AWS WAF

2017/06/21 - AWS WAF - 6 new 3 updated api methods

UpdateRateBasedRule (new)

Inserts or deletes Predicate objects in a rule and updates the RateLimit in the rule.

Each Predicate object identifies a predicate, such as a ByteMatchSet or an IPSet, that specifies the web requests that you want to block or count. The RateLimit specifies the number of requests every five minutes that triggers the rule.

If you add more than one predicate to a RateBasedRule, a request must match all the predicates and exceed the RateLimit to be counted or blocked. For example, suppose you add the following to a RateBasedRule:

  • An IPSet that matches the IP address 192.0.2.44/32

  • A ByteMatchSet that matches BadBot in the User-Agent header

Further, you specify a RateLimit of 15,000.

You then add the RateBasedRule to a WebACL and specify that you want to block requests that satisfy the rule. For a request to be blocked, it must come from the IP address 192.0.2.44 and the User-Agent header in the request must contain the value BadBot. Further, requests that match these two conditions must be received at a rate of more than 15,000 every five minutes. If the rate drops below this limit, AWS WAF no longer blocks the requests.

As a second example, suppose you want to limit requests to a particular page on your site. To do this, you could add the following to a RateBasedRule:

  • A ByteMatchSet with FieldToMatch of URI

  • A PositionalConstraint of STARTS_WITH

  • A TargetString of login

Further, you specify a RateLimit of 15,000.

By adding this RateBasedRule to a WebACL, you could limit requests to your login page without affecting the rest of your site.
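As an added example (not code from this page or from AWS), the following Python models how the two rules above behave: a request is counted against its source IP only when every predicate matches, the rule fires once the five-minute count from one IP exceeds RateLimit, and managed_keys mirrors what GetRateBasedRuleManagedKeys reports. The request dicts, the ip_set/byte_match helpers, the RateBasedRule class and the tick() clock are constructed for this illustration and simplify the service's real, periodically updated bookkeeping.

```python
"""Local model of how a classic AWS WAF RateBasedRule combines its predicates
with the RateLimit (constructed example, not AWS code). A request counts against
its source IP only if it matches ALL predicates; the rule fires once more than
RateLimit such requests arrive from one IP within five minutes, and stops firing
when the count in the window falls back under the limit."""
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=5)
T0 = datetime(2017, 6, 21, tzinfo=timezone.utc)   # constructed clock origin


def tick(seconds):
    """Timestamp `seconds` after T0, so callers need no datetime arithmetic."""
    return T0 + timedelta(seconds=seconds)


def ip_set(cidr):
    """Predicate equivalent to an IPSet holding one CIDR entry."""
    net = ipaddress.ip_network(cidr)
    return lambda req: ipaddress.ip_address(req['ip']) in net


def byte_match(field, constraint, target, header=None):
    """Predicate equivalent to a ByteMatchSet on the URI or on one header."""
    def pred(req):
        value = req['uri'] if field == 'URI' else req['headers'].get(header, '')
        if constraint == 'STARTS_WITH':
            return value.startswith(target)
        if constraint == 'CONTAINS':
            return target in value
        if constraint == 'EXACTLY':
            return value == target
        raise ValueError(f'unsupported PositionalConstraint {constraint}')
    return pred


class RateBasedRule:
    def __init__(self, rate_limit, predicates):
        self.rate_limit = rate_limit
        self.predicates = predicates          # list of (predicate_fn, negated)
        self._hits = defaultdict(deque)       # RateKey=IP -> timestamps of counted requests

    def matches_predicates(self, req):
        # Negated flips the predicate, as the Predicate.Negated field does
        return all(pred(req) != negated for pred, negated in self.predicates)

    def evaluate(self, req, now):
        """Return 'MATCH' when the rule's action (BLOCK or COUNT) should fire."""
        if not self.matches_predicates(req):
            return 'NO_MATCH'                 # non-matching requests are never counted
        window = self._hits[req['ip']]
        window.append(now)
        while now - window[0] > WINDOW:
            window.popleft()                  # forget hits older than five minutes
        return 'MATCH' if len(window) > self.rate_limit else 'NO_MATCH'

    def managed_keys(self, now, cap=10000):
        """IPs currently over the limit, like GetRateBasedRuleManagedKeys (10,000 cap)."""
        over = []
        for ip, window in self._hits.items():
            recent = sum(1 for t in window if now - t <= WINDOW)
            if recent > self.rate_limit:
                over.append((recent, ip))
        # highest request rates first, as the service does when it truncates
        return [ip for _, ip in sorted(over, reverse=True)[:cap]]


def bad_bot_rule(rate_limit=15000):
    """First example above: 192.0.2.44/32 AND User-Agent contains BadBot."""
    return RateBasedRule(rate_limit, [
        (ip_set('192.0.2.44/32'), False),
        (byte_match('HEADER', 'CONTAINS', 'BadBot', header='User-Agent'), False)])


def login_rule(rate_limit=15000):
    """Second example: URI STARTS_WITH the login path (the URI field carries the leading '/')."""
    return RateBasedRule(rate_limit, [(byte_match('URI', 'STARTS_WITH', '/login'), False)])
```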

See also: AWS API Documentation

Request Syntax

client.update_rate_based_rule(
    RuleId='string',
    ChangeToken='string',
    Updates=[
        {
            'Action': 'INSERT'|'DELETE',
            'Predicate': {
                'Negated': True|False,
                'Type': 'IPMatch'|'ByteMatch'|'SqlInjectionMatch'|'SizeConstraint'|'XssMatch',
                'DataId': 'string'
            }
        },
    ],
    RateLimit=123
)
type RuleId

string

param RuleId

[REQUIRED]

The RuleId of the RateBasedRule that you want to update. RuleId is returned by CreateRateBasedRule and by ListRateBasedRules.

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken.

type Updates

list

param Updates

[REQUIRED]

An array of RuleUpdate objects that you want to insert into or delete from a RateBasedRule.

  • (dict) --

    Specifies a Predicate (such as an IPSet) and indicates whether you want to add it to a Rule or delete it from a Rule.

    • Action (string) -- [REQUIRED]

      Specify INSERT to add a Predicate to a Rule. Use DELETE to remove a Predicate from a Rule.

    • Predicate (dict) -- [REQUIRED]

      The ID of the Predicate (such as an IPSet) that you want to add to a Rule.

      • Negated (boolean) -- [REQUIRED]

        Set Negated to False if you want AWS WAF to allow, block, or count requests based on the settings in the specified ByteMatchSet, IPSet, SqlInjectionMatchSet, XssMatchSet, or SizeConstraintSet. For example, if an IPSet includes the IP address 192.0.2.44, AWS WAF will allow or block requests based on that IP address.

        Set Negated to True if you want AWS WAF to allow or block a request based on the negation of the settings in the ByteMatchSet, IPSet, SqlInjectionMatchSet, XssMatchSet, or SizeConstraintSet. For example, if an IPSet includes the IP address 192.0.2.44, AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44.

      • Type (string) -- [REQUIRED]

        The type of predicate in a Rule, such as ByteMatchSet or IPSet.

      • DataId (string) -- [REQUIRED]

        A unique identifier for a predicate in a Rule, such as ByteMatchSetId or IPSetId. The ID is returned by the corresponding Create or List command.

type RateLimit

integer

param RateLimit

[REQUIRED]

The maximum number of requests, which have an identical value in the field specified by the RateKey, allowed in a five-minute period. If the number of requests exceeds the RateLimit and the other predicates specified in the rule are also met, AWS WAF triggers the action that is specified for this rule.

rtype

dict

returns

Response Syntax

{
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • ChangeToken (string) --

      The ChangeToken that you used to submit the UpdateRateBasedRule request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus.

ListRateBasedRules (new)

Returns an array of RuleSummary objects.

See also: AWS API Documentation

Request Syntax

client.list_rate_based_rules(
    NextMarker='string',
    Limit=123
)
type NextMarker

string

param NextMarker

If you specify a value for Limit and you have more Rules than the value of Limit, AWS WAF returns a NextMarker value in the response that allows you to list another group of Rules. For the second and subsequent ListRateBasedRules requests, specify the value of NextMarker from the previous response to get information about another batch of Rules.

type Limit

integer

param Limit

Specifies the number of Rules that you want AWS WAF to return for this request. If you have more Rules than the number that you specify for Limit, the response includes a NextMarker value that you can use to get another batch of Rules.

rtype

dict

returns

Response Syntax

{
    'NextMarker': 'string',
    'Rules': [
        {
            'RuleId': 'string',
            'Name': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • NextMarker (string) --

      If you have more Rules than the number that you specified for Limit in the request, the response includes a NextMarker value. To list more Rules, submit another ListRateBasedRules request, and specify the NextMarker value from the response in the NextMarker value in the next request.

    • Rules (list) --

      An array of RuleSummary objects.

      • (dict) --

        Contains the identifier and the friendly name or description of the Rule.

        • RuleId (string) --

          A unique identifier for a Rule. You use RuleId to get more information about a Rule (see GetRule), update a Rule (see UpdateRule), insert a Rule into a WebACL or delete one from a WebACL (see UpdateWebACL), or delete a Rule from AWS WAF (see DeleteRule).

          RuleId is returned by CreateRule and by ListRules.

        • Name (string) --

          A friendly name or description of the Rule. You can't change the name of a Rule after you create it.

GetRateBasedRule (new)

Returns the RateBasedRule that is specified by the RuleId that you included in the GetRateBasedRule request.

See also: AWS API Documentation

Request Syntax

client.get_rate_based_rule(
    RuleId='string'
)
type RuleId

string

param RuleId

[REQUIRED]

The RuleId of the RateBasedRule that you want to get. RuleId is returned by CreateRateBasedRule and by ListRateBasedRules.

rtype

dict

returns

Response Syntax

{
    'Rule': {
        'RuleId': 'string',
        'Name': 'string',
        'MetricName': 'string',
        'MatchPredicates': [
            {
                'Negated': True|False,
                'Type': 'IPMatch'|'ByteMatch'|'SqlInjectionMatch'|'SizeConstraint'|'XssMatch',
                'DataId': 'string'
            },
        ],
        'RateKey': 'IP',
        'RateLimit': 123
    }
}

Response Structure

  • (dict) --

    • Rule (dict) --

      Information about the RateBasedRule that you specified in the GetRateBasedRule request.

      • RuleId (string) --

        A unique identifier for a RateBasedRule. You use RuleId to get more information about a RateBasedRule (see GetRateBasedRule), update a RateBasedRule (see UpdateRateBasedRule), insert a RateBasedRule into a WebACL or delete one from a WebACL (see UpdateWebACL), or delete a RateBasedRule from AWS WAF (see DeleteRateBasedRule).

      • Name (string) --

        A friendly name or description for a RateBasedRule. You can't change the name of a RateBasedRule after you create it.

      • MetricName (string) --

        A friendly name or description for the metrics for a RateBasedRule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can't contain whitespace. You can't change the name of the metric after you create the RateBasedRule.

      • MatchPredicates (list) --

        The Predicates object contains one Predicate element for each ByteMatchSet, IPSet, or SqlInjectionMatchSet object that you want to include in a RateBasedRule.

        • (dict) --

          Specifies the ByteMatchSet, IPSet, SqlInjectionMatchSet, XssMatchSet, and SizeConstraintSet objects that you want to add to a Rule and, for each object, indicates whether you want to negate the settings, for example, requests that do NOT originate from the IP address 192.0.2.44.

          • Negated (boolean) --

            Set Negated to False if you want AWS WAF to allow, block, or count requests based on the settings in the specified ByteMatchSet, IPSet, SqlInjectionMatchSet, XssMatchSet, or SizeConstraintSet. For example, if an IPSet includes the IP address 192.0.2.44, AWS WAF will allow or block requests based on that IP address.

            Set Negated to True if you want AWS WAF to allow or block a request based on the negation of the settings in the ByteMatchSet, IPSet, SqlInjectionMatchSet, XssMatchSet, or SizeConstraintSet. For example, if an IPSet includes the IP address 192.0.2.44, AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44.

          • Type (string) --

            The type of predicate in a Rule, such as ByteMatchSet or IPSet.

          • DataId (string) --

            A unique identifier for a predicate in a Rule, such as ByteMatchSetId or IPSetId. The ID is returned by the corresponding Create or List command.

      • RateKey (string) --

        The field that AWS WAF uses to determine if requests are likely arriving from a single source and thus subject to rate monitoring. The only valid value for RateKey is IP. IP indicates that requests arriving from the same IP address are subject to the RateLimit that is specified in the RateBasedRule.

      • RateLimit (integer) --

        The maximum number of requests, which have an identical value in the field specified by the RateKey, allowed in a five-minute period. If the number of requests exceeds the RateLimit and the other predicates specified in the rule are also met, AWS WAF triggers the action that is specified for this rule.

CreateRateBasedRule (new)

Creates a RateBasedRule. The RateBasedRule contains a RateLimit, which specifies the maximum number of requests that AWS WAF allows from a specified IP address in a five-minute period. The RateBasedRule also contains the IPSet objects, ByteMatchSet objects, and other predicates that identify the requests that you want to count or block if these requests exceed the RateLimit.

If you add more than one predicate to a RateBasedRule, a request not only must exceed the RateLimit, but it also must match all the specifications to be counted or blocked. For example, suppose you add the following to a RateBasedRule:

  • An IPSet that matches the IP address 192.0.2.44/32

  • A ByteMatchSet that matches BadBot in the User-Agent header

Further, you specify a RateLimit of 15,000.

You then add the RateBasedRule to a WebACL and specify that you want to block requests that meet the conditions in the rule. For a request to be blocked, it must come from the IP address 192.0.2.44 and the User-Agent header in the request must contain the value BadBot. Further, requests that match these two conditions must be received at a rate of more than 15,000 requests every five minutes. If both conditions are met and the rate is exceeded, AWS WAF blocks the requests. If the rate drops below 15,000 for a five-minute period, AWS WAF no longer blocks the requests.

As a second example, suppose you want to limit requests to a particular page on your site. To do this, you could add the following to a RateBasedRule:

  • A ByteMatchSet with FieldToMatch of URI

  • A PositionalConstraint of STARTS_WITH

  • A TargetString of login

Further, you specify a RateLimit of 15,000.

By adding this RateBasedRule to a WebACL, you could limit requests to your login page without affecting the rest of your site.

To create and configure a RateBasedRule, perform the following steps:

  • Create and update the predicates that you want to include in the rule. For more information, see CreateByteMatchSet, CreateIPSet, and CreateSqlInjectionMatchSet.

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of a CreateRule request.

  • Submit a CreateRateBasedRule request.

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of an UpdateRule request.

  • Submit an UpdateRateBasedRule request to specify the predicates that you want to include in the rule.

  • Create and update a WebACL that contains the RateBasedRule. For more information, see CreateWebACL.

For more information about how to use the AWS WAF API to allow or block HTTP requests, see the AWS WAF Developer Guide.

See also: AWS API Documentation

Request Syntax

client.create_rate_based_rule(
    Name='string',
    MetricName='string',
    RateKey='IP',
    RateLimit=123,
    ChangeToken='string'
)
type Name

string

param Name

[REQUIRED]

A friendly name or description of the RateBasedRule. You can't change the name of a RateBasedRule after you create it.

type MetricName

string

param MetricName

[REQUIRED]

A friendly name or description for the metrics for this RateBasedRule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can't contain whitespace. You can't change the name of the metric after you create the RateBasedRule.

type RateKey

string

param RateKey

[REQUIRED]

The field that AWS WAF uses to determine if requests are likely arriving from a single source and thus subject to rate monitoring. The only valid value for RateKey is IP. IP indicates that requests that arrive from the same IP address are subject to the RateLimit that is specified in the RateBasedRule.

type RateLimit

integer

param RateLimit

[REQUIRED]

The maximum number of requests, which have an identical value in the field that is specified by RateKey, allowed in a five-minute period. If the number of requests exceeds the RateLimit and the other predicates specified in the rule are also met, AWS WAF triggers the action that is specified for this rule.

type ChangeToken

string

param ChangeToken

[REQUIRED]

The ChangeToken that you used to submit the CreateRateBasedRule request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus.

rtype

dict

returns

Response Syntax

{
    'Rule': {
        'RuleId': 'string',
        'Name': 'string',
        'MetricName': 'string',
        'MatchPredicates': [
            {
                'Negated': True|False,
                'Type': 'IPMatch'|'ByteMatch'|'SqlInjectionMatch'|'SizeConstraint'|'XssMatch',
                'DataId': 'string'
            },
        ],
        'RateKey': 'IP',
        'RateLimit': 123
    },
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • Rule (dict) --

      The RateBasedRule that is returned in the CreateRateBasedRule response.

      • RuleId (string) --

        A unique identifier for a RateBasedRule. You use RuleId to get more information about a RateBasedRule (see GetRateBasedRule), update a RateBasedRule (see UpdateRateBasedRule), insert a RateBasedRule into a WebACL or delete one from a WebACL (see UpdateWebACL), or delete a RateBasedRule from AWS WAF (see DeleteRateBasedRule).

      • Name (string) --

        A friendly name or description for a RateBasedRule. You can't change the name of a RateBasedRule after you create it.

      • MetricName (string) --

        A friendly name or description for the metrics for a RateBasedRule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can't contain whitespace. You can't change the name of the metric after you create the RateBasedRule.

      • MatchPredicates (list) --

        The Predicates object contains one Predicate element for each ByteMatchSet, IPSet, or SqlInjectionMatchSet object that you want to include in a RateBasedRule.

        • (dict) --

          Specifies the ByteMatchSet, IPSet, SqlInjectionMatchSet, XssMatchSet, and SizeConstraintSet objects that you want to add to a Rule and, for each object, indicates whether you want to negate the settings, for example, requests that do NOT originate from the IP address 192.0.2.44.

          • Negated (boolean) --

            Set Negated to False if you want AWS WAF to allow, block, or count requests based on the settings in the specified ByteMatchSet, IPSet, SqlInjectionMatchSet, XssMatchSet, or SizeConstraintSet. For example, if an IPSet includes the IP address 192.0.2.44, AWS WAF will allow or block requests based on that IP address.

            Set Negated to True if you want AWS WAF to allow or block a request based on the negation of the settings in the ByteMatchSet, IPSet, SqlInjectionMatchSet, XssMatchSet, or SizeConstraintSet. For example, if an IPSet includes the IP address 192.0.2.44, AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44.

          • Type (string) --

            The type of predicate in a Rule, such as ByteMatchSet or IPSet.

          • DataId (string) --

            A unique identifier for a predicate in a Rule, such as ByteMatchSetId or IPSetId. The ID is returned by the corresponding Create or List command.

      • RateKey (string) --

        The field that AWS WAF uses to determine if requests are likely arriving from a single source and thus subject to rate monitoring. The only valid value for RateKey is IP. IP indicates that requests arriving from the same IP address are subject to the RateLimit that is specified in the RateBasedRule.

      • RateLimit (integer) --

        The maximum number of requests, which have an identical value in the field specified by the RateKey, allowed in a five-minute period. If the number of requests exceeds the RateLimit and the other predicates specified in the rule are also met, AWS WAF triggers the action that is specified for this rule.

    • ChangeToken (string) --

      The ChangeToken that you used to submit the CreateRateBasedRule request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus.

DeleteRateBasedRule (new)

Permanently deletes a RateBasedRule. You can't delete a rule if it's still used in any WebACL objects or if it still includes any predicates, such as ByteMatchSet objects.

If you just want to remove a rule from a WebACL, use UpdateWebACL.

To permanently delete a RateBasedRule from AWS WAF, perform the following steps:

  • Update the RateBasedRule to remove predicates, if any. For more information, see UpdateRateBasedRule.

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of a DeleteRateBasedRule request.

  • Submit a DeleteRateBasedRule request.
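The CreateRateBasedRule steps (create, attach predicates, add to a WebACL) and the DeleteRateBasedRule steps above, carried through as an added example that is not part of this page or of boto3: the calls run against a constructed in-memory stand-in for the waf client (FakeWAFClient, WAFError and the helper functions are assumptions), so no AWS account or network is needed, and every mutating call fetches a fresh change token first. The ActivatedRule it builds sets Type='RATE_BASED' explicitly, which the CreateWebACL section of this page notes is required when a rate-based rule is inserted into a WebACL.

```python
"""Lifecycle of a classic AWS WAF RateBasedRule driven against a constructed
in-memory stand-in for boto3.client('waf'); runs offline without boto3.
The fake enforces three constraints the API documentation states: every change
needs a fresh ChangeToken, a rule can't be deleted while it has predicates or a
WebACL references it, and an ActivatedRule must carry Type='RATE_BASED'."""
import uuid

class WAFError(Exception):
    """Stand-in for botocore.exceptions.ClientError (constructed)."""

class FakeWAFClient:
    """Hypothetical client; keyword arguments follow the request syntax on this page."""

    def __init__(self):
        self._token = None    # token issued by the last get_change_token
        self._rules = {}      # RuleId -> RateBasedRule dict
        self._acls = {}       # WebACLId -> list of ActivatedRule dicts

    def get_change_token(self):
        self._token = str(uuid.uuid4())
        return {'ChangeToken': self._token}

    def _consume_token(self, token):
        if token != self._token:
            raise WAFError('WAFStaleDataException: call GetChangeToken first')
        self._token = None    # a token is good for exactly one change

    def create_rate_based_rule(self, Name, MetricName, RateKey, RateLimit, ChangeToken):
        self._consume_token(ChangeToken)
        rule = {'RuleId': str(uuid.uuid4()), 'Name': Name, 'MetricName': MetricName,
                'MatchPredicates': [], 'RateKey': RateKey, 'RateLimit': RateLimit}
        self._rules[rule['RuleId']] = rule
        return {'Rule': rule, 'ChangeToken': ChangeToken}

    def get_rate_based_rule(self, RuleId):
        return {'Rule': self._rules[RuleId]}

    def update_rate_based_rule(self, RuleId, ChangeToken, Updates, RateLimit):
        self._consume_token(ChangeToken)
        preds = self._rules[RuleId]['MatchPredicates']
        for upd in Updates:
            if upd['Action'] == 'INSERT':
                preds.append(upd['Predicate'])
            else:
                preds.remove(upd['Predicate'])
        self._rules[RuleId]['RateLimit'] = RateLimit
        return {'ChangeToken': ChangeToken}

    def update_web_acl(self, WebACLId, ChangeToken, Updates):
        self._consume_token(ChangeToken)
        acl = self._acls.setdefault(WebACLId, [])
        for upd in Updates:
            ar = upd['ActivatedRule']
            # Without Type='RATE_BASED' the service looks for a REGULAR rule with this id.
            if ar.get('Type', 'REGULAR') == 'REGULAR' and ar['RuleId'] in self._rules:
                raise WAFError('WAFNonexistentItemException: no REGULAR rule with that RuleId')
            if upd['Action'] == 'INSERT':
                acl.append(ar)
            else:
                acl[:] = [r for r in acl if r['RuleId'] != ar['RuleId']]
        return {'ChangeToken': ChangeToken}

    def delete_rate_based_rule(self, RuleId, ChangeToken):
        self._consume_token(ChangeToken)
        referenced = any(r['RuleId'] == RuleId for acl in self._acls.values() for r in acl)
        if self._rules[RuleId]['MatchPredicates'] or referenced:
            raise WAFError('WAFNonEmptyEntityException: remove predicates and WebACL references first')
        del self._rules[RuleId]
        return {'ChangeToken': ChangeToken}

def fresh_token(client):
    return client.get_change_token()['ChangeToken']

def activated_rule(rule_id, priority=10):
    # Type is optional in the API, but omitting it for a rate-based rule makes UpdateWebACL fail.
    return {'Priority': priority, 'RuleId': rule_id,
            'Action': {'Type': 'BLOCK'}, 'Type': 'RATE_BASED'}

def provision_rate_rule(client, web_acl_id, byte_match_set_id, rate_limit=15000):
    """CreateRateBasedRule steps: create, then add predicates, then activate in a WebACL."""
    rule = client.create_rate_based_rule(
        Name='LoginRateLimit', MetricName='LoginRateLimit', RateKey='IP',
        RateLimit=rate_limit, ChangeToken=fresh_token(client))['Rule']
    client.update_rate_based_rule(
        RuleId=rule['RuleId'], ChangeToken=fresh_token(client), RateLimit=rate_limit,
        Updates=[{'Action': 'INSERT', 'Predicate': {
            'Negated': False, 'Type': 'ByteMatch', 'DataId': byte_match_set_id}}])
    client.update_web_acl(WebACLId=web_acl_id, ChangeToken=fresh_token(client),
                          Updates=[{'Action': 'INSERT', 'ActivatedRule': activated_rule(rule['RuleId'])}])
    return rule['RuleId']

def teardown_rate_rule(client, web_acl_id, rule_id):
    """DeleteRateBasedRule steps: detach from the WebACL, strip predicates, then delete."""
    rule = client.get_rate_based_rule(RuleId=rule_id)['Rule']
    client.update_web_acl(WebACLId=web_acl_id, ChangeToken=fresh_token(client),
                          Updates=[{'Action': 'DELETE', 'ActivatedRule': activated_rule(rule_id)}])
    if rule['MatchPredicates']:
        client.update_rate_based_rule(
            RuleId=rule_id, ChangeToken=fresh_token(client), RateLimit=rule['RateLimit'],
            Updates=[{'Action': 'DELETE', 'Predicate': p} for p in list(rule['MatchPredicates'])])
    return client.delete_rate_based_rule(RuleId=rule_id, ChangeToken=fresh_token(client))
```

Against the real service, swap FakeWAFClient for boto3.client('waf') and catch botocore's ClientError instead of WAFError; the call order and the change-token discipline are the same.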

See also: AWS API Documentation

Request Syntax

client.delete_rate_based_rule(
    RuleId='string',
    ChangeToken='string'
)
type RuleId

string

param RuleId

[REQUIRED]

The RuleId of the RateBasedRule that you want to delete. RuleId is returned by CreateRateBasedRule and by ListRateBasedRules.

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken.

rtype

dict

returns

Response Syntax

{
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • ChangeToken (string) --

      The ChangeToken that you used to submit the DeleteRateBasedRule request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus.

GetRateBasedRuleManagedKeys (new)

Returns an array of IP addresses currently being blocked by the RateBasedRule that is specified by the RuleId . The maximum number of managed keys that will be blocked is 10,000. If more than 10,000 addresses exceed the rate limit, the 10,000 addresses with the highest rates will be blocked.

See also: AWS API Documentation

Request Syntax

client.get_rate_based_rule_managed_keys(
    RuleId='string',
    NextMarker='string'
)
type RuleId

string

param RuleId

[REQUIRED]

The RuleId of the RateBasedRule for which you want to get a list of ManagedKeys. RuleId is returned by CreateRateBasedRule and by ListRateBasedRules.

type NextMarker

string

param NextMarker

A null value and not currently used. Do not include this in your request.

rtype

dict

returns

Response Syntax

{
    'ManagedKeys': [
        'string',
    ],
    'NextMarker': 'string'
}

Response Structure

  • (dict) --

    • ManagedKeys (list) --

      An array of IP addresses that currently are blocked by the specified RateBasedRule.

      • (string) --

    • NextMarker (string) --

      A null value and not currently used.

CreateWebACL (updated)
Changes (response)
{'WebACL': {'Rules': {'Type': 'REGULAR | RATE_BASED'}}}

Creates a WebACL, which contains the Rules that identify the CloudFront web requests that you want to allow, block, or count. AWS WAF evaluates Rules in order based on the value of Priority for each Rule.

You also specify a default action, either ALLOW or BLOCK. If a web request doesn't match any of the Rules in a WebACL, AWS WAF responds to the request with the default action.

To create and configure a WebACL, perform the following steps:

  • Create and update the ByteMatchSet objects and other predicates that you want to include in Rules. For more information, see CreateByteMatchSet, UpdateByteMatchSet, CreateIPSet, UpdateIPSet, CreateSqlInjectionMatchSet, and UpdateSqlInjectionMatchSet.

  • Create and update the Rules that you want to include in the WebACL. For more information, see CreateRule and UpdateRule.

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of a CreateWebACL request.

  • Submit a CreateWebACL request.

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of an UpdateWebACL request.

  • Submit an UpdateWebACL request to specify the Rules that you want to include in the WebACL, to specify the default action, and to associate the WebACL with a CloudFront distribution.

For more information about how to use the AWS WAF API, see the AWS WAF Developer Guide.

See also: AWS API Documentation

Request Syntax

client.create_web_acl(
    Name='string',
    MetricName='string',
    DefaultAction={
        'Type': 'BLOCK'|'ALLOW'|'COUNT'
    },
    ChangeToken='string'
)
type Name

string

param Name

[REQUIRED]

A friendly name or description of the WebACL. You can't change Name after you create the WebACL.

type MetricName

string

param MetricName

[REQUIRED]

A friendly name or description for the metrics for this WebACL. The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can't contain whitespace. You can't change MetricName after you create the WebACL.

type DefaultAction

dict

param DefaultAction

[REQUIRED]

The action that you want AWS WAF to take when a request doesn't match the criteria specified in any of the Rule objects that are associated with the WebACL.

  • Type (string) -- [REQUIRED]

    Specifies how you want AWS WAF to respond to requests that match the settings in a Rule. Valid settings include the following:

    • ALLOW: AWS WAF allows requests

    • BLOCK: AWS WAF blocks requests

    • COUNT: AWS WAF increments a counter of the requests that match all of the conditions in the rule. AWS WAF then continues to inspect the web request based on the remaining rules in the web ACL. You can't specify COUNT for the default action for a WebACL.

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken.

rtype

dict

returns

Response Syntax

{
    'WebACL': {
        'WebACLId': 'string',
        'Name': 'string',
        'MetricName': 'string',
        'DefaultAction': {
            'Type': 'BLOCK'|'ALLOW'|'COUNT'
        },
        'Rules': [
            {
                'Priority': 123,
                'RuleId': 'string',
                'Action': {
                    'Type': 'BLOCK'|'ALLOW'|'COUNT'
                },
                'Type': 'REGULAR'|'RATE_BASED'
            },
        ]
    },
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • WebACL (dict) --

      The WebACL returned in the CreateWebACL response.

      • WebACLId (string) --

        A unique identifier for a WebACL. You use WebACLId to get information about a WebACL (see GetWebACL), update a WebACL (see UpdateWebACL), and delete a WebACL from AWS WAF (see DeleteWebACL).

        WebACLId is returned by CreateWebACL and by ListWebACLs.

      • Name (string) --

        A friendly name or description of the WebACL. You can't change the name of a WebACL after you create it.

      • MetricName (string) --

        A friendly name or description for the metrics for this WebACL. The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can't contain whitespace. You can't change MetricName after you create the WebACL.

      • DefaultAction (dict) --

        The action to perform if none of the Rules contained in the WebACL match. The action is specified by the WafAction object.

        • Type (string) --

          Specifies how you want AWS WAF to respond to requests that match the settings in a Rule. Valid settings include the following:

          • ALLOW: AWS WAF allows requests

          • BLOCK: AWS WAF blocks requests

          • COUNT: AWS WAF increments a counter of the requests that match all of the conditions in the rule. AWS WAF then continues to inspect the web request based on the remaining rules in the web ACL. You can't specify COUNT for the default action for a WebACL.

      • Rules (list) --

        An array that contains the action for each Rule in a WebACL, the priority of the Rule, and the ID of the Rule.

        • (dict) --

          The ActivatedRule object in an UpdateWebACL request specifies a Rule that you want to insert or delete, the priority of the Rule in the WebACL, and the action that you want AWS WAF to take when a web request matches the Rule (ALLOW, BLOCK, or COUNT).

          To specify whether to insert or delete a Rule, use the Action parameter in the WebACLUpdate data type.

          • Priority (integer) --

            Specifies the order in which the Rules in a WebACL are evaluated. Rules with a lower value for Priority are evaluated before Rules with a higher value. The value must be a unique integer. If you add multiple Rules to a WebACL, the values don't need to be consecutive.

          • RuleId (string) --

            The RuleId for a Rule. You use RuleId to get more information about a Rule (see GetRule), update a Rule (see UpdateRule), insert a Rule into a WebACL or delete one from a WebACL (see UpdateWebACL), or delete a Rule from AWS WAF (see DeleteRule).

            RuleId is returned by CreateRule and by ListRules.

          • Action (dict) --

            Specifies the action that CloudFront or AWS WAF takes when a web request matches the conditions in the Rule. Valid values for Action include the following:

            • ALLOW: CloudFront responds with the requested object.

            • BLOCK: CloudFront responds with an HTTP 403 (Forbidden) status code.

            • COUNT: AWS WAF increments a counter of requests that match the conditions in the rule and then continues to inspect the web request based on the remaining rules in the web ACL.

            • Type (string) --

              Specifies how you want AWS WAF to respond to requests that match the settings in a Rule. Valid settings include the following:

              • ALLOW: AWS WAF allows requests

              • BLOCK: AWS WAF blocks requests

              • COUNT: AWS WAF increments a counter of the requests that match all of the conditions in the rule. AWS WAF then continues to inspect the web request based on the remaining rules in the web ACL. You can't specify COUNT for the default action for a WebACL.

          • Type (string) --

            The rule type, either REGULAR, as defined by Rule, or RATE_BASED, as defined by RateBasedRule. The default is REGULAR. Although this field is optional, be aware that if you try to add a RATE_BASED rule to a web ACL without setting the type, the UpdateWebACL request will fail because the request tries to add a REGULAR rule with the specified ID, which does not exist.

    • ChangeToken (string) --

      The ChangeToken that you used to submit the CreateWebACL request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus.

GetWebACL (updated)
Changes (response)
{'WebACL': {'Rules': {'Type': 'REGULAR | RATE_BASED'}}}

Returns the WebACL that is specified by WebACLId.

See also: AWS API Documentation

Request Syntax

client.get_web_acl(
    WebACLId='string'
)
type WebACLId

string

param WebACLId

[REQUIRED]

The WebACLId of the WebACL that you want to get. WebACLId is returned by CreateWebACL and by ListWebACLs.

rtype

dict

returns

Response Syntax

{
    'WebACL': {
        'WebACLId': 'string',
        'Name': 'string',
        'MetricName': 'string',
        'DefaultAction': {
            'Type': 'BLOCK'|'ALLOW'|'COUNT'
        },
        'Rules': [
            {
                'Priority': 123,
                'RuleId': 'string',
                'Action': {
                    'Type': 'BLOCK'|'ALLOW'|'COUNT'
                },
                'Type': 'REGULAR'|'RATE_BASED'
            },
        ]
    }
}

Response Structure

  • (dict) --

    • WebACL (dict) --

      Information about the WebACL that you specified in the GetWebACL request. For more information, see the following topics:

      • WebACL: Contains DefaultAction , MetricName , Name , an array of Rule objects, and WebACLId

      • DefaultAction (Data type is WafAction ): Contains Type

      • Rules : Contains an array of ActivatedRule objects, which contain Action , Priority , and RuleId

      • Action : Contains Type

      • WebACLId (string) --

        A unique identifier for a WebACL . You use WebACLId to get information about a WebACL (see GetWebACL ), update a WebACL (see UpdateWebACL ), and delete a WebACL from AWS WAF (see DeleteWebACL ).

        WebACLId is returned by CreateWebACL and by ListWebACLs.

      • Name (string) --

        A friendly name or description of the WebACL . You can't change the name of a WebACL after you create it.

      • MetricName (string) --

        A friendly name or description for the metrics for this WebACL . The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can't contain whitespace. You can't change MetricName after you create the WebACL .

      • DefaultAction (dict) --

        The action to perform if none of the Rules contained in the WebACL match. The action is specified by the WafAction object.

        • Type (string) --

          Specifies how you want AWS WAF to respond to requests that match the settings in a Rule . Valid settings include the following:

          • ALLOW : AWS WAF allows requests

          • BLOCK : AWS WAF blocks requests

          • COUNT : AWS WAF increments a counter of the requests that match all of the conditions in the rule. AWS WAF then continues to inspect the web request based on the remaining rules in the web ACL. You can't specify COUNT for the default action for a WebACL .

      • Rules (list) --

        An array that contains the action for each Rule in a WebACL , the priority of the Rule , and the ID of the Rule .

        • (dict) --

          The ActivatedRule object in an UpdateWebACL request specifies a Rule that you want to insert or delete, the priority of the Rule in the WebACL , and the action that you want AWS WAF to take when a web request matches the Rule ( ALLOW , BLOCK , or COUNT ).

          To specify whether to insert or delete a Rule , use the Action parameter in the WebACLUpdate data type.

          • Priority (integer) --

            Specifies the order in which the Rules in a WebACL are evaluated. Rules with a lower value for Priority are evaluated before Rules with a higher value. The value must be a unique integer. If you add multiple Rules to a WebACL , the values don't need to be consecutive.

          • RuleId (string) --

            The RuleId for a Rule . You use RuleId to get more information about a Rule (see GetRule ), update a Rule (see UpdateRule ), insert a Rule into a WebACL or delete one from a WebACL (see UpdateWebACL ), or delete a Rule from AWS WAF (see DeleteRule ).

            RuleId is returned by CreateRule and by ListRules.

          • Action (dict) --

            Specifies the action that CloudFront or AWS WAF takes when a web request matches the conditions in the Rule . Valid values for Action include the following:

            • ALLOW : CloudFront responds with the requested object.

            • BLOCK : CloudFront responds with an HTTP 403 (Forbidden) status code.

            • COUNT : AWS WAF increments a counter of requests that match the conditions in the rule and then continues to inspect the web request based on the remaining rules in the web ACL.

            • Type (string) --

              Specifies how you want AWS WAF to respond to requests that match the settings in a Rule . Valid settings include the following:

              • ALLOW : AWS WAF allows requests

              • BLOCK : AWS WAF blocks requests

              • COUNT : AWS WAF increments a counter of the requests that match all of the conditions in the rule. AWS WAF then continues to inspect the web request based on the remaining rules in the web ACL. You can't specify COUNT for the default action for a WebACL .

          • Type (string) --

            The rule type, either REGULAR , as defined by Rule, or RATE_BASED , as defined by RateBasedRule. The default is REGULAR. Although this field is optional, be aware that if you try to add a RATE_BASED rule to a web ACL without setting the type, the UpdateWebACL request will fail because the request tries to add a REGULAR rule with the specified ID, which does not exist.

UpdateWebACL (updated) Link ¶
Changes (request)
{'Updates': {'ActivatedRule': {'Type': 'REGULAR | RATE_BASED'}}}

Inserts or deletes ActivatedRule objects in a WebACL . Each Rule identifies web requests that you want to allow, block, or count. When you update a WebACL , you specify the following values:

  • A default action for the WebACL , either ALLOW or BLOCK . AWS WAF performs the default action if a request doesn't match the criteria in any of the Rules in a WebACL .

  • The Rules that you want to add and/or delete. If you want to replace one Rule with another, you delete the existing Rule and add the new one.

  • For each Rule , whether you want AWS WAF to allow requests, block requests, or count requests that match the conditions in the Rule .

  • The order in which you want AWS WAF to evaluate the Rules in a WebACL . If you add more than one Rule to a WebACL , AWS WAF evaluates each request against the Rules in order based on the value of Priority . (The Rule that has the lowest value for Priority is evaluated first.) When a web request matches all of the predicates (such as ByteMatchSets and IPSets ) in a Rule , AWS WAF immediately takes the corresponding action, allow or block, and doesn't evaluate the request against the remaining Rules in the WebACL , if any.

To create and configure a WebACL , perform the following steps:

  • Create and update the predicates that you want to include in Rules . For more information, see CreateByteMatchSet, UpdateByteMatchSet, CreateIPSet, UpdateIPSet, CreateSqlInjectionMatchSet, and UpdateSqlInjectionMatchSet.

  • Create and update the Rules that you want to include in the WebACL . For more information, see CreateRule and UpdateRule.

  • Create a WebACL . See CreateWebACL.

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of an UpdateWebACL request.

  • Submit an UpdateWebACL request to specify the Rules that you want to include in the WebACL , to specify the default action, and to associate the WebACL with a CloudFront distribution.

Be aware that if you try to add a RATE_BASED rule to a web ACL without setting the rule type when first creating the rule, the UpdateWebACL request will fail because the request tries to add a REGULAR rule (the default rule type) with the specified ID, which does not exist.
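The steps above, carried through in code as an added example (this is not code from the boto3 changelog or from AWS): it reads the current rules in the shape GetWebACL returns, plans DELETE and INSERT entries for UpdateWebACL, rejects duplicate priorities and a COUNT default action before the request is sent, sets Type to RATE_BASED so the rate-based rule is actually found, and submits with a fresh change token. The client is injected; FakeWafClient, the web ACL id and rule ids are constructed stand-ins, and in practice you pass boto3.client("waf").

```python
"""Plan and submit an UpdateWebACL request for AWS WAF (classic).

Added example; not code from the boto3 changelog or from AWS. The client is
passed in so the planning logic runs offline against FakeWafClient below;
in practice pass boto3.client("waf").
"""
from typing import Any, Dict, Iterable, List

VALID_RULE_ACTIONS = ("ALLOW", "BLOCK", "COUNT")


def build_activated_rule(rule_id: str, priority: int, action: str,
                         rate_based: bool = False) -> Dict[str, Any]:
    """Return one ActivatedRule. Type must say RATE_BASED for a RateBasedRule:
    the default is REGULAR, and with it UpdateWebACL looks for a regular rule
    with this ID, finds none, and fails."""
    if action not in VALID_RULE_ACTIONS:
        raise ValueError(f"invalid rule action {action!r}")
    return {
        "Priority": priority,
        "RuleId": rule_id,
        "Action": {"Type": action},
        "Type": "RATE_BASED" if rate_based else "REGULAR",
    }


def plan_web_acl_updates(current_rules: List[Dict[str, Any]],
                         insert_rules: List[Dict[str, Any]],
                         delete_rule_ids: Iterable[str]) -> List[Dict[str, Any]]:
    """Build the Updates list. DELETE entries echo the ActivatedRule exactly as
    GetWebACL returned it; INSERT entries are new ActivatedRules. Priorities
    left in the web ACL afterwards must be unique integers."""
    by_id = {r["RuleId"]: r for r in current_rules}
    remaining = dict(by_id)
    updates = []
    for rid in delete_rule_ids:
        if rid not in by_id:
            raise KeyError(f"rule {rid} is not in the web ACL")
        updates.append({"Action": "DELETE", "ActivatedRule": by_id[rid]})
        remaining.pop(rid)
    for rule in insert_rules:
        if rule["RuleId"] in remaining:
            raise ValueError(f"rule {rule['RuleId']} is already in the web ACL")
        updates.append({"Action": "INSERT", "ActivatedRule": rule})
        remaining[rule["RuleId"]] = rule
    priorities = [r["Priority"] for r in remaining.values()]
    if len(set(priorities)) != len(priorities):
        raise ValueError(f"duplicate priorities: {sorted(priorities)}")
    return updates


def default_action(action: str) -> Dict[str, str]:
    """COUNT is valid for a rule but not for the web ACL default action."""
    if action not in ("ALLOW", "BLOCK"):
        raise ValueError("default action must be ALLOW or BLOCK")
    return {"Type": action}


def apply_web_acl_update(client, web_acl_id: str, updates, default) -> str:
    """Fetch a fresh change token, submit the update, and return the token so
    the caller can poll GetChangeTokenStatus."""
    token = client.get_change_token()["ChangeToken"]
    resp = client.update_web_acl(WebACLId=web_acl_id, ChangeToken=token,
                                 Updates=updates, DefaultAction=default)
    return resp["ChangeToken"]


class FakeWafClient:
    """Offline stand-in for boto3.client("waf"); all values are constructed,
    in the response shapes documented on this page."""

    def __init__(self):
        self.calls = []

    def get_web_acl(self, WebACLId):
        return {"WebACL": {
            "WebACLId": WebACLId, "Name": "example", "MetricName": "example",
            "DefaultAction": {"Type": "ALLOW"},
            "Rules": [build_activated_rule("rule-old-ipset", 10, "BLOCK")]}}

    def get_change_token(self):
        return {"ChangeToken": "constructed-change-token"}

    def update_web_acl(self, **kwargs):
        self.calls.append(kwargs)
        return {"ChangeToken": kwargs["ChangeToken"]}


def replace_with_rate_limit(client, web_acl_id: str) -> str:
    """Swap the old IP-set rule for a rate-based login throttle, following the
    text's 'delete the existing Rule and add the new one' guidance."""
    current = client.get_web_acl(WebACLId=web_acl_id)["WebACL"]["Rules"]
    new_rule = build_activated_rule("rule-login-rate", 10, "BLOCK", rate_based=True)
    updates = plan_web_acl_updates(current, [new_rule], ["rule-old-ipset"])
    return apply_web_acl_update(client, web_acl_id, updates, default_action("ALLOW"))


if __name__ == "__main__":
    fake = FakeWafClient()
    print(replace_with_rate_limit(fake, "webacl-constructed-id"))
    print(fake.calls[0]["Updates"])
```

The new rule reuses priority 10 without conflict because the deleted rule is removed from the set of remaining priorities before the check runs; the same planner raises if an insert would collide with a rule that stays in the web ACL.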

For more information about how to use the AWS WAF API to allow or block HTTP requests, see the AWS WAF Developer Guide.

See also: AWS API Documentation

Request Syntax

client.update_web_acl(
    WebACLId='string',
    ChangeToken='string',
    Updates=[
        {
            'Action': 'INSERT'|'DELETE',
            'ActivatedRule': {
                'Priority': 123,
                'RuleId': 'string',
                'Action': {
                    'Type': 'BLOCK'|'ALLOW'|'COUNT'
                },
                'Type': 'REGULAR'|'RATE_BASED'
            }
        },
    ],
    DefaultAction={
        'Type': 'BLOCK'|'ALLOW'|'COUNT'
    }
)
type WebACLId

string

param WebACLId

[REQUIRED]

The WebACLId of the WebACL that you want to update. WebACLId is returned by CreateWebACL and by ListWebACLs.

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken.

type Updates

list

param Updates

An array of updates to make to the WebACL.

An array of WebACLUpdate objects that you want to insert into or delete from a WebACL. For more information, see the applicable data types:

  • WebACLUpdate: Contains Action and ActivatedRule

  • ActivatedRule: Contains Action , Priority , RuleId , and Type

  • WafAction: Contains Type

  • (dict) --

    Specifies whether to insert a Rule into or delete a Rule from a WebACL .

    • Action (string) -- [REQUIRED]

      Specifies whether to insert a Rule into or delete a Rule from a WebACL .

    • ActivatedRule (dict) -- [REQUIRED]

      The ActivatedRule object in an UpdateWebACL request specifies a Rule that you want to insert or delete, the priority of the Rule in the WebACL , and the action that you want AWS WAF to take when a web request matches the Rule ( ALLOW , BLOCK , or COUNT ).

      • Priority (integer) -- [REQUIRED]

        Specifies the order in which the Rules in a WebACL are evaluated. Rules with a lower value for Priority are evaluated before Rules with a higher value. The value must be a unique integer. If you add multiple Rules to a WebACL , the values don't need to be consecutive.

      • RuleId (string) -- [REQUIRED]

        The RuleId for a Rule . You use RuleId to get more information about a Rule (see GetRule ), update a Rule (see UpdateRule ), insert a Rule into a WebACL or delete one from a WebACL (see UpdateWebACL ), or delete a Rule from AWS WAF (see DeleteRule ).

        RuleId is returned by CreateRule and by ListRules.

      • Action (dict) -- [REQUIRED]

        Specifies the action that CloudFront or AWS WAF takes when a web request matches the conditions in the Rule . Valid values for Action include the following:

        • ALLOW : CloudFront responds with the requested object.

        • BLOCK : CloudFront responds with an HTTP 403 (Forbidden) status code.

        • COUNT : AWS WAF increments a counter of requests that match the conditions in the rule and then continues to inspect the web request based on the remaining rules in the web ACL.

        • Type (string) -- [REQUIRED]

          Specifies how you want AWS WAF to respond to requests that match the settings in a Rule . Valid settings include the following:

          • ALLOW : AWS WAF allows requests

          • BLOCK : AWS WAF blocks requests

          • COUNT : AWS WAF increments a counter of the requests that match all of the conditions in the rule. AWS WAF then continues to inspect the web request based on the remaining rules in the web ACL. You can't specify COUNT for the default action for a WebACL .

      • Type (string) --

        The rule type, either REGULAR , as defined by Rule, or RATE_BASED , as defined by RateBasedRule. The default is REGULAR. Although this field is optional, be aware that if you try to add a RATE_BASED rule to a web ACL without setting the type, the UpdateWebACL request will fail because the request tries to add a REGULAR rule with the specified ID, which does not exist.

type DefaultAction

dict

param DefaultAction

A default action for the web ACL, either ALLOW or BLOCK. AWS WAF performs the default action if a request doesn't match the criteria in any of the rules in a web ACL.

  • Type (string) -- [REQUIRED]

    Specifies how you want AWS WAF to respond to requests that match the settings in a Rule . Valid settings include the following:

    • ALLOW : AWS WAF allows requests

    • BLOCK : AWS WAF blocks requests

    • COUNT : AWS WAF increments a counter of the requests that match all of the conditions in the rule. AWS WAF then continues to inspect the web request based on the remaining rules in the web ACL. You can't specify COUNT for the default action for a WebACL .

rtype

dict

returns

Response Syntax

{
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • ChangeToken (string) --

      The ChangeToken that you used to submit the UpdateWebACL request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus.