Class CfnWebACL
- All Implemented Interfaces: IInspectable, ITaggable, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct, software.constructs.IDependable
This is the latest version of AWS WAF, named AWS WAF V2, released in November 2019.
For information, including how to migrate your AWS WAF resources from the prior release, see the AWS WAF developer guide.
Use a WebACL to define a collection of rules to use to inspect and control web requests. Each rule in a web ACL has a statement that defines what to look for in web requests and an action that AWS WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that doesn't match any of the rules.
The rules in a web ACL can be a combination of explicitly defined rules and rule groups that you reference from the web ACL. The rule groups can be rule groups that you manage or rule groups that are managed by others.
You can associate a web ACL with one or more AWS resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AWS AppSync GraphQL API, an Amazon Cognito user pool, an AWS App Runner service, or an AWS Verified Access instance.
For more information, see Web access control lists (web ACLs) in the AWS WAF developer guide.
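The following Java snippet is an added illustration of the description above; it is not code from this page or from the AWS CDK project itself. It builds a regional CfnWebACL whose default action allows requests, with one rule that references an AWS-managed rule group (so it carries an override action) and one rate-based rule with its own block action (so it carries a rule action). The stack class name, the metric names, the web ACL name and the request limit are assumed values chosen for the example.

```java
import java.util.List;
import java.util.Map;

import software.amazon.awscdk.Stack;
import software.amazon.awscdk.StackProps;
import software.amazon.awscdk.services.wafv2.CfnWebACL;
import software.constructs.Construct;

/**
 * Added example (assumed stack name): a regional web ACL with a default allow action
 * and two rules evaluated in priority order:
 *   priority 0: the AWS-managed Common Rule Set, run with the rule group's own actions
 *   priority 1: a rate-based rule that blocks a source IP exceeding the assumed limit
 */
public class WebAclStack extends Stack {

    public WebAclStack(final Construct scope, final String id, final StackProps props) {
        super(scope, id, props);

        // A rule that references a rule group uses an OverrideAction, not an Action.
        // "none" keeps the actions configured inside the managed rule group.
        CfnWebACL.RuleProperty managedRules = CfnWebACL.RuleProperty.builder()
            .name("AWSManagedRulesCommonRuleSet")
            .priority(0)
            .statement(CfnWebACL.StatementProperty.builder()
                .managedRuleGroupStatement(CfnWebACL.ManagedRuleGroupStatementProperty.builder()
                    .vendorName("AWS")
                    .name("AWSManagedRulesCommonRuleSet")
                    .build())
                .build())
            .overrideAction(CfnWebACL.OverrideActionProperty.builder().none(Map.of()).build())
            .visibilityConfig(visibility("CommonRuleSet"))   // assumed metric name
            .build();

        // A rule with its own statement uses an Action; here the match blocks the request.
        CfnWebACL.RuleProperty rateLimit = CfnWebACL.RuleProperty.builder()
            .name("RateLimitPerIp")
            .priority(1)
            .statement(CfnWebACL.StatementProperty.builder()
                .rateBasedStatement(CfnWebACL.RateBasedStatementProperty.builder()
                    .limit(2000)              // assumed limit per aggregation window
                    .aggregateKeyType("IP")   // aggregate on the request source IP
                    .build())
                .build())
            .action(CfnWebACL.RuleActionProperty.builder()
                .block(CfnWebACL.BlockActionProperty.builder().build())
                .build())
            .visibilityConfig(visibility("RateLimitPerIp"))  // assumed metric name
            .build();

        CfnWebACL.Builder.create(this, "WebAcl")
            .name("example-web-acl")                         // assumed name
            .scope("REGIONAL")                               // "CLOUDFRONT" is the other choice
            // Default action for any request that matches none of the rules.
            .defaultAction(CfnWebACL.DefaultActionProperty.builder()
                .allow(CfnWebACL.AllowActionProperty.builder().build())
                .build())
            .rules(List.of(managedRules, rateLimit))
            .visibilityConfig(visibility("ExampleWebAcl"))   // assumed metric name
            .build();
    }

    // Every rule and the web ACL itself need a VisibilityConfig; one helper keeps them uniform.
    private static CfnWebACL.VisibilityConfigProperty visibility(String metricName) {
        return CfnWebACL.VisibilityConfigProperty.builder()
            .cloudWatchMetricsEnabled(true)
            .sampledRequestsEnabled(true)
            .metricName(metricName)
            .build();
    }
}
```

Instantiate the stack from a CDK App as usual and synthesize it; the rate-based rule and the managed rule group each consume WCUs, so the total must stay within the web ACL capacity limit described under getAttrCapacity below.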
Web ACLs used in AWS Shield Advanced automatic application layer DDoS mitigation
If you use Shield Advanced automatic application layer DDoS mitigation, the web ACLs that you use with automatic mitigation have a rule group rule whose name starts with ShieldMitigationRuleGroup. This rule is used for automatic mitigations and it's managed for you in the web ACL by Shield Advanced and AWS WAF. You'll see the rule listed among the web ACL rules when you view the web ACL through the AWS WAF interfaces.
When you manage the web ACL through AWS CloudFormation interfaces, you won't see the Shield Advanced rule. AWS CloudFormation doesn't include this type of rule in the stack drift status between the actual configuration of the web ACL and your web ACL template.
Don't add the Shield Advanced rule group rule to your web ACL template. The rule shouldn't be in your template. When you update the web ACL template in a stack, the Shield Advanced rule is maintained for you by AWS WAF in the resulting web ACL.
For more information, see Shield Advanced automatic application layer DDoS mitigation in the AWS Shield Advanced developer guide.
Nested Class Summary
- static interface: Specifies that AWS WAF should allow the request and optionally defines additional custom handling for the request.
- static interface: A logical rule statement used to combine other rule statements with AND logic.
- static interface: Specifies custom configurations for the associations between the web ACL and protected resources.
- static interface: Details for your use of the account creation fraud prevention managed rule group, AWSManagedRulesACFPRuleSet.
- static interface: Details for your use of the account takeover prevention managed rule group, AWSManagedRulesATPRuleSet.
- static interface: Details for your use of the Bot Control managed rule group, AWSManagedRulesBotControlRuleSet.
- static interface: Specifies that AWS WAF should block the request and optionally defines additional custom handling for the response to the web request.
- static interface: Inspect the body of the web request.
- static final class: A fluent builder for CfnWebACL.
- static interface: A rule statement that defines a string match search for AWS WAF to apply to web requests.
- static interface: Specifies that AWS WAF should run a CAPTCHA check against the request.
- static interface: Specifies how AWS WAF should handle CAPTCHA evaluations for rules that don't have their own CaptchaConfig settings.
- static interface: Specifies that AWS WAF should run a Challenge check against the request to verify that the request is coming from a legitimate client session. If the request includes a valid, unexpired challenge token, AWS WAF applies any custom request handling and labels that you've configured and then allows the web request inspection to proceed to the next rule, similar to a CountAction.
- static interface: Specifies how AWS WAF should handle Challenge evaluations.
- static interface: The filter to use to identify the subset of cookies to inspect in a web request.
- static interface: Inspect the cookies in the web request.
- static interface: Specifies that AWS WAF should count the request.
- static interface: A custom header for custom request and response handling.
- static interface: Custom request handling behavior that inserts custom headers into a web request.
- static interface: The response body to use in a custom response to a web request.
- static interface: A custom response to send to the client.
- static interface: In a WebACL, this is the action that you want AWS WAF to perform when a web request doesn't match any of the rules in the WebACL.
- static interface: Specifies a single rule in a rule group whose action you want to override to Count.
- static interface: The identifier of a field in the web request payload that contains customer data.
- static interface: Specifies a web request component to be used in a rule match statement or in a logging configuration.
- static interface: The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin.
- static interface: A rule statement that labels web requests by country and region and that matches against web requests based on country code.
- static interface: The filter to use to identify the subset of headers to inspect in a web request.
- static interface: Inspect all headers in the web request.
- static interface: Used for CAPTCHA and challenge token settings.
- static interface: The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin.
- static interface: A rule statement used to detect web requests coming from particular IP addresses or address ranges.
- static interface: Available for use with Amazon CloudFront distributions and Application Load Balancers.
- static interface: Inspect the body of the web request as JSON.
- static interface: The patterns to look for in the JSON body.
- static interface: A rule statement to match against labels that have been added to the web request by rules that have already run in the web ACL.
- static interface: A single label container.
- static interface: Additional information that's used by a managed rule group.
- static interface: A rule statement used to run the rules that are defined in a managed rule group.
- static interface: A logical rule statement used to negate the results of another rule statement.
- static interface: A logical rule statement used to combine other rule statements with OR logic.
- static interface: The action to use in the place of the action that results from the rule group evaluation.
- static interface: Specifies a single custom aggregate key for a rate-based rule.
- static interface: A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate.
- static interface: Specifies a cookie as an aggregate key for a rate-based rule.
- static interface: Specifies a header as an aggregate key for a rate-based rule.
- static interface: Specifies a label namespace to use as an aggregate key for a rate-based rule.
- static interface: Specifies a query argument in the request as an aggregate key for a rate-based rule.
- static interface: Specifies the request's query string as an aggregate key for a rate-based rule.
- static interface: Specifies the request's URI path as an aggregate key for a rate-based rule.
- static interface: A rule statement used to search web request components for a match against a single regular expression.
- static interface: A rule statement used to search web request components for matches with regular expressions.
- static interface: Customizes the maximum size of the request body that your protected CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access resources forward to AWS WAF for inspection.
- static interface: The criteria for inspecting account creation requests, used by the ACFP rule group to validate and track account creation attempts.
- static interface: The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage.
- static interface: Configures inspection of the response body.
- static interface: Configures inspection of the response header.
- static interface: Configures inspection of the response JSON.
- static interface: The criteria for inspecting responses to login requests and account creation requests, used by the ATP and ACFP rule groups to track login and account creation success and failure rates.
- static interface: Configures inspection of the response status code.
- static interface: Action setting to use in the place of a rule action that is configured inside the rule group.
- static interface: The action that AWS WAF should take on a web request when it matches a rule's statement.
- static interface: A rule statement used to run the rules that are defined in a RuleGroup.
- static interface: A single rule, which you can use in a WebACL or RuleGroup to identify web requests that you want to manage in some way.
- static interface: Inspect one of the headers in the web request, identified by name, for example, User-Agent or Referer.
- static interface: Inspect one query argument in the web request, identified by name, for example UserName or SalesRegion.
- static interface: A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<).
- static interface: A rule statement that inspects for malicious SQL code.
- static interface: The processing guidance for a rule, used by AWS WAF to determine whether a web request matches the rule.
- static interface: Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.
- static interface: Defines and enables Amazon CloudWatch metrics and web request sample collection.
- static interface: A rule statement that inspects for cross-site scripting (XSS) attacks.
Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject: software.amazon.jsii.JsiiObject.InitializationMode
Nested classes/interfaces inherited from interface software.constructs.IConstruct: software.constructs.IConstruct.Jsii$Default
Nested classes/interfaces inherited from interface software.amazon.awscdk.IInspectable: IInspectable.Jsii$Default, IInspectable.Jsii$Proxy
Nested classes/interfaces inherited from interface software.amazon.awscdk.ITaggable: ITaggable.Jsii$Default, ITaggable.Jsii$Proxy
Field Summary
- static final String CFN_RESOURCE_TYPE_NAME: The CloudFormation resource type name for this resource class.
Constructor Summary
- protected CfnWebACL(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
- protected CfnWebACL(software.amazon.jsii.JsiiObjectRef objRef)
- CfnWebACL(software.constructs.Construct scope, String id, CfnWebACLProps props)
Method Summary
- getAssociationConfig(): Specifies custom configurations for the associations between the web ACL and protected resources.
- getAttrArn(): The Amazon Resource Name (ARN) of the web ACL.
- getAttrCapacity(): The web ACL capacity units (WCUs) currently being used by this web ACL.
- getAttrId(): The ID of the web ACL.
- getAttrLabelNamespace(): The label namespace prefix for this web ACL.
- getCaptchaConfig(): Specifies how AWS WAF should handle CAPTCHA evaluations for rules that don't have their own CaptchaConfig settings.
- getChallengeConfig(): Specifies how AWS WAF should handle challenge evaluations for rules that don't have their own ChallengeConfig settings.
- getCustomResponseBodies(): A map of custom response keys and content bodies.
- getDefaultAction(): The action to perform if none of the Rules contained in the WebACL match.
- getDescription(): A description of the web ACL that helps with identification.
- getName(): The name of the web ACL.
- getRules(): The rule statements used to identify the web requests that you want to manage.
- getScope(): Specifies whether this is for an Amazon CloudFront distribution or for a regional application.
- getTags(): Tag Manager which manages the tags for this resource.
- getTagsRaw(): Key:value pairs associated with an AWS resource.
- getTokenDomains(): Specifies the domains that AWS WAF should accept in a web request token.
- getVisibilityConfig(): Defines and enables Amazon CloudWatch metrics and web request sample collection.
- void inspect(TreeInspector inspector): Examines the CloudFormation resource and discloses attributes.
- protected Map<String, Object> renderProperties(Map<String, Object> props)
- void setAssociationConfig(IResolvable value), void setAssociationConfig(CfnWebACL.AssociationConfigProperty value): Specifies custom configurations for the associations between the web ACL and protected resources.
- void setCaptchaConfig(IResolvable value), void setCaptchaConfig(CfnWebACL.CaptchaConfigProperty value): Specifies how AWS WAF should handle CAPTCHA evaluations for rules that don't have their own CaptchaConfig settings.
- void setChallengeConfig(IResolvable value), void setChallengeConfig(CfnWebACL.ChallengeConfigProperty value): Specifies how AWS WAF should handle challenge evaluations for rules that don't have their own ChallengeConfig settings.
- void setCustomResponseBodies(Map<String, Object> value), void setCustomResponseBodies(IResolvable value): A map of custom response keys and content bodies.
- void setDefaultAction(IResolvable value), void setDefaultAction(CfnWebACL.DefaultActionProperty value): The action to perform if none of the Rules contained in the WebACL match.
- void setDescription(String value): A description of the web ACL that helps with identification.
- void setName(String value): The name of the web ACL.
- void setRules(IResolvable value), void setRules(List<Object> value): The rule statements used to identify the web requests that you want to manage.
- void setScope(String value): Specifies whether this is for an Amazon CloudFront distribution or for a regional application.
- void setTagsRaw(List<CfnTag> value): Key:value pairs associated with an AWS resource.
- void setTokenDomains(List<String> value): Specifies the domains that AWS WAF should accept in a web request token.
- void setVisibilityConfig(IResolvable value), void setVisibilityConfig(CfnWebACL.VisibilityConfigProperty value): Defines and enables Amazon CloudWatch metrics and web request sample collection.
Methods inherited from class software.amazon.awscdk.CfnResource: addDeletionOverride, addDependency, addDependsOn, addMetadata, addOverride, addPropertyDeletionOverride, addPropertyOverride, applyRemovalPolicy, applyRemovalPolicy, applyRemovalPolicy, getAtt, getAtt, getCfnOptions, getCfnResourceType, getMetadata, getUpdatedProperites, getUpdatedProperties, isCfnResource, obtainDependencies, obtainResourceDependencies, removeDependency, replaceDependency, shouldSynthesize, toString, validateProperties
Methods inherited from class software.amazon.awscdk.CfnRefElement: getRef
Methods inherited from class software.amazon.awscdk.CfnElement: getCreationStack, getLogicalId, getStack, isCfnElement, overrideLogicalId
Methods inherited from class software.constructs.Construct: getNode, isConstruct
Methods inherited from class software.amazon.jsii.JsiiObject: jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSet
Methods inherited from class java.lang.Object: clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, wait
Methods inherited from interface software.amazon.jsii.JsiiSerializable: $jsii$toJson
Field Details
- CFN_RESOURCE_TYPE_NAME
  static final String CFN_RESOURCE_TYPE_NAME
  The CloudFormation resource type name for this resource class.
Constructor Details
- CfnWebACL
  protected CfnWebACL(software.amazon.jsii.JsiiObjectRef objRef)
- CfnWebACL
  protected CfnWebACL(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)
- CfnWebACL
  @Stability(Stable) public CfnWebACL(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull CfnWebACLProps props)
  Parameters:
  scope: Scope in which this resource is defined. This parameter is required.
  id: Construct identifier for this resource (unique in its scope). This parameter is required.
  props: Resource properties. This parameter is required.
Method Details
- inspect
  void inspect(TreeInspector inspector)
  Examines the CloudFormation resource and discloses attributes.
  Specified by: inspect in interface IInspectable
  Parameters:
  inspector: tree inspector to collect and process attributes. This parameter is required.
- renderProperties
  @Stability(Stable) @NotNull protected Map<String,Object> renderProperties(@NotNull Map<String, Object> props)
  Overrides: renderProperties in class CfnResource
  Parameters:
  props: This parameter is required.
- getAttrArn
  The Amazon Resource Name (ARN) of the web ACL.
- getAttrCapacity
  The web ACL capacity units (WCUs) currently being used by this web ACL. AWS WAF uses WCUs to calculate and control the operating resources that are used to run your rules, rule groups, and web ACLs. AWS WAF calculates capacity differently for each rule type, to reflect the relative cost of each rule. Simple rules that cost little to run use fewer WCUs than more complex rules that use more processing power. Rule group capacity is fixed at creation, which helps users plan their web ACL WCU usage when they use a rule group. The WCU limit for web ACLs is 1,500.
- getAttrId
  The ID of the web ACL.
- getAttrLabelNamespace
  The label namespace prefix for this web ACL. All labels added by rules in this web ACL have this prefix.
  The syntax for the label namespace prefix for a web ACL is the following:
  awswaf:<account ID>:webacl:<web ACL name>:
  When a rule with a label matches a web request, AWS WAF adds the fully qualified label to the request. A fully qualified label is made up of the label namespace from the rule group or web ACL where the rule is defined and the label from the rule, separated by a colon.
- getCfnProperties
  Overrides: getCfnProperties in class CfnResource
- getTags
  Tag Manager which manages the tags for this resource.
- getDefaultAction
  The action to perform if none of the Rules contained in the WebACL match.
- setDefaultAction (IResolvable overload)
  The action to perform if none of the Rules contained in the WebACL match.
- setDefaultAction (property overload)
  The action to perform if none of the Rules contained in the WebACL match.
- getScope
  Specifies whether this is for an Amazon CloudFront distribution or for a regional application.
- setScope
  Specifies whether this is for an Amazon CloudFront distribution or for a regional application.
- getVisibilityConfig
  Defines and enables Amazon CloudWatch metrics and web request sample collection.
- setVisibilityConfig (IResolvable overload)
  Defines and enables Amazon CloudWatch metrics and web request sample collection.
- setVisibilityConfig
  @Stability(Stable) public void setVisibilityConfig(@NotNull CfnWebACL.VisibilityConfigProperty value)
  Defines and enables Amazon CloudWatch metrics and web request sample collection.
- getAssociationConfig
  Specifies custom configurations for the associations between the web ACL and protected resources.
- setAssociationConfig (IResolvable overload)
  Specifies custom configurations for the associations between the web ACL and protected resources.
- setAssociationConfig
  @Stability(Stable) public void setAssociationConfig(@Nullable CfnWebACL.AssociationConfigProperty value)
  Specifies custom configurations for the associations between the web ACL and protected resources.
- getCaptchaConfig
  Specifies how AWS WAF should handle CAPTCHA evaluations for rules that don't have their own CaptchaConfig settings.
- setCaptchaConfig (IResolvable overload)
  Specifies how AWS WAF should handle CAPTCHA evaluations for rules that don't have their own CaptchaConfig settings.
- setCaptchaConfig (property overload)
  Specifies how AWS WAF should handle CAPTCHA evaluations for rules that don't have their own CaptchaConfig settings.
- getChallengeConfig
  Specifies how AWS WAF should handle challenge evaluations for rules that don't have their own ChallengeConfig settings.
- setChallengeConfig (IResolvable overload)
  Specifies how AWS WAF should handle challenge evaluations for rules that don't have their own ChallengeConfig settings.
- setChallengeConfig
  @Stability(Stable) public void setChallengeConfig(@Nullable CfnWebACL.ChallengeConfigProperty value)
  Specifies how AWS WAF should handle challenge evaluations for rules that don't have their own ChallengeConfig settings.
- getCustomResponseBodies
  A map of custom response keys and content bodies.
- setCustomResponseBodies (Map overload)
  A map of custom response keys and content bodies.
- setCustomResponseBodies (IResolvable overload)
  A map of custom response keys and content bodies.
- getDescription
  A description of the web ACL that helps with identification.
- setDescription
  A description of the web ACL that helps with identification.
- getName
  The name of the web ACL.
- setName
  The name of the web ACL.
- getRules
  The rule statements used to identify the web requests that you want to manage.
- setRules (IResolvable overload)
  The rule statements used to identify the web requests that you want to manage.
- setRules (List overload)
  The rule statements used to identify the web requests that you want to manage.
- getTagsRaw
  Key:value pairs associated with an AWS resource.
- setTagsRaw
  Key:value pairs associated with an AWS resource.
- getTokenDomains
  Specifies the domains that AWS WAF should accept in a web request token.
- setTokenDomains
  Specifies the domains that AWS WAF should accept in a web request token.