The Amazon Resource Name (ARN) of the web ACL that you want to associate with the resource.

The Amazon Resource Name (ARN) of the resource to associate with the web ACL.

The ARN must be in one of the following formats:

• For an Application Load Balancer: arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id
• For an Amazon API Gateway REST API: arn:aws:apigateway:region::/restapis/api-id/stages/stage-name
• For an AppSync GraphQL API: arn:aws:appsync:region:account-id:apis/GraphQLApiId
• For an Amazon Cognito user pool: arn:aws:cognito-idp:region:account-id:userpool/user-pool-id

The response's http status code.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

An array of Rule that you're configuring to use in a rule group or web ACL.

The capacity required by the rules and scope.

The response's http status code.

A description of the IP set that helps with identification.

An array of key:value pairs to associate with the resource.

The name of the IP set. You cannot change the name of an IPSet after you create it.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

The version of the IP addresses, either IPV4 or IPV6.

Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0.

Example address strings:

• To configure WAF to allow, block, or count requests that originated from the IP address 192.0.2.44, specify 192.0.2.44/32.
• To configure WAF to allow, block, or count requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
• To configure WAF to allow, block, or count requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128.
• To configure WAF to allow, block, or count requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64.

For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

Example JSON Addresses specifications:

• Empty array: "Addresses": []
• Array with one address: "Addresses": ["192.0.2.44/32"]
• Array with three addresses: "Addresses": ["192.0.2.44/32", "192.0.2.0/24", "192.0.0.0/16"]
• INVALID specification: "Addresses": [""] INVALID

High-level information about an IPSet, returned by operations like create and list. This provides information like the ID, that you can use to retrieve and manage an IPSet, and the ARN, that you provide to the IPSetReferenceStatement to use the address set in a Rule.

The response's http status code.

A description of the set that helps with identification.

An array of key:value pairs to associate with the resource.

The name of the set. You cannot change the name after you create the set.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

Array of regular expression strings.

High-level information about a RegexPatternSet, returned by operations like create and list. This provides information like the ID, that you can use to retrieve and manage a RegexPatternSet, and the ARN, that you provide to the RegexPatternSetReferenceStatement to use the pattern set in a Rule.

The response's http status code.

A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the rule group, and then use them in the rules that you define in the rule group.

For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the WAF Developer Guide.

For information about the limits on count and size for custom request and response settings, see WAF quotas in the WAF Developer Guide.

A description of the rule group that helps with identification.

The Rule statements used to identify the web requests that you want to allow, block, or count. Each rule includes one top-level statement that WAF uses to identify matching web requests, and parameters that govern how WAF handles them.

An array of key:value pairs to associate with the resource.

The name of the rule group. You cannot change the name of a rule group after you create it.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

The web ACL capacity units (WCUs) required for this rule group.

When you create your own rule group, you define this, and you cannot change it after creation. When you add or modify the rules in a rule group, WAF enforces this limit. You can check the capacity for a set of rules using CheckCapacity.

WAF uses WCUs to calculate and control the operating resources that are used to run your rules, rule groups, and web ACLs. WAF calculates capacity differently for each rule type, to reflect the relative cost of each rule. Simple rules that cost little to run use fewer WCUs than more complex rules that use more processing power. Rule group capacity is fixed at creation, which helps users plan their web ACL WCU usage when they use a rule group. The WCU limit for web ACLs is 1,500.

Defines and enables Amazon CloudWatch metrics and web request sample collection.

High-level information about a RuleGroup, returned by operations like create and list. This provides information like the ID, that you can use to retrieve and manage a RuleGroup, and the ARN, that you provide to the RuleGroupReferenceStatement to use the rule group in a Rule.

The response's http status code.

Specifies how WAF should handle CAPTCHA evaluations for rules that don't have their own CaptchaConfig settings. If you don't specify this, WAF uses its default settings for CaptchaConfig.

Specifies how WAF should handle challenge evaluations for rules that don't have their own ChallengeConfig settings. If you don't specify this, WAF uses its default settings for ChallengeConfig.

A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the web ACL, and then use them in the rules and default actions that you define in the web ACL.

For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the WAF Developer Guide.

For information about the limits on count and size for custom request and response settings, see WAF quotas in the WAF Developer Guide.

A description of the web ACL that helps with identification.

The Rule statements used to identify the web requests that you want to allow, block, or count. Each rule includes one top-level statement that WAF uses to identify matching web requests, and parameters that govern how WAF handles them.

An array of key:value pairs to associate with the resource.

Specifies the domains that WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When WAF provides a token, it uses the domain of the Amazon Web Services resource that the web ACL is protecting. If you don't specify a list of token domains, WAF accepts tokens only for the domain of the protected resource. With a token domain list, WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains.

Example JSON: "TokenDomains": { "mywebsite.com", "myotherwebsite.com" }

Public suffixes aren't allowed. For example, you can't use usa.gov or co.uk as token domains.

The name of the web ACL. You cannot change the name of a web ACL after you create it.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

The action to perform if none of the Rules contained in the WebACL match.

Defines and enables Amazon CloudWatch metrics and web request sample collection.

High-level information about a WebACL, returned by operations like create and list. This provides information like the ID, that you can use to retrieve and manage a WebACL, and the ARN, that you provide to operations like AssociateWebACL.

The response's http status code.

The Amazon Resource Name (ARN) of the web ACL.

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

The response's http status code.

The name of the IP set. You cannot change the name of an IPSet after you create it.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

A unique identifier for the set. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

The response's http status code.

The Amazon Resource Name (ARN) of the web ACL from which you want to delete the LoggingConfiguration.

The response's http status code.

The Amazon Resource Name (ARN) of the rule group from which you want to delete the policy.

You must be the owner of the rule group to perform this operation.

The response's http status code.

The name of the set. You cannot change the name after you create the set.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

A unique identifier for the set. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

The response's http status code.

The name of the rule group. You cannot change the name of a rule group after you create it.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

A unique identifier for the rule group. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

The response's http status code.

The name of the web ACL. You cannot change the name of a web ACL after you create it.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

The unique identifier for the web ACL. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

The response's http status code.

The version of the rule group. You can only use a version that is not scheduled for expiration. If you don't provide this, WAF uses the vendor's default version.

The name of the managed rule group vendor. You use this, along with the rule group name, to identify the rule group.

The name of the managed rule group. You use this, along with the vendor name, to identify the rule group.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

The labels that one or more rules in this rule group add to matching web requests. These labels are defined in the RuleLabels for a Rule.

The web ACL capacity units (WCUs) required for this rule group. WAF uses web ACL capacity units (WCU) to calculate and control the operating resources that are used to run your rules, rule groups, and web ACLs. WAF calculates capacity differently for each rule type, to reflect each rule's relative cost. Rule group capacity is fixed at creation, so users can plan their web ACL WCU usage when they use a rule group. The WCU limit for web ACLs is 1,500.

The labels that one or more rules in this rule group match against in label match statements. These labels are defined in a LabelMatchStatement specification, in the Statement definition of a rule.

The label namespace prefix for this rule group. All labels added by rules in this rule group have this prefix.

• The syntax for the label namespace prefix for a managed rule group is the following:

  awswaf:managed:<vendor>:<rule group name>:

• When a rule with a label matches a web request, WAF adds the fully qualified label to the request. A fully qualified label is made up of the label namespace from the rule group or web ACL where the rule is defined and the label from the rule, separated by a colon:

  <label namespace>:<label from rule>

The Amazon resource name (ARN) of the Amazon Simple Notification Service SNS topic that's used to record changes to the managed rule group. You can subscribe to the SNS topic to receive notifications when the managed rule group is modified, such as for new versions and for version expiration. For more information, see the Amazon Simple Notification Service Developer Guide.

The managed rule group's version.

The response's http status code.

The Amazon Resource Name (ARN) of the resource to disassociate from the web ACL.

The ARN must be in one of the following formats:

• For an Application Load Balancer: arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id
• For an Amazon API Gateway REST API: arn:aws:apigateway:region::/restapis/api-id/stages/stage-name
• For an AppSync GraphQL API: arn:aws:appsync:region:account-id:apis/GraphQLApiId
• For an Amazon Cognito user pool: arn:aws:cognito-idp:region:account-id:userpool/user-pool-id

The response's http status code.

The device platform.

The release version. For the latest available version, specify LATEST.

The presigned download URL for the specified SDK release.

The response's http status code.

The name of the IP set. You cannot change the name of an IPSet after you create it.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

A unique identifier for the set. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

The response's http status code.

The Amazon Resource Name (ARN) of the web ACL for which you want to get the LoggingConfiguration.

The LoggingConfiguration for the specified web ACL.

The response's http status code.

The name of the managed rule set. You use this, along with the rule set ID, to identify the rule set.

This name is assigned to the corresponding managed rule group, which your customers can access and use.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

A unique identifier for the managed rule set. The ID is returned in the responses to commands like list. You provide it to operations like get and update.

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

The managed rule set that you requested.

The response's http status code.

The device platform.

The release version. For the latest available version, specify LATEST.

Information for a specified SDK release, including release notes and tags.

The response's http status code.

The Amazon Resource Name (ARN) of the rule group for which you want to get the policy.

The IAM policy that is attached to the specified rule group.

The response's http status code.

The name of the rule group reference statement in your web ACL. This is required only when you have the rate-based rule nested inside a rule group.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

The name of the web ACL. You cannot change the name of a web ACL after you create it.

The unique identifier for the web ACL. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.

The name of the rate-based rule to get the keys for. If you have the rule defined inside a rule group that you're using in your web ACL, also provide the name of the rule group reference statement in the request parameter RuleGroupRuleName.

The keys that are of Internet Protocol version 4 (IPv4).

The keys that are of Internet Protocol version 6 (IPv6).

The response's http status code.

The name of the set. You cannot change the name after you create the set.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

A unique identifier for the set. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

The response's http status code.

The Amazon Resource Name (ARN) of the entity.

A unique identifier for the rule group. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.

The name of the rule group. You cannot change the name of a rule group after you create it.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

The response's http status code.

The Amazon resource name (ARN) of the WebACL for which you want a sample of requests.

The metric name assigned to the Rule or RuleGroup for which you want a sample of requests.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

The start date and time and the end date and time of the range for which you want GetSampledRequests to return a sample of requests. You must specify the times in Coordinated Universal Time (UTC) format. UTC format includes the special designator, Z. For example, "2016-09-27T14:50Z". You can specify any time range in the previous three hours. If you specify a start time that's earlier than three hours ago, WAF sets it to three hours ago.

The number of requests that you want WAF to return from among the first 5,000 requests that your Amazon Web Services resource received during the time range. If your resource received fewer requests than the value of MaxItems, GetSampledRequests returns information about all of them.

The total number of requests from which GetSampledRequests got a sample of MaxItems requests. If PopulationSize is less than MaxItems, the sample includes every request that your Amazon Web Services resource received during the specified time range.

A complex type that contains detailed information about each of the requests in the sample.

Usually, TimeWindow is the time range that you specified in the GetSampledRequests request. However, if your Amazon Web Services resource received more than 5,000 requests during the time range that you specified in the request, GetSampledRequests returns the time range for the first 5,000 requests. Times are in Coordinated Universal Time (UTC) format.

The response's http status code.

The name of the web ACL. You cannot change the name of a web ACL after you create it.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

The unique identifier for the web ACL. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.

The URL to use in SDK integrations with Amazon Web Services managed rule groups. For example, you can use the integration SDKs with the account takeover prevention managed rule group AWSManagedRulesATPRuleSet. This is only populated if you are using a rule group in your web ACL that integrates with your applications in this way. For more information, see WAF client application integration in the WAF Developer Guide.

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

The web ACL specification. You can modify the settings in this web ACL and use it to update this web ACL or create a new one.

The response's http status code.

The Amazon Resource Name (ARN) of the resource whose web ACL you want to retrieve.

The ARN must be in one of the following formats:

• For an Application Load Balancer: arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id
• For an Amazon API Gateway REST API: arn:aws:apigateway:region::/restapis/api-id/stages/stage-name
• For an AppSync GraphQL API: arn:aws:appsync:region:account-id:apis/GraphQLApiId
• For an Amazon Cognito user pool: arn:aws:cognito-idp:region:account-id:userpool/user-pool-id

The web ACL that is associated with the resource. If there is no associated resource, WAF returns a null web ACL.

The response's http status code.

The maximum number of objects that you want WAF to return for this request. If more objects are available, in the response, WAF provides a NextMarker value that you can use in a subsequent call to get the next batch of objects.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

The name of the managed rule group vendor. You use this, along with the rule group name, to identify the rule group.

The name of the managed rule group. You use this, along with the vendor name, to identify the rule group.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

The name of the version that's currently set as the default.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

The versions that are currently available for the specified managed rule group.

The response's http status code.

The maximum number of objects that you want WAF to return for this request. If more objects are available, in the response, WAF provides a NextMarker value that you can use in a subsequent call to get the next batch of objects.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

The response's http status code.

The maximum number of objects that you want WAF to return for this request. If more objects are available, in the response, WAF provides a NextMarker value that you can use in a subsequent call to get the next batch of objects.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

Array of IPSets. This may not be the full list of IPSets that you have defined. See the Limit specification for this request.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

The response's http status code.

The maximum number of objects that you want WAF to return for this request. If more objects are available, in the response, WAF provides a NextMarker value that you can use in a subsequent call to get the next batch of objects.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

The response's http status code.

The maximum number of objects that you want WAF to return for this request. If more objects are available, in the response, WAF provides a NextMarker value that you can use in a subsequent call to get the next batch of objects.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

Your managed rule sets.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

The response's http status code.

The maximum number of objects that you want WAF to return for this request. If more objects are available, in the response, WAF provides a NextMarker value that you can use in a subsequent call to get the next batch of objects.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

The device platform to retrieve the list for.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

High level information for the available SDK releases.

The response's http status code.

The maximum number of objects that you want WAF to return for this request. If more objects are available, in the response, WAF provides a NextMarker value that you can use in a subsequent call to get the next batch of objects.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

The response's http status code.

Used for web ACLs that are scoped for regional applications. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

If you don't provide a resource type, the call uses the resource type APPLICATION_LOAD_BALANCER.

Default: APPLICATION_LOAD_BALANCER

The Amazon Resource Name (ARN) of the web ACL.

The array of Amazon Resource Names (ARNs) of the associated resources.

The response's http status code.

The maximum number of objects that you want WAF to return for this request. If more objects are available, in the response, WAF provides a NextMarker value that you can use in a subsequent call to get the next batch of objects.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

The response's http status code.

The maximum number of objects that you want WAF to return for this request. If more objects are available, in the response, WAF provides a NextMarker value that you can use in a subsequent call to get the next batch of objects.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

The Amazon Resource Name (ARN) of the resource.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

The collection of tagging definitions for the resource.

The response's http status code.

The maximum number of objects that you want WAF to return for this request. If more objects are available, in the response, WAF provides a NextMarker value that you can use in a subsequent call to get the next batch of objects.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

The response's http status code.

The response's http status code.

The version of the named managed rule group that you'd like your customers to choose, from among your version offerings.

The versions of the named managed rule group that you want to offer to your customers.

The name of the managed rule set. You use this, along with the rule set ID, to identify the rule set.

This name is assigned to the corresponding managed rule group, which your customers can access and use.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

A unique identifier for the managed rule set. The ID is returned in the responses to commands like list. You provide it to operations like get and update.

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

The response's http status code.

The Amazon Resource Name (ARN) of the RuleGroup to which you want to attach the policy.

The policy to attach to the specified rule group.

The policy specifications must conform to the following:

• The policy must be composed using IAM Policy version 2012-10-17 or version 2015-01-01.
• The policy must include specifications for Effect, Action, and Principal.
• Effect must specify Allow.
• Action must specify wafv2:CreateWebACL, wafv2:UpdateWebACL, and wafv2:PutFirewallManagerRuleGroups and may optionally specify wafv2:GetRuleGroup. WAF rejects any extra actions or wildcard actions in the policy.
• The policy must not include a Resource parameter.

For more information, see IAM Policies.

The response's http status code.

The Amazon Resource Name (ARN) of the resource.

An array of key:value pairs to associate with the resource.

The response's http status code.

The Amazon Resource Name (ARN) of the resource.

An array of keys identifying the tags to disassociate from the resource.

The response's http status code.

A description of the IP set that helps with identification.

The name of the IP set. You cannot change the name of an IPSet after you create it.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

A unique identifier for the set. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.

Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0.

Example address strings:

• To configure WAF to allow, block, or count requests that originated from the IP address 192.0.2.44, specify 192.0.2.44/32.
• To configure WAF to allow, block, or count requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
• To configure WAF to allow, block, or count requests that originated from the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128.
• To configure WAF to allow, block, or count requests that originated from IP addresses 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64.

For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

Example JSON Addresses specifications:

• Empty array: "Addresses": []
• Array with one address: "Addresses": ["192.0.2.44/32"]
• Array with three addresses: "Addresses": ["192.0.2.44/32", "192.0.2.0/24", "192.0.0.0/16"]
• INVALID specification: "Addresses": [""] INVALID

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

A token used for optimistic locking. WAF returns this token to your update requests. You use NextLockToken in the same manner as you use LockToken.

The response's http status code.

The name of the managed rule set. You use this, along with the rule set ID, to identify the rule set.

This name is assigned to the corresponding managed rule group, which your customers can access and use.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

A unique identifier for the managed rule set. The ID is returned in the responses to commands like list. You provide it to operations like get and update.

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

The version that you want to remove from your list of offerings for the named managed rule group.

The time that you want the version to expire.

Times are in Coordinated Universal Time (UTC) format. UTC format includes the special designator, Z. For example, "2016-09-27T14:50Z".

The version that is set to expire.

The time that the version will expire.

Times are in Coordinated Universal Time (UTC) format. UTC format includes the special designator, Z. For example, "2016-09-27T14:50Z".

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

The response's http status code.

A description of the set that helps with identification.

The name of the set. You cannot change the name after you create the set.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

A unique identifier for the set. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

A token used for optimistic locking. WAF returns this token to your update requests. You use NextLockToken in the same manner as you use LockToken.

The response's http status code.

A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the rule group, and then use them in the rules that you define in the rule group.

For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the WAF Developer Guide.

For information about the limits on count and size for custom request and response settings, see WAF quotas in the WAF Developer Guide.

A description of the rule group that helps with identification.

The Rule statements used to identify the web requests that you want to allow, block, or count. Each rule includes one top-level statement that WAF uses to identify matching web requests, and parameters that govern how WAF handles them.

The name of the rule group. You cannot change the name of a rule group after you create it.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

A unique identifier for the rule group. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.

Defines and enables Amazon CloudWatch metrics and web request sample collection.

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

A token used for optimistic locking. WAF returns this token to your update requests. You use NextLockToken in the same manner as you use LockToken.

The response's http status code.

Specifies how WAF should handle CAPTCHA evaluations for rules that don't have their own CaptchaConfig settings. If you don't specify this, WAF uses its default settings for CaptchaConfig.

Specifies how WAF should handle challenge evaluations for rules that don't have their own ChallengeConfig settings. If you don't specify this, WAF uses its default settings for ChallengeConfig.

A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the web ACL, and then use them in the rules and default actions that you define in the web ACL.

For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the WAF Developer Guide.

For information about the limits on count and size for custom request and response settings, see WAF quotas in the WAF Developer Guide.

A description of the web ACL that helps with identification.

The Rule statements used to identify the web requests that you want to allow, block, or count. Each rule includes one top-level statement that WAF uses to identify matching web requests, and parameters that govern how WAF handles them.

Specifies the domains that WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When WAF provides a token, it uses the domain of the Amazon Web Services resource that the web ACL is protecting. If you don't specify a list of token domains, WAF accepts tokens only for the domain of the protected resource. With a token domain list, WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains.

Example JSON: "TokenDomains": { "mywebsite.com", "myotherwebsite.com" }

Public suffixes aren't allowed. For example, you can't use usa.gov or co.uk as token domains.

The name of the web ACL. You cannot change the name of a web ACL after you create it.

Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

• CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
• API and SDKs - For all calls, use the Region endpoint us-east-1.

The unique identifier for the web ACL. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.

The action to perform if none of the Rules contained in the WebACL match.

Defines and enables Amazon CloudWatch metrics and web request sample collection.

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

A token used for optimistic locking. WAF returns this token to your update requests. You use NextLockToken in the same manner as you use LockToken.

The response's http status code.

The inspection level to use for the Bot Control rule group. The common level is the least expensive. The targeted level includes all common level rules and adds rules with more advanced inspection criteria. For details, see WAF Bot Control rule group.

The action setting that a log record must contain in order to meet the condition. This is the action that WAF applied to the web request.

For rule groups, this is either the configured rule action setting, or if you've applied a rule action override to the rule, it's the override action. The value EXCLUDED_AS_COUNT matches on excluded rules and also on rules that have a rule action override of Count.

Defines custom handling for the web request.

For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the WAF Developer Guide.

The statements to combine with AND logic. You can use any statements that can be nested.

Defines a custom response for the web request.

For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the WAF Developer Guide.

What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service.

The options for oversize handling are the following:

• CONTINUE - Inspect the body normally, according to the rule inspection criteria.
• MATCH - Treat the web request as matching the rule statement. WAF applies the rule action to the request.
• NO_MATCH - Treat the web request as not matching the rule statement.

You can combine the MATCH or NO_MATCH settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over 8 KB.

Default: CONTINUE

A string value that you want WAF to search for. WAF searches only in the part of web requests that you designate for inspection in FieldToMatch. The maximum length of the value is 50 bytes.

Valid values depend on the component that you specify for inspection in FieldToMatch:

• Method: The HTTP method that you want WAF to search for. This indicates the type of operation specified in the request.
• UriPath: The value that you want WAF to search for in the URI path, for example, /images/daily-ad.jpg.

If SearchString includes alphabetic characters A-Z and a-z, note that the value is case sensitive.

If you're using the WAF API

Specify a base64-encoded version of the value. The maximum length of the value before you base64-encode it is 50 bytes.

For example, suppose the value of Type is HEADER and the value of Data is User-Agent. If you want to search the User-Agent header for the value BadBot, you base64-encode BadBot using MIME base64-encoding and include the resulting value, QmFkQm90, in the value of SearchString.

If you're using the CLI or one of the Amazon Web Services SDKs

The value that you want WAF to search for. The SDK automatically base64 encodes the value.-- -- Note: This Lens automatically encodes and decodes Base64 data. -- The underlying isomorphism will encode to Base64 representation during -- serialisation, and decode from Base64 representation during deserialisation. -- This Lens accepts and returns only raw unencoded data.

The part of the web request that you want WAF to inspect.

Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. If you specify one or more transformations in a rule statement, WAF performs all transformations on the content of the request component identified by FieldToMatch, starting from the lowest priority setting, before inspecting the content for a match.

The area within the portion of the web request that you want WAF to search for SearchString. Valid values include the following:

CONTAINS

The specified part of the web request must include the value of SearchString, but the location doesn't matter.

CONTAINS_WORD

The specified part of the web request must include the value of SearchString, and SearchString must contain only alphanumeric characters or underscore (A-Z, a-z, 0-9, or _). In addition, SearchString must be a word, which means that both of the following are true:

• SearchString is at the beginning of the specified part of the web request or is preceded by a character other than an alphanumeric character or underscore (_). Examples include the value of a header and ;BadBot.
• SearchString is at the end of the specified part of the web request or is followed by a character other than an alphanumeric character or underscore (_), for example, BadBot; and -BadBot;.

EXACTLY

The value of the specified part of the web request must exactly match the value of SearchString.

STARTS_WITH

The value of SearchString must appear at the beginning of the specified part of the web request.

ENDS_WITH

The value of SearchString must appear at the end of the specified part of the web request.

Defines custom handling for the web request, used when the CAPTCHA inspection determines that the request's token is valid and unexpired.

For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the WAF Developer Guide.

Determines how long a CAPTCHA timestamp in the token remains valid after the client successfully solves a CAPTCHA puzzle.

The reason for failure, populated when the evaluation of the token fails.

The HTTP response code indicating the status of the CAPTCHA token in the web request. If the token is missing, invalid, or expired, this code is 405 Method Not Allowed.

The time that the CAPTCHA was last solved for the supplied token.

Defines custom handling for the web request, used when the challenge inspection determines that the request's token is valid and unexpired.

For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the WAF Developer Guide.

Determines how long a challenge timestamp in the token remains valid after the client successfully responds to a challenge.

The reason for failure, populated when the evaluation of the token fails.

The HTTP response code indicating the status of the challenge token in the web request. If the token is missing, invalid, or expired, this code is 202 Request Accepted.

The time that the challenge was last solved for the supplied token.

A single action condition. This is the action setting that a log record must contain in order to meet the condition.

A single label name condition. This is the fully qualified label name that a log record must contain in order to meet the condition. Fully qualified labels have a prefix, optional namespaces, and label name. The prefix identifies the rule group or web ACL context of the rule that added the label.

Inspect all cookies.

Inspect only the cookies whose keys don't match any of the strings specified here.

Inspect only the cookies that have a key that matches one of the strings specified here.

The filter to use to identify the subset of cookies to inspect in a web request.

You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies.

Example JSON: "MatchPattern": { "IncludedCookies": {"KeyToInclude1", "KeyToInclude2", "KeyToInclude3"} }

The parts of the cookies to inspect with the rule inspection criteria. If you specify All, WAF inspects both keys and values.

What WAF should do if the cookies of the request are larger than WAF can inspect. WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to WAF.

The options for oversize handling are the following:

• CONTINUE - Inspect the cookies normally, according to the rule inspection criteria.
• MATCH - Treat the web request as matching the rule statement. WAF applies the rule action to the request.
• NO_MATCH - Treat the web request as not matching the rule statement.

Defines custom handling for the web request.

For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the WAF Developer Guide.

The name of the custom header.

For custom request header insertion, when WAF inserts the header into the request, it prefixes this name x-amzn-waf-, to avoid confusion with the headers that are already in the request. For example, for the header name sample, WAF inserts the header x-amzn-waf-sample.

The value of the custom header.

The HTTP headers to insert into the request. Duplicate header names are not allowed.

For information about the limits on count and size for custom request and response settings, see WAF quotas in the WAF Developer Guide.

References the response body that you want WAF to return to the web request client. You can define a custom response for a rule action or a default web ACL action that is set to block. To do this, you first define the response body key and value in the CustomResponseBodies setting for the WebACL or RuleGroup where you want to use it. Then, in the rule action or web ACL default action BlockAction setting, you reference the response body using this key.

The HTTP headers to use in the response. Duplicate header names are not allowed.

For information about the limits on count and size for custom request and response settings, see WAF quotas in the WAF Developer Guide.

The HTTP status code to return to the client.

For a list of status codes that you can use in your custom responses, see Supported status codes for custom response in the WAF Developer Guide.

The type of content in the payload that you are defining in the Content string.

The payload of the custom response.

You can use JSON escape strings in JSON content. To do this, you must specify JSON content in the ContentType setting.

For information about the limits on count and size for custom request and response settings, see WAF quotas in the WAF Developer Guide.

Specifies that WAF should allow requests by default.

Specifies that WAF should block requests by default.

The name of the rule whose action you want to override to Count.