
+            :param fallback_behavior: The match status to assign to the web request if the request doesn't have a JA3 fingerprint. You can specify the following fallback behaviors: - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-ja3fingerprint.html
+            :exampleMetadata: fixture=_generated
+
+            Example::
+
+                # The code below shows an example of how to instantiate this type.
+                # The values are placeholders you should change.
+                from aws_cdk import aws_wafv2 as wafv2
+                
+                j_a3_fingerprint_property = wafv2.CfnWebACL.JA3FingerprintProperty(
+                    fallback_behavior="fallbackBehavior"
+                )
+            '''
+            if __debug__:
+                type_hints = typing.get_type_hints(_typecheckingstub__129b51143b193ce4679091a559f9a4073c03a2bccc1ccb884fe1b4dd3856119e)
+                check_type(argname="argument fallback_behavior", value=fallback_behavior, expected_type=type_hints["fallback_behavior"])
+            self._values: typing.Dict[builtins.str, typing.Any] = {
+                "fallback_behavior": fallback_behavior,
+            }
+
+        @builtins.property
+        def fallback_behavior(self) -> builtins.str:
+            '''The match status to assign to the web request if the request doesn't have a JA3 fingerprint.
+
+            You can specify the following fallback behaviors:
+
+            - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request.
+            - ``NO_MATCH`` - Treat the web request as not matching the rule statement.
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-ja3fingerprint.html#cfn-wafv2-webacl-ja3fingerprint-fallbackbehavior
+            '''
+            result = self._values.get("fallback_behavior")
+            assert result is not None, "Required property 'fallback_behavior' is missing"
+            return typing.cast(builtins.str, result)
+
+        def __eq__(self, rhs: typing.Any) -> builtins.bool:
+            return isinstance(rhs, self.__class__) and rhs._values == self._values
+
+        def __ne__(self, rhs: typing.Any) -> builtins.bool:
+            return not (rhs == self)
+
+        def __repr__(self) -> str:
+            return "JA3FingerprintProperty(%s)" % ", ".join(
+                k + "=" + repr(v) for k, v in self._values.items()
+            )
+
     @jsii.data_type(
         jsii_type="aws-cdk-lib.aws_wafv2.CfnWebACL.JsonBodyProperty",
         jsii_struct_bases=[],
@@ -14546,7 +14956,7 @@ class CfnWebACL(
             :param match_pattern: The patterns to look for in the JSON body. AWS WAF inspects the results of these pattern matches against the rule inspection criteria.
             :param match_scope: The parts of the JSON to match against using the ``MatchPattern`` . If you specify ``ALL`` , AWS WAF matches against keys and values. ``All`` does not require a match to be found in the keys and a match to be found in the values. It requires a match to be found in the keys or the values or both. To require a match in the keys and in the values, use a logical ``AND`` statement to combine two match rules, one that inspects the keys and another that inspects the values.
             :param invalid_fallback_behavior: What AWS WAF should do if it fails to completely parse the JSON body. The options are the following:. - ``EVALUATE_AS_STRING`` - Inspect the body as plain text. AWS WAF applies the text transformations and inspection criteria that you defined for the JSON inspection to the body text string. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. If you don't provide this setting, AWS WAF parses and evaluates the content only up to the first parsing failure that it encounters. AWS WAF does its best to parse the entire JSON body, but might be forced to stop for reasons such as invalid characters, duplicate keys, truncation, and any content whose root node isn't an object or an array. AWS WAF parses the JSON in the following examples as two valid key, value pairs: - Missing comma: ``{"key1":"value1""key2":"value2"}`` - Missing colon: ``{"key1":"value1","key2""value2"}`` - Extra colons: ``{"key1"::"value1","key2""value2"}``
-            :param oversize_handling: What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection. The default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL ``AssociationConfig`` , for additional processing fees. The options for oversize handling are the following: - ``CONTINUE`` - Inspect the available body contents normally, according to the rule inspection criteria. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit. Default: ``CONTINUE``
+            :param oversize_handling: What AWS WAF should do if the body is larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection. - For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes). - For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL ``AssociationConfig`` , for additional processing fees. The options for oversize handling are the following: - ``CONTINUE`` - Inspect the available body contents normally, according to the rule inspection criteria. - ``MATCH`` - Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. - ``NO_MATCH`` - Treat the web request as not matching the rule statement. You can combine the ``MATCH`` or ``NO_MATCH`` settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit. Default: ``CONTINUE``
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-jsonbody.html
             :exampleMetadata: fixture=_generated
@@ -14641,9 +15051,10 @@ class CfnWebACL(
         def oversize_handling(self) -> typing.Optional[builtins.str]:
             '''What AWS WAF should do if the body is larger than AWS WAF can inspect.
 
-            AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to AWS WAF for inspection.
+            AWS WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to AWS WAF for inspection.
 
-            The default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL ``AssociationConfig`` , for additional processing fees.
+            - For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).
+            - For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB (16,384 bytes), and you can increase the limit for each resource type in the web ACL ``AssociationConfig`` , for additional processing fees.
 
             The options for oversize handling are the following:
 
@@ -15804,6 +16215,7 @@ class CfnWebACL(
             "aggregate_key_type": "aggregateKeyType",
             "limit": "limit",
             "custom_keys": "customKeys",
+            "evaluation_window_sec": "evaluationWindowSec",
             "forwarded_ip_config": "forwardedIpConfig",
             "scope_down_statement": "scopeDownStatement",
         },
@@ -15815,6 +16227,7 @@ class CfnWebACL(
             aggregate_key_type: builtins.str,
             limit: jsii.Number,
             custom_keys: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnWebACL.RateBasedStatementCustomKeyProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
+            evaluation_window_sec: typing.Optional[jsii.Number] = None,
             forwarded_ip_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnWebACL.ForwardedIPConfigurationProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             scope_down_statement: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnWebACL.StatementProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
@@ -15864,6 +16277,7 @@ class CfnWebACL(
             :param aggregate_key_type: Setting that indicates how to aggregate the request counts. .. epigraph:: Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling. - ``CONSTANT`` - Count and limit the requests that match the rate-based rule's scope-down statement. With this option, the counted requests aren't further aggregated. The scope-down statement is the only specification used. When the count of all requests that satisfy the scope-down statement goes over the limit, AWS WAF applies the rule action to all requests that satisfy the scope-down statement. With this option, you must configure the ``ScopeDownStatement`` property. - ``CUSTOM_KEYS`` - Aggregate the request counts using one or more web request components as the aggregate keys. With this option, you must specify the aggregate keys in the ``CustomKeys`` property. To aggregate on only the IP address or only the forwarded IP address, don't use custom keys. Instead, set the aggregate key type to ``IP`` or ``FORWARDED_IP`` . - ``FORWARDED_IP`` - Aggregate the request counts on the first IP address in an HTTP header. With this option, you must specify the header to use in the ``ForwardedIPConfig`` property. To aggregate on a combination of the forwarded IP address with other aggregate keys, use ``CUSTOM_KEYS`` . - ``IP`` - Aggregate the request counts on the IP address from the web request origin. To aggregate on a combination of the IP address with other aggregate keys, use ``CUSTOM_KEYS`` .
             :param limit: The limit on requests per 5-minute period for a single aggregation instance for the rate-based rule. If the rate-based statement includes a ``ScopeDownStatement`` , this limit is applied only to the requests that match the statement. Examples: - If you aggregate on just the IP address, this is the limit on requests from any single IP address. - If you aggregate on the HTTP method and the query argument name "city", then this is the limit on requests for any single method, city pair.
             :param custom_keys: Specifies the aggregate keys to use in a rate-base rule.
+            :param evaluation_window_sec: The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time. For example, for a setting of 120, when AWS WAF checks the rate, it counts the requests for the 2 minutes immediately preceding the current time. Valid settings are 60, 120, 300, and 600. This setting doesn't determine how often AWS WAF checks the rate, but how far back it looks each time it checks. AWS WAF checks the rate about every 10 seconds. Default: ``300`` (5 minutes)
             :param forwarded_ip_config: The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name. .. epigraph:: If the specified header isn't present in the request, AWS WAF doesn't apply the rule to the web request at all. This is required if you specify a forwarded IP in the rule's aggregate key settings.
             :param scope_down_statement: An optional nested statement that narrows the scope of the web requests that are evaluated and managed by the rate-based statement. When you use a scope-down statement, the rate-based rule only tracks and rate limits requests that match the scope-down statement. You can use any nestable ``Statement`` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.
 
@@ -15879,6 +16293,7 @@ class CfnWebACL(
                 check_type(argname="argument aggregate_key_type", value=aggregate_key_type, expected_type=type_hints["aggregate_key_type"])
                 check_type(argname="argument limit", value=limit, expected_type=type_hints["limit"])
                 check_type(argname="argument custom_keys", value=custom_keys, expected_type=type_hints["custom_keys"])
+                check_type(argname="argument evaluation_window_sec", value=evaluation_window_sec, expected_type=type_hints["evaluation_window_sec"])
                 check_type(argname="argument forwarded_ip_config", value=forwarded_ip_config, expected_type=type_hints["forwarded_ip_config"])
                 check_type(argname="argument scope_down_statement", value=scope_down_statement, expected_type=type_hints["scope_down_statement"])
             self._values: typing.Dict[builtins.str, typing.Any] = {
@@ -15887,6 +16302,8 @@ class CfnWebACL(
             }
             if custom_keys is not None:
                 self._values["custom_keys"] = custom_keys
+            if evaluation_window_sec is not None:
+                self._values["evaluation_window_sec"] = evaluation_window_sec
             if forwarded_ip_config is not None:
                 self._values["forwarded_ip_config"] = forwarded_ip_config
             if scope_down_statement is not None:
@@ -15954,6 +16371,21 @@ class CfnWebACL(
             result = self._values.get("custom_keys")
             return typing.cast(typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnWebACL.RateBasedStatementCustomKeyProperty"]]]], result)
 
+        @builtins.property
+        def evaluation_window_sec(self) -> typing.Optional[jsii.Number]:
+            '''The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time.
+
+            For example, for a setting of 120, when AWS WAF checks the rate, it counts the requests for the 2 minutes immediately preceding the current time. Valid settings are 60, 120, 300, and 600.
+
+            This setting doesn't determine how often AWS WAF checks the rate, but how far back it looks each time it checks. AWS WAF checks the rate about every 10 seconds.
+
+            Default: ``300`` (5 minutes)
+
+            :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-ratebasedstatement.html#cfn-wafv2-webacl-ratebasedstatement-evaluationwindowsec
+            '''
+            result = self._values.get("evaluation_window_sec")
+            return typing.cast(typing.Optional[jsii.Number], result)
+
         @builtins.property
         def forwarded_ip_config(
             self,
@@ -16488,6 +16920,9 @@ class CfnWebACL(
                             match_scope="matchScope",
                             oversize_handling="oversizeHandling"
                         ),
+                        ja3_fingerprint=wafv2.CfnWebACL.JA3FingerprintProperty(
+                            fallback_behavior="fallbackBehavior"
+                        ),
                         json_body=wafv2.CfnWebACL.JsonBodyProperty(
                             match_pattern=wafv2.CfnWebACL.JsonMatchPatternProperty(
                                 all=all,
@@ -16639,6 +17074,9 @@ class CfnWebACL(
                             match_scope="matchScope",
                             oversize_handling="oversizeHandling"
                         ),
+                        ja3_fingerprint=wafv2.CfnWebACL.JA3FingerprintProperty(
+                            fallback_behavior="fallbackBehavior"
+                        ),
                         json_body=wafv2.CfnWebACL.JsonBodyProperty(
                             match_pattern=wafv2.CfnWebACL.JsonMatchPatternProperty(
                                 all=all,
@@ -16727,16 +17165,20 @@ class CfnWebACL(
     )
     class RequestBodyAssociatedResourceTypeConfigProperty:
         def __init__(self, *, default_size_inspection_limit: builtins.str) -> None:
-            '''Customizes the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection.
+            '''Customizes the maximum size of the request body that your protected CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access resources forward to AWS WAF for inspection.
 
-            The default size is 16 KB (16,384 bytes).
+            The default size is 16 KB (16,384 bytes). You can change the setting for any of the available resource types.
             .. epigraph::
 
                You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see `AWS WAF Pricing <https://docs.aws.amazon.com/waf/pricing/>`_ .
 
+            Example JSON: ``{ "API_GATEWAY": "KB_48", "APP_RUNNER_SERVICE": "KB_32" }``
+
+            For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).
+
             This is used in the ``AssociationConfig`` of the web ACL.
 
-            :param default_size_inspection_limit: Specifies the maximum size of the web request body component that an associated CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Default: ``16 KB (16,384 bytes)``
+            :param default_size_inspection_limit: Specifies the maximum size of the web request body component that an associated CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resource should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Default: ``16 KB (16,384 bytes)``
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-requestbodyassociatedresourcetypeconfig.html
             :exampleMetadata: fixture=_generated
@@ -16760,7 +17202,7 @@ class CfnWebACL(
 
         @builtins.property
         def default_size_inspection_limit(self) -> builtins.str:
-            '''Specifies the maximum size of the web request body component that an associated CloudFront distribution should send to AWS WAF for inspection.
+            '''Specifies the maximum size of the web request body component that an associated CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resource should send to AWS WAF for inspection.
 
             This applies to statements in the web ACL that inspect the body or JSON body.
 
@@ -18487,7 +18929,7 @@ class CfnWebACL(
 
             For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.
 
-            If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL ``AssociationConfig`` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.
+            If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes in the body up to the limit for the web ACL and protected resource type. If you know that the request body for your web requests should never exceed the inspection limit, you can use a size constraint statement to block requests that have a larger request body size. For more information about the inspection limits, see ``Body`` and ``JsonBody`` settings for the ``FieldToMatch`` data type.
 
             If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI ``/logo.jpg`` is nine characters long.
 
@@ -18538,6 +18980,9 @@ class CfnWebACL(
                             match_scope="matchScope",
                             oversize_handling="oversizeHandling"
                         ),
+                        ja3_fingerprint=wafv2.CfnWebACL.JA3FingerprintProperty(
+                            fallback_behavior="fallbackBehavior"
+                        ),
                         json_body=wafv2.CfnWebACL.JsonBodyProperty(
                             match_pattern=wafv2.CfnWebACL.JsonMatchPatternProperty(
                                 all=all,
@@ -18698,6 +19143,9 @@ class CfnWebACL(
                             match_scope="matchScope",
                             oversize_handling="oversizeHandling"
                         ),
+                        ja3_fingerprint=wafv2.CfnWebACL.JA3FingerprintProperty(
+                            fallback_behavior="fallbackBehavior"
+                        ),
                         json_body=wafv2.CfnWebACL.JsonBodyProperty(
                             match_pattern=wafv2.CfnWebACL.JsonMatchPatternProperty(
                                 all=all,
@@ -18843,7 +19291,7 @@ class CfnWebACL(
             :param regex_match_statement: A rule statement used to search web request components for a match against a single regular expression.
             :param regex_pattern_set_reference_statement: A rule statement used to search web request components for matches with regular expressions. To use this, create a ``RegexPatternSet`` that specifies the expressions that you want to detect, then use the ARN of that set in this statement. A web request matches the pattern set rule statement if the request component matches any of the patterns in the set. Each regex pattern set rule statement references a regex pattern set. You create and maintain the set independent of your rules. This allows you to use the single set in multiple rules. When you update the referenced set, AWS WAF automatically updates all rules that reference it.
             :param rule_group_reference_statement: A rule statement used to run the rules that are defined in a ``RuleGroup`` . To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement. You cannot nest a ``RuleGroupReferenceStatement`` , for example for use inside a ``NotStatement`` or ``OrStatement`` . You cannot use a rule group reference statement inside another rule group. You can only reference a rule group as a top-level statement within a rule that you define in a web ACL.
-            :param size_constraint_statement: A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes. If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL ``AssociationConfig`` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size. If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI ``/logo.jpg`` is nine characters long.
+            :param size_constraint_statement: A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes. If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes in the body up to the limit for the web ACL and protected resource type. If you know that the request body for your web requests should never exceed the inspection limit, you can use a size constraint statement to block requests that have a larger request body size. For more information about the inspection limits, see ``Body`` and ``JsonBody`` settings for the ``FieldToMatch`` data type. If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI ``/logo.jpg`` is nine characters long.
             :param sqli_match_statement: A rule statement that inspects for malicious SQL code. Attackers insert malicious SQL code into web requests to do things like modify your database or extract data from it.
             :param xss_match_statement: A rule statement that inspects for cross-site scripting (XSS) attacks. In XSS attacks, the attacker uses vulnerabilities in a benign website as a vehicle to inject malicious client-site scripts into other legitimate web browsers.
 
@@ -19126,7 +19574,7 @@ class CfnWebACL(
 
             For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.
 
-            If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL ``AssociationConfig`` , for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.
+            If you configure AWS WAF to inspect the request body, AWS WAF inspects only the number of bytes in the body up to the limit for the web ACL and protected resource type. If you know that the request body for your web requests should never exceed the inspection limit, you can use a size constraint statement to block requests that have a larger request body size. For more information about the inspection limits, see ``Body`` and ``JsonBody`` settings for the ``FieldToMatch`` data type.
 
             If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI ``/logo.jpg`` is nine characters long.
 
@@ -19261,7 +19709,7 @@ class CfnWebACL(
 
             :param cloud_watch_metrics_enabled: Indicates whether the associated resource sends metrics to Amazon CloudWatch. For the list of available metrics, see `AWS WAF Metrics <https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics>`_ in the *AWS WAF Developer Guide* . For web ACLs, the metrics are for web requests that have the web ACL default action applied. AWS WAF applies the default action to web requests that pass the inspection of all rules in the web ACL without being either allowed or blocked. For more information, see `The web ACL default action <https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-default-action.html>`_ in the *AWS WAF Developer Guide* .
             :param metric_name: A name of the Amazon CloudWatch metric dimension. The name can contain only the characters: A-Z, a-z, 0-9, - (hyphen), and _ (underscore). The name can be from one to 128 characters long. It can't contain whitespace or metric names that are reserved for AWS WAF , for example ``All`` and ``Default_Action`` .
-            :param sampled_requests_enabled: Indicates whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console.
+            :param sampled_requests_enabled: Indicates whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console. .. epigraph:: Request sampling doesn't provide a field redaction option, and any field redaction that you specify in your logging configuration doesn't affect sampling. The only way to exclude fields from request sampling is by disabling sampling in the web ACL visibility configuration.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-visibilityconfig.html
             :exampleMetadata: fixture=_generated
@@ -19325,6 +19773,9 @@ class CfnWebACL(
             '''Indicates whether AWS WAF should store a sampling of the web requests that match the rules.
 
             You can view the sampled requests through the AWS WAF console.
+            .. epigraph::
+
+               Request sampling doesn't provide a field redaction option, and any field redaction that you specify in your logging configuration doesn't affect sampling. The only way to exclude fields from request sampling is by disabling sampling in the web ACL visibility configuration.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-visibilityconfig.html#cfn-wafv2-webacl-visibilityconfig-sampledrequestsenabled
             '''
@@ -19406,6 +19857,9 @@ class CfnWebACL(
                             match_scope="matchScope",
                             oversize_handling="oversizeHandling"
                         ),
+                        ja3_fingerprint=wafv2.CfnWebACL.JA3FingerprintProperty(
+                            fallback_behavior="fallbackBehavior"
+                        ),
                         json_body=wafv2.CfnWebACL.JsonBodyProperty(
                             match_pattern=wafv2.CfnWebACL.JsonMatchPatternProperty(
                                 all=all,
@@ -19730,7 +20184,7 @@ class CfnWebACLProps:
         :param default_action: The action to perform if none of the ``Rules`` contained in the ``WebACL`` match.
         :param scope: Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance. Valid Values are ``CLOUDFRONT`` and ``REGIONAL`` . .. epigraph:: For ``CLOUDFRONT`` , you must create your WAFv2 resources in the US East (N. Virginia) Region, ``us-east-1`` . For information about how to define the association of the web ACL with your resource, see ``WebACLAssociation`` .
         :param visibility_config: Defines and enables Amazon CloudWatch metrics and web request sample collection.
-        :param association_config: Specifies custom configurations for the associations between the web ACL and protected resources. Use this to customize the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default is 16 KB (16,384 bytes). .. epigraph:: You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see `AWS WAF Pricing <https://docs.aws.amazon.com/waf/pricing/>`_ .
+        :param association_config: Specifies custom configurations for the associations between the web ACL and protected resources. Use this to customize the maximum size of the request body that your protected resources forward to AWS WAF for inspection. You can customize this setting for CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources. The default setting is 16 KB (16,384 bytes). .. epigraph:: You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see `AWS WAF Pricing <https://docs.aws.amazon.com/waf/pricing/>`_ . For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).
         :param captcha_config: Specifies how AWS WAF should handle ``CAPTCHA`` evaluations for rules that don't have their own ``CaptchaConfig`` settings. If you don't specify this, AWS WAF uses its default settings for ``CaptchaConfig`` .
         :param challenge_config: Specifies how AWS WAF should handle challenge evaluations for rules that don't have their own ``ChallengeConfig`` settings. If you don't specify this, AWS WAF uses its default settings for ``ChallengeConfig`` .
         :param custom_response_bodies: A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the web ACL, and then use them in the rules and default actions that you define in the web ACL. For information about customizing web requests and responses, see `Customizing web requests and responses in AWS WAF <https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html>`_ in the *AWS WAF Developer Guide* . For information about the limits on count and size for custom request and response settings, see `AWS WAF quotas <https://docs.aws.amazon.com/waf/latest/developerguide/limits.html>`_ in the *AWS WAF Developer Guide* .
@@ -19832,11 +20286,13 @@ class CfnWebACLProps:
     ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, CfnWebACL.AssociationConfigProperty]]:
         '''Specifies custom configurations for the associations between the web ACL and protected resources.
 
-        Use this to customize the maximum size of the request body that your protected CloudFront distributions forward to AWS WAF for inspection. The default is 16 KB (16,384 bytes).
+        Use this to customize the maximum size of the request body that your protected resources forward to AWS WAF for inspection. You can customize this setting for CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources. The default setting is 16 KB (16,384 bytes).
         .. epigraph::
 
            You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see `AWS WAF Pricing <https://docs.aws.amazon.com/waf/pricing/>`_ .
 
+        For Application Load Balancer and AWS AppSync , the limit is fixed at 8 KB (8,192 bytes).
+
         :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-wafv2-webacl.html#cfn-wafv2-webacl-associationconfig
         '''
         result = self._values.get("association_config")
@@ -20464,6 +20920,7 @@ def _typecheckingstub__dcb790c3130e52c64e6b7cf00db86b37d1b54427689c46b6c9e6a7122
     body: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnRuleGroup.BodyProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     cookies: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnRuleGroup.CookiesProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     headers: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnRuleGroup.HeadersProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    ja3_fingerprint: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnRuleGroup.JA3FingerprintProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     json_body: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnRuleGroup.JsonBodyProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     method: typing.Any = None,
     query_string: typing.Any = None,
@@ -20532,6 +20989,13 @@ def _typecheckingstub__f31a0b3f57889411d82cd445b651ca6964104416a165d4f1341a7386e
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__1cba50229767598d7603bfa317a8bd11cfc2b12ca28d38737119d57d5d04667d(
+    *,
+    fallback_behavior: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__602ab3bf019e524b1f85e0a2cdb3225626316719b294dfa66fcfd8b7fc9e7a09(
     *,
     match_pattern: typing.Union[_IResolvable_da3f097b, typing.Union[CfnRuleGroup.JsonMatchPatternProperty, typing.Dict[builtins.str, typing.Any]]],
@@ -20606,6 +21070,7 @@ def _typecheckingstub__39e60064f8f4286866d2fa7f3c5494f2a2f33a4179f5370836b825ab3
     aggregate_key_type: builtins.str,
     limit: jsii.Number,
     custom_keys: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnRuleGroup.RateBasedStatementCustomKeyProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+    evaluation_window_sec: typing.Optional[jsii.Number] = None,
     forwarded_ip_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnRuleGroup.ForwardedIPConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     scope_down_statement: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnRuleGroup.StatementProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None:
@@ -21085,6 +21550,7 @@ def _typecheckingstub__25d147c856e9a8fd64f4cc05856e4813e584f37ef787792ad3c4e0790
     body: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnWebACL.BodyProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     cookies: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnWebACL.CookiesProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     headers: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnWebACL.HeadersProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
+    ja3_fingerprint: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnWebACL.JA3FingerprintProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     json_body: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnWebACL.JsonBodyProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     method: typing.Any = None,
     query_string: typing.Any = None,
@@ -21153,6 +21619,13 @@ def _typecheckingstub__4ebec44af1e8d72b72f8c361dc8efc545a044cf914ee07c895cf4c1d1
     """Type checking stubs"""
     pass
 
+def _typecheckingstub__129b51143b193ce4679091a559f9a4073c03a2bccc1ccb884fe1b4dd3856119e(
+    *,
+    fallback_behavior: builtins.str,
+) -> None:
+    """Type checking stubs"""
+    pass
+
 def _typecheckingstub__b371d01e6e192e377c25d061f5a40b73b3aca7d15781a83f612151eddebe6fa2(
     *,
     match_pattern: typing.Union[_IResolvable_da3f097b, typing.Union[CfnWebACL.JsonMatchPatternProperty, typing.Dict[builtins.str, typing.Any]]],
@@ -21254,6 +21727,7 @@ def _typecheckingstub__d49b8cc0c82261f5510afab04b955c5ca035f3eea109c82126189a502
     aggregate_key_type: builtins.str,
     limit: jsii.Number,
     custom_keys: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union[CfnWebACL.RateBasedStatementCustomKeyProperty, typing.Dict[builtins.str, typing.Any]]]]]] = None,
+    evaluation_window_sec: typing.Optional[jsii.Number] = None,
     forwarded_ip_config: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnWebACL.ForwardedIPConfigurationProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
     scope_down_statement: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union[CfnWebACL.StatementProperty, typing.Dict[builtins.str, typing.Any]]]] = None,
 ) -> None: