Interface CfnWebACL.RateBasedStatementProperty
- All Superinterfaces:
software.amazon.jsii.JsiiSerializable
- All Known Implementing Classes:
CfnWebACL.RateBasedStatementProperty.Jsii$Proxy
- Enclosing class:
CfnWebACL
@Stability(Stable)
public static interface CfnWebACL.RateBasedStatementProperty
extends software.amazon.jsii.JsiiSerializable
A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span.
You can use this to put a temporary block on requests from an IP address that is sending excessive requests.
AWS WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by AWS WAF . If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by AWS WAF .
When the rule action triggers, AWS WAF blocks additional requests from the IP address until the request rate falls below the limit.
You can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements:
- An IP match statement with an IP set that specifies the address 192.0.2.44.
- A string match statement that searches in the User-Agent header for the string BadBot.
In this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule.
You cannot nest a RateBasedStatement inside another statement, for example inside a NotStatement or OrStatement . You can define a RateBasedStatement inside a web ACL and inside a rule group.
Example:
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import software.amazon.awscdk.services.wafv2.*;
Object all;
Object allQueryArguments;
Object method;
Object queryString;
Object singleHeader;
Object singleQueryArgument;
StatementProperty statementProperty_;
Object uriPath;
RateBasedStatementProperty rateBasedStatementProperty = RateBasedStatementProperty.builder()
.aggregateKeyType("aggregateKeyType")
.limit(123)
// the properties below are optional
.forwardedIpConfig(ForwardedIPConfigurationProperty.builder()
.fallbackBehavior("fallbackBehavior")
.headerName("headerName")
.build())
.scopeDownStatement(StatementProperty.builder()
.andStatement(AndStatementProperty.builder()
.statements(List.of(statementProperty_))
.build())
.byteMatchStatement(ByteMatchStatementProperty.builder()
.fieldToMatch(FieldToMatchProperty.builder()
.allQueryArguments(allQueryArguments)
.body(BodyProperty.builder()
.oversizeHandling("oversizeHandling")
.build())
.cookies(CookiesProperty.builder()
.matchPattern(CookieMatchPatternProperty.builder()
.all(all)
.excludedCookies(List.of("excludedCookies"))
.includedCookies(List.of("includedCookies"))
.build())
.matchScope("matchScope")
.oversizeHandling("oversizeHandling")
.build())
.headers(HeadersProperty.builder()
.matchPattern(HeaderMatchPatternProperty.builder()
.all(all)
.excludedHeaders(List.of("excludedHeaders"))
.includedHeaders(List.of("includedHeaders"))
.build())
.matchScope("matchScope")
.oversizeHandling("oversizeHandling")
.build())
.jsonBody(JsonBodyProperty.builder()
.matchPattern(JsonMatchPatternProperty.builder()
.all(all)
.includedPaths(List.of("includedPaths"))
.build())
.matchScope("matchScope")
// the properties below are optional
.invalidFallbackBehavior("invalidFallbackBehavior")
.oversizeHandling("oversizeHandling")
.build())
.method(method)
.queryString(queryString)
.singleHeader(singleHeader)
.singleQueryArgument(singleQueryArgument)
.uriPath(uriPath)
.build())
.positionalConstraint("positionalConstraint")
.textTransformations(List.of(TextTransformationProperty.builder()
.priority(123)
.type("type")
.build()))
// the properties below are optional
.searchString("searchString")
.searchStringBase64("searchStringBase64")
.build())
.geoMatchStatement(GeoMatchStatementProperty.builder()
.countryCodes(List.of("countryCodes"))
.forwardedIpConfig(ForwardedIPConfigurationProperty.builder()
.fallbackBehavior("fallbackBehavior")
.headerName("headerName")
.build())
.build())
.ipSetReferenceStatement(Map.of(
"arn", "arn",
// the properties below are optional
"ipSetForwardedIpConfig", Map.of(
"fallbackBehavior", "fallbackBehavior",
"headerName", "headerName",
"position", "position")))
.labelMatchStatement(LabelMatchStatementProperty.builder()
.key("key")
.scope("scope")
.build())
.managedRuleGroupStatement(ManagedRuleGroupStatementProperty.builder()
.name("name")
.vendorName("vendorName")
// the properties below are optional
.excludedRules(List.of(ExcludedRuleProperty.builder()
.name("name")
.build()))
.managedRuleGroupConfigs(List.of(ManagedRuleGroupConfigProperty.builder()
.awsManagedRulesAtpRuleSet(AWSManagedRulesATPRuleSetProperty.builder()
.loginPath("loginPath")
// the properties below are optional
.requestInspection(RequestInspectionProperty.builder()
.passwordField(FieldIdentifierProperty.builder()
.identifier("identifier")
.build())
.payloadType("payloadType")
.usernameField(FieldIdentifierProperty.builder()
.identifier("identifier")
.build())
.build())
.responseInspection(ResponseInspectionProperty.builder()
.bodyContains(ResponseInspectionBodyContainsProperty.builder()
.failureStrings(List.of("failureStrings"))
.successStrings(List.of("successStrings"))
.build())
.header(ResponseInspectionHeaderProperty.builder()
.failureValues(List.of("failureValues"))
.name("name")
.successValues(List.of("successValues"))
.build())
.json(ResponseInspectionJsonProperty.builder()
.failureValues(List.of("failureValues"))
.identifier("identifier")
.successValues(List.of("successValues"))
.build())
.statusCode(ResponseInspectionStatusCodeProperty.builder()
.failureCodes(List.of(123))
.successCodes(List.of(123))
.build())
.build())
.build())
.awsManagedRulesBotControlRuleSet(AWSManagedRulesBotControlRuleSetProperty.builder()
.inspectionLevel("inspectionLevel")
.build())
.loginPath("loginPath")
.passwordField(FieldIdentifierProperty.builder()
.identifier("identifier")
.build())
.payloadType("payloadType")
.usernameField(FieldIdentifierProperty.builder()
.identifier("identifier")
.build())
.build()))
.ruleActionOverrides(List.of(RuleActionOverrideProperty.builder()
.actionToUse(RuleActionProperty.builder()
.allow(AllowActionProperty.builder()
.customRequestHandling(CustomRequestHandlingProperty.builder()
.insertHeaders(List.of(CustomHTTPHeaderProperty.builder()
.name("name")
.value("value")
.build()))
.build())
.build())
.block(BlockActionProperty.builder()
.customResponse(CustomResponseProperty.builder()
.responseCode(123)
// the properties below are optional
.customResponseBodyKey("customResponseBodyKey")
.responseHeaders(List.of(CustomHTTPHeaderProperty.builder()
.name("name")
.value("value")
.build()))
.build())
.build())
.captcha(CaptchaActionProperty.builder()
.customRequestHandling(CustomRequestHandlingProperty.builder()
.insertHeaders(List.of(CustomHTTPHeaderProperty.builder()
.name("name")
.value("value")
.build()))
.build())
.build())
.challenge(ChallengeActionProperty.builder()
.customRequestHandling(CustomRequestHandlingProperty.builder()
.insertHeaders(List.of(CustomHTTPHeaderProperty.builder()
.name("name")
.value("value")
.build()))
.build())
.build())
.count(CountActionProperty.builder()
.customRequestHandling(CustomRequestHandlingProperty.builder()
.insertHeaders(List.of(CustomHTTPHeaderProperty.builder()
.name("name")
.value("value")
.build()))
.build())
.build())
.build())
.name("name")
.build()))
.scopeDownStatement(statementProperty_)
.version("version")
.build())
.notStatement(NotStatementProperty.builder()
.statement(statementProperty_)
.build())
.orStatement(OrStatementProperty.builder()
.statements(List.of(statementProperty_))
.build())
.rateBasedStatement(RateBasedStatementProperty.builder()
.aggregateKeyType("aggregateKeyType")
.limit(123)
// the properties below are optional
.forwardedIpConfig(ForwardedIPConfigurationProperty.builder()
.fallbackBehavior("fallbackBehavior")
.headerName("headerName")
.build())
.scopeDownStatement(statementProperty_)
.build())
.regexMatchStatement(RegexMatchStatementProperty.builder()
.fieldToMatch(FieldToMatchProperty.builder()
.allQueryArguments(allQueryArguments)
.body(BodyProperty.builder()
.oversizeHandling("oversizeHandling")
.build())
.cookies(CookiesProperty.builder()
.matchPattern(CookieMatchPatternProperty.builder()
.all(all)
.excludedCookies(List.of("excludedCookies"))
.includedCookies(List.of("includedCookies"))
.build())
.matchScope("matchScope")
.oversizeHandling("oversizeHandling")
.build())
.headers(HeadersProperty.builder()
.matchPattern(HeaderMatchPatternProperty.builder()
.all(all)
.excludedHeaders(List.of("excludedHeaders"))
.includedHeaders(List.of("includedHeaders"))
.build())
.matchScope("matchScope")
.oversizeHandling("oversizeHandling")
.build())
.jsonBody(JsonBodyProperty.builder()
.matchPattern(JsonMatchPatternProperty.builder()
.all(all)
.includedPaths(List.of("includedPaths"))
.build())
.matchScope("matchScope")
// the properties below are optional
.invalidFallbackBehavior("invalidFallbackBehavior")
.oversizeHandling("oversizeHandling")
.build())
.method(method)
.queryString(queryString)
.singleHeader(singleHeader)
.singleQueryArgument(singleQueryArgument)
.uriPath(uriPath)
.build())
.regexString("regexString")
.textTransformations(List.of(TextTransformationProperty.builder()
.priority(123)
.type("type")
.build()))
.build())
.regexPatternSetReferenceStatement(RegexPatternSetReferenceStatementProperty.builder()
.arn("arn")
.fieldToMatch(FieldToMatchProperty.builder()
.allQueryArguments(allQueryArguments)
.body(BodyProperty.builder()
.oversizeHandling("oversizeHandling")
.build())
.cookies(CookiesProperty.builder()
.matchPattern(CookieMatchPatternProperty.builder()
.all(all)
.excludedCookies(List.of("excludedCookies"))
.includedCookies(List.of("includedCookies"))
.build())
.matchScope("matchScope")
.oversizeHandling("oversizeHandling")
.build())
.headers(HeadersProperty.builder()
.matchPattern(HeaderMatchPatternProperty.builder()
.all(all)
.excludedHeaders(List.of("excludedHeaders"))
.includedHeaders(List.of("includedHeaders"))
.build())
.matchScope("matchScope")
.oversizeHandling("oversizeHandling")
.build())
.jsonBody(JsonBodyProperty.builder()
.matchPattern(JsonMatchPatternProperty.builder()
.all(all)
.includedPaths(List.of("includedPaths"))
.build())
.matchScope("matchScope")
// the properties below are optional
.invalidFallbackBehavior("invalidFallbackBehavior")
.oversizeHandling("oversizeHandling")
.build())
.method(method)
.queryString(queryString)
.singleHeader(singleHeader)
.singleQueryArgument(singleQueryArgument)
.uriPath(uriPath)
.build())
.textTransformations(List.of(TextTransformationProperty.builder()
.priority(123)
.type("type")
.build()))
.build())
.ruleGroupReferenceStatement(RuleGroupReferenceStatementProperty.builder()
.arn("arn")
// the properties below are optional
.excludedRules(List.of(ExcludedRuleProperty.builder()
.name("name")
.build()))
.ruleActionOverrides(List.of(RuleActionOverrideProperty.builder()
.actionToUse(RuleActionProperty.builder()
.allow(AllowActionProperty.builder()
.customRequestHandling(CustomRequestHandlingProperty.builder()
.insertHeaders(List.of(CustomHTTPHeaderProperty.builder()
.name("name")
.value("value")
.build()))
.build())
.build())
.block(BlockActionProperty.builder()
.customResponse(CustomResponseProperty.builder()
.responseCode(123)
// the properties below are optional
.customResponseBodyKey("customResponseBodyKey")
.responseHeaders(List.of(CustomHTTPHeaderProperty.builder()
.name("name")
.value("value")
.build()))
.build())
.build())
.captcha(CaptchaActionProperty.builder()
.customRequestHandling(CustomRequestHandlingProperty.builder()
.insertHeaders(List.of(CustomHTTPHeaderProperty.builder()
.name("name")
.value("value")
.build()))
.build())
.build())
.challenge(ChallengeActionProperty.builder()
.customRequestHandling(CustomRequestHandlingProperty.builder()
.insertHeaders(List.of(CustomHTTPHeaderProperty.builder()
.name("name")
.value("value")
.build()))
.build())
.build())
.count(CountActionProperty.builder()
.customRequestHandling(CustomRequestHandlingProperty.builder()
.insertHeaders(List.of(CustomHTTPHeaderProperty.builder()
.name("name")
.value("value")
.build()))
.build())
.build())
.build())
.name("name")
.build()))
.build())
.sizeConstraintStatement(SizeConstraintStatementProperty.builder()
.comparisonOperator("comparisonOperator")
.fieldToMatch(FieldToMatchProperty.builder()
.allQueryArguments(allQueryArguments)
.body(BodyProperty.builder()
.oversizeHandling("oversizeHandling")
.build())
.cookies(CookiesProperty.builder()
.matchPattern(CookieMatchPatternProperty.builder()
.all(all)
.excludedCookies(List.of("excludedCookies"))
.includedCookies(List.of("includedCookies"))
.build())
.matchScope("matchScope")
.oversizeHandling("oversizeHandling")
.build())
.headers(HeadersProperty.builder()
.matchPattern(HeaderMatchPatternProperty.builder()
.all(all)
.excludedHeaders(List.of("excludedHeaders"))
.includedHeaders(List.of("includedHeaders"))
.build())
.matchScope("matchScope")
.oversizeHandling("oversizeHandling")
.build())
.jsonBody(JsonBodyProperty.builder()
.matchPattern(JsonMatchPatternProperty.builder()
.all(all)
.includedPaths(List.of("includedPaths"))
.build())
.matchScope("matchScope")
// the properties below are optional
.invalidFallbackBehavior("invalidFallbackBehavior")
.oversizeHandling("oversizeHandling")
.build())
.method(method)
.queryString(queryString)
.singleHeader(singleHeader)
.singleQueryArgument(singleQueryArgument)
.uriPath(uriPath)
.build())
.size(123)
.textTransformations(List.of(TextTransformationProperty.builder()
.priority(123)
.type("type")
.build()))
.build())
.sqliMatchStatement(SqliMatchStatementProperty.builder()
.fieldToMatch(FieldToMatchProperty.builder()
.allQueryArguments(allQueryArguments)
.body(BodyProperty.builder()
.oversizeHandling("oversizeHandling")
.build())
.cookies(CookiesProperty.builder()
.matchPattern(CookieMatchPatternProperty.builder()
.all(all)
.excludedCookies(List.of("excludedCookies"))
.includedCookies(List.of("includedCookies"))
.build())
.matchScope("matchScope")
.oversizeHandling("oversizeHandling")
.build())
.headers(HeadersProperty.builder()
.matchPattern(HeaderMatchPatternProperty.builder()
.all(all)
.excludedHeaders(List.of("excludedHeaders"))
.includedHeaders(List.of("includedHeaders"))
.build())
.matchScope("matchScope")
.oversizeHandling("oversizeHandling")
.build())
.jsonBody(JsonBodyProperty.builder()
.matchPattern(JsonMatchPatternProperty.builder()
.all(all)
.includedPaths(List.of("includedPaths"))
.build())
.matchScope("matchScope")
// the properties below are optional
.invalidFallbackBehavior("invalidFallbackBehavior")
.oversizeHandling("oversizeHandling")
.build())
.method(method)
.queryString(queryString)
.singleHeader(singleHeader)
.singleQueryArgument(singleQueryArgument)
.uriPath(uriPath)
.build())
.textTransformations(List.of(TextTransformationProperty.builder()
.priority(123)
.type("type")
.build()))
// the properties below are optional
.sensitivityLevel("sensitivityLevel")
.build())
.xssMatchStatement(XssMatchStatementProperty.builder()
.fieldToMatch(FieldToMatchProperty.builder()
.allQueryArguments(allQueryArguments)
.body(BodyProperty.builder()
.oversizeHandling("oversizeHandling")
.build())
.cookies(CookiesProperty.builder()
.matchPattern(CookieMatchPatternProperty.builder()
.all(all)
.excludedCookies(List.of("excludedCookies"))
.includedCookies(List.of("includedCookies"))
.build())
.matchScope("matchScope")
.oversizeHandling("oversizeHandling")
.build())
.headers(HeadersProperty.builder()
.matchPattern(HeaderMatchPatternProperty.builder()
.all(all)
.excludedHeaders(List.of("excludedHeaders"))
.includedHeaders(List.of("includedHeaders"))
.build())
.matchScope("matchScope")
.oversizeHandling("oversizeHandling")
.build())
.jsonBody(JsonBodyProperty.builder()
.matchPattern(JsonMatchPatternProperty.builder()
.all(all)
.includedPaths(List.of("includedPaths"))
.build())
.matchScope("matchScope")
// the properties below are optional
.invalidFallbackBehavior("invalidFallbackBehavior")
.oversizeHandling("oversizeHandling")
.build())
.method(method)
.queryString(queryString)
.singleHeader(singleHeader)
.singleQueryArgument(singleQueryArgument)
.uriPath(uriPath)
.build())
.textTransformations(List.of(TextTransformationProperty.builder()
.priority(123)
.type("type")
.build()))
.build())
.build())
.build();
-
Nested Class Summary
Nested ClassesModifier and TypeInterfaceDescriptionstatic final classA builder forCfnWebACL.RateBasedStatementPropertystatic final classAn implementation forCfnWebACL.RateBasedStatementProperty -
Method Summary
Modifier and TypeMethodDescriptionbuilder()Setting that indicates how to aggregate the request counts.default ObjectThe configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin.getLimit()The limit on requests per 5-minute period for a single originating IP address.default ObjectAn optional nested statement that narrows the scope of the web requests that are evaluated by the rate-based statement.Methods inherited from interface software.amazon.jsii.JsiiSerializable
$jsii$toJson
-
Method Details
-
getAggregateKeyType
Setting that indicates how to aggregate the request counts. The options are the following:.IP- Aggregate the request counts on the IP address from the web request origin.FORWARDED_IP- Aggregate the request counts on the first IP address in an HTTP header. If you use this, configure theForwardedIPConfig, to specify the header to use.
You can only use the
IPandFORWARDED_IPkey types. -
getLimit
The limit on requests per 5-minute period for a single originating IP address.If the statement includes a
ScopeDownStatement, this limit is applied only to the requests that match the statement. -
getForwardedIpConfig
The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin.Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name.
If the specified header isn't present in the request, AWS WAF doesn't apply the rule to the web request at all.
This is required if you specify a forwarded IP in the rule's aggregate key settings.
-
getScopeDownStatement
An optional nested statement that narrows the scope of the web requests that are evaluated by the rate-based statement.Requests are only tracked by the rate-based statement if they match the scope-down statement. You can use any nestable
Statementin the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement. -
builder
-