From c1663108a87381d574f557320c00d3e7c3fc802d Mon Sep 17 00:00:00 2001 From: ack-bot Date: Sat, 12 Oct 2024 00:22:19 +0000 Subject: [PATCH] ack-wafv2-controller artifacts for version 0.0.4 Signed-off-by: ack-bot --- .../0.0.4/bundle.Dockerfile | 21 + ...afv2-controller.clusterserviceversion.yaml | 283 ++ .../ack-wafv2-metrics-service_v1_service.yaml | 16 + ...der_rbac.authorization.k8s.io_v1_role.yaml | 16 + ...ter_rbac.authorization.k8s.io_v1_role.yaml | 30 + .../wafv2.services.k8s.aws_ipsets.yaml | 238 + .../wafv2.services.k8s.aws_rulegroups.yaml | 3825 ++++++++++++++++ .../wafv2.services.k8s.aws_webacls.yaml | 3978 +++++++++++++++++ .../0.0.4/metadata/annotations.yaml | 15 + .../0.0.4/tests/scorecard/config.yaml | 50 + 10 files changed, 8472 insertions(+) create mode 100644 operators/ack-wafv2-controller/0.0.4/bundle.Dockerfile create mode 100644 operators/ack-wafv2-controller/0.0.4/manifests/ack-wafv2-controller.clusterserviceversion.yaml create mode 100644 operators/ack-wafv2-controller/0.0.4/manifests/ack-wafv2-metrics-service_v1_service.yaml create mode 100644 operators/ack-wafv2-controller/0.0.4/manifests/ack-wafv2-reader_rbac.authorization.k8s.io_v1_role.yaml create mode 100644 operators/ack-wafv2-controller/0.0.4/manifests/ack-wafv2-writer_rbac.authorization.k8s.io_v1_role.yaml create mode 100644 operators/ack-wafv2-controller/0.0.4/manifests/wafv2.services.k8s.aws_ipsets.yaml create mode 100644 operators/ack-wafv2-controller/0.0.4/manifests/wafv2.services.k8s.aws_rulegroups.yaml create mode 100644 operators/ack-wafv2-controller/0.0.4/manifests/wafv2.services.k8s.aws_webacls.yaml create mode 100644 operators/ack-wafv2-controller/0.0.4/metadata/annotations.yaml create mode 100644 operators/ack-wafv2-controller/0.0.4/tests/scorecard/config.yaml diff --git a/operators/ack-wafv2-controller/0.0.4/bundle.Dockerfile b/operators/ack-wafv2-controller/0.0.4/bundle.Dockerfile new file mode 100644 index 00000000000..c80642e37ec --- /dev/null +++ b/operators/ack-wafv2-controller/0.0.4/bundle.Dockerfile @@ -0,0 +1,21 @@ +FROM scratch + +# Core bundle labels. +LABEL operators.operatorframework.io.bundle.mediatype.v1=registry+v1 +LABEL operators.operatorframework.io.bundle.manifests.v1=manifests/ +LABEL operators.operatorframework.io.bundle.metadata.v1=metadata/ +LABEL operators.operatorframework.io.bundle.package.v1=ack-wafv2-controller +LABEL operators.operatorframework.io.bundle.channels.v1=alpha +LABEL operators.operatorframework.io.bundle.channel.default.v1=alpha +LABEL operators.operatorframework.io.metrics.builder=operator-sdk-v1.28.0 +LABEL operators.operatorframework.io.metrics.mediatype.v1=metrics+v1 +LABEL operators.operatorframework.io.metrics.project_layout=unknown + +# Labels for testing. +LABEL operators.operatorframework.io.test.mediatype.v1=scorecard+v1 +LABEL operators.operatorframework.io.test.config.v1=tests/scorecard/ + +# Copy files to locations specified by labels. +COPY bundle/manifests /manifests/ +COPY bundle/metadata /metadata/ +COPY bundle/tests/scorecard /tests/scorecard/ diff --git a/operators/ack-wafv2-controller/0.0.4/manifests/ack-wafv2-controller.clusterserviceversion.yaml b/operators/ack-wafv2-controller/0.0.4/manifests/ack-wafv2-controller.clusterserviceversion.yaml new file mode 100644 index 00000000000..6eaf33261c0 --- /dev/null +++ b/operators/ack-wafv2-controller/0.0.4/manifests/ack-wafv2-controller.clusterserviceversion.yaml @@ -0,0 +1,283 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: ClusterServiceVersion +metadata: + annotations: + alm-examples: |- + [ + { + "apiVersion": "wafv2.services.k8s.aws/v1alpha1", + "kind": "IPSet", + "metadata": { + "name": "example" + }, + "spec": {} + } + ] + capabilities: Basic Install + categories: Cloud Provider + certified: "false" + containerImage: public.ecr.aws/aws-controllers-k8s/wafv2-controller:0.0.4 + createdAt: "2024-10-12T00:21:51Z" + description: AWS WAFV2 controller is a service controller for managing WAFV2 resources + in Kubernetes + operatorframework.io/suggested-namespace: ack-system + operators.operatorframework.io/builder: operator-sdk-v1.28.0 + operators.operatorframework.io/project_layout: unknown + repository: https://github.com/aws-controllers-k8s + support: Community + labels: + operatorframework.io/arch.amd64: supported + operatorframework.io/arch.arm64: supported + operatorframework.io/os.linux: supported + name: ack-wafv2-controller.v0.0.4 + namespace: placeholder +spec: + apiservicedefinitions: {} + customresourcedefinitions: + owned: + - description: IPSet represents the state of an AWS wafv2 IPSet resource. + displayName: IPSet + kind: IPSet + name: ipsets.wafv2.services.k8s.aws + version: v1alpha1 + - description: RuleGroup represents the state of an AWS wafv2 RuleGroup resource. + displayName: RuleGroup + kind: RuleGroup + name: rulegroups.wafv2.services.k8s.aws + version: v1alpha1 + - description: WebACL represents the state of an AWS wafv2 WebACL resource. + displayName: WebACL + kind: WebACL + name: webacls.wafv2.services.k8s.aws + version: v1alpha1 + description: |- + Manage Amazon Web Application Firewall (Amazon WAFV2) resources in AWS from within your Kubernetes cluster. + + **About Amazon WAFV2** + + AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests that are forwarded to your protected web application resources. You can protect the following resource types: + - Amazon CloudFront distribution + - Amazon API Gateway REST API + - Application Load Balancer + - AWS AppSync GraphQL API + - Amazon Cognito user pool + - AWS App Runner service + - AWS Verified Access instance + + **About the AWS Controllers for Kubernetes** + + This controller is a component of the [AWS Controller for Kubernetes](https://github.com/aws/aws-controllers-k8s) project. This project is currently in **developer preview**. + + **Pre-Installation Steps** + + Please follow the following link: [Red Hat OpenShift](https://aws-controllers-k8s.github.io/community/docs/user-docs/openshift/) + displayName: AWS Controllers for Kubernetes - Amazon WAFV2 + icon: + - base64data: PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz4KPCEtLSBHZW5lcmF0b3I6IEFkb2JlIElsbHVzdHJhdG9yIDE5LjAuMSwgU1ZHIEV4cG9ydCBQbHVnLUluIC4gU1ZHIFZlcnNpb246IDYuMDAgQnVpbGQgMCkgIC0tPgo8c3ZnIHZlcnNpb249IjEuMSIgaWQ9IkxheWVyXzEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgeG1sbnM6eGxpbms9Imh0dHA6Ly93d3cudzMub3JnLzE5OTkveGxpbmsiIHg9IjBweCIgeT0iMHB4IiB2aWV3Qm94PSIwIDAgMzA0IDE4MiIgc3R5bGU9ImVuYWJsZS1iYWNrZ3JvdW5kOm5ldyAwIDAgMzA0IDE4MjsiIHhtbDpzcGFjZT0icHJlc2VydmUiPgo8c3R5bGUgdHlwZT0idGV4dC9jc3MiPgoJLnN0MHtmaWxsOiMyNTJGM0U7fQoJLnN0MXtmaWxsLXJ1bGU6ZXZlbm9kZDtjbGlwLXJ1bGU6ZXZlbm9kZDtmaWxsOiNGRjk5MDA7fQo8L3N0eWxlPgo8Zz4KCTxwYXRoIGNsYXNzPSJzdDAiIGQ9Ik04Ni40LDY2LjRjMCwzLjcsMC40LDYuNywxLjEsOC45YzAuOCwyLjIsMS44LDQuNiwzLjIsNy4yYzAuNSwwLjgsMC43LDEuNiwwLjcsMi4zYzAsMS0wLjYsMi0xLjksM2wtNi4zLDQuMiAgIGMtMC45LDAuNi0xLjgsMC45LTIuNiwwLjljLTEsMC0yLTAuNS0zLTEuNEM3Ni4yLDkwLDc1LDg4LjQsNzQsODYuOGMtMS0xLjctMi0zLjYtMy4xLTUuOWMtNy44LDkuMi0xNy42LDEzLjgtMjkuNCwxMy44ICAgYy04LjQsMC0xNS4xLTIuNC0yMC03LjJjLTQuOS00LjgtNy40LTExLjItNy40LTE5LjJjMC04LjUsMy0xNS40LDkuMS0yMC42YzYuMS01LjIsMTQuMi03LjgsMjQuNS03LjhjMy40LDAsNi45LDAuMywxMC42LDAuOCAgIGMzLjcsMC41LDcuNSwxLjMsMTEuNSwyLjJ2LTcuM2MwLTcuNi0xLjYtMTIuOS00LjctMTZjLTMuMi0zLjEtOC42LTQuNi0xNi4zLTQuNmMtMy41LDAtNy4xLDAuNC0xMC44LDEuM2MtMy43LDAuOS03LjMsMi0xMC44LDMuNCAgIGMtMS42LDAuNy0yLjgsMS4xLTMuNSwxLjNjLTAuNywwLjItMS4yLDAuMy0xLjYsMC4zYy0xLjQsMC0yLjEtMS0yLjEtMy4xdi00LjljMC0xLjYsMC4yLTIuOCwwLjctMy41YzAuNS0wLjcsMS40LTEuNCwyLjgtMi4xICAgYzMuNS0xLjgsNy43LTMuMywxMi42LTQuNWM0LjktMS4zLDEwLjEtMS45LDE1LjYtMS45YzExLjksMCwyMC42LDIuNywyNi4yLDguMWM1LjUsNS40LDguMywxMy42LDguMywyNC42VjY2LjR6IE00NS44LDgxLjYgICBjMy4zLDAsNi43LTAuNiwxMC4zLTEuOGMzLjYtMS4yLDYuOC0zLjQsOS41LTYuNGMxLjYtMS45LDIuOC00LDMuNC02LjRjMC42LTIuNCwxLTUuMywxLTguN3YtNC4yYy0yLjktMC43LTYtMS4zLTkuMi0xLjcgICBjLTMuMi0wLjQtNi4zLTAuNi05LjQtMC42Yy02LjcsMC0xMS42LDEuMy0xNC45LDRjLTMuMywyLjctNC45LDYuNS00LjksMTEuNWMwLDQuNywxLjIsOC4yLDMuNywxMC42ICAgQzM3LjcsODAuNCw0MS4yLDgxLjYsNDUuOCw4MS42eiBNMTI2LjEsOTIuNGMtMS44LDAtMy0wLjMtMy44LTFjLTAuOC0wLjYtMS41LTItMi4xLTMuOUw5Ni43LDEwLjJjLTAuNi0yLTAuOS0zLjMtMC45LTQgICBjMC0xLjYsMC44LTIuNSwyLjQtMi41aDkuOGMxLjksMCwzLjIsMC4zLDMuOSwxYzAuOCwwLjYsMS40LDIsMiwzLjlsMTYuOCw2Ni4ybDE1LjYtNjYuMmMwLjUtMiwxLjEtMy4zLDEuOS0zLjljMC44LTAuNiwyLjItMSw0LTEgICBoOGMxLjksMCwzLjIsMC4zLDQsMWMwLjgsMC42LDEuNSwyLDEuOSwzLjlsMTUuOCw2N2wxNy4zLTY3YzAuNi0yLDEuMy0zLjMsMi0zLjljMC44LTAuNiwyLjEtMSwzLjktMWg5LjNjMS42LDAsMi41LDAuOCwyLjUsMi41ICAgYzAsMC41LTAuMSwxLTAuMiwxLjZjLTAuMSwwLjYtMC4zLDEuNC0wLjcsMi41bC0yNC4xLDc3LjNjLTAuNiwyLTEuMywzLjMtMi4xLDMuOWMtMC44LDAuNi0yLjEsMS0zLjgsMWgtOC42Yy0xLjksMC0zLjItMC4zLTQtMSAgIGMtMC44LTAuNy0xLjUtMi0xLjktNEwxNTYsMjNsLTE1LjQsNjQuNGMtMC41LDItMS4xLDMuMy0xLjksNGMtMC44LDAuNy0yLjIsMS00LDFIMTI2LjF6IE0yNTQuNiw5NS4xYy01LjIsMC0xMC40LTAuNi0xNS40LTEuOCAgIGMtNS0xLjItOC45LTIuNS0xMS41LTRjLTEuNi0wLjktMi43LTEuOS0zLjEtMi44Yy0wLjQtMC45LTAuNi0xLjktMC42LTIuOHYtNS4xYzAtMi4xLDAuOC0zLjEsMi4zLTMuMWMwLjYsMCwxLjIsMC4xLDEuOCwwLjMgICBjMC42LDAuMiwxLjUsMC42LDIuNSwxYzMuNCwxLjUsNy4xLDIuNywxMSwzLjVjNCwwLjgsNy45LDEuMiwxMS45LDEuMmM2LjMsMCwxMS4yLTEuMSwxNC42LTMuM2MzLjQtMi4yLDUuMi01LjQsNS4yLTkuNSAgIGMwLTIuOC0wLjktNS4xLTIuNy03Yy0xLjgtMS45LTUuMi0zLjYtMTAuMS01LjJMMjQ2LDUyYy03LjMtMi4zLTEyLjctNS43LTE2LTEwLjJjLTMuMy00LjQtNS05LjMtNS0xNC41YzAtNC4yLDAuOS03LjksMi43LTExLjEgICBjMS44LTMuMiw0LjItNiw3LjItOC4yYzMtMi4zLDYuNC00LDEwLjQtNS4yYzQtMS4yLDguMi0xLjcsMTIuNi0xLjdjMi4yLDAsNC41LDAuMSw2LjcsMC40YzIuMywwLjMsNC40LDAuNyw2LjUsMS4xICAgYzIsMC41LDMuOSwxLDUuNywxLjZjMS44LDAuNiwzLjIsMS4yLDQuMiwxLjhjMS40LDAuOCwyLjQsMS42LDMsMi41YzAuNiwwLjgsMC45LDEuOSwwLjksMy4zdjQuN2MwLDIuMS0wLjgsMy4yLTIuMywzLjIgICBjLTAuOCwwLTIuMS0wLjQtMy44LTEuMmMtNS43LTIuNi0xMi4xLTMuOS0xOS4yLTMuOWMtNS43LDAtMTAuMiwwLjktMTMuMywyLjhjLTMuMSwxLjktNC43LDQuOC00LjcsOC45YzAsMi44LDEsNS4yLDMsNy4xICAgYzIsMS45LDUuNywzLjgsMTEsNS41bDE0LjIsNC41YzcuMiwyLjMsMTIuNCw1LjUsMTUuNSw5LjZjMy4xLDQuMSw0LjYsOC44LDQuNiwxNGMwLDQuMy0wLjksOC4yLTIuNiwxMS42ICAgYy0xLjgsMy40LTQuMiw2LjQtNy4zLDguOGMtMy4xLDIuNS02LjgsNC4zLTExLjEsNS42QzI2NC40LDk0LjQsMjU5LjcsOTUuMSwyNTQuNiw5NS4xeiIvPgoJPGc+CgkJPHBhdGggY2xhc3M9InN0MSIgZD0iTTI3My41LDE0My43Yy0zMi45LDI0LjMtODAuNywzNy4yLTEyMS44LDM3LjJjLTU3LjYsMC0xMDkuNS0yMS4zLTE0OC43LTU2LjdjLTMuMS0yLjgtMC4zLTYuNiwzLjQtNC40ICAgIGM0Mi40LDI0LjYsOTQuNywzOS41LDE0OC44LDM5LjVjMzYuNSwwLDc2LjYtNy42LDExMy41LTIzLjJDMjc0LjIsMTMzLjYsMjc4LjksMTM5LjcsMjczLjUsMTQzLjd6Ii8+CgkJPHBhdGggY2xhc3M9InN0MSIgZD0iTTI4Ny4yLDEyOC4xYy00LjItNS40LTI3LjgtMi42LTM4LjUtMS4zYy0zLjIsMC40LTMuNy0yLjQtMC44LTQuNWMxOC44LTEzLjIsNDkuNy05LjQsNTMuMy01ICAgIGMzLjYsNC41LTEsMzUuNC0xOC42LDUwLjJjLTIuNywyLjMtNS4zLDEuMS00LjEtMS45QzI4Mi41LDE1NS43LDI5MS40LDEzMy40LDI4Ny4yLDEyOC4xeiIvPgoJPC9nPgo8L2c+Cjwvc3ZnPg== + mediatype: image/svg+xml + install: + spec: + clusterPermissions: + - rules: + - apiGroups: + - "" + resources: + - configmaps + - secrets + verbs: + - get + - list + - patch + - watch + - apiGroups: + - "" + resources: + - namespaces + verbs: + - get + - list + - watch + - apiGroups: + - services.k8s.aws + resources: + - adoptedresources + - fieldexports + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - services.k8s.aws + resources: + - adoptedresources/status + - fieldexports/status + verbs: + - get + - patch + - update + - apiGroups: + - wafv2.services.k8s.aws + resources: + - ipsets + - rulegroups + - webacls + verbs: + - create + - delete + - get + - list + - patch + - update + - watch + - apiGroups: + - wafv2.services.k8s.aws + resources: + - ipsets/status + - rulegroups/status + - webacls/status + verbs: + - get + - patch + - update + serviceAccountName: ack-wafv2-controller + deployments: + - label: + app.kubernetes.io/name: ack-wafv2-controller + app.kubernetes.io/part-of: ack-system + name: ack-wafv2-controller + spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: ack-wafv2-controller + strategy: {} + template: + metadata: + labels: + app.kubernetes.io/name: ack-wafv2-controller + spec: + containers: + - args: + - --aws-region + - $(AWS_REGION) + - --aws-endpoint-url + - $(AWS_ENDPOINT_URL) + - --enable-development-logging=$(ACK_ENABLE_DEVELOPMENT_LOGGING) + - --log-level + - $(ACK_LOG_LEVEL) + - --resource-tags + - $(ACK_RESOURCE_TAGS) + - --watch-namespace + - $(ACK_WATCH_NAMESPACE) + - --enable-leader-election=$(ENABLE_LEADER_ELECTION) + - --leader-election-namespace + - $(LEADER_ELECTION_NAMESPACE) + - --reconcile-default-max-concurrent-syncs + - $(RECONCILE_DEFAULT_MAX_CONCURRENT_SYNCS) + command: + - ./bin/controller + env: + - name: ACK_SYSTEM_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + envFrom: + - configMapRef: + name: ack-wafv2-user-config + optional: false + - secretRef: + name: ack-wafv2-user-secrets + optional: true + image: public.ecr.aws/aws-controllers-k8s/wafv2-controller:0.0.4 + livenessProbe: + httpGet: + path: /healthz + port: 8081 + initialDelaySeconds: 15 + periodSeconds: 20 + name: controller + ports: + - containerPort: 8080 + name: http + readinessProbe: + httpGet: + path: /readyz + port: 8081 + initialDelaySeconds: 5 + periodSeconds: 10 + resources: + limits: + cpu: 100m + memory: 300Mi + requests: + cpu: 100m + memory: 200Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + privileged: false + runAsNonRoot: true + dnsPolicy: ClusterFirst + securityContext: + seccompProfile: + type: RuntimeDefault + serviceAccountName: ack-wafv2-controller + terminationGracePeriodSeconds: 10 + permissions: + - rules: + - apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - get + - list + - watch + - create + - update + - patch + - delete + - apiGroups: + - "" + resources: + - events + verbs: + - create + - patch + serviceAccountName: ack-wafv2-controller + strategy: deployment + installModes: + - supported: true + type: OwnNamespace + - supported: true + type: SingleNamespace + - supported: true + type: MultiNamespace + - supported: true + type: AllNamespaces + keywords: + - wafv2 + - aws + - amazon + - ack + links: + - name: AWS Controllers for Kubernetes + url: https://github.com/aws-controllers-k8s/community + - name: Documentation + url: https://aws-controllers-k8s.github.io/community/ + - name: Amazon WAFV2 Developer Resources + url: https://aws.amazon.com/waf/resources/ + maintainers: + - email: ack-maintainers@amazon.com + name: wafv2 maintainer team + maturity: alpha + provider: + name: Amazon, Inc. + url: https://aws.amazon.com + version: 0.0.4 diff --git a/operators/ack-wafv2-controller/0.0.4/manifests/ack-wafv2-metrics-service_v1_service.yaml b/operators/ack-wafv2-controller/0.0.4/manifests/ack-wafv2-metrics-service_v1_service.yaml new file mode 100644 index 00000000000..785c554ad26 --- /dev/null +++ b/operators/ack-wafv2-controller/0.0.4/manifests/ack-wafv2-metrics-service_v1_service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + creationTimestamp: null + name: ack-wafv2-metrics-service +spec: + ports: + - name: metricsport + port: 8080 + protocol: TCP + targetPort: http + selector: + app.kubernetes.io/name: ack-wafv2-controller + type: NodePort +status: + loadBalancer: {} diff --git a/operators/ack-wafv2-controller/0.0.4/manifests/ack-wafv2-reader_rbac.authorization.k8s.io_v1_role.yaml b/operators/ack-wafv2-controller/0.0.4/manifests/ack-wafv2-reader_rbac.authorization.k8s.io_v1_role.yaml new file mode 100644 index 00000000000..4e6270d8f15 --- /dev/null +++ b/operators/ack-wafv2-controller/0.0.4/manifests/ack-wafv2-reader_rbac.authorization.k8s.io_v1_role.yaml @@ -0,0 +1,16 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: ack-wafv2-reader +rules: +- apiGroups: + - wafv2.services.k8s.aws + resources: + - ipsets + - rulegroups + - webacls + verbs: + - get + - list + - watch diff --git a/operators/ack-wafv2-controller/0.0.4/manifests/ack-wafv2-writer_rbac.authorization.k8s.io_v1_role.yaml b/operators/ack-wafv2-controller/0.0.4/manifests/ack-wafv2-writer_rbac.authorization.k8s.io_v1_role.yaml new file mode 100644 index 00000000000..81767d79055 --- /dev/null +++ b/operators/ack-wafv2-controller/0.0.4/manifests/ack-wafv2-writer_rbac.authorization.k8s.io_v1_role.yaml @@ -0,0 +1,30 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + creationTimestamp: null + name: ack-wafv2-writer +rules: +- apiGroups: + - wafv2.services.k8s.aws + resources: + - ipsets + - rulegroups + - webacls + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - wafv2.services.k8s.aws + resources: + - ipsets + - rulegroups + - webacls + verbs: + - get + - patch + - update diff --git a/operators/ack-wafv2-controller/0.0.4/manifests/wafv2.services.k8s.aws_ipsets.yaml b/operators/ack-wafv2-controller/0.0.4/manifests/wafv2.services.k8s.aws_ipsets.yaml new file mode 100644 index 00000000000..3f14b4515a6 --- /dev/null +++ b/operators/ack-wafv2-controller/0.0.4/manifests/wafv2.services.k8s.aws_ipsets.yaml @@ -0,0 +1,238 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + creationTimestamp: null + name: ipsets.wafv2.services.k8s.aws +spec: + group: wafv2.services.k8s.aws + names: + kind: IPSet + listKind: IPSetList + plural: ipsets + singular: ipset + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: IPSet is the Schema for the IPSets API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + IPSetSpec defines the desired state of IPSet. + + Contains zero or more IP addresses or blocks of IP addresses specified in + Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and + IPv6 CIDR ranges except for /0. For information about CIDR notation, see + the Wikipedia entry Classless Inter-Domain Routing (https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing). + + WAF assigns an ARN to each IPSet that you create. To use an IP set in a rule, + you provide the ARN to the Rule statement IPSetReferenceStatement. + properties: + addresses: + description: |- + Contains an array of strings that specifies zero or more IP addresses or + blocks of IP addresses that you want WAF to inspect for in incoming requests. + All addresses must be specified using Classless Inter-Domain Routing (CIDR) + notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0. + + Example address strings: + + * For requests that originated from the IP address 192.0.2.44, specify + 192.0.2.44/32. + + * For requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, + specify 192.0.2.0/24. + + * For requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, + specify 1111:0000:0000:0000:0000:0000:0000:0111/128. + + * For requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 + to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64. + + For more information about CIDR notation, see the Wikipedia entry Classless + Inter-Domain Routing (https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing). + + Example JSON Addresses specifications: + + * Empty array: "Addresses": [] + + * Array with one address: "Addresses": ["192.0.2.44/32"] + + * Array with three addresses: "Addresses": ["192.0.2.44/32", "192.0.2.0/24", + "192.0.0.0/16"] + + * INVALID specification: "Addresses": [""] INVALID + items: + type: string + type: array + description: + description: A description of the IP set that helps with identification. + type: string + ipAddressVersion: + description: The version of the IP addresses, either IPV4 or IPV6. + type: string + name: + description: |- + The name of the IP set. You cannot change the name of an IPSet after you + create it. + type: string + scope: + description: |- + Specifies whether this is for an Amazon CloudFront distribution or for a + regional application. A regional application can be an Application Load Balancer + (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon + Cognito user pool, an App Runner service, or an Amazon Web Services Verified + Access instance. + + To work with CloudFront, you must also specify the Region US East (N. Virginia) + as follows: + + * CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT + --region=us-east-1. + + * API and SDKs - For all calls, use the Region endpoint us-east-1. + type: string + tags: + description: An array of key:value pairs to associate with the resource. + items: + description: |- + A tag associated with an Amazon Web Services resource. Tags are key:value + pairs that you can use to categorize and manage your resources, for purposes + like billing or other management. Typically, the tag key represents a category, + such as "environment", and the tag value represents a specific value within + that category, such as "test," "development," or "production". Or you might + set the tag key to "customer" and the value to the customer name or ID. You + can specify one or more tags to add to each Amazon Web Services resource, + up to 50 tags for a resource. + + You can tag the Amazon Web Services resources that you manage through WAF: + web ACLs, rule groups, IP sets, and regex pattern sets. You can't manage + or view tags through the WAF console. + properties: + key: + type: string + value: + type: string + type: object + type: array + required: + - addresses + - ipAddressVersion + - name + - scope + type: object + status: + description: IPSetStatus defines the observed state of IPSet + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: |- + All CRS managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + id: + description: |- + A unique identifier for the set. This ID is returned in the responses to + create and list commands. You provide it to operations like update and delete. + type: string + lockToken: + description: |- + A token used for optimistic locking. WAF returns a token to your get and + list requests, to mark the state of the entity at the time of the request. + To make changes to the entity associated with the token, you provide the + token to operations like update and delete. WAF uses the token to ensure + that no changes have been made to the entity since you last retrieved it. + If a change has been made, the update fails with a WAFOptimisticLockException. + If this happens, perform another get, and use the new token returned by that + operation. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/ack-wafv2-controller/0.0.4/manifests/wafv2.services.k8s.aws_rulegroups.yaml b/operators/ack-wafv2-controller/0.0.4/manifests/wafv2.services.k8s.aws_rulegroups.yaml new file mode 100644 index 00000000000..a232ce2fb45 --- /dev/null +++ b/operators/ack-wafv2-controller/0.0.4/manifests/wafv2.services.k8s.aws_rulegroups.yaml @@ -0,0 +1,3825 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + creationTimestamp: null + name: rulegroups.wafv2.services.k8s.aws +spec: + group: wafv2.services.k8s.aws + names: + kind: RuleGroup + listKind: RuleGroupList + plural: rulegroups + singular: rulegroup + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: RuleGroup is the Schema for the RuleGroups API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + RuleGroupSpec defines the desired state of RuleGroup. + + A rule group defines a collection of rules to inspect and control web requests + that you can use in a WebACL. When you create a rule group, you define an + immutable capacity limit. If you update a rule group, you must stay within + the capacity. This allows others to reuse the rule group with confidence + in its capacity requirements. + properties: + capacity: + description: |- + The web ACL capacity units (WCUs) required for this rule group. + + When you create your own rule group, you define this, and you cannot change + it after creation. When you add or modify the rules in a rule group, WAF + enforces this limit. You can check the capacity for a set of rules using + CheckCapacity. + + WAF uses WCUs to calculate and control the operating resources that are used + to run your rules, rule groups, and web ACLs. WAF calculates capacity differently + for each rule type, to reflect the relative cost of each rule. Simple rules + that cost little to run use fewer WCUs than more complex rules that use more + processing power. Rule group capacity is fixed at creation, which helps users + plan their web ACL WCU usage when they use a rule group. For more information, + see WAF web ACL capacity units (WCU) (https://docs.aws.amazon.com/waf/latest/developerguide/aws-waf-capacity-units.html) + in the WAF Developer Guide. + format: int64 + type: integer + customResponseBodies: + additionalProperties: + description: |- + The response body to use in a custom response to a web request. This is referenced + by key from CustomResponse CustomResponseBodyKey. + properties: + content: + type: string + contentType: + type: string + type: object + description: |- + A map of custom response keys and content bodies. When you create a rule + with a block action, you can send a custom response to the web request. You + define these for the rule group, and then use them in the rules that you + define in the rule group. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + + For information about the limits on count and size for custom request and + response settings, see WAF quotas (https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) + in the WAF Developer Guide. + type: object + description: + description: A description of the rule group that helps with identification. + type: string + name: + description: |- + The name of the rule group. You cannot change the name of a rule group after + you create it. + type: string + rules: + description: |- + The Rule statements used to identify the web requests that you want to manage. + Each rule includes one top-level statement that WAF uses to identify matching + web requests, and parameters that govern how WAF handles them. + items: + description: |- + A single rule, which you can use in a WebACL or RuleGroup to identify web + requests that you want to manage in some way. Each rule includes one top-level + Statement that WAF uses to identify matching web requests, and parameters + that govern how WAF handles them. + properties: + action: + description: |- + The action that WAF should take on a web request when it matches a rule's + statement. Settings at the web ACL level can override the rule action setting. + properties: + allow: + description: |- + Specifies that WAF should allow the request and optionally defines additional + custom handling for the request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + block: + description: |- + Specifies that WAF should block the request and optionally defines additional + custom handling for the response to the web request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customResponse: + description: |- + A custom response to send to the client. You can define a custom response + for rule actions and default web ACL actions that are set to BlockAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + customResponseBodyKey: + type: string + responseCode: + format: int64 + type: integer + responseHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + captcha: + description: |- + Specifies that WAF should run a CAPTCHA check against the request: + + * If the request includes a valid, unexpired CAPTCHA token, WAF applies + any custom request handling and labels that you've configured and then + allows the web request inspection to proceed to the next rule, similar + to a CountAction. + + * If the request doesn't include a valid, unexpired token, WAF discontinues + the web ACL evaluation of the request and blocks it from going to its + intended destination. WAF generates a response that it sends back to the + client, which includes the following: The header x-amzn-waf-action with + a value of captcha. The HTTP status code 405 Method Not Allowed. If the + request contains an Accept header with a value of text/html, the response + includes a CAPTCHA JavaScript page interstitial. + + You can configure the expiration time in the CaptchaConfig ImmunityTimeProperty + setting at the rule and web ACL level. The rule setting overrides the web + ACL setting. + + This action option is available for rules. It isn't available for web ACL + default actions. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + challenge: + description: |- + Specifies that WAF should run a Challenge check against the request to verify + that the request is coming from a legitimate client session: + + * If the request includes a valid, unexpired challenge token, WAF applies + any custom request handling and labels that you've configured and then + allows the web request inspection to proceed to the next rule, similar + to a CountAction. + + * If the request doesn't include a valid, unexpired challenge token, WAF + discontinues the web ACL evaluation of the request and blocks it from + going to its intended destination. WAF then generates a challenge response + that it sends back to the client, which includes the following: The header + x-amzn-waf-action with a value of challenge. The HTTP status code 202 + Request Accepted. If the request contains an Accept header with a value + of text/html, the response includes a JavaScript page interstitial with + a challenge script. Challenges run silent browser interrogations in the + background, and don't generally affect the end user experience. A challenge + enforces token acquisition using an interstitial JavaScript challenge + that inspects the client session for legitimate behavior. The challenge + blocks bots or at least increases the cost of operating sophisticated + bots. After the client session successfully responds to the challenge, + it receives a new token from WAF, which the challenge script uses to resubmit + the original request. + + You can configure the expiration time in the ChallengeConfig ImmunityTimeProperty + setting at the rule and web ACL level. The rule setting overrides the web + ACL setting. + + This action option is available for rules. It isn't available for web ACL + default actions. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + count: + description: |- + Specifies that WAF should count the request. Optionally defines additional + custom handling for the request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + type: object + captchaConfig: + description: |- + Specifies how WAF should handle CAPTCHA evaluations. This is available at + the web ACL level and in each rule. + properties: + immunityTimeProperty: + description: |- + Used for CAPTCHA and challenge token settings. Determines how long a CAPTCHA + or challenge timestamp remains valid after WAF updates it for a successful + CAPTCHA or challenge response. + properties: + immunityTime: + format: int64 + type: integer + type: object + type: object + challengeConfig: + description: |- + Specifies how WAF should handle Challenge evaluations. This is available + at the web ACL level and in each rule. + properties: + immunityTimeProperty: + description: |- + Used for CAPTCHA and challenge token settings. Determines how long a CAPTCHA + or challenge timestamp remains valid after WAF updates it for a successful + CAPTCHA or challenge response. + properties: + immunityTime: + format: int64 + type: integer + type: object + type: object + name: + type: string + overrideAction: + description: |- + The action to use in the place of the action that results from the rule group + evaluation. Set the override action to none to leave the result of the rule + group alone. Set it to count to override the result to count only. + + You can only use this for rule statements that reference a rule group, like + RuleGroupReferenceStatement and ManagedRuleGroupStatement. + + This option is usually set to none. It does not affect how the rules in the + rule group are evaluated. If you want the rules in the rule group to only + count matches, do not use this and instead use the rule action override option, + with Count action, in your rule group reference statement settings. + properties: + count: + description: |- + Specifies that WAF should count the request. Optionally defines additional + custom handling for the request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + none: + additionalProperties: + type: string + description: |- + Specifies that WAF should do nothing. This is used for the OverrideAction + setting on a Rule when the rule uses a rule group reference statement. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + + JSON specification: "None": {} + type: object + type: object + priority: + format: int64 + type: integer + ruleLabels: + items: + description: |- + A single label container. This is used as an element of a label array in + multiple contexts, for example, in RuleLabels inside a Rule and in Labels + inside a SampledHTTPRequest. + properties: + name: + type: string + type: object + type: array + statement: + description: |- + The processing guidance for a Rule, used by WAF to determine whether a web + request matches the rule. + + For example specifications, see the examples section of CreateWebACL. + properties: + andStatement: + type: string + byteMatchStatement: + description: |- + A rule statement that defines a string match search for WAF to apply to web + requests. The byte match statement provides the bytes to search for, the + location in requests that you want WAF to search, and other settings. The + bytes to search for are typically a string that corresponds with ASCII characters. + In the WAF console and the developer guide, this is called a string match + statement. + properties: + fieldToMatch: + description: |- + Specifies a web request component to be used in a rule match statement or + in a logging configuration. + + * In a rule statement, this is the part of the web request that you want + WAF to inspect. Include the single FieldToMatch type that you want to + inspect, with additional specifications as needed, according to the type. + You specify a single request component in FieldToMatch for each rule statement + that requires it. To inspect more than one component of the web request, + create a separate rule statement for each component. Example JSON for + a QueryString field to match: "FieldToMatch": { "QueryString": {} } Example + JSON for a Method field to match specification: "FieldToMatch": { "Method": + { "Name": "DELETE" } } + + * In a logging configuration, this is used in the RedactedFields property + to specify a field to redact from the logging records. For this use case, + note the following: Even though all FieldToMatch settings are available, + the only valid settings for field redaction are UriPath, QueryString, + SingleHeader, and Method. In this documentation, the descriptions of the + individual fields talk about specifying the web request component to inspect, + but for field redaction, you are specifying the component type to redact + from the logs. + properties: + allQueryArguments: + additionalProperties: + type: string + description: |- + Inspect all query arguments of the web request. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "AllQueryArguments": {} + type: object + body: + description: |- + Inspect the body of the web request. The body immediately follows the request + headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + properties: + oversizeHandling: + type: string + type: object + cookies: + description: |- + Inspect the cookies in the web request. You can specify the parts of the + cookies to inspect and you can narrow the set of cookies to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of cookies to inspect in a web request. + + You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies. + + Example JSON: "MatchPattern": { "IncludedCookies": [ "session-id-time", "session-id" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedCookies: + items: + type: string + type: array + includedCookies: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + headerOrder: + description: |- + Inspect a string containing the list of the request's header names, ordered + as they appear in the web request that WAF receives for inspection. WAF generates + the string and then uses that as the field to match component in its inspection. + WAF separates the header names in the string using colons and no added spaces, + for example host:user-agent:accept:authorization:referer. + properties: + oversizeHandling: + type: string + type: object + headers: + description: |- + Inspect all headers in the web request. You can specify the parts of the + headers to inspect and you can narrow the set of headers to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + If you want to inspect just the value of a single header, use the SingleHeader + FieldToMatch setting instead. + + Example JSON: "Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of headers to inspect in a web request. + + You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders. + + Example JSON: "MatchPattern": { "ExcludedHeaders": [ "KeyToExclude1", "KeyToExclude2" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedHeaders: + items: + type: string + type: array + includedHeaders: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + ja3Fingerprint: + description: |- + Match against the request's JA3 fingerprint. The JA3 fingerprint is a 32-character + hash derived from the TLS Client Hello of an incoming request. This fingerprint + serves as a unique identifier for the client's TLS configuration. WAF calculates + and logs this fingerprint for each request that has enough TLS Client Hello + information for the calculation. Almost all web requests include this information. + + You can use this choice only with a string match ByteMatchStatement with + the PositionalConstraint set to EXACTLY. + + You can obtain the JA3 fingerprint for client requests from the web ACL logs. + If WAF is able to calculate the fingerprint, it includes it in the logs. + For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html) + in the WAF Developer Guide. + + Provide the JA3 fingerprint string from the logs in your string match statement + specification, to match with any future requests that have the same TLS configuration. + properties: + fallbackBehavior: + type: string + type: object + jsonBody: + description: |- + Inspect the body of the web request as JSON. The body immediately follows + the request headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Use the specifications in this object to indicate which parts of the JSON + body to inspect using the rule's inspection criteria. WAF inspects only the + parts of the JSON that result from the matches that you indicate. + + Example JSON: "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": + "ALL" } + properties: + invalidFallbackBehavior: + type: string + matchPattern: + description: |- + The patterns to look for in the JSON body. WAF inspects the results of these + pattern matches against the rule inspection criteria. This is used with the + FieldToMatch option JsonBody. + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + includedPaths: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + method: + additionalProperties: + type: string + description: |- + Inspect the HTTP method of the web request. The method indicates the type + of operation that the request is asking the origin to perform. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "Method": {} + type: object + queryString: + additionalProperties: + type: string + description: |- + Inspect the query string of the web request. This is the part of a URL that + appears after a ? character, if any. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "QueryString": {} + type: object + singleHeader: + description: |- + Inspect one of the headers in the web request, identified by name, for example, + User-Agent or Referer. The name isn't case sensitive. + + You can filter and inspect all headers with the FieldToMatch setting Headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleHeader": { "Name": "haystack" } + properties: + name: + type: string + type: object + singleQueryArgument: + description: |- + Inspect one query argument in the web request, identified by name, for example + UserName or SalesRegion. The name isn't case sensitive. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleQueryArgument": { "Name": "myArgument" } + properties: + name: + type: string + type: object + uriPath: + additionalProperties: + type: string + description: |- + Inspect the path component of the URI of the web request. This is the part + of the web request that identifies a resource. For example, /images/daily-ad.jpg. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "UriPath": {} + type: object + type: object + positionalConstraint: + type: string + searchString: + format: byte + type: string + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + geoMatchStatement: + description: |- + A rule statement that labels web requests by country and region and that + matches against web requests based on country code. A geo match rule labels + every request that it inspects regardless of whether it finds a match. + + * To manage requests only by country, you can use this statement by itself + and specify the countries that you want to match against in the CountryCodes + array. + + * Otherwise, configure your geo match rule with Count action so that it + only labels requests. Then, add one or more label match rules to run after + the geo match rule and configure them to match against the geographic + labels and handle the requests as needed. + + WAF labels requests using the alpha-2 country and region codes from the International + Organization for Standardization (ISO) 3166 standard. WAF determines the + codes using either the IP address in the web request origin or, if you specify + it, the address in the geo match ForwardedIPConfig. + + If you use the web request origin, the label formats are awswaf:clientip:geo:region:- and awswaf:clientip:geo:country:. + + If you use a forwarded IP address, the label formats are awswaf:forwardedip:geo:region:- and awswaf:forwardedip:geo:country:. + + For additional details, see Geographic match rule statement (https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html) + in the WAF Developer Guide (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). + properties: + countryCodes: + items: + type: string + type: array + forwardedIPConfig: + description: |- + The configuration for inspecting IP addresses in an HTTP header that you + specify, instead of using the IP address that's reported by the web request + origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify + any header name. + + If the specified header isn't present in the request, WAF doesn't apply the + rule to the web request at all. + + This configuration is used for GeoMatchStatement and RateBasedStatement. + For IPSetReferenceStatement, use IPSetForwardedIPConfig instead. + + WAF only evaluates the first IP address found in the specified HTTP header. + properties: + fallbackBehavior: + type: string + headerName: + type: string + type: object + type: object + ipSetReferenceStatement: + description: |- + A rule statement used to detect web requests coming from particular IP addresses + or address ranges. To use this, create an IPSet that specifies the addresses + you want to detect, then use the ARN of that set in this statement. To create + an IP set, see CreateIPSet. + + Each IP set rule statement references an IP set. You create and maintain + the set independent of your rules. This allows you to use the single set + in multiple rules. When you update the referenced set, WAF automatically + updates all rules that reference it. + properties: + arn: + type: string + ipSetForwardedIPConfig: + description: |- + The configuration for inspecting IP addresses in an HTTP header that you + specify, instead of using the IP address that's reported by the web request + origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify + any header name. + + If the specified header isn't present in the request, WAF doesn't apply the + rule to the web request at all. + + This configuration is used only for IPSetReferenceStatement. For GeoMatchStatement + and RateBasedStatement, use ForwardedIPConfig instead. + properties: + fallbackBehavior: + type: string + headerName: + type: string + position: + type: string + type: object + type: object + labelMatchStatement: + description: |- + A rule statement to match against labels that have been added to the web + request by rules that have already run in the web ACL. + + The label match statement provides the label or namespace string to search + for. The label string can represent a part or all of the fully qualified + label name that had been added to the web request. Fully qualified labels + have a prefix, optional namespaces, and label name. The prefix identifies + the rule group or web ACL context of the rule that added the label. If you + do not provide the fully qualified name in your label match string, WAF performs + the search for labels that were added in the same context as the label match + statement. + properties: + key: + type: string + scope: + type: string + type: object + managedRuleGroupStatement: + description: |- + A rule statement used to run the rules that are defined in a managed rule + group. To use this, provide the vendor name and the name of the rule group + in this statement. You can retrieve the required names by calling ListAvailableManagedRuleGroups. + + You cannot nest a ManagedRuleGroupStatement, for example for use inside a + NotStatement or OrStatement. You cannot use a managed rule group inside another + rule group. You can only reference a managed rule group as a top-level statement + within a rule that you define in a web ACL. + + You are charged additional fees when you use the WAF Bot Control managed + rule group AWSManagedRulesBotControlRuleSet, the WAF Fraud Control account + takeover prevention (ATP) managed rule group AWSManagedRulesATPRuleSet, or + the WAF Fraud Control account creation fraud prevention (ACFP) managed rule + group AWSManagedRulesACFPRuleSet. For more information, see WAF Pricing (http://aws.amazon.com/waf/pricing/). + properties: + excludedRules: + items: + description: |- + Specifies a single rule in a rule group whose action you want to override + to Count. + + Instead of this option, use RuleActionOverrides. It accepts any valid action + setting, including Count. + properties: + name: + type: string + type: object + type: array + managedRuleGroupConfigs: + items: + description: |- + Additional information that's used by a managed rule group. Many managed + rule groups don't require this. + + The rule groups used for intelligent threat mitigation require additional + configuration: + + * Use the AWSManagedRulesACFPRuleSet configuration object to configure + the account creation fraud prevention managed rule group. The configuration + includes the registration and sign-up pages of your application and the + locations in the account creation request payload of data, such as the + user email and phone number fields. + + * Use the AWSManagedRulesATPRuleSet configuration object to configure + the account takeover prevention managed rule group. The configuration + includes the sign-in page of your application and the locations in the + login request payload of data such as the username and password. + + * Use the AWSManagedRulesBotControlRuleSet configuration object to configure + the protection level that you want the Bot Control rule group to use. + + For example specifications, see the examples section of CreateWebACL. + properties: + awsManagedRulesACFPRuleSet: + description: |- + Details for your use of the account creation fraud prevention managed rule + group, AWSManagedRulesACFPRuleSet. This configuration is used in ManagedRuleGroupConfig. + properties: + creationPath: + type: string + enableRegexInPath: + type: boolean + registrationPagePath: + type: string + requestInspection: + description: |- + The criteria for inspecting account creation requests, used by the ACFP rule + group to validate and track account creation attempts. + + This is part of the AWSManagedRulesACFPRuleSet configuration in ManagedRuleGroupConfig. + + In these settings, you specify how your application accepts account creation + attempts by providing the request payload type and the names of the fields + within the request body where the username, password, email, and primary + address and phone number fields are provided. + properties: + addressFields: + items: + description: |- + The name of a field in the request payload that contains part or all of your + customer's primary physical address. + + This data type is used in the RequestInspectionACFP data type. + properties: + identifier: + type: string + type: object + type: array + emailField: + description: |- + The name of the field in the request payload that contains your customer's + email. + + This data type is used in the RequestInspectionACFP data type. + properties: + identifier: + type: string + type: object + passwordField: + description: |- + The name of the field in the request payload that contains your customer's + password. + + This data type is used in the RequestInspection and RequestInspectionACFP + data types. + properties: + identifier: + type: string + type: object + payloadType: + type: string + phoneNumberFields: + items: + description: |- + The name of a field in the request payload that contains part or all of your + customer's primary phone number. + + This data type is used in the RequestInspectionACFP data type. + properties: + identifier: + type: string + type: object + type: array + usernameField: + description: |- + The name of the field in the request payload that contains your customer's + username. + + This data type is used in the RequestInspection and RequestInspectionACFP + data types. + properties: + identifier: + type: string + type: object + type: object + responseInspection: + description: |- + The criteria for inspecting responses to login requests and account creation + requests, used by the ATP and ACFP rule groups to track login and account + creation success and failure rates. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + + The rule groups evaluates the responses that your protected resources send + back to client login and account creation attempts, keeping count of successful + and failed attempts from each IP address and client session. Using this information, + the rule group labels and mitigates requests from client sessions and IP + addresses with too much suspicious activity in a short amount of time. + + This is part of the AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet + configurations in ManagedRuleGroupConfig. + + Enable response inspection by configuring exactly one component of the response + to inspect, for example, Header or StatusCode. You can't configure more than + one component for inspection. If you don't configure any of the response + inspection options, response inspection is disabled. + properties: + bodyContains: + description: |- + Configures inspection of the response body. WAF can inspect the first 65,536 + bytes (64 KB) of the response body. This is part of the ResponseInspection + configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + properties: + failureStrings: + items: + type: string + type: array + successStrings: + items: + type: string + type: array + type: object + header: + description: |- + Configures inspection of the response header. This is part of the ResponseInspection + configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + properties: + failureValues: + items: + type: string + type: array + name: + type: string + successValues: + items: + type: string + type: array + type: object + json: + description: |- + Configures inspection of the response JSON. WAF can inspect the first 65,536 + bytes (64 KB) of the response JSON. This is part of the ResponseInspection + configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + properties: + failureValues: + items: + type: string + type: array + identifier: + type: string + successValues: + items: + type: string + type: array + type: object + statusCode: + description: |- + Configures inspection of the response status code. This is part of the ResponseInspection + configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + properties: + failureCodes: + items: + format: int64 + type: integer + type: array + successCodes: + items: + format: int64 + type: integer + type: array + type: object + type: object + type: object + awsManagedRulesATPRuleSet: + description: |- + Details for your use of the account takeover prevention managed rule group, + AWSManagedRulesATPRuleSet. This configuration is used in ManagedRuleGroupConfig. + properties: + enableRegexInPath: + type: boolean + loginPath: + type: string + requestInspection: + description: |- + The criteria for inspecting login requests, used by the ATP rule group to + validate credentials usage. + + This is part of the AWSManagedRulesATPRuleSet configuration in ManagedRuleGroupConfig. + + In these settings, you specify how your application accepts login attempts + by providing the request payload type and the names of the fields within + the request body where the username and password are provided. + properties: + passwordField: + description: |- + The name of the field in the request payload that contains your customer's + password. + + This data type is used in the RequestInspection and RequestInspectionACFP + data types. + properties: + identifier: + type: string + type: object + payloadType: + type: string + usernameField: + description: |- + The name of the field in the request payload that contains your customer's + username. + + This data type is used in the RequestInspection and RequestInspectionACFP + data types. + properties: + identifier: + type: string + type: object + type: object + responseInspection: + description: |- + The criteria for inspecting responses to login requests and account creation + requests, used by the ATP and ACFP rule groups to track login and account + creation success and failure rates. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + + The rule groups evaluates the responses that your protected resources send + back to client login and account creation attempts, keeping count of successful + and failed attempts from each IP address and client session. Using this information, + the rule group labels and mitigates requests from client sessions and IP + addresses with too much suspicious activity in a short amount of time. + + This is part of the AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet + configurations in ManagedRuleGroupConfig. + + Enable response inspection by configuring exactly one component of the response + to inspect, for example, Header or StatusCode. You can't configure more than + one component for inspection. If you don't configure any of the response + inspection options, response inspection is disabled. + properties: + bodyContains: + description: |- + Configures inspection of the response body. WAF can inspect the first 65,536 + bytes (64 KB) of the response body. This is part of the ResponseInspection + configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + properties: + failureStrings: + items: + type: string + type: array + successStrings: + items: + type: string + type: array + type: object + header: + description: |- + Configures inspection of the response header. This is part of the ResponseInspection + configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + properties: + failureValues: + items: + type: string + type: array + name: + type: string + successValues: + items: + type: string + type: array + type: object + json: + description: |- + Configures inspection of the response JSON. WAF can inspect the first 65,536 + bytes (64 KB) of the response JSON. This is part of the ResponseInspection + configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + properties: + failureValues: + items: + type: string + type: array + identifier: + type: string + successValues: + items: + type: string + type: array + type: object + statusCode: + description: |- + Configures inspection of the response status code. This is part of the ResponseInspection + configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + properties: + failureCodes: + items: + format: int64 + type: integer + type: array + successCodes: + items: + format: int64 + type: integer + type: array + type: object + type: object + type: object + awsManagedRulesBotControlRuleSet: + description: |- + Details for your use of the Bot Control managed rule group, AWSManagedRulesBotControlRuleSet. + This configuration is used in ManagedRuleGroupConfig. + properties: + enableMachineLearning: + type: boolean + inspectionLevel: + type: string + type: object + loginPath: + type: string + passwordField: + description: |- + The name of the field in the request payload that contains your customer's + password. + + This data type is used in the RequestInspection and RequestInspectionACFP + data types. + properties: + identifier: + type: string + type: object + payloadType: + type: string + usernameField: + description: |- + The name of the field in the request payload that contains your customer's + username. + + This data type is used in the RequestInspection and RequestInspectionACFP + data types. + properties: + identifier: + type: string + type: object + type: object + type: array + name: + type: string + ruleActionOverrides: + items: + description: |- + Action setting to use in the place of a rule action that is configured inside + the rule group. You specify one override for each rule whose action you want + to change. + + You can use overrides for testing, for example you can override all of rule + actions to Count and then monitor the resulting count metrics to understand + how the rule group would handle your web traffic. You can also permanently + override some or all actions, to modify how the rule group manages your web + traffic. + properties: + actionToUse: + description: |- + The action that WAF should take on a web request when it matches a rule's + statement. Settings at the web ACL level can override the rule action setting. + properties: + allow: + description: |- + Specifies that WAF should allow the request and optionally defines additional + custom handling for the request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + block: + description: |- + Specifies that WAF should block the request and optionally defines additional + custom handling for the response to the web request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customResponse: + description: |- + A custom response to send to the client. You can define a custom response + for rule actions and default web ACL actions that are set to BlockAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + customResponseBodyKey: + type: string + responseCode: + format: int64 + type: integer + responseHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + captcha: + description: |- + Specifies that WAF should run a CAPTCHA check against the request: + + * If the request includes a valid, unexpired CAPTCHA token, WAF applies + any custom request handling and labels that you've configured and then + allows the web request inspection to proceed to the next rule, similar + to a CountAction. + + * If the request doesn't include a valid, unexpired token, WAF discontinues + the web ACL evaluation of the request and blocks it from going to its + intended destination. WAF generates a response that it sends back to the + client, which includes the following: The header x-amzn-waf-action with + a value of captcha. The HTTP status code 405 Method Not Allowed. If the + request contains an Accept header with a value of text/html, the response + includes a CAPTCHA JavaScript page interstitial. + + You can configure the expiration time in the CaptchaConfig ImmunityTimeProperty + setting at the rule and web ACL level. The rule setting overrides the web + ACL setting. + + This action option is available for rules. It isn't available for web ACL + default actions. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + challenge: + description: |- + Specifies that WAF should run a Challenge check against the request to verify + that the request is coming from a legitimate client session: + + * If the request includes a valid, unexpired challenge token, WAF applies + any custom request handling and labels that you've configured and then + allows the web request inspection to proceed to the next rule, similar + to a CountAction. + + * If the request doesn't include a valid, unexpired challenge token, WAF + discontinues the web ACL evaluation of the request and blocks it from + going to its intended destination. WAF then generates a challenge response + that it sends back to the client, which includes the following: The header + x-amzn-waf-action with a value of challenge. The HTTP status code 202 + Request Accepted. If the request contains an Accept header with a value + of text/html, the response includes a JavaScript page interstitial with + a challenge script. Challenges run silent browser interrogations in the + background, and don't generally affect the end user experience. A challenge + enforces token acquisition using an interstitial JavaScript challenge + that inspects the client session for legitimate behavior. The challenge + blocks bots or at least increases the cost of operating sophisticated + bots. After the client session successfully responds to the challenge, + it receives a new token from WAF, which the challenge script uses to resubmit + the original request. + + You can configure the expiration time in the ChallengeConfig ImmunityTimeProperty + setting at the rule and web ACL level. The rule setting overrides the web + ACL setting. + + This action option is available for rules. It isn't available for web ACL + default actions. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + count: + description: |- + Specifies that WAF should count the request. Optionally defines additional + custom handling for the request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + type: object + name: + type: string + type: object + type: array + scopeDownStatement: + type: string + vendorName: + type: string + version: + type: string + type: object + notStatement: + type: string + orStatement: + type: string + rateBasedStatement: + description: |- + A rate-based rule counts incoming requests and rate limits requests when + they are coming at too fast a rate. The rule categorizes requests according + to your aggregation criteria, collects them into aggregation instances, and + counts and rate limits the requests for each instance. + + If you change any of these settings in a rule that's currently in use, the + change resets the rule's rate limiting counts. This can pause the rule's + rate limiting activities for up to a minute. + + You can specify individual aggregation keys, like IP address or HTTP method. + You can also specify aggregation key combinations, like IP address and HTTP + method, or HTTP method, query argument, and cookie. + + Each unique set of values for the aggregation keys that you specify is a + separate aggregation instance, with the value from each key contributing + to the aggregation instance definition. + + For example, assume the rule evaluates web requests with the following IP + address and HTTP method values: + + * IP address 10.1.1.1, HTTP method POST + + * IP address 10.1.1.1, HTTP method GET + + * IP address 127.0.0.0, HTTP method POST + + * IP address 10.1.1.1, HTTP method GET + + The rule would create different aggregation instances according to your aggregation + criteria, for example: + + * If the aggregation criteria is just the IP address, then each individual + address is an aggregation instance, and WAF counts requests separately + for each. The aggregation instances and request counts for our example + would be the following: IP address 10.1.1.1: count 3 IP address 127.0.0.0: + count 1 + + * If the aggregation criteria is HTTP method, then each individual HTTP + method is an aggregation instance. The aggregation instances and request + counts for our example would be the following: HTTP method POST: count + 2 HTTP method GET: count 2 + + * If the aggregation criteria is IP address and HTTP method, then each + IP address and each HTTP method would contribute to the combined aggregation + instance. The aggregation instances and request counts for our example + would be the following: IP address 10.1.1.1, HTTP method POST: count 1 + IP address 10.1.1.1, HTTP method GET: count 2 IP address 127.0.0.0, HTTP + method POST: count 1 + + For any n-tuple of aggregation keys, each unique combination of values for + the keys defines a separate aggregation instance, which WAF counts and rate-limits + individually. + + You can optionally nest another statement inside the rate-based statement, + to narrow the scope of the rule so that it only counts and rate limits requests + that match the nested statement. You can use this nested scope-down statement + in conjunction with your aggregation key specifications or you can just count + and rate limit all requests that match the scope-down statement, without + additional aggregation. When you choose to just manage all requests that + match a scope-down statement, the aggregation instance is singular for the + rule. + + You cannot nest a RateBasedStatement inside another statement, for example + inside a NotStatement or OrStatement. You can define a RateBasedStatement + inside a web ACL and inside a rule group. + + For additional information about the options, see Rate limiting web requests + using rate-based rules (https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html) + in the WAF Developer Guide. + + If you only aggregate on the individual IP address or forwarded IP address, + you can retrieve the list of IP addresses that WAF is currently rate limiting + for a rule through the API call GetRateBasedStatementManagedKeys. This option + is not available for other aggregation configurations. + + WAF tracks and manages web requests separately for each instance of a rate-based + rule that you use. For example, if you provide the same rate-based rule settings + in two web ACLs, each of the two rule statements represents a separate instance + of the rate-based rule and gets its own tracking and management by WAF. If + you define a rate-based rule inside a rule group, and then use that rule + group in multiple places, each use creates a separate instance of the rate-based + rule that gets its own tracking and management by WAF. + properties: + aggregateKeyType: + type: string + customKeys: + items: + description: |- + Specifies a single custom aggregate key for a rate-base rule. + + Web requests that are missing any of the components specified in the aggregation + keys are omitted from the rate-based rule evaluation and handling. + properties: + cookie: + description: |- + Specifies a cookie as an aggregate key for a rate-based rule. Each distinct + value in the cookie contributes to the aggregation instance. If you use a + single cookie as your custom key, then each value fully defines an aggregation + instance. + properties: + name: + type: string + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + forwardedIP: + additionalProperties: + type: string + description: |- + Specifies the first IP address in an HTTP header as an aggregate key for + a rate-based rule. Each distinct forwarded IP address contributes to the + aggregation instance. + + This setting is used only in the RateBasedStatementCustomKey specification + of a rate-based rule statement. When you specify an IP or forwarded IP in + the custom key settings, you must also specify at least one other key to + use. You can aggregate on only the forwarded IP address by specifying FORWARDED_IP + in your rate-based statement's AggregateKeyType. + + This data type supports using the forwarded IP address in the web request + aggregation for a rate-based rule, in RateBasedStatementCustomKey. The JSON + specification for using the forwarded IP address doesn't explicitly use this + data type. + + JSON specification: "ForwardedIP": {} + + When you use this specification, you must also configure the forwarded IP + address in the rate-based statement's ForwardedIPConfig. + type: object + header: + description: |- + Specifies a header as an aggregate key for a rate-based rule. Each distinct + value in the header contributes to the aggregation instance. If you use a + single header as your custom key, then each value fully defines an aggregation + instance. + properties: + name: + type: string + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + httpMethod: + additionalProperties: + type: string + description: |- + Specifies the request's HTTP method as an aggregate key for a rate-based + rule. Each distinct HTTP method contributes to the aggregation instance. + If you use just the HTTP method as your custom key, then each method fully + defines an aggregation instance. + + JSON specification: "RateLimitHTTPMethod": {} + type: object + iP: + additionalProperties: + type: string + description: |- + Specifies the IP address in the web request as an aggregate key for a rate-based + rule. Each distinct IP address contributes to the aggregation instance. + + This setting is used only in the RateBasedStatementCustomKey specification + of a rate-based rule statement. To use this in the custom key settings, you + must specify at least one other key to use, along with the IP address. To + aggregate on only the IP address, in your rate-based statement's AggregateKeyType, + specify IP. + + JSON specification: "RateLimitIP": {} + type: object + labelNamespace: + description: |- + Specifies a label namespace to use as an aggregate key for a rate-based rule. + Each distinct fully qualified label name that has the specified label namespace + contributes to the aggregation instance. If you use just one label namespace + as your custom key, then each label name fully defines an aggregation instance. + + This uses only labels that have been added to the request by rules that are + evaluated before this rate-based rule in the web ACL. + + For information about label namespaces and names, see Label syntax and naming + requirements (https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html) + in the WAF Developer Guide. + properties: + namespace: + type: string + type: object + queryArgument: + description: |- + Specifies a query argument in the request as an aggregate key for a rate-based + rule. Each distinct value for the named query argument contributes to the + aggregation instance. If you use a single query argument as your custom key, + then each value fully defines an aggregation instance. + properties: + name: + type: string + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + queryString: + description: |- + Specifies the request's query string as an aggregate key for a rate-based + rule. Each distinct string contributes to the aggregation instance. If you + use just the query string as your custom key, then each string fully defines + an aggregation instance. + properties: + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + uriPath: + description: |- + Specifies the request's URI path as an aggregate key for a rate-based rule. + Each distinct URI path contributes to the aggregation instance. If you use + just the URI path as your custom key, then each URI path fully defines an + aggregation instance. + properties: + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + type: object + type: array + evaluationWindowSec: + format: int64 + type: integer + forwardedIPConfig: + description: |- + The configuration for inspecting IP addresses in an HTTP header that you + specify, instead of using the IP address that's reported by the web request + origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify + any header name. + + If the specified header isn't present in the request, WAF doesn't apply the + rule to the web request at all. + + This configuration is used for GeoMatchStatement and RateBasedStatement. + For IPSetReferenceStatement, use IPSetForwardedIPConfig instead. + + WAF only evaluates the first IP address found in the specified HTTP header. + properties: + fallbackBehavior: + type: string + headerName: + type: string + type: object + limit: + format: int64 + type: integer + scopeDownStatement: + type: string + type: object + regexMatchStatement: + description: |- + A rule statement used to search web request components for a match against + a single regular expression. + properties: + fieldToMatch: + description: |- + Specifies a web request component to be used in a rule match statement or + in a logging configuration. + + * In a rule statement, this is the part of the web request that you want + WAF to inspect. Include the single FieldToMatch type that you want to + inspect, with additional specifications as needed, according to the type. + You specify a single request component in FieldToMatch for each rule statement + that requires it. To inspect more than one component of the web request, + create a separate rule statement for each component. Example JSON for + a QueryString field to match: "FieldToMatch": { "QueryString": {} } Example + JSON for a Method field to match specification: "FieldToMatch": { "Method": + { "Name": "DELETE" } } + + * In a logging configuration, this is used in the RedactedFields property + to specify a field to redact from the logging records. For this use case, + note the following: Even though all FieldToMatch settings are available, + the only valid settings for field redaction are UriPath, QueryString, + SingleHeader, and Method. In this documentation, the descriptions of the + individual fields talk about specifying the web request component to inspect, + but for field redaction, you are specifying the component type to redact + from the logs. + properties: + allQueryArguments: + additionalProperties: + type: string + description: |- + Inspect all query arguments of the web request. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "AllQueryArguments": {} + type: object + body: + description: |- + Inspect the body of the web request. The body immediately follows the request + headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + properties: + oversizeHandling: + type: string + type: object + cookies: + description: |- + Inspect the cookies in the web request. You can specify the parts of the + cookies to inspect and you can narrow the set of cookies to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of cookies to inspect in a web request. + + You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies. + + Example JSON: "MatchPattern": { "IncludedCookies": [ "session-id-time", "session-id" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedCookies: + items: + type: string + type: array + includedCookies: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + headerOrder: + description: |- + Inspect a string containing the list of the request's header names, ordered + as they appear in the web request that WAF receives for inspection. WAF generates + the string and then uses that as the field to match component in its inspection. + WAF separates the header names in the string using colons and no added spaces, + for example host:user-agent:accept:authorization:referer. + properties: + oversizeHandling: + type: string + type: object + headers: + description: |- + Inspect all headers in the web request. You can specify the parts of the + headers to inspect and you can narrow the set of headers to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + If you want to inspect just the value of a single header, use the SingleHeader + FieldToMatch setting instead. + + Example JSON: "Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of headers to inspect in a web request. + + You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders. + + Example JSON: "MatchPattern": { "ExcludedHeaders": [ "KeyToExclude1", "KeyToExclude2" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedHeaders: + items: + type: string + type: array + includedHeaders: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + ja3Fingerprint: + description: |- + Match against the request's JA3 fingerprint. The JA3 fingerprint is a 32-character + hash derived from the TLS Client Hello of an incoming request. This fingerprint + serves as a unique identifier for the client's TLS configuration. WAF calculates + and logs this fingerprint for each request that has enough TLS Client Hello + information for the calculation. Almost all web requests include this information. + + You can use this choice only with a string match ByteMatchStatement with + the PositionalConstraint set to EXACTLY. + + You can obtain the JA3 fingerprint for client requests from the web ACL logs. + If WAF is able to calculate the fingerprint, it includes it in the logs. + For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html) + in the WAF Developer Guide. + + Provide the JA3 fingerprint string from the logs in your string match statement + specification, to match with any future requests that have the same TLS configuration. + properties: + fallbackBehavior: + type: string + type: object + jsonBody: + description: |- + Inspect the body of the web request as JSON. The body immediately follows + the request headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Use the specifications in this object to indicate which parts of the JSON + body to inspect using the rule's inspection criteria. WAF inspects only the + parts of the JSON that result from the matches that you indicate. + + Example JSON: "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": + "ALL" } + properties: + invalidFallbackBehavior: + type: string + matchPattern: + description: |- + The patterns to look for in the JSON body. WAF inspects the results of these + pattern matches against the rule inspection criteria. This is used with the + FieldToMatch option JsonBody. + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + includedPaths: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + method: + additionalProperties: + type: string + description: |- + Inspect the HTTP method of the web request. The method indicates the type + of operation that the request is asking the origin to perform. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "Method": {} + type: object + queryString: + additionalProperties: + type: string + description: |- + Inspect the query string of the web request. This is the part of a URL that + appears after a ? character, if any. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "QueryString": {} + type: object + singleHeader: + description: |- + Inspect one of the headers in the web request, identified by name, for example, + User-Agent or Referer. The name isn't case sensitive. + + You can filter and inspect all headers with the FieldToMatch setting Headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleHeader": { "Name": "haystack" } + properties: + name: + type: string + type: object + singleQueryArgument: + description: |- + Inspect one query argument in the web request, identified by name, for example + UserName or SalesRegion. The name isn't case sensitive. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleQueryArgument": { "Name": "myArgument" } + properties: + name: + type: string + type: object + uriPath: + additionalProperties: + type: string + description: |- + Inspect the path component of the URI of the web request. This is the part + of the web request that identifies a resource. For example, /images/daily-ad.jpg. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "UriPath": {} + type: object + type: object + regexString: + type: string + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + regexPatternSetReferenceStatement: + description: |- + A rule statement used to search web request components for matches with regular + expressions. To use this, create a RegexPatternSet that specifies the expressions + that you want to detect, then use the ARN of that set in this statement. + A web request matches the pattern set rule statement if the request component + matches any of the patterns in the set. To create a regex pattern set, see + CreateRegexPatternSet. + + Each regex pattern set rule statement references a regex pattern set. You + create and maintain the set independent of your rules. This allows you to + use the single set in multiple rules. When you update the referenced set, + WAF automatically updates all rules that reference it. + properties: + arn: + type: string + fieldToMatch: + description: |- + Specifies a web request component to be used in a rule match statement or + in a logging configuration. + + * In a rule statement, this is the part of the web request that you want + WAF to inspect. Include the single FieldToMatch type that you want to + inspect, with additional specifications as needed, according to the type. + You specify a single request component in FieldToMatch for each rule statement + that requires it. To inspect more than one component of the web request, + create a separate rule statement for each component. Example JSON for + a QueryString field to match: "FieldToMatch": { "QueryString": {} } Example + JSON for a Method field to match specification: "FieldToMatch": { "Method": + { "Name": "DELETE" } } + + * In a logging configuration, this is used in the RedactedFields property + to specify a field to redact from the logging records. For this use case, + note the following: Even though all FieldToMatch settings are available, + the only valid settings for field redaction are UriPath, QueryString, + SingleHeader, and Method. In this documentation, the descriptions of the + individual fields talk about specifying the web request component to inspect, + but for field redaction, you are specifying the component type to redact + from the logs. + properties: + allQueryArguments: + additionalProperties: + type: string + description: |- + Inspect all query arguments of the web request. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "AllQueryArguments": {} + type: object + body: + description: |- + Inspect the body of the web request. The body immediately follows the request + headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + properties: + oversizeHandling: + type: string + type: object + cookies: + description: |- + Inspect the cookies in the web request. You can specify the parts of the + cookies to inspect and you can narrow the set of cookies to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of cookies to inspect in a web request. + + You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies. + + Example JSON: "MatchPattern": { "IncludedCookies": [ "session-id-time", "session-id" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedCookies: + items: + type: string + type: array + includedCookies: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + headerOrder: + description: |- + Inspect a string containing the list of the request's header names, ordered + as they appear in the web request that WAF receives for inspection. WAF generates + the string and then uses that as the field to match component in its inspection. + WAF separates the header names in the string using colons and no added spaces, + for example host:user-agent:accept:authorization:referer. + properties: + oversizeHandling: + type: string + type: object + headers: + description: |- + Inspect all headers in the web request. You can specify the parts of the + headers to inspect and you can narrow the set of headers to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + If you want to inspect just the value of a single header, use the SingleHeader + FieldToMatch setting instead. + + Example JSON: "Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of headers to inspect in a web request. + + You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders. + + Example JSON: "MatchPattern": { "ExcludedHeaders": [ "KeyToExclude1", "KeyToExclude2" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedHeaders: + items: + type: string + type: array + includedHeaders: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + ja3Fingerprint: + description: |- + Match against the request's JA3 fingerprint. The JA3 fingerprint is a 32-character + hash derived from the TLS Client Hello of an incoming request. This fingerprint + serves as a unique identifier for the client's TLS configuration. WAF calculates + and logs this fingerprint for each request that has enough TLS Client Hello + information for the calculation. Almost all web requests include this information. + + You can use this choice only with a string match ByteMatchStatement with + the PositionalConstraint set to EXACTLY. + + You can obtain the JA3 fingerprint for client requests from the web ACL logs. + If WAF is able to calculate the fingerprint, it includes it in the logs. + For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html) + in the WAF Developer Guide. + + Provide the JA3 fingerprint string from the logs in your string match statement + specification, to match with any future requests that have the same TLS configuration. + properties: + fallbackBehavior: + type: string + type: object + jsonBody: + description: |- + Inspect the body of the web request as JSON. The body immediately follows + the request headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Use the specifications in this object to indicate which parts of the JSON + body to inspect using the rule's inspection criteria. WAF inspects only the + parts of the JSON that result from the matches that you indicate. + + Example JSON: "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": + "ALL" } + properties: + invalidFallbackBehavior: + type: string + matchPattern: + description: |- + The patterns to look for in the JSON body. WAF inspects the results of these + pattern matches against the rule inspection criteria. This is used with the + FieldToMatch option JsonBody. + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + includedPaths: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + method: + additionalProperties: + type: string + description: |- + Inspect the HTTP method of the web request. The method indicates the type + of operation that the request is asking the origin to perform. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "Method": {} + type: object + queryString: + additionalProperties: + type: string + description: |- + Inspect the query string of the web request. This is the part of a URL that + appears after a ? character, if any. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "QueryString": {} + type: object + singleHeader: + description: |- + Inspect one of the headers in the web request, identified by name, for example, + User-Agent or Referer. The name isn't case sensitive. + + You can filter and inspect all headers with the FieldToMatch setting Headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleHeader": { "Name": "haystack" } + properties: + name: + type: string + type: object + singleQueryArgument: + description: |- + Inspect one query argument in the web request, identified by name, for example + UserName or SalesRegion. The name isn't case sensitive. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleQueryArgument": { "Name": "myArgument" } + properties: + name: + type: string + type: object + uriPath: + additionalProperties: + type: string + description: |- + Inspect the path component of the URI of the web request. This is the part + of the web request that identifies a resource. For example, /images/daily-ad.jpg. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "UriPath": {} + type: object + type: object + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + ruleGroupReferenceStatement: + description: |- + A rule statement used to run the rules that are defined in a RuleGroup. To + use this, create a rule group with your rules, then provide the ARN of the + rule group in this statement. + + You cannot nest a RuleGroupReferenceStatement, for example for use inside + a NotStatement or OrStatement. You cannot use a rule group reference statement + inside another rule group. You can only reference a rule group as a top-level + statement within a rule that you define in a web ACL. + properties: + arn: + type: string + excludedRules: + items: + description: |- + Specifies a single rule in a rule group whose action you want to override + to Count. + + Instead of this option, use RuleActionOverrides. It accepts any valid action + setting, including Count. + properties: + name: + type: string + type: object + type: array + ruleActionOverrides: + items: + description: |- + Action setting to use in the place of a rule action that is configured inside + the rule group. You specify one override for each rule whose action you want + to change. + + You can use overrides for testing, for example you can override all of rule + actions to Count and then monitor the resulting count metrics to understand + how the rule group would handle your web traffic. You can also permanently + override some or all actions, to modify how the rule group manages your web + traffic. + properties: + actionToUse: + description: |- + The action that WAF should take on a web request when it matches a rule's + statement. Settings at the web ACL level can override the rule action setting. + properties: + allow: + description: |- + Specifies that WAF should allow the request and optionally defines additional + custom handling for the request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + block: + description: |- + Specifies that WAF should block the request and optionally defines additional + custom handling for the response to the web request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customResponse: + description: |- + A custom response to send to the client. You can define a custom response + for rule actions and default web ACL actions that are set to BlockAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + customResponseBodyKey: + type: string + responseCode: + format: int64 + type: integer + responseHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + captcha: + description: |- + Specifies that WAF should run a CAPTCHA check against the request: + + * If the request includes a valid, unexpired CAPTCHA token, WAF applies + any custom request handling and labels that you've configured and then + allows the web request inspection to proceed to the next rule, similar + to a CountAction. + + * If the request doesn't include a valid, unexpired token, WAF discontinues + the web ACL evaluation of the request and blocks it from going to its + intended destination. WAF generates a response that it sends back to the + client, which includes the following: The header x-amzn-waf-action with + a value of captcha. The HTTP status code 405 Method Not Allowed. If the + request contains an Accept header with a value of text/html, the response + includes a CAPTCHA JavaScript page interstitial. + + You can configure the expiration time in the CaptchaConfig ImmunityTimeProperty + setting at the rule and web ACL level. The rule setting overrides the web + ACL setting. + + This action option is available for rules. It isn't available for web ACL + default actions. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + challenge: + description: |- + Specifies that WAF should run a Challenge check against the request to verify + that the request is coming from a legitimate client session: + + * If the request includes a valid, unexpired challenge token, WAF applies + any custom request handling and labels that you've configured and then + allows the web request inspection to proceed to the next rule, similar + to a CountAction. + + * If the request doesn't include a valid, unexpired challenge token, WAF + discontinues the web ACL evaluation of the request and blocks it from + going to its intended destination. WAF then generates a challenge response + that it sends back to the client, which includes the following: The header + x-amzn-waf-action with a value of challenge. The HTTP status code 202 + Request Accepted. If the request contains an Accept header with a value + of text/html, the response includes a JavaScript page interstitial with + a challenge script. Challenges run silent browser interrogations in the + background, and don't generally affect the end user experience. A challenge + enforces token acquisition using an interstitial JavaScript challenge + that inspects the client session for legitimate behavior. The challenge + blocks bots or at least increases the cost of operating sophisticated + bots. After the client session successfully responds to the challenge, + it receives a new token from WAF, which the challenge script uses to resubmit + the original request. + + You can configure the expiration time in the ChallengeConfig ImmunityTimeProperty + setting at the rule and web ACL level. The rule setting overrides the web + ACL setting. + + This action option is available for rules. It isn't available for web ACL + default actions. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + count: + description: |- + Specifies that WAF should count the request. Optionally defines additional + custom handling for the request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + type: object + name: + type: string + type: object + type: array + type: object + sizeConstraintStatement: + description: |- + A rule statement that compares a number of bytes against the size of a request + component, using a comparison operator, such as greater than (>) or less + than (<). For example, you can use a size constraint statement to look for + query strings that are longer than 100 bytes. + + If you configure WAF to inspect the request body, WAF inspects only the number + of bytes in the body up to the limit for the web ACL and protected resource + type. If you know that the request body for your web requests should never + exceed the inspection limit, you can use a size constraint statement to block + requests that have a larger request body size. For more information about + the inspection limits, see Body and JsonBody settings for the FieldToMatch + data type. + + If you choose URI for the value of Part of the request to filter on, the + slash (/) in the URI counts as one character. For example, the URI /logo.jpg + is nine characters long. + properties: + comparisonOperator: + type: string + fieldToMatch: + description: |- + Specifies a web request component to be used in a rule match statement or + in a logging configuration. + + * In a rule statement, this is the part of the web request that you want + WAF to inspect. Include the single FieldToMatch type that you want to + inspect, with additional specifications as needed, according to the type. + You specify a single request component in FieldToMatch for each rule statement + that requires it. To inspect more than one component of the web request, + create a separate rule statement for each component. Example JSON for + a QueryString field to match: "FieldToMatch": { "QueryString": {} } Example + JSON for a Method field to match specification: "FieldToMatch": { "Method": + { "Name": "DELETE" } } + + * In a logging configuration, this is used in the RedactedFields property + to specify a field to redact from the logging records. For this use case, + note the following: Even though all FieldToMatch settings are available, + the only valid settings for field redaction are UriPath, QueryString, + SingleHeader, and Method. In this documentation, the descriptions of the + individual fields talk about specifying the web request component to inspect, + but for field redaction, you are specifying the component type to redact + from the logs. + properties: + allQueryArguments: + additionalProperties: + type: string + description: |- + Inspect all query arguments of the web request. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "AllQueryArguments": {} + type: object + body: + description: |- + Inspect the body of the web request. The body immediately follows the request + headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + properties: + oversizeHandling: + type: string + type: object + cookies: + description: |- + Inspect the cookies in the web request. You can specify the parts of the + cookies to inspect and you can narrow the set of cookies to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of cookies to inspect in a web request. + + You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies. + + Example JSON: "MatchPattern": { "IncludedCookies": [ "session-id-time", "session-id" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedCookies: + items: + type: string + type: array + includedCookies: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + headerOrder: + description: |- + Inspect a string containing the list of the request's header names, ordered + as they appear in the web request that WAF receives for inspection. WAF generates + the string and then uses that as the field to match component in its inspection. + WAF separates the header names in the string using colons and no added spaces, + for example host:user-agent:accept:authorization:referer. + properties: + oversizeHandling: + type: string + type: object + headers: + description: |- + Inspect all headers in the web request. You can specify the parts of the + headers to inspect and you can narrow the set of headers to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + If you want to inspect just the value of a single header, use the SingleHeader + FieldToMatch setting instead. + + Example JSON: "Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of headers to inspect in a web request. + + You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders. + + Example JSON: "MatchPattern": { "ExcludedHeaders": [ "KeyToExclude1", "KeyToExclude2" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedHeaders: + items: + type: string + type: array + includedHeaders: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + ja3Fingerprint: + description: |- + Match against the request's JA3 fingerprint. The JA3 fingerprint is a 32-character + hash derived from the TLS Client Hello of an incoming request. This fingerprint + serves as a unique identifier for the client's TLS configuration. WAF calculates + and logs this fingerprint for each request that has enough TLS Client Hello + information for the calculation. Almost all web requests include this information. + + You can use this choice only with a string match ByteMatchStatement with + the PositionalConstraint set to EXACTLY. + + You can obtain the JA3 fingerprint for client requests from the web ACL logs. + If WAF is able to calculate the fingerprint, it includes it in the logs. + For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html) + in the WAF Developer Guide. + + Provide the JA3 fingerprint string from the logs in your string match statement + specification, to match with any future requests that have the same TLS configuration. + properties: + fallbackBehavior: + type: string + type: object + jsonBody: + description: |- + Inspect the body of the web request as JSON. The body immediately follows + the request headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Use the specifications in this object to indicate which parts of the JSON + body to inspect using the rule's inspection criteria. WAF inspects only the + parts of the JSON that result from the matches that you indicate. + + Example JSON: "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": + "ALL" } + properties: + invalidFallbackBehavior: + type: string + matchPattern: + description: |- + The patterns to look for in the JSON body. WAF inspects the results of these + pattern matches against the rule inspection criteria. This is used with the + FieldToMatch option JsonBody. + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + includedPaths: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + method: + additionalProperties: + type: string + description: |- + Inspect the HTTP method of the web request. The method indicates the type + of operation that the request is asking the origin to perform. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "Method": {} + type: object + queryString: + additionalProperties: + type: string + description: |- + Inspect the query string of the web request. This is the part of a URL that + appears after a ? character, if any. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "QueryString": {} + type: object + singleHeader: + description: |- + Inspect one of the headers in the web request, identified by name, for example, + User-Agent or Referer. The name isn't case sensitive. + + You can filter and inspect all headers with the FieldToMatch setting Headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleHeader": { "Name": "haystack" } + properties: + name: + type: string + type: object + singleQueryArgument: + description: |- + Inspect one query argument in the web request, identified by name, for example + UserName or SalesRegion. The name isn't case sensitive. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleQueryArgument": { "Name": "myArgument" } + properties: + name: + type: string + type: object + uriPath: + additionalProperties: + type: string + description: |- + Inspect the path component of the URI of the web request. This is the part + of the web request that identifies a resource. For example, /images/daily-ad.jpg. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "UriPath": {} + type: object + type: object + size: + format: int64 + type: integer + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + sqliMatchStatement: + description: |- + A rule statement that inspects for malicious SQL code. Attackers insert malicious + SQL code into web requests to do things like modify your database or extract + data from it. + properties: + fieldToMatch: + description: |- + Specifies a web request component to be used in a rule match statement or + in a logging configuration. + + * In a rule statement, this is the part of the web request that you want + WAF to inspect. Include the single FieldToMatch type that you want to + inspect, with additional specifications as needed, according to the type. + You specify a single request component in FieldToMatch for each rule statement + that requires it. To inspect more than one component of the web request, + create a separate rule statement for each component. Example JSON for + a QueryString field to match: "FieldToMatch": { "QueryString": {} } Example + JSON for a Method field to match specification: "FieldToMatch": { "Method": + { "Name": "DELETE" } } + + * In a logging configuration, this is used in the RedactedFields property + to specify a field to redact from the logging records. For this use case, + note the following: Even though all FieldToMatch settings are available, + the only valid settings for field redaction are UriPath, QueryString, + SingleHeader, and Method. In this documentation, the descriptions of the + individual fields talk about specifying the web request component to inspect, + but for field redaction, you are specifying the component type to redact + from the logs. + properties: + allQueryArguments: + additionalProperties: + type: string + description: |- + Inspect all query arguments of the web request. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "AllQueryArguments": {} + type: object + body: + description: |- + Inspect the body of the web request. The body immediately follows the request + headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + properties: + oversizeHandling: + type: string + type: object + cookies: + description: |- + Inspect the cookies in the web request. You can specify the parts of the + cookies to inspect and you can narrow the set of cookies to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of cookies to inspect in a web request. + + You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies. + + Example JSON: "MatchPattern": { "IncludedCookies": [ "session-id-time", "session-id" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedCookies: + items: + type: string + type: array + includedCookies: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + headerOrder: + description: |- + Inspect a string containing the list of the request's header names, ordered + as they appear in the web request that WAF receives for inspection. WAF generates + the string and then uses that as the field to match component in its inspection. + WAF separates the header names in the string using colons and no added spaces, + for example host:user-agent:accept:authorization:referer. + properties: + oversizeHandling: + type: string + type: object + headers: + description: |- + Inspect all headers in the web request. You can specify the parts of the + headers to inspect and you can narrow the set of headers to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + If you want to inspect just the value of a single header, use the SingleHeader + FieldToMatch setting instead. + + Example JSON: "Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of headers to inspect in a web request. + + You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders. + + Example JSON: "MatchPattern": { "ExcludedHeaders": [ "KeyToExclude1", "KeyToExclude2" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedHeaders: + items: + type: string + type: array + includedHeaders: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + ja3Fingerprint: + description: |- + Match against the request's JA3 fingerprint. The JA3 fingerprint is a 32-character + hash derived from the TLS Client Hello of an incoming request. This fingerprint + serves as a unique identifier for the client's TLS configuration. WAF calculates + and logs this fingerprint for each request that has enough TLS Client Hello + information for the calculation. Almost all web requests include this information. + + You can use this choice only with a string match ByteMatchStatement with + the PositionalConstraint set to EXACTLY. + + You can obtain the JA3 fingerprint for client requests from the web ACL logs. + If WAF is able to calculate the fingerprint, it includes it in the logs. + For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html) + in the WAF Developer Guide. + + Provide the JA3 fingerprint string from the logs in your string match statement + specification, to match with any future requests that have the same TLS configuration. + properties: + fallbackBehavior: + type: string + type: object + jsonBody: + description: |- + Inspect the body of the web request as JSON. The body immediately follows + the request headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Use the specifications in this object to indicate which parts of the JSON + body to inspect using the rule's inspection criteria. WAF inspects only the + parts of the JSON that result from the matches that you indicate. + + Example JSON: "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": + "ALL" } + properties: + invalidFallbackBehavior: + type: string + matchPattern: + description: |- + The patterns to look for in the JSON body. WAF inspects the results of these + pattern matches against the rule inspection criteria. This is used with the + FieldToMatch option JsonBody. + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + includedPaths: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + method: + additionalProperties: + type: string + description: |- + Inspect the HTTP method of the web request. The method indicates the type + of operation that the request is asking the origin to perform. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "Method": {} + type: object + queryString: + additionalProperties: + type: string + description: |- + Inspect the query string of the web request. This is the part of a URL that + appears after a ? character, if any. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "QueryString": {} + type: object + singleHeader: + description: |- + Inspect one of the headers in the web request, identified by name, for example, + User-Agent or Referer. The name isn't case sensitive. + + You can filter and inspect all headers with the FieldToMatch setting Headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleHeader": { "Name": "haystack" } + properties: + name: + type: string + type: object + singleQueryArgument: + description: |- + Inspect one query argument in the web request, identified by name, for example + UserName or SalesRegion. The name isn't case sensitive. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleQueryArgument": { "Name": "myArgument" } + properties: + name: + type: string + type: object + uriPath: + additionalProperties: + type: string + description: |- + Inspect the path component of the URI of the web request. This is the part + of the web request that identifies a resource. For example, /images/daily-ad.jpg. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "UriPath": {} + type: object + type: object + sensitivityLevel: + type: string + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + xssMatchStatement: + description: |- + A rule statement that inspects for cross-site scripting (XSS) attacks. In + XSS attacks, the attacker uses vulnerabilities in a benign website as a vehicle + to inject malicious client-site scripts into other legitimate web browsers. + properties: + fieldToMatch: + description: |- + Specifies a web request component to be used in a rule match statement or + in a logging configuration. + + * In a rule statement, this is the part of the web request that you want + WAF to inspect. Include the single FieldToMatch type that you want to + inspect, with additional specifications as needed, according to the type. + You specify a single request component in FieldToMatch for each rule statement + that requires it. To inspect more than one component of the web request, + create a separate rule statement for each component. Example JSON for + a QueryString field to match: "FieldToMatch": { "QueryString": {} } Example + JSON for a Method field to match specification: "FieldToMatch": { "Method": + { "Name": "DELETE" } } + + * In a logging configuration, this is used in the RedactedFields property + to specify a field to redact from the logging records. For this use case, + note the following: Even though all FieldToMatch settings are available, + the only valid settings for field redaction are UriPath, QueryString, + SingleHeader, and Method. In this documentation, the descriptions of the + individual fields talk about specifying the web request component to inspect, + but for field redaction, you are specifying the component type to redact + from the logs. + properties: + allQueryArguments: + additionalProperties: + type: string + description: |- + Inspect all query arguments of the web request. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "AllQueryArguments": {} + type: object + body: + description: |- + Inspect the body of the web request. The body immediately follows the request + headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + properties: + oversizeHandling: + type: string + type: object + cookies: + description: |- + Inspect the cookies in the web request. You can specify the parts of the + cookies to inspect and you can narrow the set of cookies to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of cookies to inspect in a web request. + + You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies. + + Example JSON: "MatchPattern": { "IncludedCookies": [ "session-id-time", "session-id" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedCookies: + items: + type: string + type: array + includedCookies: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + headerOrder: + description: |- + Inspect a string containing the list of the request's header names, ordered + as they appear in the web request that WAF receives for inspection. WAF generates + the string and then uses that as the field to match component in its inspection. + WAF separates the header names in the string using colons and no added spaces, + for example host:user-agent:accept:authorization:referer. + properties: + oversizeHandling: + type: string + type: object + headers: + description: |- + Inspect all headers in the web request. You can specify the parts of the + headers to inspect and you can narrow the set of headers to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + If you want to inspect just the value of a single header, use the SingleHeader + FieldToMatch setting instead. + + Example JSON: "Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of headers to inspect in a web request. + + You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders. + + Example JSON: "MatchPattern": { "ExcludedHeaders": [ "KeyToExclude1", "KeyToExclude2" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedHeaders: + items: + type: string + type: array + includedHeaders: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + ja3Fingerprint: + description: |- + Match against the request's JA3 fingerprint. The JA3 fingerprint is a 32-character + hash derived from the TLS Client Hello of an incoming request. This fingerprint + serves as a unique identifier for the client's TLS configuration. WAF calculates + and logs this fingerprint for each request that has enough TLS Client Hello + information for the calculation. Almost all web requests include this information. + + You can use this choice only with a string match ByteMatchStatement with + the PositionalConstraint set to EXACTLY. + + You can obtain the JA3 fingerprint for client requests from the web ACL logs. + If WAF is able to calculate the fingerprint, it includes it in the logs. + For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html) + in the WAF Developer Guide. + + Provide the JA3 fingerprint string from the logs in your string match statement + specification, to match with any future requests that have the same TLS configuration. + properties: + fallbackBehavior: + type: string + type: object + jsonBody: + description: |- + Inspect the body of the web request as JSON. The body immediately follows + the request headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Use the specifications in this object to indicate which parts of the JSON + body to inspect using the rule's inspection criteria. WAF inspects only the + parts of the JSON that result from the matches that you indicate. + + Example JSON: "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": + "ALL" } + properties: + invalidFallbackBehavior: + type: string + matchPattern: + description: |- + The patterns to look for in the JSON body. WAF inspects the results of these + pattern matches against the rule inspection criteria. This is used with the + FieldToMatch option JsonBody. + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + includedPaths: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + method: + additionalProperties: + type: string + description: |- + Inspect the HTTP method of the web request. The method indicates the type + of operation that the request is asking the origin to perform. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "Method": {} + type: object + queryString: + additionalProperties: + type: string + description: |- + Inspect the query string of the web request. This is the part of a URL that + appears after a ? character, if any. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "QueryString": {} + type: object + singleHeader: + description: |- + Inspect one of the headers in the web request, identified by name, for example, + User-Agent or Referer. The name isn't case sensitive. + + You can filter and inspect all headers with the FieldToMatch setting Headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleHeader": { "Name": "haystack" } + properties: + name: + type: string + type: object + singleQueryArgument: + description: |- + Inspect one query argument in the web request, identified by name, for example + UserName or SalesRegion. The name isn't case sensitive. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleQueryArgument": { "Name": "myArgument" } + properties: + name: + type: string + type: object + uriPath: + additionalProperties: + type: string + description: |- + Inspect the path component of the URI of the web request. This is the part + of the web request that identifies a resource. For example, /images/daily-ad.jpg. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "UriPath": {} + type: object + type: object + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + type: object + visibilityConfig: + description: Defines and enables Amazon CloudWatch metrics and + web request sample collection. + properties: + cloudWatchMetricsEnabled: + type: boolean + metricName: + type: string + sampledRequestsEnabled: + type: boolean + type: object + type: object + type: array + scope: + description: |- + Specifies whether this is for an Amazon CloudFront distribution or for a + regional application. A regional application can be an Application Load Balancer + (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon + Cognito user pool, an App Runner service, or an Amazon Web Services Verified + Access instance. + + To work with CloudFront, you must also specify the Region US East (N. Virginia) + as follows: + + * CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT + --region=us-east-1. + + * API and SDKs - For all calls, use the Region endpoint us-east-1. + type: string + tags: + description: An array of key:value pairs to associate with the resource. + items: + description: |- + A tag associated with an Amazon Web Services resource. Tags are key:value + pairs that you can use to categorize and manage your resources, for purposes + like billing or other management. Typically, the tag key represents a category, + such as "environment", and the tag value represents a specific value within + that category, such as "test," "development," or "production". Or you might + set the tag key to "customer" and the value to the customer name or ID. You + can specify one or more tags to add to each Amazon Web Services resource, + up to 50 tags for a resource. + + You can tag the Amazon Web Services resources that you manage through WAF: + web ACLs, rule groups, IP sets, and regex pattern sets. You can't manage + or view tags through the WAF console. + properties: + key: + type: string + value: + type: string + type: object + type: array + visibilityConfig: + description: Defines and enables Amazon CloudWatch metrics and web + request sample collection. + properties: + cloudWatchMetricsEnabled: + type: boolean + metricName: + type: string + sampledRequestsEnabled: + type: boolean + type: object + required: + - capacity + - name + - scope + - visibilityConfig + type: object + status: + description: RuleGroupStatus defines the observed state of RuleGroup + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: |- + All CRS managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + id: + description: |- + A unique identifier for the rule group. This ID is returned in the responses + to create and list commands. You provide it to operations like update and + delete. + type: string + lockToken: + description: |- + A token used for optimistic locking. WAF returns a token to your get and + list requests, to mark the state of the entity at the time of the request. + To make changes to the entity associated with the token, you provide the + token to operations like update and delete. WAF uses the token to ensure + that no changes have been made to the entity since you last retrieved it. + If a change has been made, the update fails with a WAFOptimisticLockException. + If this happens, perform another get, and use the new token returned by that + operation. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/ack-wafv2-controller/0.0.4/manifests/wafv2.services.k8s.aws_webacls.yaml b/operators/ack-wafv2-controller/0.0.4/manifests/wafv2.services.k8s.aws_webacls.yaml new file mode 100644 index 00000000000..8c507046eda --- /dev/null +++ b/operators/ack-wafv2-controller/0.0.4/manifests/wafv2.services.k8s.aws_webacls.yaml @@ -0,0 +1,3978 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.2 + creationTimestamp: null + name: webacls.wafv2.services.k8s.aws +spec: + group: wafv2.services.k8s.aws + names: + kind: WebACL + listKind: WebACLList + plural: webacls + singular: webacl + scope: Namespaced + versions: + - name: v1alpha1 + schema: + openAPIV3Schema: + description: WebACL is the Schema for the WebACLS API + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + WebACLSpec defines the desired state of WebACL. + + A web ACL defines a collection of rules to use to inspect and control web + requests. Each rule has a statement that defines what to look for in web + requests and an action that WAF applies to requests that match the statement. + In the web ACL, you assign a default action to take (allow, block) for any + request that does not match any of the rules. The rules in a web ACL can + be a combination of the types Rule, RuleGroup, and managed rule group. You + can associate a web ACL with one or more Amazon Web Services resources to + protect. The resources can be an Amazon CloudFront distribution, an Amazon + API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, + an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services + Verified Access instance. + properties: + associationConfig: + description: |- + Specifies custom configurations for the associations between the web ACL + and protected resources. + + Use this to customize the maximum size of the request body that your protected + resources forward to WAF for inspection. You can customize this setting for + CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources. + The default setting is 16 KB (16,384 bytes). + + You are charged additional fees when your protected resources forward body + sizes that are larger than the default. For more information, see WAF Pricing + (http://aws.amazon.com/waf/pricing/). + + For Application Load Balancer and AppSync, the limit is fixed at 8 KB (8,192 + bytes). + properties: + requestBody: + additionalProperties: + description: |- + Customizes the maximum size of the request body that your protected CloudFront, + API Gateway, Amazon Cognito, App Runner, and Verified Access resources forward + to WAF for inspection. The default size is 16 KB (16,384 bytes). You can + change the setting for any of the available resource types. + + You are charged additional fees when your protected resources forward body + sizes that are larger than the default. For more information, see WAF Pricing + (http://aws.amazon.com/waf/pricing/). + + Example JSON: { "API_GATEWAY": "KB_48", "APP_RUNNER_SERVICE": "KB_32" } + + For Application Load Balancer and AppSync, the limit is fixed at 8 KB (8,192 + bytes). + + This is used in the AssociationConfig of the web ACL. + properties: + defaultSizeInspectionLimit: + type: string + type: object + type: object + type: object + captchaConfig: + description: |- + Specifies how WAF should handle CAPTCHA evaluations for rules that don't + have their own CaptchaConfig settings. If you don't specify this, WAF uses + its default settings for CaptchaConfig. + properties: + immunityTimeProperty: + description: |- + Used for CAPTCHA and challenge token settings. Determines how long a CAPTCHA + or challenge timestamp remains valid after WAF updates it for a successful + CAPTCHA or challenge response. + properties: + immunityTime: + format: int64 + type: integer + type: object + type: object + challengeConfig: + description: |- + Specifies how WAF should handle challenge evaluations for rules that don't + have their own ChallengeConfig settings. If you don't specify this, WAF uses + its default settings for ChallengeConfig. + properties: + immunityTimeProperty: + description: |- + Used for CAPTCHA and challenge token settings. Determines how long a CAPTCHA + or challenge timestamp remains valid after WAF updates it for a successful + CAPTCHA or challenge response. + properties: + immunityTime: + format: int64 + type: integer + type: object + type: object + customResponseBodies: + additionalProperties: + description: |- + The response body to use in a custom response to a web request. This is referenced + by key from CustomResponse CustomResponseBodyKey. + properties: + content: + type: string + contentType: + type: string + type: object + description: |- + A map of custom response keys and content bodies. When you create a rule + with a block action, you can send a custom response to the web request. You + define these for the web ACL, and then use them in the rules and default + actions that you define in the web ACL. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + + For information about the limits on count and size for custom request and + response settings, see WAF quotas (https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) + in the WAF Developer Guide. + type: object + defaultAction: + description: The action to perform if none of the Rules contained + in the WebACL match. + properties: + allow: + description: |- + Specifies that WAF should allow the request and optionally defines additional + custom handling for the request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + block: + description: |- + Specifies that WAF should block the request and optionally defines additional + custom handling for the response to the web request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customResponse: + description: |- + A custom response to send to the client. You can define a custom response + for rule actions and default web ACL actions that are set to BlockAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + customResponseBodyKey: + type: string + responseCode: + format: int64 + type: integer + responseHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + type: object + description: + description: A description of the web ACL that helps with identification. + type: string + name: + description: |- + The name of the web ACL. You cannot change the name of a web ACL after you + create it. + type: string + rules: + description: |- + The Rule statements used to identify the web requests that you want to manage. + Each rule includes one top-level statement that WAF uses to identify matching + web requests, and parameters that govern how WAF handles them. + items: + description: |- + A single rule, which you can use in a WebACL or RuleGroup to identify web + requests that you want to manage in some way. Each rule includes one top-level + Statement that WAF uses to identify matching web requests, and parameters + that govern how WAF handles them. + properties: + action: + description: |- + The action that WAF should take on a web request when it matches a rule's + statement. Settings at the web ACL level can override the rule action setting. + properties: + allow: + description: |- + Specifies that WAF should allow the request and optionally defines additional + custom handling for the request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + block: + description: |- + Specifies that WAF should block the request and optionally defines additional + custom handling for the response to the web request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customResponse: + description: |- + A custom response to send to the client. You can define a custom response + for rule actions and default web ACL actions that are set to BlockAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + customResponseBodyKey: + type: string + responseCode: + format: int64 + type: integer + responseHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + captcha: + description: |- + Specifies that WAF should run a CAPTCHA check against the request: + + * If the request includes a valid, unexpired CAPTCHA token, WAF applies + any custom request handling and labels that you've configured and then + allows the web request inspection to proceed to the next rule, similar + to a CountAction. + + * If the request doesn't include a valid, unexpired token, WAF discontinues + the web ACL evaluation of the request and blocks it from going to its + intended destination. WAF generates a response that it sends back to the + client, which includes the following: The header x-amzn-waf-action with + a value of captcha. The HTTP status code 405 Method Not Allowed. If the + request contains an Accept header with a value of text/html, the response + includes a CAPTCHA JavaScript page interstitial. + + You can configure the expiration time in the CaptchaConfig ImmunityTimeProperty + setting at the rule and web ACL level. The rule setting overrides the web + ACL setting. + + This action option is available for rules. It isn't available for web ACL + default actions. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + challenge: + description: |- + Specifies that WAF should run a Challenge check against the request to verify + that the request is coming from a legitimate client session: + + * If the request includes a valid, unexpired challenge token, WAF applies + any custom request handling and labels that you've configured and then + allows the web request inspection to proceed to the next rule, similar + to a CountAction. + + * If the request doesn't include a valid, unexpired challenge token, WAF + discontinues the web ACL evaluation of the request and blocks it from + going to its intended destination. WAF then generates a challenge response + that it sends back to the client, which includes the following: The header + x-amzn-waf-action with a value of challenge. The HTTP status code 202 + Request Accepted. If the request contains an Accept header with a value + of text/html, the response includes a JavaScript page interstitial with + a challenge script. Challenges run silent browser interrogations in the + background, and don't generally affect the end user experience. A challenge + enforces token acquisition using an interstitial JavaScript challenge + that inspects the client session for legitimate behavior. The challenge + blocks bots or at least increases the cost of operating sophisticated + bots. After the client session successfully responds to the challenge, + it receives a new token from WAF, which the challenge script uses to resubmit + the original request. + + You can configure the expiration time in the ChallengeConfig ImmunityTimeProperty + setting at the rule and web ACL level. The rule setting overrides the web + ACL setting. + + This action option is available for rules. It isn't available for web ACL + default actions. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + count: + description: |- + Specifies that WAF should count the request. Optionally defines additional + custom handling for the request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + type: object + captchaConfig: + description: |- + Specifies how WAF should handle CAPTCHA evaluations. This is available at + the web ACL level and in each rule. + properties: + immunityTimeProperty: + description: |- + Used for CAPTCHA and challenge token settings. Determines how long a CAPTCHA + or challenge timestamp remains valid after WAF updates it for a successful + CAPTCHA or challenge response. + properties: + immunityTime: + format: int64 + type: integer + type: object + type: object + challengeConfig: + description: |- + Specifies how WAF should handle Challenge evaluations. This is available + at the web ACL level and in each rule. + properties: + immunityTimeProperty: + description: |- + Used for CAPTCHA and challenge token settings. Determines how long a CAPTCHA + or challenge timestamp remains valid after WAF updates it for a successful + CAPTCHA or challenge response. + properties: + immunityTime: + format: int64 + type: integer + type: object + type: object + name: + type: string + overrideAction: + description: |- + The action to use in the place of the action that results from the rule group + evaluation. Set the override action to none to leave the result of the rule + group alone. Set it to count to override the result to count only. + + You can only use this for rule statements that reference a rule group, like + RuleGroupReferenceStatement and ManagedRuleGroupStatement. + + This option is usually set to none. It does not affect how the rules in the + rule group are evaluated. If you want the rules in the rule group to only + count matches, do not use this and instead use the rule action override option, + with Count action, in your rule group reference statement settings. + properties: + count: + description: |- + Specifies that WAF should count the request. Optionally defines additional + custom handling for the request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + none: + additionalProperties: + type: string + description: |- + Specifies that WAF should do nothing. This is used for the OverrideAction + setting on a Rule when the rule uses a rule group reference statement. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + + JSON specification: "None": {} + type: object + type: object + priority: + format: int64 + type: integer + ruleLabels: + items: + description: |- + A single label container. This is used as an element of a label array in + multiple contexts, for example, in RuleLabels inside a Rule and in Labels + inside a SampledHTTPRequest. + properties: + name: + type: string + type: object + type: array + statement: + description: |- + The processing guidance for a Rule, used by WAF to determine whether a web + request matches the rule. + + For example specifications, see the examples section of CreateWebACL. + properties: + andStatement: + type: string + byteMatchStatement: + description: |- + A rule statement that defines a string match search for WAF to apply to web + requests. The byte match statement provides the bytes to search for, the + location in requests that you want WAF to search, and other settings. The + bytes to search for are typically a string that corresponds with ASCII characters. + In the WAF console and the developer guide, this is called a string match + statement. + properties: + fieldToMatch: + description: |- + Specifies a web request component to be used in a rule match statement or + in a logging configuration. + + * In a rule statement, this is the part of the web request that you want + WAF to inspect. Include the single FieldToMatch type that you want to + inspect, with additional specifications as needed, according to the type. + You specify a single request component in FieldToMatch for each rule statement + that requires it. To inspect more than one component of the web request, + create a separate rule statement for each component. Example JSON for + a QueryString field to match: "FieldToMatch": { "QueryString": {} } Example + JSON for a Method field to match specification: "FieldToMatch": { "Method": + { "Name": "DELETE" } } + + * In a logging configuration, this is used in the RedactedFields property + to specify a field to redact from the logging records. For this use case, + note the following: Even though all FieldToMatch settings are available, + the only valid settings for field redaction are UriPath, QueryString, + SingleHeader, and Method. In this documentation, the descriptions of the + individual fields talk about specifying the web request component to inspect, + but for field redaction, you are specifying the component type to redact + from the logs. + properties: + allQueryArguments: + additionalProperties: + type: string + description: |- + Inspect all query arguments of the web request. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "AllQueryArguments": {} + type: object + body: + description: |- + Inspect the body of the web request. The body immediately follows the request + headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + properties: + oversizeHandling: + type: string + type: object + cookies: + description: |- + Inspect the cookies in the web request. You can specify the parts of the + cookies to inspect and you can narrow the set of cookies to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of cookies to inspect in a web request. + + You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies. + + Example JSON: "MatchPattern": { "IncludedCookies": [ "session-id-time", "session-id" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedCookies: + items: + type: string + type: array + includedCookies: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + headerOrder: + description: |- + Inspect a string containing the list of the request's header names, ordered + as they appear in the web request that WAF receives for inspection. WAF generates + the string and then uses that as the field to match component in its inspection. + WAF separates the header names in the string using colons and no added spaces, + for example host:user-agent:accept:authorization:referer. + properties: + oversizeHandling: + type: string + type: object + headers: + description: |- + Inspect all headers in the web request. You can specify the parts of the + headers to inspect and you can narrow the set of headers to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + If you want to inspect just the value of a single header, use the SingleHeader + FieldToMatch setting instead. + + Example JSON: "Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of headers to inspect in a web request. + + You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders. + + Example JSON: "MatchPattern": { "ExcludedHeaders": [ "KeyToExclude1", "KeyToExclude2" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedHeaders: + items: + type: string + type: array + includedHeaders: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + ja3Fingerprint: + description: |- + Match against the request's JA3 fingerprint. The JA3 fingerprint is a 32-character + hash derived from the TLS Client Hello of an incoming request. This fingerprint + serves as a unique identifier for the client's TLS configuration. WAF calculates + and logs this fingerprint for each request that has enough TLS Client Hello + information for the calculation. Almost all web requests include this information. + + You can use this choice only with a string match ByteMatchStatement with + the PositionalConstraint set to EXACTLY. + + You can obtain the JA3 fingerprint for client requests from the web ACL logs. + If WAF is able to calculate the fingerprint, it includes it in the logs. + For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html) + in the WAF Developer Guide. + + Provide the JA3 fingerprint string from the logs in your string match statement + specification, to match with any future requests that have the same TLS configuration. + properties: + fallbackBehavior: + type: string + type: object + jsonBody: + description: |- + Inspect the body of the web request as JSON. The body immediately follows + the request headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Use the specifications in this object to indicate which parts of the JSON + body to inspect using the rule's inspection criteria. WAF inspects only the + parts of the JSON that result from the matches that you indicate. + + Example JSON: "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": + "ALL" } + properties: + invalidFallbackBehavior: + type: string + matchPattern: + description: |- + The patterns to look for in the JSON body. WAF inspects the results of these + pattern matches against the rule inspection criteria. This is used with the + FieldToMatch option JsonBody. + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + includedPaths: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + method: + additionalProperties: + type: string + description: |- + Inspect the HTTP method of the web request. The method indicates the type + of operation that the request is asking the origin to perform. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "Method": {} + type: object + queryString: + additionalProperties: + type: string + description: |- + Inspect the query string of the web request. This is the part of a URL that + appears after a ? character, if any. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "QueryString": {} + type: object + singleHeader: + description: |- + Inspect one of the headers in the web request, identified by name, for example, + User-Agent or Referer. The name isn't case sensitive. + + You can filter and inspect all headers with the FieldToMatch setting Headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleHeader": { "Name": "haystack" } + properties: + name: + type: string + type: object + singleQueryArgument: + description: |- + Inspect one query argument in the web request, identified by name, for example + UserName or SalesRegion. The name isn't case sensitive. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleQueryArgument": { "Name": "myArgument" } + properties: + name: + type: string + type: object + uriPath: + additionalProperties: + type: string + description: |- + Inspect the path component of the URI of the web request. This is the part + of the web request that identifies a resource. For example, /images/daily-ad.jpg. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "UriPath": {} + type: object + type: object + positionalConstraint: + type: string + searchString: + format: byte + type: string + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + geoMatchStatement: + description: |- + A rule statement that labels web requests by country and region and that + matches against web requests based on country code. A geo match rule labels + every request that it inspects regardless of whether it finds a match. + + * To manage requests only by country, you can use this statement by itself + and specify the countries that you want to match against in the CountryCodes + array. + + * Otherwise, configure your geo match rule with Count action so that it + only labels requests. Then, add one or more label match rules to run after + the geo match rule and configure them to match against the geographic + labels and handle the requests as needed. + + WAF labels requests using the alpha-2 country and region codes from the International + Organization for Standardization (ISO) 3166 standard. WAF determines the + codes using either the IP address in the web request origin or, if you specify + it, the address in the geo match ForwardedIPConfig. + + If you use the web request origin, the label formats are awswaf:clientip:geo:region:- and awswaf:clientip:geo:country:. + + If you use a forwarded IP address, the label formats are awswaf:forwardedip:geo:region:- and awswaf:forwardedip:geo:country:. + + For additional details, see Geographic match rule statement (https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-geo-match.html) + in the WAF Developer Guide (https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html). + properties: + countryCodes: + items: + type: string + type: array + forwardedIPConfig: + description: |- + The configuration for inspecting IP addresses in an HTTP header that you + specify, instead of using the IP address that's reported by the web request + origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify + any header name. + + If the specified header isn't present in the request, WAF doesn't apply the + rule to the web request at all. + + This configuration is used for GeoMatchStatement and RateBasedStatement. + For IPSetReferenceStatement, use IPSetForwardedIPConfig instead. + + WAF only evaluates the first IP address found in the specified HTTP header. + properties: + fallbackBehavior: + type: string + headerName: + type: string + type: object + type: object + ipSetReferenceStatement: + description: |- + A rule statement used to detect web requests coming from particular IP addresses + or address ranges. To use this, create an IPSet that specifies the addresses + you want to detect, then use the ARN of that set in this statement. To create + an IP set, see CreateIPSet. + + Each IP set rule statement references an IP set. You create and maintain + the set independent of your rules. This allows you to use the single set + in multiple rules. When you update the referenced set, WAF automatically + updates all rules that reference it. + properties: + arn: + type: string + ipSetForwardedIPConfig: + description: |- + The configuration for inspecting IP addresses in an HTTP header that you + specify, instead of using the IP address that's reported by the web request + origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify + any header name. + + If the specified header isn't present in the request, WAF doesn't apply the + rule to the web request at all. + + This configuration is used only for IPSetReferenceStatement. For GeoMatchStatement + and RateBasedStatement, use ForwardedIPConfig instead. + properties: + fallbackBehavior: + type: string + headerName: + type: string + position: + type: string + type: object + type: object + labelMatchStatement: + description: |- + A rule statement to match against labels that have been added to the web + request by rules that have already run in the web ACL. + + The label match statement provides the label or namespace string to search + for. The label string can represent a part or all of the fully qualified + label name that had been added to the web request. Fully qualified labels + have a prefix, optional namespaces, and label name. The prefix identifies + the rule group or web ACL context of the rule that added the label. If you + do not provide the fully qualified name in your label match string, WAF performs + the search for labels that were added in the same context as the label match + statement. + properties: + key: + type: string + scope: + type: string + type: object + managedRuleGroupStatement: + description: |- + A rule statement used to run the rules that are defined in a managed rule + group. To use this, provide the vendor name and the name of the rule group + in this statement. You can retrieve the required names by calling ListAvailableManagedRuleGroups. + + You cannot nest a ManagedRuleGroupStatement, for example for use inside a + NotStatement or OrStatement. You cannot use a managed rule group inside another + rule group. You can only reference a managed rule group as a top-level statement + within a rule that you define in a web ACL. + + You are charged additional fees when you use the WAF Bot Control managed + rule group AWSManagedRulesBotControlRuleSet, the WAF Fraud Control account + takeover prevention (ATP) managed rule group AWSManagedRulesATPRuleSet, or + the WAF Fraud Control account creation fraud prevention (ACFP) managed rule + group AWSManagedRulesACFPRuleSet. For more information, see WAF Pricing (http://aws.amazon.com/waf/pricing/). + properties: + excludedRules: + items: + description: |- + Specifies a single rule in a rule group whose action you want to override + to Count. + + Instead of this option, use RuleActionOverrides. It accepts any valid action + setting, including Count. + properties: + name: + type: string + type: object + type: array + managedRuleGroupConfigs: + items: + description: |- + Additional information that's used by a managed rule group. Many managed + rule groups don't require this. + + The rule groups used for intelligent threat mitigation require additional + configuration: + + * Use the AWSManagedRulesACFPRuleSet configuration object to configure + the account creation fraud prevention managed rule group. The configuration + includes the registration and sign-up pages of your application and the + locations in the account creation request payload of data, such as the + user email and phone number fields. + + * Use the AWSManagedRulesATPRuleSet configuration object to configure + the account takeover prevention managed rule group. The configuration + includes the sign-in page of your application and the locations in the + login request payload of data such as the username and password. + + * Use the AWSManagedRulesBotControlRuleSet configuration object to configure + the protection level that you want the Bot Control rule group to use. + + For example specifications, see the examples section of CreateWebACL. + properties: + awsManagedRulesACFPRuleSet: + description: |- + Details for your use of the account creation fraud prevention managed rule + group, AWSManagedRulesACFPRuleSet. This configuration is used in ManagedRuleGroupConfig. + properties: + creationPath: + type: string + enableRegexInPath: + type: boolean + registrationPagePath: + type: string + requestInspection: + description: |- + The criteria for inspecting account creation requests, used by the ACFP rule + group to validate and track account creation attempts. + + This is part of the AWSManagedRulesACFPRuleSet configuration in ManagedRuleGroupConfig. + + In these settings, you specify how your application accepts account creation + attempts by providing the request payload type and the names of the fields + within the request body where the username, password, email, and primary + address and phone number fields are provided. + properties: + addressFields: + items: + description: |- + The name of a field in the request payload that contains part or all of your + customer's primary physical address. + + This data type is used in the RequestInspectionACFP data type. + properties: + identifier: + type: string + type: object + type: array + emailField: + description: |- + The name of the field in the request payload that contains your customer's + email. + + This data type is used in the RequestInspectionACFP data type. + properties: + identifier: + type: string + type: object + passwordField: + description: |- + The name of the field in the request payload that contains your customer's + password. + + This data type is used in the RequestInspection and RequestInspectionACFP + data types. + properties: + identifier: + type: string + type: object + payloadType: + type: string + phoneNumberFields: + items: + description: |- + The name of a field in the request payload that contains part or all of your + customer's primary phone number. + + This data type is used in the RequestInspectionACFP data type. + properties: + identifier: + type: string + type: object + type: array + usernameField: + description: |- + The name of the field in the request payload that contains your customer's + username. + + This data type is used in the RequestInspection and RequestInspectionACFP + data types. + properties: + identifier: + type: string + type: object + type: object + responseInspection: + description: |- + The criteria for inspecting responses to login requests and account creation + requests, used by the ATP and ACFP rule groups to track login and account + creation success and failure rates. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + + The rule groups evaluates the responses that your protected resources send + back to client login and account creation attempts, keeping count of successful + and failed attempts from each IP address and client session. Using this information, + the rule group labels and mitigates requests from client sessions and IP + addresses with too much suspicious activity in a short amount of time. + + This is part of the AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet + configurations in ManagedRuleGroupConfig. + + Enable response inspection by configuring exactly one component of the response + to inspect, for example, Header or StatusCode. You can't configure more than + one component for inspection. If you don't configure any of the response + inspection options, response inspection is disabled. + properties: + bodyContains: + description: |- + Configures inspection of the response body. WAF can inspect the first 65,536 + bytes (64 KB) of the response body. This is part of the ResponseInspection + configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + properties: + failureStrings: + items: + type: string + type: array + successStrings: + items: + type: string + type: array + type: object + header: + description: |- + Configures inspection of the response header. This is part of the ResponseInspection + configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + properties: + failureValues: + items: + type: string + type: array + name: + type: string + successValues: + items: + type: string + type: array + type: object + json: + description: |- + Configures inspection of the response JSON. WAF can inspect the first 65,536 + bytes (64 KB) of the response JSON. This is part of the ResponseInspection + configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + properties: + failureValues: + items: + type: string + type: array + identifier: + type: string + successValues: + items: + type: string + type: array + type: object + statusCode: + description: |- + Configures inspection of the response status code. This is part of the ResponseInspection + configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + properties: + failureCodes: + items: + format: int64 + type: integer + type: array + successCodes: + items: + format: int64 + type: integer + type: array + type: object + type: object + type: object + awsManagedRulesATPRuleSet: + description: |- + Details for your use of the account takeover prevention managed rule group, + AWSManagedRulesATPRuleSet. This configuration is used in ManagedRuleGroupConfig. + properties: + enableRegexInPath: + type: boolean + loginPath: + type: string + requestInspection: + description: |- + The criteria for inspecting login requests, used by the ATP rule group to + validate credentials usage. + + This is part of the AWSManagedRulesATPRuleSet configuration in ManagedRuleGroupConfig. + + In these settings, you specify how your application accepts login attempts + by providing the request payload type and the names of the fields within + the request body where the username and password are provided. + properties: + passwordField: + description: |- + The name of the field in the request payload that contains your customer's + password. + + This data type is used in the RequestInspection and RequestInspectionACFP + data types. + properties: + identifier: + type: string + type: object + payloadType: + type: string + usernameField: + description: |- + The name of the field in the request payload that contains your customer's + username. + + This data type is used in the RequestInspection and RequestInspectionACFP + data types. + properties: + identifier: + type: string + type: object + type: object + responseInspection: + description: |- + The criteria for inspecting responses to login requests and account creation + requests, used by the ATP and ACFP rule groups to track login and account + creation success and failure rates. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + + The rule groups evaluates the responses that your protected resources send + back to client login and account creation attempts, keeping count of successful + and failed attempts from each IP address and client session. Using this information, + the rule group labels and mitigates requests from client sessions and IP + addresses with too much suspicious activity in a short amount of time. + + This is part of the AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet + configurations in ManagedRuleGroupConfig. + + Enable response inspection by configuring exactly one component of the response + to inspect, for example, Header or StatusCode. You can't configure more than + one component for inspection. If you don't configure any of the response + inspection options, response inspection is disabled. + properties: + bodyContains: + description: |- + Configures inspection of the response body. WAF can inspect the first 65,536 + bytes (64 KB) of the response body. This is part of the ResponseInspection + configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + properties: + failureStrings: + items: + type: string + type: array + successStrings: + items: + type: string + type: array + type: object + header: + description: |- + Configures inspection of the response header. This is part of the ResponseInspection + configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + properties: + failureValues: + items: + type: string + type: array + name: + type: string + successValues: + items: + type: string + type: array + type: object + json: + description: |- + Configures inspection of the response JSON. WAF can inspect the first 65,536 + bytes (64 KB) of the response JSON. This is part of the ResponseInspection + configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + properties: + failureValues: + items: + type: string + type: array + identifier: + type: string + successValues: + items: + type: string + type: array + type: object + statusCode: + description: |- + Configures inspection of the response status code. This is part of the ResponseInspection + configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet. + + Response inspection is available only in web ACLs that protect Amazon CloudFront + distributions. + properties: + failureCodes: + items: + format: int64 + type: integer + type: array + successCodes: + items: + format: int64 + type: integer + type: array + type: object + type: object + type: object + awsManagedRulesBotControlRuleSet: + description: |- + Details for your use of the Bot Control managed rule group, AWSManagedRulesBotControlRuleSet. + This configuration is used in ManagedRuleGroupConfig. + properties: + enableMachineLearning: + type: boolean + inspectionLevel: + type: string + type: object + loginPath: + type: string + passwordField: + description: |- + The name of the field in the request payload that contains your customer's + password. + + This data type is used in the RequestInspection and RequestInspectionACFP + data types. + properties: + identifier: + type: string + type: object + payloadType: + type: string + usernameField: + description: |- + The name of the field in the request payload that contains your customer's + username. + + This data type is used in the RequestInspection and RequestInspectionACFP + data types. + properties: + identifier: + type: string + type: object + type: object + type: array + name: + type: string + ruleActionOverrides: + items: + description: |- + Action setting to use in the place of a rule action that is configured inside + the rule group. You specify one override for each rule whose action you want + to change. + + You can use overrides for testing, for example you can override all of rule + actions to Count and then monitor the resulting count metrics to understand + how the rule group would handle your web traffic. You can also permanently + override some or all actions, to modify how the rule group manages your web + traffic. + properties: + actionToUse: + description: |- + The action that WAF should take on a web request when it matches a rule's + statement. Settings at the web ACL level can override the rule action setting. + properties: + allow: + description: |- + Specifies that WAF should allow the request and optionally defines additional + custom handling for the request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + block: + description: |- + Specifies that WAF should block the request and optionally defines additional + custom handling for the response to the web request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customResponse: + description: |- + A custom response to send to the client. You can define a custom response + for rule actions and default web ACL actions that are set to BlockAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + customResponseBodyKey: + type: string + responseCode: + format: int64 + type: integer + responseHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + captcha: + description: |- + Specifies that WAF should run a CAPTCHA check against the request: + + * If the request includes a valid, unexpired CAPTCHA token, WAF applies + any custom request handling and labels that you've configured and then + allows the web request inspection to proceed to the next rule, similar + to a CountAction. + + * If the request doesn't include a valid, unexpired token, WAF discontinues + the web ACL evaluation of the request and blocks it from going to its + intended destination. WAF generates a response that it sends back to the + client, which includes the following: The header x-amzn-waf-action with + a value of captcha. The HTTP status code 405 Method Not Allowed. If the + request contains an Accept header with a value of text/html, the response + includes a CAPTCHA JavaScript page interstitial. + + You can configure the expiration time in the CaptchaConfig ImmunityTimeProperty + setting at the rule and web ACL level. The rule setting overrides the web + ACL setting. + + This action option is available for rules. It isn't available for web ACL + default actions. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + challenge: + description: |- + Specifies that WAF should run a Challenge check against the request to verify + that the request is coming from a legitimate client session: + + * If the request includes a valid, unexpired challenge token, WAF applies + any custom request handling and labels that you've configured and then + allows the web request inspection to proceed to the next rule, similar + to a CountAction. + + * If the request doesn't include a valid, unexpired challenge token, WAF + discontinues the web ACL evaluation of the request and blocks it from + going to its intended destination. WAF then generates a challenge response + that it sends back to the client, which includes the following: The header + x-amzn-waf-action with a value of challenge. The HTTP status code 202 + Request Accepted. If the request contains an Accept header with a value + of text/html, the response includes a JavaScript page interstitial with + a challenge script. Challenges run silent browser interrogations in the + background, and don't generally affect the end user experience. A challenge + enforces token acquisition using an interstitial JavaScript challenge + that inspects the client session for legitimate behavior. The challenge + blocks bots or at least increases the cost of operating sophisticated + bots. After the client session successfully responds to the challenge, + it receives a new token from WAF, which the challenge script uses to resubmit + the original request. + + You can configure the expiration time in the ChallengeConfig ImmunityTimeProperty + setting at the rule and web ACL level. The rule setting overrides the web + ACL setting. + + This action option is available for rules. It isn't available for web ACL + default actions. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + count: + description: |- + Specifies that WAF should count the request. Optionally defines additional + custom handling for the request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + type: object + name: + type: string + type: object + type: array + scopeDownStatement: + type: string + vendorName: + type: string + version: + type: string + type: object + notStatement: + type: string + orStatement: + type: string + rateBasedStatement: + description: |- + A rate-based rule counts incoming requests and rate limits requests when + they are coming at too fast a rate. The rule categorizes requests according + to your aggregation criteria, collects them into aggregation instances, and + counts and rate limits the requests for each instance. + + If you change any of these settings in a rule that's currently in use, the + change resets the rule's rate limiting counts. This can pause the rule's + rate limiting activities for up to a minute. + + You can specify individual aggregation keys, like IP address or HTTP method. + You can also specify aggregation key combinations, like IP address and HTTP + method, or HTTP method, query argument, and cookie. + + Each unique set of values for the aggregation keys that you specify is a + separate aggregation instance, with the value from each key contributing + to the aggregation instance definition. + + For example, assume the rule evaluates web requests with the following IP + address and HTTP method values: + + * IP address 10.1.1.1, HTTP method POST + + * IP address 10.1.1.1, HTTP method GET + + * IP address 127.0.0.0, HTTP method POST + + * IP address 10.1.1.1, HTTP method GET + + The rule would create different aggregation instances according to your aggregation + criteria, for example: + + * If the aggregation criteria is just the IP address, then each individual + address is an aggregation instance, and WAF counts requests separately + for each. The aggregation instances and request counts for our example + would be the following: IP address 10.1.1.1: count 3 IP address 127.0.0.0: + count 1 + + * If the aggregation criteria is HTTP method, then each individual HTTP + method is an aggregation instance. The aggregation instances and request + counts for our example would be the following: HTTP method POST: count + 2 HTTP method GET: count 2 + + * If the aggregation criteria is IP address and HTTP method, then each + IP address and each HTTP method would contribute to the combined aggregation + instance. The aggregation instances and request counts for our example + would be the following: IP address 10.1.1.1, HTTP method POST: count 1 + IP address 10.1.1.1, HTTP method GET: count 2 IP address 127.0.0.0, HTTP + method POST: count 1 + + For any n-tuple of aggregation keys, each unique combination of values for + the keys defines a separate aggregation instance, which WAF counts and rate-limits + individually. + + You can optionally nest another statement inside the rate-based statement, + to narrow the scope of the rule so that it only counts and rate limits requests + that match the nested statement. You can use this nested scope-down statement + in conjunction with your aggregation key specifications or you can just count + and rate limit all requests that match the scope-down statement, without + additional aggregation. When you choose to just manage all requests that + match a scope-down statement, the aggregation instance is singular for the + rule. + + You cannot nest a RateBasedStatement inside another statement, for example + inside a NotStatement or OrStatement. You can define a RateBasedStatement + inside a web ACL and inside a rule group. + + For additional information about the options, see Rate limiting web requests + using rate-based rules (https://docs.aws.amazon.com/waf/latest/developerguide/waf-rate-based-rules.html) + in the WAF Developer Guide. + + If you only aggregate on the individual IP address or forwarded IP address, + you can retrieve the list of IP addresses that WAF is currently rate limiting + for a rule through the API call GetRateBasedStatementManagedKeys. This option + is not available for other aggregation configurations. + + WAF tracks and manages web requests separately for each instance of a rate-based + rule that you use. For example, if you provide the same rate-based rule settings + in two web ACLs, each of the two rule statements represents a separate instance + of the rate-based rule and gets its own tracking and management by WAF. If + you define a rate-based rule inside a rule group, and then use that rule + group in multiple places, each use creates a separate instance of the rate-based + rule that gets its own tracking and management by WAF. + properties: + aggregateKeyType: + type: string + customKeys: + items: + description: |- + Specifies a single custom aggregate key for a rate-base rule. + + Web requests that are missing any of the components specified in the aggregation + keys are omitted from the rate-based rule evaluation and handling. + properties: + cookie: + description: |- + Specifies a cookie as an aggregate key for a rate-based rule. Each distinct + value in the cookie contributes to the aggregation instance. If you use a + single cookie as your custom key, then each value fully defines an aggregation + instance. + properties: + name: + type: string + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + forwardedIP: + additionalProperties: + type: string + description: |- + Specifies the first IP address in an HTTP header as an aggregate key for + a rate-based rule. Each distinct forwarded IP address contributes to the + aggregation instance. + + This setting is used only in the RateBasedStatementCustomKey specification + of a rate-based rule statement. When you specify an IP or forwarded IP in + the custom key settings, you must also specify at least one other key to + use. You can aggregate on only the forwarded IP address by specifying FORWARDED_IP + in your rate-based statement's AggregateKeyType. + + This data type supports using the forwarded IP address in the web request + aggregation for a rate-based rule, in RateBasedStatementCustomKey. The JSON + specification for using the forwarded IP address doesn't explicitly use this + data type. + + JSON specification: "ForwardedIP": {} + + When you use this specification, you must also configure the forwarded IP + address in the rate-based statement's ForwardedIPConfig. + type: object + header: + description: |- + Specifies a header as an aggregate key for a rate-based rule. Each distinct + value in the header contributes to the aggregation instance. If you use a + single header as your custom key, then each value fully defines an aggregation + instance. + properties: + name: + type: string + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + httpMethod: + additionalProperties: + type: string + description: |- + Specifies the request's HTTP method as an aggregate key for a rate-based + rule. Each distinct HTTP method contributes to the aggregation instance. + If you use just the HTTP method as your custom key, then each method fully + defines an aggregation instance. + + JSON specification: "RateLimitHTTPMethod": {} + type: object + iP: + additionalProperties: + type: string + description: |- + Specifies the IP address in the web request as an aggregate key for a rate-based + rule. Each distinct IP address contributes to the aggregation instance. + + This setting is used only in the RateBasedStatementCustomKey specification + of a rate-based rule statement. To use this in the custom key settings, you + must specify at least one other key to use, along with the IP address. To + aggregate on only the IP address, in your rate-based statement's AggregateKeyType, + specify IP. + + JSON specification: "RateLimitIP": {} + type: object + labelNamespace: + description: |- + Specifies a label namespace to use as an aggregate key for a rate-based rule. + Each distinct fully qualified label name that has the specified label namespace + contributes to the aggregation instance. If you use just one label namespace + as your custom key, then each label name fully defines an aggregation instance. + + This uses only labels that have been added to the request by rules that are + evaluated before this rate-based rule in the web ACL. + + For information about label namespaces and names, see Label syntax and naming + requirements (https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-label-requirements.html) + in the WAF Developer Guide. + properties: + namespace: + type: string + type: object + queryArgument: + description: |- + Specifies a query argument in the request as an aggregate key for a rate-based + rule. Each distinct value for the named query argument contributes to the + aggregation instance. If you use a single query argument as your custom key, + then each value fully defines an aggregation instance. + properties: + name: + type: string + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + queryString: + description: |- + Specifies the request's query string as an aggregate key for a rate-based + rule. Each distinct string contributes to the aggregation instance. If you + use just the query string as your custom key, then each string fully defines + an aggregation instance. + properties: + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + uriPath: + description: |- + Specifies the request's URI path as an aggregate key for a rate-based rule. + Each distinct URI path contributes to the aggregation instance. If you use + just the URI path as your custom key, then each URI path fully defines an + aggregation instance. + properties: + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + type: object + type: array + evaluationWindowSec: + format: int64 + type: integer + forwardedIPConfig: + description: |- + The configuration for inspecting IP addresses in an HTTP header that you + specify, instead of using the IP address that's reported by the web request + origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify + any header name. + + If the specified header isn't present in the request, WAF doesn't apply the + rule to the web request at all. + + This configuration is used for GeoMatchStatement and RateBasedStatement. + For IPSetReferenceStatement, use IPSetForwardedIPConfig instead. + + WAF only evaluates the first IP address found in the specified HTTP header. + properties: + fallbackBehavior: + type: string + headerName: + type: string + type: object + limit: + format: int64 + type: integer + scopeDownStatement: + type: string + type: object + regexMatchStatement: + description: |- + A rule statement used to search web request components for a match against + a single regular expression. + properties: + fieldToMatch: + description: |- + Specifies a web request component to be used in a rule match statement or + in a logging configuration. + + * In a rule statement, this is the part of the web request that you want + WAF to inspect. Include the single FieldToMatch type that you want to + inspect, with additional specifications as needed, according to the type. + You specify a single request component in FieldToMatch for each rule statement + that requires it. To inspect more than one component of the web request, + create a separate rule statement for each component. Example JSON for + a QueryString field to match: "FieldToMatch": { "QueryString": {} } Example + JSON for a Method field to match specification: "FieldToMatch": { "Method": + { "Name": "DELETE" } } + + * In a logging configuration, this is used in the RedactedFields property + to specify a field to redact from the logging records. For this use case, + note the following: Even though all FieldToMatch settings are available, + the only valid settings for field redaction are UriPath, QueryString, + SingleHeader, and Method. In this documentation, the descriptions of the + individual fields talk about specifying the web request component to inspect, + but for field redaction, you are specifying the component type to redact + from the logs. + properties: + allQueryArguments: + additionalProperties: + type: string + description: |- + Inspect all query arguments of the web request. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "AllQueryArguments": {} + type: object + body: + description: |- + Inspect the body of the web request. The body immediately follows the request + headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + properties: + oversizeHandling: + type: string + type: object + cookies: + description: |- + Inspect the cookies in the web request. You can specify the parts of the + cookies to inspect and you can narrow the set of cookies to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of cookies to inspect in a web request. + + You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies. + + Example JSON: "MatchPattern": { "IncludedCookies": [ "session-id-time", "session-id" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedCookies: + items: + type: string + type: array + includedCookies: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + headerOrder: + description: |- + Inspect a string containing the list of the request's header names, ordered + as they appear in the web request that WAF receives for inspection. WAF generates + the string and then uses that as the field to match component in its inspection. + WAF separates the header names in the string using colons and no added spaces, + for example host:user-agent:accept:authorization:referer. + properties: + oversizeHandling: + type: string + type: object + headers: + description: |- + Inspect all headers in the web request. You can specify the parts of the + headers to inspect and you can narrow the set of headers to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + If you want to inspect just the value of a single header, use the SingleHeader + FieldToMatch setting instead. + + Example JSON: "Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of headers to inspect in a web request. + + You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders. + + Example JSON: "MatchPattern": { "ExcludedHeaders": [ "KeyToExclude1", "KeyToExclude2" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedHeaders: + items: + type: string + type: array + includedHeaders: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + ja3Fingerprint: + description: |- + Match against the request's JA3 fingerprint. The JA3 fingerprint is a 32-character + hash derived from the TLS Client Hello of an incoming request. This fingerprint + serves as a unique identifier for the client's TLS configuration. WAF calculates + and logs this fingerprint for each request that has enough TLS Client Hello + information for the calculation. Almost all web requests include this information. + + You can use this choice only with a string match ByteMatchStatement with + the PositionalConstraint set to EXACTLY. + + You can obtain the JA3 fingerprint for client requests from the web ACL logs. + If WAF is able to calculate the fingerprint, it includes it in the logs. + For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html) + in the WAF Developer Guide. + + Provide the JA3 fingerprint string from the logs in your string match statement + specification, to match with any future requests that have the same TLS configuration. + properties: + fallbackBehavior: + type: string + type: object + jsonBody: + description: |- + Inspect the body of the web request as JSON. The body immediately follows + the request headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Use the specifications in this object to indicate which parts of the JSON + body to inspect using the rule's inspection criteria. WAF inspects only the + parts of the JSON that result from the matches that you indicate. + + Example JSON: "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": + "ALL" } + properties: + invalidFallbackBehavior: + type: string + matchPattern: + description: |- + The patterns to look for in the JSON body. WAF inspects the results of these + pattern matches against the rule inspection criteria. This is used with the + FieldToMatch option JsonBody. + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + includedPaths: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + method: + additionalProperties: + type: string + description: |- + Inspect the HTTP method of the web request. The method indicates the type + of operation that the request is asking the origin to perform. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "Method": {} + type: object + queryString: + additionalProperties: + type: string + description: |- + Inspect the query string of the web request. This is the part of a URL that + appears after a ? character, if any. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "QueryString": {} + type: object + singleHeader: + description: |- + Inspect one of the headers in the web request, identified by name, for example, + User-Agent or Referer. The name isn't case sensitive. + + You can filter and inspect all headers with the FieldToMatch setting Headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleHeader": { "Name": "haystack" } + properties: + name: + type: string + type: object + singleQueryArgument: + description: |- + Inspect one query argument in the web request, identified by name, for example + UserName or SalesRegion. The name isn't case sensitive. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleQueryArgument": { "Name": "myArgument" } + properties: + name: + type: string + type: object + uriPath: + additionalProperties: + type: string + description: |- + Inspect the path component of the URI of the web request. This is the part + of the web request that identifies a resource. For example, /images/daily-ad.jpg. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "UriPath": {} + type: object + type: object + regexString: + type: string + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + regexPatternSetReferenceStatement: + description: |- + A rule statement used to search web request components for matches with regular + expressions. To use this, create a RegexPatternSet that specifies the expressions + that you want to detect, then use the ARN of that set in this statement. + A web request matches the pattern set rule statement if the request component + matches any of the patterns in the set. To create a regex pattern set, see + CreateRegexPatternSet. + + Each regex pattern set rule statement references a regex pattern set. You + create and maintain the set independent of your rules. This allows you to + use the single set in multiple rules. When you update the referenced set, + WAF automatically updates all rules that reference it. + properties: + arn: + type: string + fieldToMatch: + description: |- + Specifies a web request component to be used in a rule match statement or + in a logging configuration. + + * In a rule statement, this is the part of the web request that you want + WAF to inspect. Include the single FieldToMatch type that you want to + inspect, with additional specifications as needed, according to the type. + You specify a single request component in FieldToMatch for each rule statement + that requires it. To inspect more than one component of the web request, + create a separate rule statement for each component. Example JSON for + a QueryString field to match: "FieldToMatch": { "QueryString": {} } Example + JSON for a Method field to match specification: "FieldToMatch": { "Method": + { "Name": "DELETE" } } + + * In a logging configuration, this is used in the RedactedFields property + to specify a field to redact from the logging records. For this use case, + note the following: Even though all FieldToMatch settings are available, + the only valid settings for field redaction are UriPath, QueryString, + SingleHeader, and Method. In this documentation, the descriptions of the + individual fields talk about specifying the web request component to inspect, + but for field redaction, you are specifying the component type to redact + from the logs. + properties: + allQueryArguments: + additionalProperties: + type: string + description: |- + Inspect all query arguments of the web request. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "AllQueryArguments": {} + type: object + body: + description: |- + Inspect the body of the web request. The body immediately follows the request + headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + properties: + oversizeHandling: + type: string + type: object + cookies: + description: |- + Inspect the cookies in the web request. You can specify the parts of the + cookies to inspect and you can narrow the set of cookies to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of cookies to inspect in a web request. + + You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies. + + Example JSON: "MatchPattern": { "IncludedCookies": [ "session-id-time", "session-id" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedCookies: + items: + type: string + type: array + includedCookies: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + headerOrder: + description: |- + Inspect a string containing the list of the request's header names, ordered + as they appear in the web request that WAF receives for inspection. WAF generates + the string and then uses that as the field to match component in its inspection. + WAF separates the header names in the string using colons and no added spaces, + for example host:user-agent:accept:authorization:referer. + properties: + oversizeHandling: + type: string + type: object + headers: + description: |- + Inspect all headers in the web request. You can specify the parts of the + headers to inspect and you can narrow the set of headers to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + If you want to inspect just the value of a single header, use the SingleHeader + FieldToMatch setting instead. + + Example JSON: "Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of headers to inspect in a web request. + + You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders. + + Example JSON: "MatchPattern": { "ExcludedHeaders": [ "KeyToExclude1", "KeyToExclude2" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedHeaders: + items: + type: string + type: array + includedHeaders: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + ja3Fingerprint: + description: |- + Match against the request's JA3 fingerprint. The JA3 fingerprint is a 32-character + hash derived from the TLS Client Hello of an incoming request. This fingerprint + serves as a unique identifier for the client's TLS configuration. WAF calculates + and logs this fingerprint for each request that has enough TLS Client Hello + information for the calculation. Almost all web requests include this information. + + You can use this choice only with a string match ByteMatchStatement with + the PositionalConstraint set to EXACTLY. + + You can obtain the JA3 fingerprint for client requests from the web ACL logs. + If WAF is able to calculate the fingerprint, it includes it in the logs. + For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html) + in the WAF Developer Guide. + + Provide the JA3 fingerprint string from the logs in your string match statement + specification, to match with any future requests that have the same TLS configuration. + properties: + fallbackBehavior: + type: string + type: object + jsonBody: + description: |- + Inspect the body of the web request as JSON. The body immediately follows + the request headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Use the specifications in this object to indicate which parts of the JSON + body to inspect using the rule's inspection criteria. WAF inspects only the + parts of the JSON that result from the matches that you indicate. + + Example JSON: "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": + "ALL" } + properties: + invalidFallbackBehavior: + type: string + matchPattern: + description: |- + The patterns to look for in the JSON body. WAF inspects the results of these + pattern matches against the rule inspection criteria. This is used with the + FieldToMatch option JsonBody. + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + includedPaths: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + method: + additionalProperties: + type: string + description: |- + Inspect the HTTP method of the web request. The method indicates the type + of operation that the request is asking the origin to perform. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "Method": {} + type: object + queryString: + additionalProperties: + type: string + description: |- + Inspect the query string of the web request. This is the part of a URL that + appears after a ? character, if any. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "QueryString": {} + type: object + singleHeader: + description: |- + Inspect one of the headers in the web request, identified by name, for example, + User-Agent or Referer. The name isn't case sensitive. + + You can filter and inspect all headers with the FieldToMatch setting Headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleHeader": { "Name": "haystack" } + properties: + name: + type: string + type: object + singleQueryArgument: + description: |- + Inspect one query argument in the web request, identified by name, for example + UserName or SalesRegion. The name isn't case sensitive. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleQueryArgument": { "Name": "myArgument" } + properties: + name: + type: string + type: object + uriPath: + additionalProperties: + type: string + description: |- + Inspect the path component of the URI of the web request. This is the part + of the web request that identifies a resource. For example, /images/daily-ad.jpg. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "UriPath": {} + type: object + type: object + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + ruleGroupReferenceStatement: + description: |- + A rule statement used to run the rules that are defined in a RuleGroup. To + use this, create a rule group with your rules, then provide the ARN of the + rule group in this statement. + + You cannot nest a RuleGroupReferenceStatement, for example for use inside + a NotStatement or OrStatement. You cannot use a rule group reference statement + inside another rule group. You can only reference a rule group as a top-level + statement within a rule that you define in a web ACL. + properties: + arn: + type: string + excludedRules: + items: + description: |- + Specifies a single rule in a rule group whose action you want to override + to Count. + + Instead of this option, use RuleActionOverrides. It accepts any valid action + setting, including Count. + properties: + name: + type: string + type: object + type: array + ruleActionOverrides: + items: + description: |- + Action setting to use in the place of a rule action that is configured inside + the rule group. You specify one override for each rule whose action you want + to change. + + You can use overrides for testing, for example you can override all of rule + actions to Count and then monitor the resulting count metrics to understand + how the rule group would handle your web traffic. You can also permanently + override some or all actions, to modify how the rule group manages your web + traffic. + properties: + actionToUse: + description: |- + The action that WAF should take on a web request when it matches a rule's + statement. Settings at the web ACL level can override the rule action setting. + properties: + allow: + description: |- + Specifies that WAF should allow the request and optionally defines additional + custom handling for the request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + block: + description: |- + Specifies that WAF should block the request and optionally defines additional + custom handling for the response to the web request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customResponse: + description: |- + A custom response to send to the client. You can define a custom response + for rule actions and default web ACL actions that are set to BlockAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + customResponseBodyKey: + type: string + responseCode: + format: int64 + type: integer + responseHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + captcha: + description: |- + Specifies that WAF should run a CAPTCHA check against the request: + + * If the request includes a valid, unexpired CAPTCHA token, WAF applies + any custom request handling and labels that you've configured and then + allows the web request inspection to proceed to the next rule, similar + to a CountAction. + + * If the request doesn't include a valid, unexpired token, WAF discontinues + the web ACL evaluation of the request and blocks it from going to its + intended destination. WAF generates a response that it sends back to the + client, which includes the following: The header x-amzn-waf-action with + a value of captcha. The HTTP status code 405 Method Not Allowed. If the + request contains an Accept header with a value of text/html, the response + includes a CAPTCHA JavaScript page interstitial. + + You can configure the expiration time in the CaptchaConfig ImmunityTimeProperty + setting at the rule and web ACL level. The rule setting overrides the web + ACL setting. + + This action option is available for rules. It isn't available for web ACL + default actions. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + challenge: + description: |- + Specifies that WAF should run a Challenge check against the request to verify + that the request is coming from a legitimate client session: + + * If the request includes a valid, unexpired challenge token, WAF applies + any custom request handling and labels that you've configured and then + allows the web request inspection to proceed to the next rule, similar + to a CountAction. + + * If the request doesn't include a valid, unexpired challenge token, WAF + discontinues the web ACL evaluation of the request and blocks it from + going to its intended destination. WAF then generates a challenge response + that it sends back to the client, which includes the following: The header + x-amzn-waf-action with a value of challenge. The HTTP status code 202 + Request Accepted. If the request contains an Accept header with a value + of text/html, the response includes a JavaScript page interstitial with + a challenge script. Challenges run silent browser interrogations in the + background, and don't generally affect the end user experience. A challenge + enforces token acquisition using an interstitial JavaScript challenge + that inspects the client session for legitimate behavior. The challenge + blocks bots or at least increases the cost of operating sophisticated + bots. After the client session successfully responds to the challenge, + it receives a new token from WAF, which the challenge script uses to resubmit + the original request. + + You can configure the expiration time in the ChallengeConfig ImmunityTimeProperty + setting at the rule and web ACL level. The rule setting overrides the web + ACL setting. + + This action option is available for rules. It isn't available for web ACL + default actions. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + count: + description: |- + Specifies that WAF should count the request. Optionally defines additional + custom handling for the request. + + This is used in the context of other settings, for example to specify values + for RuleAction and web ACL DefaultAction. + properties: + customRequestHandling: + description: |- + Custom request handling behavior that inserts custom headers into a web request. + You can add custom request handling for WAF to use when the rule action doesn't + block the request. For example, CaptchaAction for requests with valid t okens, + and AllowAction. + + For information about customizing web requests and responses, see Customizing + web requests and responses in WAF (https://docs.aws.amazon.com/waf/latest/developerguide/waf-custom-request-response.html) + in the WAF Developer Guide. + properties: + insertHeaders: + items: + description: |- + A custom header for custom request and response handling. This is used in + CustomResponse and CustomRequestHandling. + properties: + name: + type: string + value: + type: string + type: object + type: array + type: object + type: object + type: object + name: + type: string + type: object + type: array + type: object + sizeConstraintStatement: + description: |- + A rule statement that compares a number of bytes against the size of a request + component, using a comparison operator, such as greater than (>) or less + than (<). For example, you can use a size constraint statement to look for + query strings that are longer than 100 bytes. + + If you configure WAF to inspect the request body, WAF inspects only the number + of bytes in the body up to the limit for the web ACL and protected resource + type. If you know that the request body for your web requests should never + exceed the inspection limit, you can use a size constraint statement to block + requests that have a larger request body size. For more information about + the inspection limits, see Body and JsonBody settings for the FieldToMatch + data type. + + If you choose URI for the value of Part of the request to filter on, the + slash (/) in the URI counts as one character. For example, the URI /logo.jpg + is nine characters long. + properties: + comparisonOperator: + type: string + fieldToMatch: + description: |- + Specifies a web request component to be used in a rule match statement or + in a logging configuration. + + * In a rule statement, this is the part of the web request that you want + WAF to inspect. Include the single FieldToMatch type that you want to + inspect, with additional specifications as needed, according to the type. + You specify a single request component in FieldToMatch for each rule statement + that requires it. To inspect more than one component of the web request, + create a separate rule statement for each component. Example JSON for + a QueryString field to match: "FieldToMatch": { "QueryString": {} } Example + JSON for a Method field to match specification: "FieldToMatch": { "Method": + { "Name": "DELETE" } } + + * In a logging configuration, this is used in the RedactedFields property + to specify a field to redact from the logging records. For this use case, + note the following: Even though all FieldToMatch settings are available, + the only valid settings for field redaction are UriPath, QueryString, + SingleHeader, and Method. In this documentation, the descriptions of the + individual fields talk about specifying the web request component to inspect, + but for field redaction, you are specifying the component type to redact + from the logs. + properties: + allQueryArguments: + additionalProperties: + type: string + description: |- + Inspect all query arguments of the web request. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "AllQueryArguments": {} + type: object + body: + description: |- + Inspect the body of the web request. The body immediately follows the request + headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + properties: + oversizeHandling: + type: string + type: object + cookies: + description: |- + Inspect the cookies in the web request. You can specify the parts of the + cookies to inspect and you can narrow the set of cookies to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of cookies to inspect in a web request. + + You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies. + + Example JSON: "MatchPattern": { "IncludedCookies": [ "session-id-time", "session-id" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedCookies: + items: + type: string + type: array + includedCookies: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + headerOrder: + description: |- + Inspect a string containing the list of the request's header names, ordered + as they appear in the web request that WAF receives for inspection. WAF generates + the string and then uses that as the field to match component in its inspection. + WAF separates the header names in the string using colons and no added spaces, + for example host:user-agent:accept:authorization:referer. + properties: + oversizeHandling: + type: string + type: object + headers: + description: |- + Inspect all headers in the web request. You can specify the parts of the + headers to inspect and you can narrow the set of headers to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + If you want to inspect just the value of a single header, use the SingleHeader + FieldToMatch setting instead. + + Example JSON: "Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of headers to inspect in a web request. + + You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders. + + Example JSON: "MatchPattern": { "ExcludedHeaders": [ "KeyToExclude1", "KeyToExclude2" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedHeaders: + items: + type: string + type: array + includedHeaders: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + ja3Fingerprint: + description: |- + Match against the request's JA3 fingerprint. The JA3 fingerprint is a 32-character + hash derived from the TLS Client Hello of an incoming request. This fingerprint + serves as a unique identifier for the client's TLS configuration. WAF calculates + and logs this fingerprint for each request that has enough TLS Client Hello + information for the calculation. Almost all web requests include this information. + + You can use this choice only with a string match ByteMatchStatement with + the PositionalConstraint set to EXACTLY. + + You can obtain the JA3 fingerprint for client requests from the web ACL logs. + If WAF is able to calculate the fingerprint, it includes it in the logs. + For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html) + in the WAF Developer Guide. + + Provide the JA3 fingerprint string from the logs in your string match statement + specification, to match with any future requests that have the same TLS configuration. + properties: + fallbackBehavior: + type: string + type: object + jsonBody: + description: |- + Inspect the body of the web request as JSON. The body immediately follows + the request headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Use the specifications in this object to indicate which parts of the JSON + body to inspect using the rule's inspection criteria. WAF inspects only the + parts of the JSON that result from the matches that you indicate. + + Example JSON: "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": + "ALL" } + properties: + invalidFallbackBehavior: + type: string + matchPattern: + description: |- + The patterns to look for in the JSON body. WAF inspects the results of these + pattern matches against the rule inspection criteria. This is used with the + FieldToMatch option JsonBody. + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + includedPaths: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + method: + additionalProperties: + type: string + description: |- + Inspect the HTTP method of the web request. The method indicates the type + of operation that the request is asking the origin to perform. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "Method": {} + type: object + queryString: + additionalProperties: + type: string + description: |- + Inspect the query string of the web request. This is the part of a URL that + appears after a ? character, if any. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "QueryString": {} + type: object + singleHeader: + description: |- + Inspect one of the headers in the web request, identified by name, for example, + User-Agent or Referer. The name isn't case sensitive. + + You can filter and inspect all headers with the FieldToMatch setting Headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleHeader": { "Name": "haystack" } + properties: + name: + type: string + type: object + singleQueryArgument: + description: |- + Inspect one query argument in the web request, identified by name, for example + UserName or SalesRegion. The name isn't case sensitive. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleQueryArgument": { "Name": "myArgument" } + properties: + name: + type: string + type: object + uriPath: + additionalProperties: + type: string + description: |- + Inspect the path component of the URI of the web request. This is the part + of the web request that identifies a resource. For example, /images/daily-ad.jpg. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "UriPath": {} + type: object + type: object + size: + format: int64 + type: integer + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + sqliMatchStatement: + description: |- + A rule statement that inspects for malicious SQL code. Attackers insert malicious + SQL code into web requests to do things like modify your database or extract + data from it. + properties: + fieldToMatch: + description: |- + Specifies a web request component to be used in a rule match statement or + in a logging configuration. + + * In a rule statement, this is the part of the web request that you want + WAF to inspect. Include the single FieldToMatch type that you want to + inspect, with additional specifications as needed, according to the type. + You specify a single request component in FieldToMatch for each rule statement + that requires it. To inspect more than one component of the web request, + create a separate rule statement for each component. Example JSON for + a QueryString field to match: "FieldToMatch": { "QueryString": {} } Example + JSON for a Method field to match specification: "FieldToMatch": { "Method": + { "Name": "DELETE" } } + + * In a logging configuration, this is used in the RedactedFields property + to specify a field to redact from the logging records. For this use case, + note the following: Even though all FieldToMatch settings are available, + the only valid settings for field redaction are UriPath, QueryString, + SingleHeader, and Method. In this documentation, the descriptions of the + individual fields talk about specifying the web request component to inspect, + but for field redaction, you are specifying the component type to redact + from the logs. + properties: + allQueryArguments: + additionalProperties: + type: string + description: |- + Inspect all query arguments of the web request. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "AllQueryArguments": {} + type: object + body: + description: |- + Inspect the body of the web request. The body immediately follows the request + headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + properties: + oversizeHandling: + type: string + type: object + cookies: + description: |- + Inspect the cookies in the web request. You can specify the parts of the + cookies to inspect and you can narrow the set of cookies to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of cookies to inspect in a web request. + + You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies. + + Example JSON: "MatchPattern": { "IncludedCookies": [ "session-id-time", "session-id" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedCookies: + items: + type: string + type: array + includedCookies: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + headerOrder: + description: |- + Inspect a string containing the list of the request's header names, ordered + as they appear in the web request that WAF receives for inspection. WAF generates + the string and then uses that as the field to match component in its inspection. + WAF separates the header names in the string using colons and no added spaces, + for example host:user-agent:accept:authorization:referer. + properties: + oversizeHandling: + type: string + type: object + headers: + description: |- + Inspect all headers in the web request. You can specify the parts of the + headers to inspect and you can narrow the set of headers to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + If you want to inspect just the value of a single header, use the SingleHeader + FieldToMatch setting instead. + + Example JSON: "Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of headers to inspect in a web request. + + You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders. + + Example JSON: "MatchPattern": { "ExcludedHeaders": [ "KeyToExclude1", "KeyToExclude2" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedHeaders: + items: + type: string + type: array + includedHeaders: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + ja3Fingerprint: + description: |- + Match against the request's JA3 fingerprint. The JA3 fingerprint is a 32-character + hash derived from the TLS Client Hello of an incoming request. This fingerprint + serves as a unique identifier for the client's TLS configuration. WAF calculates + and logs this fingerprint for each request that has enough TLS Client Hello + information for the calculation. Almost all web requests include this information. + + You can use this choice only with a string match ByteMatchStatement with + the PositionalConstraint set to EXACTLY. + + You can obtain the JA3 fingerprint for client requests from the web ACL logs. + If WAF is able to calculate the fingerprint, it includes it in the logs. + For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html) + in the WAF Developer Guide. + + Provide the JA3 fingerprint string from the logs in your string match statement + specification, to match with any future requests that have the same TLS configuration. + properties: + fallbackBehavior: + type: string + type: object + jsonBody: + description: |- + Inspect the body of the web request as JSON. The body immediately follows + the request headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Use the specifications in this object to indicate which parts of the JSON + body to inspect using the rule's inspection criteria. WAF inspects only the + parts of the JSON that result from the matches that you indicate. + + Example JSON: "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": + "ALL" } + properties: + invalidFallbackBehavior: + type: string + matchPattern: + description: |- + The patterns to look for in the JSON body. WAF inspects the results of these + pattern matches against the rule inspection criteria. This is used with the + FieldToMatch option JsonBody. + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + includedPaths: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + method: + additionalProperties: + type: string + description: |- + Inspect the HTTP method of the web request. The method indicates the type + of operation that the request is asking the origin to perform. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "Method": {} + type: object + queryString: + additionalProperties: + type: string + description: |- + Inspect the query string of the web request. This is the part of a URL that + appears after a ? character, if any. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "QueryString": {} + type: object + singleHeader: + description: |- + Inspect one of the headers in the web request, identified by name, for example, + User-Agent or Referer. The name isn't case sensitive. + + You can filter and inspect all headers with the FieldToMatch setting Headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleHeader": { "Name": "haystack" } + properties: + name: + type: string + type: object + singleQueryArgument: + description: |- + Inspect one query argument in the web request, identified by name, for example + UserName or SalesRegion. The name isn't case sensitive. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleQueryArgument": { "Name": "myArgument" } + properties: + name: + type: string + type: object + uriPath: + additionalProperties: + type: string + description: |- + Inspect the path component of the URI of the web request. This is the part + of the web request that identifies a resource. For example, /images/daily-ad.jpg. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "UriPath": {} + type: object + type: object + sensitivityLevel: + type: string + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + xssMatchStatement: + description: |- + A rule statement that inspects for cross-site scripting (XSS) attacks. In + XSS attacks, the attacker uses vulnerabilities in a benign website as a vehicle + to inject malicious client-site scripts into other legitimate web browsers. + properties: + fieldToMatch: + description: |- + Specifies a web request component to be used in a rule match statement or + in a logging configuration. + + * In a rule statement, this is the part of the web request that you want + WAF to inspect. Include the single FieldToMatch type that you want to + inspect, with additional specifications as needed, according to the type. + You specify a single request component in FieldToMatch for each rule statement + that requires it. To inspect more than one component of the web request, + create a separate rule statement for each component. Example JSON for + a QueryString field to match: "FieldToMatch": { "QueryString": {} } Example + JSON for a Method field to match specification: "FieldToMatch": { "Method": + { "Name": "DELETE" } } + + * In a logging configuration, this is used in the RedactedFields property + to specify a field to redact from the logging records. For this use case, + note the following: Even though all FieldToMatch settings are available, + the only valid settings for field redaction are UriPath, QueryString, + SingleHeader, and Method. In this documentation, the descriptions of the + individual fields talk about specifying the web request component to inspect, + but for field redaction, you are specifying the component type to redact + from the logs. + properties: + allQueryArguments: + additionalProperties: + type: string + description: |- + Inspect all query arguments of the web request. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "AllQueryArguments": {} + type: object + body: + description: |- + Inspect the body of the web request. The body immediately follows the request + headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + properties: + oversizeHandling: + type: string + type: object + cookies: + description: |- + Inspect the cookies in the web request. You can specify the parts of the + cookies to inspect and you can narrow the set of cookies to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of cookies to inspect in a web request. + + You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies. + + Example JSON: "MatchPattern": { "IncludedCookies": [ "session-id-time", "session-id" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedCookies: + items: + type: string + type: array + includedCookies: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + headerOrder: + description: |- + Inspect a string containing the list of the request's header names, ordered + as they appear in the web request that WAF receives for inspection. WAF generates + the string and then uses that as the field to match component in its inspection. + WAF separates the header names in the string using colons and no added spaces, + for example host:user-agent:accept:authorization:referer. + properties: + oversizeHandling: + type: string + type: object + headers: + description: |- + Inspect all headers in the web request. You can specify the parts of the + headers to inspect and you can narrow the set of headers to inspect by including + or excluding specific keys. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + If you want to inspect just the value of a single header, use the SingleHeader + FieldToMatch setting instead. + + Example JSON: "Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", + "OversizeHandling": "MATCH" } + properties: + matchPattern: + description: |- + The filter to use to identify the subset of headers to inspect in a web request. + + You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders. + + Example JSON: "MatchPattern": { "ExcludedHeaders": [ "KeyToExclude1", "KeyToExclude2" + ] } + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + excludedHeaders: + items: + type: string + type: array + includedHeaders: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + ja3Fingerprint: + description: |- + Match against the request's JA3 fingerprint. The JA3 fingerprint is a 32-character + hash derived from the TLS Client Hello of an incoming request. This fingerprint + serves as a unique identifier for the client's TLS configuration. WAF calculates + and logs this fingerprint for each request that has enough TLS Client Hello + information for the calculation. Almost all web requests include this information. + + You can use this choice only with a string match ByteMatchStatement with + the PositionalConstraint set to EXACTLY. + + You can obtain the JA3 fingerprint for client requests from the web ACL logs. + If WAF is able to calculate the fingerprint, it includes it in the logs. + For information about the logging fields, see Log fields (https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html) + in the WAF Developer Guide. + + Provide the JA3 fingerprint string from the logs in your string match statement + specification, to match with any future requests that have the same TLS configuration. + properties: + fallbackBehavior: + type: string + type: object + jsonBody: + description: |- + Inspect the body of the web request as JSON. The body immediately follows + the request headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Use the specifications in this object to indicate which parts of the JSON + body to inspect using the rule's inspection criteria. WAF inspects only the + parts of the JSON that result from the matches that you indicate. + + Example JSON: "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": + "ALL" } + properties: + invalidFallbackBehavior: + type: string + matchPattern: + description: |- + The patterns to look for in the JSON body. WAF inspects the results of these + pattern matches against the rule inspection criteria. This is used with the + FieldToMatch option JsonBody. + properties: + all: + additionalProperties: + type: string + description: |- + Inspect all of the elements that WAF has parsed and extracted from the web + request component that you've identified in your FieldToMatch specifications. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "All": {} + type: object + includedPaths: + items: + type: string + type: array + type: object + matchScope: + type: string + oversizeHandling: + type: string + type: object + method: + additionalProperties: + type: string + description: |- + Inspect the HTTP method of the web request. The method indicates the type + of operation that the request is asking the origin to perform. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "Method": {} + type: object + queryString: + additionalProperties: + type: string + description: |- + Inspect the query string of the web request. This is the part of a URL that + appears after a ? character, if any. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "QueryString": {} + type: object + singleHeader: + description: |- + Inspect one of the headers in the web request, identified by name, for example, + User-Agent or Referer. The name isn't case sensitive. + + You can filter and inspect all headers with the FieldToMatch setting Headers. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleHeader": { "Name": "haystack" } + properties: + name: + type: string + type: object + singleQueryArgument: + description: |- + Inspect one query argument in the web request, identified by name, for example + UserName or SalesRegion. The name isn't case sensitive. + + This is used to indicate the web request component to inspect, in the FieldToMatch + specification. + + Example JSON: "SingleQueryArgument": { "Name": "myArgument" } + properties: + name: + type: string + type: object + uriPath: + additionalProperties: + type: string + description: |- + Inspect the path component of the URI of the web request. This is the part + of the web request that identifies a resource. For example, /images/daily-ad.jpg. + + This is used in the FieldToMatch specification for some web request component + types. + + JSON specification: "UriPath": {} + type: object + type: object + textTransformations: + items: + description: |- + Text transformations eliminate some of the unusual formatting that attackers + use in web requests in an effort to bypass detection. + properties: + priority: + format: int64 + type: integer + type: + type: string + type: object + type: array + type: object + type: object + visibilityConfig: + description: Defines and enables Amazon CloudWatch metrics and + web request sample collection. + properties: + cloudWatchMetricsEnabled: + type: boolean + metricName: + type: string + sampledRequestsEnabled: + type: boolean + type: object + type: object + type: array + scope: + description: |- + Specifies whether this is for an Amazon CloudFront distribution or for a + regional application. A regional application can be an Application Load Balancer + (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon + Cognito user pool, an App Runner service, or an Amazon Web Services Verified + Access instance. + + To work with CloudFront, you must also specify the Region US East (N. Virginia) + as follows: + + * CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT + --region=us-east-1. + + * API and SDKs - For all calls, use the Region endpoint us-east-1. + type: string + tags: + description: An array of key:value pairs to associate with the resource. + items: + description: |- + A tag associated with an Amazon Web Services resource. Tags are key:value + pairs that you can use to categorize and manage your resources, for purposes + like billing or other management. Typically, the tag key represents a category, + such as "environment", and the tag value represents a specific value within + that category, such as "test," "development," or "production". Or you might + set the tag key to "customer" and the value to the customer name or ID. You + can specify one or more tags to add to each Amazon Web Services resource, + up to 50 tags for a resource. + + You can tag the Amazon Web Services resources that you manage through WAF: + web ACLs, rule groups, IP sets, and regex pattern sets. You can't manage + or view tags through the WAF console. + properties: + key: + type: string + value: + type: string + type: object + type: array + tokenDomains: + description: |- + Specifies the domains that WAF should accept in a web request token. This + enables the use of tokens across multiple protected websites. When WAF provides + a token, it uses the domain of the Amazon Web Services resource that the + web ACL is protecting. If you don't specify a list of token domains, WAF + accepts tokens only for the domain of the protected resource. With a token + domain list, WAF accepts the resource's host domain plus all domains in the + token domain list, including their prefixed subdomains. + + Example JSON: "TokenDomains": { "mywebsite.com", "myotherwebsite.com" } + + Public suffixes aren't allowed. For example, you can't use gov.au or co.uk + as token domains. + items: + type: string + type: array + visibilityConfig: + description: Defines and enables Amazon CloudWatch metrics and web + request sample collection. + properties: + cloudWatchMetricsEnabled: + type: boolean + metricName: + type: string + sampledRequestsEnabled: + type: boolean + type: object + required: + - defaultAction + - name + - scope + - visibilityConfig + type: object + status: + description: WebACLStatus defines the observed state of WebACL + properties: + ackResourceMetadata: + description: |- + All CRs managed by ACK have a common `Status.ACKResourceMetadata` member + that is used to contain resource sync state, account ownership, + constructed ARN for the resource + properties: + arn: + description: |- + ARN is the Amazon Resource Name for the resource. This is a + globally-unique identifier and is set only by the ACK service controller + once the controller has orchestrated the creation of the resource OR + when it has verified that an "adopted" resource (a resource where the + ARN annotation was set by the Kubernetes user on the CR) exists and + matches the supplied CR's Spec field values. + https://github.com/aws/aws-controllers-k8s/issues/270 + type: string + ownerAccountID: + description: |- + OwnerAccountID is the AWS Account ID of the account that owns the + backend AWS service API resource. + type: string + region: + description: Region is the AWS region in which the resource exists + or will exist. + type: string + required: + - ownerAccountID + - region + type: object + conditions: + description: |- + All CRS managed by ACK have a common `Status.Conditions` member that + contains a collection of `ackv1alpha1.Condition` objects that describe + the various terminal states of the CR and its backend AWS service API + resource + items: + description: |- + Condition is the common struct used by all CRDs managed by ACK service + controllers to indicate terminal states of the CR and its backend AWS + service API resource + properties: + lastTransitionTime: + description: Last time the condition transitioned from one status + to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: Status of the condition, one of True, False, Unknown. + type: string + type: + description: Type is the type of the Condition + type: string + required: + - status + - type + type: object + type: array + id: + description: |- + The unique identifier for the web ACL. This ID is returned in the responses + to create and list commands. You provide it to operations like update and + delete. + type: string + lockToken: + description: |- + A token used for optimistic locking. WAF returns a token to your get and + list requests, to mark the state of the entity at the time of the request. + To make changes to the entity associated with the token, you provide the + token to operations like update and delete. WAF uses the token to ensure + that no changes have been made to the entity since you last retrieved it. + If a change has been made, the update fails with a WAFOptimisticLockException. + If this happens, perform another get, and use the new token returned by that + operation. + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null diff --git a/operators/ack-wafv2-controller/0.0.4/metadata/annotations.yaml b/operators/ack-wafv2-controller/0.0.4/metadata/annotations.yaml new file mode 100644 index 00000000000..8c876b9e36b --- /dev/null +++ b/operators/ack-wafv2-controller/0.0.4/metadata/annotations.yaml @@ -0,0 +1,15 @@ +annotations: + # Core bundle annotations. + operators.operatorframework.io.bundle.mediatype.v1: registry+v1 + operators.operatorframework.io.bundle.manifests.v1: manifests/ + operators.operatorframework.io.bundle.metadata.v1: metadata/ + operators.operatorframework.io.bundle.package.v1: ack-wafv2-controller + operators.operatorframework.io.bundle.channels.v1: alpha + operators.operatorframework.io.bundle.channel.default.v1: alpha + operators.operatorframework.io.metrics.builder: operator-sdk-v1.28.0 + operators.operatorframework.io.metrics.mediatype.v1: metrics+v1 + operators.operatorframework.io.metrics.project_layout: unknown + + # Annotations for testing. + operators.operatorframework.io.test.mediatype.v1: scorecard+v1 + operators.operatorframework.io.test.config.v1: tests/scorecard/ diff --git a/operators/ack-wafv2-controller/0.0.4/tests/scorecard/config.yaml b/operators/ack-wafv2-controller/0.0.4/tests/scorecard/config.yaml new file mode 100644 index 00000000000..382ddefd156 --- /dev/null +++ b/operators/ack-wafv2-controller/0.0.4/tests/scorecard/config.yaml @@ -0,0 +1,50 @@ +apiVersion: scorecard.operatorframework.io/v1alpha3 +kind: Configuration +metadata: + name: config +stages: +- parallel: true + tests: + - entrypoint: + - scorecard-test + - basic-check-spec + image: quay.io/operator-framework/scorecard-test:v1.7.1 + labels: + suite: basic + test: basic-check-spec-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-bundle-validation + image: quay.io/operator-framework/scorecard-test:v1.7.1 + labels: + suite: olm + test: olm-bundle-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-crds-have-validation + image: quay.io/operator-framework/scorecard-test:v1.7.1 + labels: + suite: olm + test: olm-crds-have-validation-test + storage: + spec: + mountPath: {} + - entrypoint: + - scorecard-test + - olm-spec-descriptors + image: quay.io/operator-framework/scorecard-test:v1.7.1 + labels: + suite: olm + test: olm-spec-descriptors-test + storage: + spec: + mountPath: {} +storage: + spec: + mountPath: {}