PyPI - aws-cdk-lib - Versions diffs - 2.91.0__py3-none-any.whl → 2.92.0__py3-none-any.whl - Mend

aws-cdk-lib 2.91.0py3-none-any.whl → 2.92.0py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of aws-cdk-lib might be problematic. Click here for more details.

Files changed (32) hide show

aws_cdk/_jsii/__init__.py +2 -2
aws_cdk/_jsii/{aws-cdk-lib@2.91.0.jsii.tgz → aws-cdk-lib@2.92.0.jsii.tgz} +0 -0
aws_cdk/aws_appstream/__init__.py +29 -21
aws_cdk/aws_batch/__init__.py +22 -10
aws_cdk/aws_billingconductor/__init__.py +14 -11
aws_cdk/aws_cloudwatch/__init__.py +3 -3
aws_cdk/aws_dms/__init__.py +117 -58
aws_cdk/aws_ec2/__init__.py +12 -14
aws_cdk/aws_ecs/__init__.py +24 -12
aws_cdk/aws_evidently/__init__.py +3 -3
aws_cdk/aws_fsx/__init__.py +6 -5
aws_cdk/aws_guardduty/__init__.py +60 -17
aws_cdk/aws_iam/__init__.py +6 -8
aws_cdk/aws_internetmonitor/__init__.py +43 -20
aws_cdk/aws_kms/__init__.py +95 -47
aws_cdk/aws_mwaa/__init__.py +13 -8
aws_cdk/aws_neptune/__init__.py +5 -2
aws_cdk/aws_omics/__init__.py +5 -3
aws_cdk/aws_opensearchservice/__init__.py +247 -14
aws_cdk/aws_organizations/__init__.py +17 -17
aws_cdk/aws_route53/__init__.py +3 -1
aws_cdk/aws_sns/__init__.py +8 -8
aws_cdk/aws_sqs/__init__.py +13 -9
aws_cdk/aws_transfer/__init__.py +40 -12
aws_cdk/aws_vpclattice/__init__.py +10 -6
aws_cdk/aws_wafv2/__init__.py +118 -84
{aws_cdk_lib-2.91.0.dist-info → aws_cdk_lib-2.92.0.dist-info}/METADATA +3 -3
{aws_cdk_lib-2.91.0.dist-info → aws_cdk_lib-2.92.0.dist-info}/RECORD +32 -32
{aws_cdk_lib-2.91.0.dist-info → aws_cdk_lib-2.92.0.dist-info}/LICENSE +0 -0
{aws_cdk_lib-2.91.0.dist-info → aws_cdk_lib-2.92.0.dist-info}/NOTICE +0 -0
{aws_cdk_lib-2.91.0.dist-info → aws_cdk_lib-2.92.0.dist-info}/WHEEL +0 -0
{aws_cdk_lib-2.91.0.dist-info → aws_cdk_lib-2.92.0.dist-info}/top_level.txt +0 -0

aws_cdk/aws_wafv2/__init__.py CHANGED Viewed

@@ -11553,12 +11553,13 @@ class CfnWebACL(
             enable_regex_in_path: typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]] = None,
             response_inspection: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnWebACL.ResponseInspectionProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
-            '''
-            :param creation_path:
-            :param registration_page_path:
-            :param request_inspection:
-            :param enable_regex_in_path:
-            :param response_inspection:
+            '''Not currently supported by AWS CloudFormation .
+            :param creation_path: Not currently supported by AWS CloudFormation .
+            :param registration_page_path: Not currently supported by AWS CloudFormation .
+            :param request_inspection: Not currently supported by AWS CloudFormation .
+            :param enable_regex_in_path: Not currently supported by AWS CloudFormation .
+            :param response_inspection: Not currently supported by AWS CloudFormation .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesacfpruleset.html
             :exampleMetadata: fixture=_generated
@@ -11636,7 +11637,8 @@ class CfnWebACL(
         @builtins.property
         def creation_path(self) -> builtins.str:
-            '''
+            '''Not currently supported by AWS CloudFormation .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesacfpruleset.html#cfn-wafv2-webacl-awsmanagedrulesacfpruleset-creationpath
             '''
             result = self._values.get("creation_path")
@@ -11645,7 +11647,8 @@ class CfnWebACL(
         @builtins.property
         def registration_page_path(self) -> builtins.str:
-            '''
+            '''Not currently supported by AWS CloudFormation .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesacfpruleset.html#cfn-wafv2-webacl-awsmanagedrulesacfpruleset-registrationpagepath
             '''
             result = self._values.get("registration_page_path")
@@ -11656,7 +11659,8 @@ class CfnWebACL(
         def request_inspection(
             self,
         ) -> typing.Union[_IResolvable_da3f097b, "CfnWebACL.RequestInspectionACFPProperty"]:
-            '''
+            '''Not currently supported by AWS CloudFormation .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesacfpruleset.html#cfn-wafv2-webacl-awsmanagedrulesacfpruleset-requestinspection
             '''
             result = self._values.get("request_inspection")
@@ -11667,7 +11671,8 @@ class CfnWebACL(
         def enable_regex_in_path(
             self,
         ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-            '''
+            '''Not currently supported by AWS CloudFormation .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesacfpruleset.html#cfn-wafv2-webacl-awsmanagedrulesacfpruleset-enableregexinpath
             '''
             result = self._values.get("enable_regex_in_path")
@@ -11677,7 +11682,8 @@ class CfnWebACL(
         def response_inspection(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnWebACL.ResponseInspectionProperty"]]:
-            '''
+            '''Not currently supported by AWS CloudFormation .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesacfpruleset.html#cfn-wafv2-webacl-awsmanagedrulesacfpruleset-responseinspection
             '''
             result = self._values.get("response_inspection")
@@ -11718,9 +11724,9 @@ class CfnWebACL(
             This configuration is used in ``ManagedRuleGroupConfig`` .
             :param login_path: The path of the login endpoint for your application. For example, for the URL ``https://example.com/web/login`` , you would provide the path ``/web/login`` . The rule group inspects only HTTP ``POST`` requests to your specified login endpoint.
-            :param enable_regex_in_path:
+            :param enable_regex_in_path: Not currently supported by AWS CloudFormation .
             :param request_inspection: The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage.
-            :param response_inspection: The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates. The ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that submit too many failed login attempts in a short amount of time. .. epigraph:: Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.
+            :param response_inspection: The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates. .. epigraph:: Response inspection is available only in web ACLs that protect Amazon CloudFront distributions. The ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts for each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that have had too many failed login attempts in a short amount of time.
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesatpruleset.html
             :exampleMetadata: fixture=_generated
@@ -11801,7 +11807,8 @@ class CfnWebACL(
         def enable_regex_in_path(
             self,
         ) -> typing.Optional[typing.Union[builtins.bool, _IResolvable_da3f097b]]:
-            '''
+            '''Not currently supported by AWS CloudFormation .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesatpruleset.html#cfn-wafv2-webacl-awsmanagedrulesatpruleset-enableregexinpath
             '''
             result = self._values.get("enable_regex_in_path")
@@ -11824,11 +11831,12 @@ class CfnWebACL(
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnWebACL.ResponseInspectionProperty"]]:
             '''The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.
-            The ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that submit too many failed login attempts in a short amount of time.
             .. epigraph::
                Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.
+            The ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts for each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that have had too many failed login attempts in a short amount of time.
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesatpruleset.html#cfn-wafv2-webacl-awsmanagedrulesatpruleset-responseinspection
             '''
             result = self._values.get("response_inspection")
@@ -11852,9 +11860,11 @@ class CfnWebACL(
     )
     class AWSManagedRulesBotControlRuleSetProperty:
         def __init__(self, *, inspection_level: builtins.str) -> None:
-            '''Details for your use of the Bot Control managed rule group, used in ``ManagedRuleGroupConfig`` .
+            '''Details for your use of the Bot Control managed rule group, ``AWSManagedRulesBotControlRuleSet`` .
+            This configuration is used in ``ManagedRuleGroupConfig`` .
-            :param inspection_level: The inspection level to use for the Bot Control rule group. The common level is the least expensive. The targeted level includes all common level rules and adds rules with more advanced inspection criteria. For details, see `AWS WAF Bot Control rule group <https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html>`_ .
+            :param inspection_level: The inspection level to use for the Bot Control rule group. The common level is the least expensive. The targeted level includes all common level rules and adds rules with more advanced inspection criteria. For details, see `AWS WAF Bot Control rule group <https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html>`_ in the *AWS WAF Developer Guide* .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesbotcontrolruleset.html
             :exampleMetadata: fixture=_generated
@@ -11880,7 +11890,7 @@ class CfnWebACL(
         def inspection_level(self) -> builtins.str:
             '''The inspection level to use for the Bot Control rule group.
-            The common level is the least expensive. The targeted level includes all common level rules and adds rules with more advanced inspection criteria. For details, see `AWS WAF Bot Control rule group <https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html>`_ .
+            The common level is the least expensive. The targeted level includes all common level rules and adds rules with more advanced inspection criteria. For details, see `AWS WAF Bot Control rule group <https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html>`_ in the *AWS WAF Developer Guide* .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-awsmanagedrulesbotcontrolruleset.html#cfn-wafv2-webacl-awsmanagedrulesbotcontrolruleset-inspectionlevel
             '''
@@ -13490,9 +13500,11 @@ class CfnWebACL(
     )
     class FieldIdentifierProperty:
         def __init__(self, *, identifier: builtins.str) -> None:
-            '''The identifier of the username or password field, used in the ``ManagedRuleGroupConfig`` settings.
+            '''The identifier of a field in the web request payload that contains customer data.
-            :param identifier: The name of the username or password field, used in the ``ManagedRuleGroupConfig`` settings. When the ``PayloadType`` is ``JSON`` , the identifier must be in JSON pointer syntax. For example ``/form/username`` . For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation `JavaScript Object Notation (JSON) Pointer <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901>`_ . When the ``PayloadType`` is ``FORM_ENCODED`` , use the HTML form names. For example, ``username`` .
+            This data type is used to specify fields in the ``RequestInspection`` configurations, for the managed rule group configuration ``AWSManagedRulesATPRuleSet`` .
+            :param identifier: The name of the field. When the ``PayloadType`` in the request inspection is ``JSON`` , this identifier must be in JSON pointer syntax. For example ``/form/username`` . For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation `JavaScript Object Notation (JSON) Pointer <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901>`_ . When the ``PayloadType`` is ``FORM_ENCODED`` , use the HTML form names. For example, ``username`` . For more information, see the descriptions for each field type in the request inspection properties.
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-fieldidentifier.html
             :exampleMetadata: fixture=_generated
@@ -13516,12 +13528,14 @@ class CfnWebACL(
         @builtins.property
         def identifier(self) -> builtins.str:
-            '''The name of the username or password field, used in the ``ManagedRuleGroupConfig`` settings.
+            '''The name of the field.
-            When the ``PayloadType`` is ``JSON`` , the identifier must be in JSON pointer syntax. For example ``/form/username`` . For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation `JavaScript Object Notation (JSON) Pointer <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901>`_ .
+            When the ``PayloadType`` in the request inspection is ``JSON`` , this identifier must be in JSON pointer syntax. For example ``/form/username`` . For information about the JSON Pointer syntax, see the Internet Engineering Task Force (IETF) documentation `JavaScript Object Notation (JSON) Pointer <https://docs.aws.amazon.com/https://tools.ietf.org/html/rfc6901>`_ .
             When the ``PayloadType`` is ``FORM_ENCODED`` , use the HTML form names. For example, ``username`` .
+            For more information, see the descriptions for each field type in the request inspection properties.
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-fieldidentifier.html#cfn-wafv2-webacl-fieldidentifier-identifier
             '''
             result = self._values.get("identifier")
@@ -14898,15 +14912,18 @@ class CfnWebACL(
         ) -> None:
             '''Additional information that's used by a managed rule group. Many managed rule groups don't require this.
-            Use the ``AWSManagedRulesBotControlRuleSet`` configuration object to configure the protection level that you want the Bot Control rule group to use.
+            The rule groups used for intelligent threat mitigation require additional configuration:
+            - Use the ``AWSManagedRulesATPRuleSet`` configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.
+            - Use the ``AWSManagedRulesBotControlRuleSet`` configuration object to configure the protection level that you want the Bot Control rule group to use.
-            :param aws_managed_rules_acfp_rule_set:
+            :param aws_managed_rules_acfp_rule_set: Not currently supported by AWS CloudFormation .
             :param aws_managed_rules_atp_rule_set: Additional configuration for using the account takeover prevention (ATP) managed rule group, ``AWSManagedRulesATPRuleSet`` . Use this to provide login request information to the rule group. For web ACLs that protect CloudFront distributions, use this to also provide the information about how your distribution responds to login requests. This configuration replaces the individual configuration fields in ``ManagedRuleGroupConfig`` and provides additional feature configuration. For information about using the ATP managed rule group, see `AWS WAF Fraud Control account takeover prevention (ATP) rule group <https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-atp.html>`_ and `AWS WAF Fraud Control account takeover prevention (ATP) <https://docs.aws.amazon.com/waf/latest/developerguide/waf-atp.html>`_ in the *AWS WAF Developer Guide* .
             :param aws_managed_rules_bot_control_rule_set: Additional configuration for using the Bot Control managed rule group. Use this to specify the inspection level that you want to use. For information about using the Bot Control managed rule group, see `AWS WAF Bot Control rule group <https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-bot.html>`_ and `AWS WAF Bot Control <https://docs.aws.amazon.com/waf/latest/developerguide/waf-bot-control.html>`_ in the *AWS WAF Developer Guide* .
             :param login_path: .. epigraph:: Instead of this setting, provide your configuration under ``AWSManagedRulesATPRuleSet`` .
-            :param password_field: .. epigraph:: Instead of this setting, provide your configuration under ``AWSManagedRulesATPRuleSet`` ``RequestInspection`` .
-            :param payload_type: .. epigraph:: Instead of this setting, provide your configuration under ``AWSManagedRulesATPRuleSet`` ``RequestInspection`` .
-            :param username_field: .. epigraph:: Instead of this setting, provide your configuration under ``AWSManagedRulesATPRuleSet`` ``RequestInspection`` .
+            :param password_field: .. epigraph:: Instead of this setting, provide your configuration under the request inspection configuration for ``AWSManagedRulesATPRuleSet`` .
+            :param payload_type: .. epigraph:: Instead of this setting, provide your configuration under the request inspection configuration for ``AWSManagedRulesATPRuleSet`` .
+            :param username_field: .. epigraph:: Instead of this setting, provide your configuration under the request inspection configuration for ``AWSManagedRulesATPRuleSet`` .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-managedrulegroupconfig.html
             :exampleMetadata: fixture=_generated
@@ -15042,7 +15059,8 @@ class CfnWebACL(
         def aws_managed_rules_acfp_rule_set(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnWebACL.AWSManagedRulesACFPRuleSetProperty"]]:
-            '''
+            '''Not currently supported by AWS CloudFormation .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-managedrulegroupconfig.html#cfn-wafv2-webacl-managedrulegroupconfig-awsmanagedrulesacfpruleset
             '''
             result = self._values.get("aws_managed_rules_acfp_rule_set")
@@ -15095,7 +15113,7 @@ class CfnWebACL(
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnWebACL.FieldIdentifierProperty"]]:
             '''.. epigraph::
-   Instead of this setting, provide your configuration under ``AWSManagedRulesATPRuleSet`` ``RequestInspection`` .
+   Instead of this setting, provide your configuration under the request inspection configuration for ``AWSManagedRulesATPRuleSet`` .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-managedrulegroupconfig.html#cfn-wafv2-webacl-managedrulegroupconfig-passwordfield
             '''
@@ -15106,7 +15124,7 @@ class CfnWebACL(
         def payload_type(self) -> typing.Optional[builtins.str]:
             '''.. epigraph::
-   Instead of this setting, provide your configuration under ``AWSManagedRulesATPRuleSet`` ``RequestInspection`` .
+   Instead of this setting, provide your configuration under the request inspection configuration for ``AWSManagedRulesATPRuleSet`` .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-managedrulegroupconfig.html#cfn-wafv2-webacl-managedrulegroupconfig-payloadtype
             '''
@@ -15119,7 +15137,7 @@ class CfnWebACL(
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnWebACL.FieldIdentifierProperty"]]:
             '''.. epigraph::
-   Instead of this setting, provide your configuration under ``AWSManagedRulesATPRuleSet`` ``RequestInspection`` .
+   Instead of this setting, provide your configuration under the request inspection configuration for ``AWSManagedRulesATPRuleSet`` .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-managedrulegroupconfig.html#cfn-wafv2-webacl-managedrulegroupconfig-usernamefield
             '''
@@ -15164,14 +15182,17 @@ class CfnWebACL(
         ) -> None:
             '''A rule statement used to run the rules that are defined in a managed rule group.
-            To use this, provide the vendor name and the name of the rule group in this statement.
+            To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names through the API call ``ListAvailableManagedRuleGroups`` .
             You cannot nest a ``ManagedRuleGroupStatement`` , for example for use inside a ``NotStatement`` or ``OrStatement`` . It can only be referenced as a top-level statement within a rule.
+            .. epigraph::
+               You are charged additional fees when you use the AWS WAF Bot Control managed rule group ``AWSManagedRulesBotControlRuleSet`` or the AWS WAF Fraud Control account takeover prevention (ATP) managed rule group ``AWSManagedRulesATPRuleSet`` . For more information, see `AWS WAF Pricing <https://docs.aws.amazon.com/waf/pricing/>`_ .
             :param name: The name of the managed rule group. You use this, along with the vendor name, to identify the rule group.
             :param vendor_name: The name of the managed rule group vendor. You use this, along with the rule group name, to identify a rule group.
             :param excluded_rules: Rules in the referenced rule group whose actions are set to ``Count`` . .. epigraph:: Instead of this option, use ``RuleActionOverrides`` . It accepts any valid action setting, including ``Count`` .
-            :param managed_rule_group_configs: Additional information that's used by a managed rule group. Many managed rule groups don't require this. Use the ``AWSManagedRulesATPRuleSet`` configuration object for the account takeover prevention managed rule group, to provide information such as the sign-in page of your application and the type of content to accept or reject from the client. Use the ``AWSManagedRulesBotControlRuleSet`` configuration object to configure the protection level that you want the Bot Control rule group to use.
+            :param managed_rule_group_configs: Additional information that's used by a managed rule group. Many managed rule groups don't require this. The rule groups used for intelligent threat mitigation require additional configuration: - Use the ``AWSManagedRulesATPRuleSet`` configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password. - Use the ``AWSManagedRulesBotControlRuleSet`` configuration object to configure the protection level that you want the Bot Control rule group to use.
             :param rule_action_overrides: Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change. You can use overrides for testing, for example you can override all of rule actions to ``Count`` and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.
             :param scope_down_statement: An optional nested statement that narrows the scope of the web requests that are evaluated by the managed rule group. Requests are only evaluated by the rule group if they match the scope-down statement. You can use any nestable ``Statement`` in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.
             :param version: The version of the managed rule group to use. If you specify this, the version setting is fixed until you change it. If you don't specify this, AWS WAF uses the vendor's default version, and then keeps the version at the vendor's default when the vendor updates the managed rule group settings.
@@ -15252,9 +15273,10 @@ class CfnWebACL(
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnWebACL.ManagedRuleGroupConfigProperty"]]]]:
             '''Additional information that's used by a managed rule group. Many managed rule groups don't require this.
-            Use the ``AWSManagedRulesATPRuleSet`` configuration object for the account takeover prevention managed rule group, to provide information such as the sign-in page of your application and the type of content to accept or reject from the client.
+            The rule groups used for intelligent threat mitigation require additional configuration:
-            Use the ``AWSManagedRulesBotControlRuleSet`` configuration object to configure the protection level that you want the Bot Control rule group to use.
+            - Use the ``AWSManagedRulesATPRuleSet`` configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.
+            - Use the ``AWSManagedRulesBotControlRuleSet`` configuration object to configure the protection level that you want the Bot Control rule group to use.
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-managedrulegroupstatement.html#cfn-wafv2-webacl-managedrulegroupstatement-managedrulegroupconfigs
             '''
@@ -16776,13 +16798,14 @@ class CfnWebACL(
             phone_number_fields: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Sequence[typing.Union[_IResolvable_da3f097b, typing.Union["CfnWebACL.FieldIdentifierProperty", typing.Dict[builtins.str, typing.Any]]]]]] = None,
             username_field: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnWebACL.FieldIdentifierProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
-            '''
-            :param payload_type:
-            :param address_fields:
-            :param email_field:
-            :param password_field:
-            :param phone_number_fields:
-            :param username_field:
+            '''Not currently supported by AWS CloudFormation .
+            :param payload_type: Not currently supported by AWS CloudFormation .
+            :param address_fields: Not currently supported by AWS CloudFormation .
+            :param email_field: Not currently supported by AWS CloudFormation .
+            :param password_field: Not currently supported by AWS CloudFormation .
+            :param phone_number_fields: Not currently supported by AWS CloudFormation .
+            :param username_field: Not currently supported by AWS CloudFormation .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-requestinspectionacfp.html
             :exampleMetadata: fixture=_generated
@@ -16838,7 +16861,8 @@ class CfnWebACL(
         @builtins.property
         def payload_type(self) -> builtins.str:
-            '''
+            '''Not currently supported by AWS CloudFormation .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-requestinspectionacfp.html#cfn-wafv2-webacl-requestinspectionacfp-payloadtype
             '''
             result = self._values.get("payload_type")
@@ -16849,7 +16873,8 @@ class CfnWebACL(
         def address_fields(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnWebACL.FieldIdentifierProperty"]]]]:
-            '''
+            '''Not currently supported by AWS CloudFormation .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-requestinspectionacfp.html#cfn-wafv2-webacl-requestinspectionacfp-addressfields
             '''
             result = self._values.get("address_fields")
@@ -16859,7 +16884,8 @@ class CfnWebACL(
         def email_field(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnWebACL.FieldIdentifierProperty"]]:
-            '''
+            '''Not currently supported by AWS CloudFormation .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-requestinspectionacfp.html#cfn-wafv2-webacl-requestinspectionacfp-emailfield
             '''
             result = self._values.get("email_field")
@@ -16869,7 +16895,8 @@ class CfnWebACL(
         def password_field(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnWebACL.FieldIdentifierProperty"]]:
-            '''
+            '''Not currently supported by AWS CloudFormation .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-requestinspectionacfp.html#cfn-wafv2-webacl-requestinspectionacfp-passwordfield
             '''
             result = self._values.get("password_field")
@@ -16879,7 +16906,8 @@ class CfnWebACL(
         def phone_number_fields(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, typing.List[typing.Union[_IResolvable_da3f097b, "CfnWebACL.FieldIdentifierProperty"]]]]:
-            '''
+            '''Not currently supported by AWS CloudFormation .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-requestinspectionacfp.html#cfn-wafv2-webacl-requestinspectionacfp-phonenumberfields
             '''
             result = self._values.get("phone_number_fields")
@@ -16889,7 +16917,8 @@ class CfnWebACL(
         def username_field(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnWebACL.FieldIdentifierProperty"]]:
-            '''
+            '''Not currently supported by AWS CloudFormation .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-requestinspectionacfp.html#cfn-wafv2-webacl-requestinspectionacfp-usernamefield
             '''
             result = self._values.get("username_field")
@@ -17050,8 +17079,8 @@ class CfnWebACL(
                Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.
-            :param failure_strings: Strings in the body of the response that indicate a failed login attempt. To be counted as a failed login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings. JSON example: ``"FailureStrings": [ "Login failed" ]``
-            :param success_strings: Strings in the body of the response that indicate a successful login attempt. To be counted as a successful login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings. JSON example: ``"SuccessStrings": [ "Login successful", "Welcome to our site!" ]``
+            :param failure_strings: Strings in the body of the response that indicate a failed login attempt. To be counted as a failure, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings. JSON example: ``"FailureStrings": [ "Request failed" ]``
+            :param success_strings: Strings in the body of the response that indicate a successful login attempt. To be counted as a success, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings. JSON example: ``"SuccessStrings": [ "Login successful" ]``
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-responseinspectionbodycontains.html
             :exampleMetadata: fixture=_generated
@@ -17080,9 +17109,9 @@ class CfnWebACL(
         def failure_strings(self) -> typing.List[builtins.str]:
             '''Strings in the body of the response that indicate a failed login attempt.
-            To be counted as a failed login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.
+            To be counted as a failure, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.
-            JSON example: ``"FailureStrings": [ "Login failed" ]``
+            JSON example: ``"FailureStrings": [ "Request failed" ]``
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-responseinspectionbodycontains.html#cfn-wafv2-webacl-responseinspectionbodycontains-failurestrings
             '''
@@ -17094,9 +17123,9 @@ class CfnWebACL(
         def success_strings(self) -> typing.List[builtins.str]:
             '''Strings in the body of the response that indicate a successful login attempt.
-            To be counted as a successful login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.
+            To be counted as a success, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.
-            JSON example: ``"SuccessStrings": [ "Login successful", "Welcome to our site!" ]``
+            JSON example: ``"SuccessStrings": [ "Login successful" ]``
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-responseinspectionbodycontains.html#cfn-wafv2-webacl-responseinspectionbodycontains-successstrings
             '''
@@ -17138,9 +17167,9 @@ class CfnWebACL(
                Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.
-            :param failure_values: Values in the response header with the specified name that indicate a failed login attempt. To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values. JSON example: ``"FailureValues": [ "LoginFailed", "Failed login" ]``
-            :param name: The name of the header to match against. The name must be an exact match, including case. JSON example: ``"Name": [ "LoginResult" ]``
-            :param success_values: Values in the response header with the specified name that indicate a successful login attempt. To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values. JSON example: ``"SuccessValues": [ "LoginPassed", "Successful login" ]``
+            :param failure_values: Values in the response header with the specified name that indicate a failed login attempt. To be counted as a failure, the value must be an exact match, including case. Each value must be unique among the success and failure values. JSON example: ``"FailureValues": [ "LoginFailed", "Failed login" ]``
+            :param name: The name of the header to match against. The name must be an exact match, including case. JSON example: ``"Name": [ "RequestResult" ]``
+            :param success_values: Values in the response header with the specified name that indicate a successful login attempt. To be counted as a success, the value must be an exact match, including case. Each value must be unique among the success and failure values. JSON example: ``"SuccessValues": [ "LoginPassed", "Successful login" ]``
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-responseinspectionheader.html
             :exampleMetadata: fixture=_generated
@@ -17172,7 +17201,7 @@ class CfnWebACL(
         def failure_values(self) -> typing.List[builtins.str]:
             '''Values in the response header with the specified name that indicate a failed login attempt.
-            To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values.
+            To be counted as a failure, the value must be an exact match, including case. Each value must be unique among the success and failure values.
             JSON example: ``"FailureValues": [ "LoginFailed", "Failed login" ]``
@@ -17186,7 +17215,7 @@ class CfnWebACL(
         def name(self) -> builtins.str:
             '''The name of the header to match against. The name must be an exact match, including case.
-            JSON example: ``"Name": [ "LoginResult" ]``
+            JSON example: ``"Name": [ "RequestResult" ]``
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-responseinspectionheader.html#cfn-wafv2-webacl-responseinspectionheader-name
             '''
@@ -17198,7 +17227,7 @@ class CfnWebACL(
         def success_values(self) -> typing.List[builtins.str]:
             '''Values in the response header with the specified name that indicate a successful login attempt.
-            To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values.
+            To be counted as a success, the value must be an exact match, including case. Each value must be unique among the success and failure values.
             JSON example: ``"SuccessValues": [ "LoginPassed", "Successful login" ]``
@@ -17243,9 +17272,9 @@ class CfnWebACL(
                Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.
-            :param failure_values: Values for the specified identifier in the response JSON that indicate a failed login attempt. To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values. JSON example: ``"FailureValues": [ "False", "Failed" ]``
+            :param failure_values: Values for the specified identifier in the response JSON that indicate a failed login attempt. To be counted as a failure, the value must be an exact match, including case. Each value must be unique among the success and failure values. JSON example: ``"FailureValues": [ "False", "Failed" ]``
             :param identifier: The identifier for the value to match against in the JSON. The identifier must be an exact match, including case. JSON example: ``"Identifier": [ "/login/success" ]``
-            :param success_values: Values for the specified identifier in the response JSON that indicate a successful login attempt. To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values. JSON example: ``"SuccessValues": [ "True", "Succeeded" ]``
+            :param success_values: Values for the specified identifier in the response JSON that indicate a successful login attempt. To be counted as a success, the value must be an exact match, including case. Each value must be unique among the success and failure values. JSON example: ``"SuccessValues": [ "True", "Succeeded" ]``
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-responseinspectionjson.html
             :exampleMetadata: fixture=_generated
@@ -17277,7 +17306,7 @@ class CfnWebACL(
         def failure_values(self) -> typing.List[builtins.str]:
             '''Values for the specified identifier in the response JSON that indicate a failed login attempt.
-            To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values.
+            To be counted as a failure, the value must be an exact match, including case. Each value must be unique among the success and failure values.
             JSON example: ``"FailureValues": [ "False", "Failed" ]``
@@ -17305,7 +17334,7 @@ class CfnWebACL(
         def success_values(self) -> typing.List[builtins.str]:
             '''Values for the specified identifier in the response JSON that indicate a successful login attempt.
-            To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values.
+            To be counted as a success, the value must be an exact match, including case. Each value must be unique among the success and failure values.
             JSON example: ``"SuccessValues": [ "True", "Succeeded" ]``
@@ -17345,21 +17374,22 @@ class CfnWebACL(
             json: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnWebACL.ResponseInspectionJsonProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
             status_code: typing.Optional[typing.Union[_IResolvable_da3f097b, typing.Union["CfnWebACL.ResponseInspectionStatusCodeProperty", typing.Dict[builtins.str, typing.Any]]]] = None,
         ) -> None:
-            '''The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.
+            '''The criteria for inspecting responses to login requests, used by the ATP rule group to track login success and failure rates.
-            The ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that submit too many failed login attempts in a short amount of time.
             .. epigraph::
                Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.
+            The rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses with too much suspicious activity in a short amount of time.
             This is part of the ``AWSManagedRulesATPRuleSet`` configuration in ``ManagedRuleGroupConfig`` .
-            Enable login response inspection by configuring exactly one component of the response to inspect. You can't configure more than one. If you don't configure any of the response inspection options, response inspection is disabled.
+            Enable response inspection by configuring exactly one component of the response to inspect, for example, ``Header`` or ``StatusCode`` . You can't configure more than one component for inspection. If you don't configure any of the response inspection options, response inspection is disabled.
-            :param body_contains: Configures inspection of the response body. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response body.
-            :param header: Configures inspection of the response header.
-            :param json: Configures inspection of the response JSON. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response JSON.
-            :param status_code: Configures inspection of the response status code.
+            :param body_contains: Configures inspection of the response body for success and failure indicators. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response body.
+            :param header: Configures inspection of the response header for success and failure indicators.
+            :param json: Configures inspection of the response JSON for success and failure indicators. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response JSON.
+            :param status_code: Configures inspection of the response status code for success and failure indicators.
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-responseinspection.html
             :exampleMetadata: fixture=_generated
@@ -17411,7 +17441,7 @@ class CfnWebACL(
         def body_contains(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnWebACL.ResponseInspectionBodyContainsProperty"]]:
-            '''Configures inspection of the response body.
+            '''Configures inspection of the response body for success and failure indicators.
             AWS WAF can inspect the first 65,536 bytes (64 KB) of the response body.
@@ -17424,7 +17454,7 @@ class CfnWebACL(
         def header(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnWebACL.ResponseInspectionHeaderProperty"]]:
-            '''Configures inspection of the response header.
+            '''Configures inspection of the response header for success and failure indicators.
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-responseinspection.html#cfn-wafv2-webacl-responseinspection-header
             '''
@@ -17435,7 +17465,7 @@ class CfnWebACL(
         def json(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnWebACL.ResponseInspectionJsonProperty"]]:
-            '''Configures inspection of the response JSON.
+            '''Configures inspection of the response JSON for success and failure indicators.
             AWS WAF can inspect the first 65,536 bytes (64 KB) of the response JSON.
@@ -17448,7 +17478,7 @@ class CfnWebACL(
         def status_code(
             self,
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnWebACL.ResponseInspectionStatusCodeProperty"]]:
-            '''Configures inspection of the response status code.
+            '''Configures inspection of the response status code for success and failure indicators.
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-responseinspection.html#cfn-wafv2-webacl-responseinspection-statuscode
             '''
@@ -17481,14 +17511,15 @@ class CfnWebACL(
             failure_codes: typing.Union[typing.Sequence[jsii.Number], _IResolvable_da3f097b],
             success_codes: typing.Union[typing.Sequence[jsii.Number], _IResolvable_da3f097b],
         ) -> None:
-            '''Configures inspection of the response status code. This is part of the ``ResponseInspection`` configuration for ``AWSManagedRulesATPRuleSet`` .
+            '''Configures inspection of the response status code for success and failure indicators.
+            This is part of the ``ResponseInspection`` configuration for ``AWSManagedRulesATPRuleSet`` .
             .. epigraph::
                Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.
-            :param failure_codes: Status codes in the response that indicate a failed login attempt. To be counted as a failed login, the response status code must match one of these. Each code must be unique among the success and failure status codes. JSON example: ``"FailureCodes": [ 400, 404 ]``
-            :param success_codes: Status codes in the response that indicate a successful login attempt. To be counted as a successful login, the response status code must match one of these. Each code must be unique among the success and failure status codes. JSON example: ``"SuccessCodes": [ 200, 201 ]``
+            :param failure_codes: Status codes in the response that indicate a failed login or account creation attempt. To be counted as a failure, the response status code must match one of these. Each code must be unique among the success and failure status codes. JSON example: ``"FailureCodes": [ 400, 404 ]``
+            :param success_codes: Status codes in the response that indicate a successful login or account creation attempt. To be counted as a success, the response status code must match one of these. Each code must be unique among the success and failure status codes. JSON example: ``"SuccessCodes": [ 200, 201 ]``
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-responseinspectionstatuscode.html
             :exampleMetadata: fixture=_generated
@@ -17517,9 +17548,9 @@ class CfnWebACL(
         def failure_codes(
             self,
         ) -> typing.Union[typing.List[jsii.Number], _IResolvable_da3f097b]:
-            '''Status codes in the response that indicate a failed login attempt.
+            '''Status codes in the response that indicate a failed login or account creation attempt.
-            To be counted as a failed login, the response status code must match one of these. Each code must be unique among the success and failure status codes.
+            To be counted as a failure, the response status code must match one of these. Each code must be unique among the success and failure status codes.
             JSON example: ``"FailureCodes": [ 400, 404 ]``
@@ -17533,9 +17564,9 @@ class CfnWebACL(
         def success_codes(
             self,
         ) -> typing.Union[typing.List[jsii.Number], _IResolvable_da3f097b]:
-            '''Status codes in the response that indicate a successful login attempt.
+            '''Status codes in the response that indicate a successful login or account creation attempt.
-            To be counted as a successful login, the response status code must match one of these. Each code must be unique among the success and failure status codes.
+            To be counted as a success, the response status code must match one of these. Each code must be unique among the success and failure status codes.
             JSON example: ``"SuccessCodes": [ 200, 201 ]``
@@ -18740,7 +18771,7 @@ class CfnWebACL(
             :param geo_match_statement: A rule statement that labels web requests by country and region and that matches against web requests based on country code. A geo match rule labels every request that it inspects regardless of whether it finds a match. - To manage requests only by country, you can use this statement by itself and specify the countries that you want to match against in the ``CountryCodes`` array. - Otherwise, configure your geo match rule with Count action so that it only labels requests. Then, add one or more label match rules to run after the geo match rule and configure them to match against the geographic labels and handle the requests as needed. AWS WAF labels requests using the alpha-2 country and region codes from the International Organization for Standardization (ISO) 3166 standard. AWS WAF determines the codes using either the IP address in the web request origin or, if you specify it, the address in the geo match ``ForwardedIPConfig`` . If you use the web request origin, the label formats are ``awswaf:clientip:geo:region:<ISO country code>-<ISO region code>`` and ``awswaf:clientip:geo:country:<ISO country code>`` . If you use a forwarded IP address, the label formats are ``awswaf:forwardedip:geo:region:<ISO country code>-<ISO region code>`` and ``awswaf:forwardedip:geo:country:<ISO country code>`` . For additional details, see `Geographic match rule statement <https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html>`_ in the `AWS WAF Developer Guide <https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html>`_ .
             :param ip_set_reference_statement: A rule statement used to detect web requests coming from particular IP addresses or address ranges. To use this, create an ``IPSet`` that specifies the addresses you want to detect, then use the ARN of that set in this statement. Each IP set rule statement references an IP set. You create and maintain the set independent of your rules. This allows you to use the single set in multiple rules. When you update the referenced set, AWS WAF automatically updates all rules that reference it.
             :param label_match_statement: A rule statement to match against labels that have been added to the web request by rules that have already run in the web ACL. The label match statement provides the label or namespace string to search for. The label string can represent a part or all of the fully qualified label name that had been added to the web request. Fully qualified labels have a prefix, optional namespaces, and label name. The prefix identifies the rule group or web ACL context of the rule that added the label. If you do not provide the fully qualified name in your label match string, AWS WAF performs the search for labels that were added in the same context as the label match statement.
-            :param managed_rule_group_statement: A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You cannot nest a ``ManagedRuleGroupStatement`` , for example for use inside a ``NotStatement`` or ``OrStatement`` . It can only be referenced as a top-level statement within a rule.
+            :param managed_rule_group_statement: A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names through the API call ``ListAvailableManagedRuleGroups`` . You cannot nest a ``ManagedRuleGroupStatement`` , for example for use inside a ``NotStatement`` or ``OrStatement`` . It can only be referenced as a top-level statement within a rule. .. epigraph:: You are charged additional fees when you use the AWS WAF Bot Control managed rule group ``AWSManagedRulesBotControlRuleSet`` or the AWS WAF Fraud Control account takeover prevention (ATP) managed rule group ``AWSManagedRulesATPRuleSet`` . For more information, see `AWS WAF Pricing <https://docs.aws.amazon.com/waf/pricing/>`_ .
             :param not_statement: A logical rule statement used to negate the results of another rule statement. You provide one ``Statement`` within the ``NotStatement`` .
             :param or_statement: A logical rule statement used to combine other rule statements with OR logic. You provide more than one ``Statement`` within the ``OrStatement`` .
             :param rate_based_statement: A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance. You can specify individual aggregation keys, like IP address or HTTP method. You can also specify aggregation key combinations, like IP address and HTTP method, or HTTP method, query argument, and cookie. Each unique set of values for the aggregation keys that you specify is a separate aggregation instance, with the value from each key contributing to the aggregation instance definition. For example, assume the rule evaluates web requests with the following IP address and HTTP method values: - IP address 10.1.1.1, HTTP method POST - IP address 10.1.1.1, HTTP method GET - IP address 127.0.0.0, HTTP method POST - IP address 10.1.1.1, HTTP method GET The rule would create different aggregation instances according to your aggregation criteria, for example: - If the aggregation criteria is just the IP address, then each individual address is an aggregation instance, and AWS WAF counts requests separately for each. The aggregation instances and request counts for our example would be the following: - IP address 10.1.1.1: count 3 - IP address 127.0.0.0: count 1 - If the aggregation criteria is HTTP method, then each individual HTTP method is an aggregation instance. The aggregation instances and request counts for our example would be the following: - HTTP method POST: count 2 - HTTP method GET: count 2 - If the aggregation criteria is IP address and HTTP method, then each IP address and each HTTP method would contribute to the combined aggregation instance. The aggregation instances and request counts for our example would be the following: - IP address 10.1.1.1, HTTP method POST: count 1 - IP address 10.1.1.1, HTTP method GET: count 2 - IP address 127.0.0.0, HTTP method POST: count 1 For any n-tuple of aggregation keys, each unique combination of values for the keys defines a separate aggregation instance, which AWS WAF counts and rate-limits individually. You can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts and rate limits requests that match the nested statement. You can use this nested scope-down statement in conjunction with your aggregation key specifications or you can just count and rate limit all requests that match the scope-down statement, without additional aggregation. When you choose to just manage all requests that match a scope-down statement, the aggregation instance is singular for the rule. You cannot nest a ``RateBasedStatement`` inside another statement, for example inside a ``NotStatement`` or ``OrStatement`` . You can define a ``RateBasedStatement`` inside a web ACL and inside a rule group. For additional information about the options, see `Rate limiting web requests using rate-based rules <https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html>`_ in the *AWS WAF Developer Guide* . If you only aggregate on the individual IP address or forwarded IP address, you can retrieve the list of IP addresses that AWS WAF is currently rate limiting for a rule through the API call ``GetRateBasedStatementManagedKeys`` . This option is not available for other aggregation configurations. AWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .
@@ -18891,9 +18922,12 @@ class CfnWebACL(
         ) -> typing.Optional[typing.Union[_IResolvable_da3f097b, "CfnWebACL.ManagedRuleGroupStatementProperty"]]:
             '''A rule statement used to run the rules that are defined in a managed rule group.
-            To use this, provide the vendor name and the name of the rule group in this statement.
+            To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names through the API call ``ListAvailableManagedRuleGroups`` .
             You cannot nest a ``ManagedRuleGroupStatement`` , for example for use inside a ``NotStatement`` or ``OrStatement`` . It can only be referenced as a top-level statement within a rule.
+            .. epigraph::
+               You are charged additional fees when you use the AWS WAF Bot Control managed rule group ``AWSManagedRulesBotControlRuleSet`` or the AWS WAF Fraud Control account takeover prevention (ATP) managed rule group ``AWSManagedRulesATPRuleSet`` . For more information, see `AWS WAF Pricing <https://docs.aws.amazon.com/waf/pricing/>`_ .
             :see: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-statement.html#cfn-wafv2-webacl-statement-managedrulegroupstatement
             '''

aws-cdk-lib 2.91.0__py3-none-any.whl → 2.92.0__py3-none-any.whl

Potentially problematic release.

aws-cdk-lib 2.91.0py3-none-any.whl → 2.92.0py3-none-any.whl