AWS::WAFv2::WebACL ResponseInspection

The criteria for inspecting responses to login requests and account creation requests, used by the ATP and ACFP rule groups to track login and account creation success and failure rates.

Note

Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.

The rule groups evaluates the responses that your protected resources send back to client login and account creation attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses with too much suspicious activity in a short amount of time.

This is part of the AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet configurations in ManagedRuleGroupConfig.

Enable response inspection by configuring exactly one component of the response to inspect, for example, Header or StatusCode. You can't configure more than one component for inspection. If you don't configure any of the response inspection options, response inspection is disabled.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON


{
  "BodyContains" : ResponseInspectionBodyContains,
  "Header" : ResponseInspectionHeader,
  "Json" : ResponseInspectionJson,
  "StatusCode" : ResponseInspectionStatusCode
}

YAML


  BodyContains: 
    ResponseInspectionBodyContains
  Header: 
    ResponseInspectionHeader
  Json: 
    ResponseInspectionJson
  StatusCode: 
    ResponseInspectionStatusCode

Properties

BodyContains

Configures inspection of the response body for success and failure indicators. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response body.

Required: No

Type: ResponseInspectionBodyContains

Update requires: No interruption

Header

Configures inspection of the response header for success and failure indicators.

Required: No

Type: ResponseInspectionHeader

Update requires: No interruption

Json

Configures inspection of the response JSON for success and failure indicators. AWS WAF can inspect the first 65,536 bytes (64 KB) of the response JSON.

Required: No

Type: ResponseInspectionJson

Update requires: No interruption

StatusCode

Configures inspection of the response status code for success and failure indicators.

Required: No

Type: ResponseInspectionStatusCode

Update requires: No interruption

Examples

Configure the response inspection fields for status code inspection
Configure the response inspection fields for inspection of the response body

Configure the response inspection fields for status code inspection

The following shows an example ResponseInspection for the status code component inspection.

YAML


ResponseInspection:
  StatusCode:
    SuccessCodes:
      - 200
      - 202
    FailureCodes:
      - 400
      - 404

JSON


"ResponseInspection":{
      "StatusCode":{
         "SuccessCodes":[
            200,
            202
         ],
         "FailureCodes":[
            400,
            404
         ]
      }
   }

Configure the response inspection fields for inspection of the response body

The following shows an example RequestInspection for inspection of the response body.

YAML


ResponseInspection:
  BodyContains:
    SuccessStrings:
      - Successful
      - Logged In
    FailureStrings:
      - Loginfailed
      - Failed Attempt

JSON


"ResponseInspection":{
      "BodyContains":{
         "SuccessStrings":[
            "Successful",
            "Logged In"
         ],
         "FailureStrings":[
            "Login Failed",
            "Failed Attempt"
         ]
      }
   }

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

RequestInspectionACFP

ResponseInspectionBodyContains