aws-cdk-lib 2.173.4__py3-none-any.whl → 2.174.0__py3-none-any.whl

aws_cdk/aws_wafv2/__init__.py

@@ -7137,7 +7137,7 @@ class CfnRuleGroup(
             AWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .
 
             :param aggregate_key_type: Setting that indicates how to aggregate the request counts. .. epigraph:: Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling. - ``CONSTANT`` - Count and limit the requests that match the rate-based rule's scope-down statement. With this option, the counted requests aren't further aggregated. The scope-down statement is the only specification used. When the count of all requests that satisfy the scope-down statement goes over the limit, AWS WAF applies the rule action to all requests that satisfy the scope-down statement. With this option, you must configure the ``ScopeDownStatement`` property. - ``CUSTOM_KEYS`` - Aggregate the request counts using one or more web request components as the aggregate keys. With this option, you must specify the aggregate keys in the ``CustomKeys`` property. To aggregate on only the IP address or only the forwarded IP address, don't use custom keys. Instead, set the aggregate key type to ``IP`` or ``FORWARDED_IP`` . - ``FORWARDED_IP`` - Aggregate the request counts on the first IP address in an HTTP header. With this option, you must specify the header to use in the ``ForwardedIPConfig`` property. To aggregate on a combination of the forwarded IP address with other aggregate keys, use ``CUSTOM_KEYS`` . - ``IP`` - Aggregate the request counts on the IP address from the web request origin. To aggregate on a combination of the IP address with other aggregate keys, use ``CUSTOM_KEYS`` .
-            :param limit: The limit on requests per 5-minute period for a single aggregation instance for the rate-based rule. If the rate-based statement includes a ``ScopeDownStatement`` , this limit is applied only to the requests that match the statement. Examples: - If you aggregate on just the IP address, this is the limit on requests from any single IP address. - If you aggregate on the HTTP method and the query argument name "city", then this is the limit on requests for any single method, city pair.
+            :param limit: The limit on requests during the specified evaluation window for a single aggregation instance for the rate-based rule. If the rate-based statement includes a ``ScopeDownStatement`` , this limit is applied only to the requests that match the statement. Examples: - If you aggregate on just the IP address, this is the limit on requests from any single IP address. - If you aggregate on the HTTP method and the query argument name "city", then this is the limit on requests for any single method, city pair.
             :param custom_keys: Specifies the aggregate keys to use in a rate-base rule.
             :param evaluation_window_sec: The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time. For example, for a setting of 120, when AWS WAF checks the rate, it counts the requests for the 2 minutes immediately preceding the current time. Valid settings are 60, 120, 300, and 600. This setting doesn't determine how often AWS WAF checks the rate, but how far back it looks each time it checks. AWS WAF checks the rate about every 10 seconds. Default: ``300`` (5 minutes)
             :param forwarded_ip_config: The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name. .. epigraph:: If the specified header isn't present in the request, AWS WAF doesn't apply the rule to the web request at all. This is required if you specify a forwarded IP in the rule's aggregate key settings.
@@ -7614,7 +7614,7 @@ class CfnRuleGroup(
 
         @builtins.property
         def limit(self) -> jsii.Number:
-            '''The limit on requests per 5-minute period for a single aggregation instance for the rate-based rule.
+            '''The limit on requests during the specified evaluation window for a single aggregation instance for the rate-based rule.
 
             If the rate-based statement includes a ``ScopeDownStatement`` , this limit is applied only to the requests that match the statement.
 
@@ -8607,7 +8607,7 @@ class CfnRuleGroup(
             :param action: The action that AWS WAF should take on a web request when it matches the rule statement. Settings at the web ACL level can override the rule action setting.
             :param captcha_config: Specifies how AWS WAF should handle ``CAPTCHA`` evaluations. If you don't specify this, AWS WAF uses the ``CAPTCHA`` configuration that's defined for the web ACL.
             :param challenge_config: Specifies how AWS WAF should handle ``Challenge`` evaluations. If you don't specify this, AWS WAF uses the challenge configuration that's defined for the web ACL.
-            :param rule_labels: Labels to apply to web requests that match the rule match statement. AWS WAF applies fully qualified labels to matching web requests. A fully qualified label is the concatenation of a label namespace and a rule label. The rule's rule group or web ACL defines the label namespace. Rules that run after this rule in the web ACL can match against these labels using a ``LabelMatchStatement`` . For each label, provide a case-sensitive string containing optional namespaces and a label name, according to the following guidelines: - Separate each component of the label with a colon. - Each namespace or name can have up to 128 characters. - You can specify up to 5 namespaces in a label. - Don't use the following reserved words in your label specification: ``aws`` , ``waf`` , ``managed`` , ``rulegroup`` , ``webacl`` , ``regexpatternset`` , or ``ipset`` . For example, ``myLabelName`` or ``nameSpace1:nameSpace2:myLabelName`` .
+            :param rule_labels: Labels to apply to web requests that match the rule match statement. AWS WAF applies fully qualified labels to matching web requests. A fully qualified label is the concatenation of a label namespace and a rule label. The rule's rule group or web ACL defines the label namespace. .. epigraph:: Any rule that isn't a rule group reference statement or managed rule group statement can add labels to matching web requests. Rules that run after this rule in the web ACL can match against these labels using a ``LabelMatchStatement`` . For each label, provide a case-sensitive string containing optional namespaces and a label name, according to the following guidelines: - Separate each component of the label with a colon. - Each namespace or name can have up to 128 characters. - You can specify up to 5 namespaces in a label. - Don't use the following reserved words in your label specification: ``aws`` , ``waf`` , ``managed`` , ``rulegroup`` , ``webacl`` , ``regexpatternset`` , or ``ipset`` . For example, ``myLabelName`` or ``nameSpace1:nameSpace2:myLabelName`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-rulegroup-rule.html
             :exampleMetadata: fixture=_generated
@@ -9179,6 +9179,9 @@ class CfnRuleGroup(
             '''Labels to apply to web requests that match the rule match statement.
 
             AWS WAF applies fully qualified labels to matching web requests. A fully qualified label is the concatenation of a label namespace and a rule label. The rule's rule group or web ACL defines the label namespace.
+            .. epigraph::
+
+               Any rule that isn't a rule group reference statement or managed rule group statement can add labels to matching web requests.
 
             Rules that run after this rule in the web ACL can match against these labels using a ``LabelMatchStatement`` .
 
@@ -15620,7 +15623,7 @@ class CfnWebACL(
             :param vendor_name: The name of the managed rule group vendor. You use this, along with the rule group name, to identify a rule group.
             :param excluded_rules: Rules in the referenced rule group whose actions are set to ``Count`` . .. epigraph:: Instead of this option, use ``RuleActionOverrides`` . It accepts any valid action setting, including ``Count`` .
             :param managed_rule_group_configs: Additional information that's used by a managed rule group. Many managed rule groups don't require this. The rule groups used for intelligent threat mitigation require additional configuration: - Use the ``AWSManagedRulesACFPRuleSet`` configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields. - Use the ``AWSManagedRulesATPRuleSet`` configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password. - Use the ``AWSManagedRulesBotControlRuleSet`` configuration object to configure the protection level that you want the Bot Control rule group to use.
-            :param rule_action_overrides: Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change. You can use overrides for testing, for example you can override all of rule actions to ``Count`` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.
+            :param rule_action_overrides: Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change. .. epigraph:: Take care to verify the rule names in your overrides. If you provide a rule name that doesn't match the name of any rule in the rule group, AWS WAF doesn't return an error and doesn't apply the override setting. You can use overrides for testing, for example you can override all of rule actions to ``Count`` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.
             :param scope_down_statement: An optional nested statement that narrows the scope of the web requests that are evaluated by the managed rule group. Requests are only evaluated by the rule group if they match the scope-down statement. You can use any nestable ``Statement`` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.
             :param version: The version of the managed rule group to use. If you specify this, the version setting is fixed until you change it. If you don't specify this, AWS WAF uses the vendor's default version, and then keeps the version at the vendor's default when the vendor updates the managed rule group settings.
 
@@ -15718,6 +15721,9 @@ class CfnWebACL(
             '''Action settings to use in the place of the rule actions that are configured inside the rule group.
 
             You specify one override for each rule whose action you want to change.
+            .. epigraph::
+
+               Take care to verify the rule names in your overrides. If you provide a rule name that doesn't match the name of any rule in the rule group, AWS WAF doesn't return an error and doesn't apply the override setting.
 
             You can use overrides for testing, for example you can override all of rule actions to ``Count`` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.
 
@@ -16287,7 +16293,7 @@ class CfnWebACL(
             AWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .
 
             :param aggregate_key_type: Setting that indicates how to aggregate the request counts. .. epigraph:: Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling. - ``CONSTANT`` - Count and limit the requests that match the rate-based rule's scope-down statement. With this option, the counted requests aren't further aggregated. The scope-down statement is the only specification used. When the count of all requests that satisfy the scope-down statement goes over the limit, AWS WAF applies the rule action to all requests that satisfy the scope-down statement. With this option, you must configure the ``ScopeDownStatement`` property. - ``CUSTOM_KEYS`` - Aggregate the request counts using one or more web request components as the aggregate keys. With this option, you must specify the aggregate keys in the ``CustomKeys`` property. To aggregate on only the IP address or only the forwarded IP address, don't use custom keys. Instead, set the aggregate key type to ``IP`` or ``FORWARDED_IP`` . - ``FORWARDED_IP`` - Aggregate the request counts on the first IP address in an HTTP header. With this option, you must specify the header to use in the ``ForwardedIPConfig`` property. To aggregate on a combination of the forwarded IP address with other aggregate keys, use ``CUSTOM_KEYS`` . - ``IP`` - Aggregate the request counts on the IP address from the web request origin. To aggregate on a combination of the IP address with other aggregate keys, use ``CUSTOM_KEYS`` .
-            :param limit: The limit on requests per 5-minute period for a single aggregation instance for the rate-based rule. If the rate-based statement includes a ``ScopeDownStatement`` , this limit is applied only to the requests that match the statement. Examples: - If you aggregate on just the IP address, this is the limit on requests from any single IP address. - If you aggregate on the HTTP method and the query argument name "city", then this is the limit on requests for any single method, city pair.
+            :param limit: The limit on requests during the specified evaluation window for a single aggregation instance for the rate-based rule. If the rate-based statement includes a ``ScopeDownStatement`` , this limit is applied only to the requests that match the statement. Examples: - If you aggregate on just the IP address, this is the limit on requests from any single IP address. - If you aggregate on the HTTP method and the query argument name "city", then this is the limit on requests for any single method, city pair.
             :param custom_keys: Specifies the aggregate keys to use in a rate-base rule.
             :param evaluation_window_sec: The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time. For example, for a setting of 120, when AWS WAF checks the rate, it counts the requests for the 2 minutes immediately preceding the current time. Valid settings are 60, 120, 300, and 600. This setting doesn't determine how often AWS WAF checks the rate, but how far back it looks each time it checks. AWS WAF checks the rate about every 10 seconds. Default: ``300`` (5 minutes)
             :param forwarded_ip_config: The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name. .. epigraph:: If the specified header isn't present in the request, AWS WAF doesn't apply the rule to the web request at all. This is required if you specify a forwarded IP in the rule's aggregate key settings.
@@ -16357,7 +16363,7 @@ class CfnWebACL(
 
         @builtins.property
         def limit(self) -> jsii.Number:
-            '''The limit on requests per 5-minute period for a single aggregation instance for the rate-based rule.
+            '''The limit on requests during the specified evaluation window for a single aggregation instance for the rate-based rule.
 
             If the rate-based statement includes a ``ScopeDownStatement`` , this limit is applied only to the requests that match the statement.
 
@@ -18438,7 +18444,7 @@ class CfnWebACL(
 
             :param arn: The Amazon Resource Name (ARN) of the entity.
             :param excluded_rules: Rules in the referenced rule group whose actions are set to ``Count`` . .. epigraph:: Instead of this option, use ``RuleActionOverrides`` . It accepts any valid action setting, including ``Count`` .
-            :param rule_action_overrides: Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change. You can use overrides for testing, for example you can override all of rule actions to ``Count`` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.
+            :param rule_action_overrides: Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change. .. epigraph:: Take care to verify the rule names in your overrides. If you provide a rule name that doesn't match the name of any rule in the rule group, AWS WAF doesn't return an error and doesn't apply the override setting. You can use overrides for testing, for example you can override all of rule actions to ``Count`` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-rulegroupreferencestatement.html
             :exampleMetadata: fixture=_generated
@@ -18552,6 +18558,9 @@ class CfnWebACL(
             '''Action settings to use in the place of the rule actions that are configured inside the rule group.
 
             You specify one override for each rule whose action you want to change.
+            .. epigraph::
+
+               Take care to verify the rule names in your overrides. If you provide a rule name that doesn't match the name of any rule in the rule group, AWS WAF doesn't return an error and doesn't apply the override setting.
 
             You can use overrides for testing, for example you can override all of rule actions to ``Count`` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.
 
@@ -18612,7 +18621,7 @@ class CfnWebACL(
             :param captcha_config: Specifies how AWS WAF should handle ``CAPTCHA`` evaluations. If you don't specify this, AWS WAF uses the ``CAPTCHA`` configuration that's defined for the web ACL.
             :param challenge_config: Specifies how AWS WAF should handle ``Challenge`` evaluations. If you don't specify this, AWS WAF uses the challenge configuration that's defined for the web ACL.
             :param override_action: The override action to apply to the rules in a rule group, instead of the individual rule action settings. This is used only for rules whose statements reference a rule group. Rule statements that reference a rule group are ``RuleGroupReferenceStatement`` and ``ManagedRuleGroupStatement`` . Set the override action to none to leave the rule group rule actions in effect. Set it to count to only count matches, regardless of the rule action settings. You must set either this ``OverrideAction`` setting or the ``Action`` setting, but not both: - If the rule statement references a rule group, you must set this override action setting and you must not set the rule's action setting. - If the rule statement doesn't reference a rule group, you must set the rule action setting and you must not set the rule's override action setting.
-            :param rule_labels: Labels to apply to web requests that match the rule match statement. AWS WAF applies fully qualified labels to matching web requests. A fully qualified label is the concatenation of a label namespace and a rule label. The rule's rule group or web ACL defines the label namespace. Rules that run after this rule in the web ACL can match against these labels using a ``LabelMatchStatement`` . For each label, provide a case-sensitive string containing optional namespaces and a label name, according to the following guidelines: - Separate each component of the label with a colon. - Each namespace or name can have up to 128 characters. - You can specify up to 5 namespaces in a label. - Don't use the following reserved words in your label specification: ``aws`` , ``waf`` , ``managed`` , ``rulegroup`` , ``webacl`` , ``regexpatternset`` , or ``ipset`` . For example, ``myLabelName`` or ``nameSpace1:nameSpace2:myLabelName`` .
+            :param rule_labels: Labels to apply to web requests that match the rule match statement. AWS WAF applies fully qualified labels to matching web requests. A fully qualified label is the concatenation of a label namespace and a rule label. The rule's rule group or web ACL defines the label namespace. .. epigraph:: Any rule that isn't a rule group reference statement or managed rule group statement can add labels to matching web requests. Rules that run after this rule in the web ACL can match against these labels using a ``LabelMatchStatement`` . For each label, provide a case-sensitive string containing optional namespaces and a label name, according to the following guidelines: - Separate each component of the label with a colon. - Each namespace or name can have up to 128 characters. - You can specify up to 5 namespaces in a label. - Don't use the following reserved words in your label specification: ``aws`` , ``waf`` , ``managed`` , ``rulegroup`` , ``webacl`` , ``regexpatternset`` , or ``ipset`` . For example, ``myLabelName`` or ``nameSpace1:nameSpace2:myLabelName`` .
 
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-rule.html
             :exampleMetadata: fixture=_generated
@@ -18772,6 +18781,9 @@ class CfnWebACL(
             '''Labels to apply to web requests that match the rule match statement.
 
             AWS WAF applies fully qualified labels to matching web requests. A fully qualified label is the concatenation of a label namespace and a rule label. The rule's rule group or web ACL defines the label namespace.
+            .. epigraph::
+
+               Any rule that isn't a rule group reference statement or managed rule group statement can add labels to matching web requests.
 
             Rules that run after this rule in the web ACL can match against these labels using a ``LabelMatchStatement`` .