Table Of Contents

Feedback

User Guide

First time using the AWS CLI? See the User Guide for help getting started.

[ aws . waf ]

create-rule

Description

Creates a Rule , which contains the IPSet objects, ByteMatchSet objects, and other predicates that identify the requests that you want to block. If you add more than one predicate to a Rule , a request must match all of the specifications to be allowed or blocked. For example, suppose you add the following to a Rule :

  • An IPSet that matches the IP address 192.0.2.44/32
  • A ByteMatchSet that matches BadBot in the User-Agent header

You then add the Rule to a WebACL and specify that you want to blocks requests that satisfy the Rule . For a request to be blocked, it must come from the IP address 192.0.2.44 and the User-Agent header in the request must contain the value BadBot .

To create and configure a Rule , perform the following steps:

  • Create and update the predicates that you want to include in the Rule . For more information, see CreateByteMatchSet , CreateIPSet , and CreateSqlInjectionMatchSet .
  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of a CreateRule request.
  • Submit a CreateRule request.
  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of an UpdateRule request.
  • Submit an UpdateRule request to specify the predicates that you want to include in the Rule .
  • Create and update a WebACL that contains the Rule . For more information, see CreateWebACL .

For more information about how to use the AWS WAF API to allow or block HTTP requests, see the AWS WAF Developer Guide .

See also: AWS API Documentation

See 'aws help' for descriptions of global parameters.

Synopsis

  create-rule
--name <value>
--metric-name <value>
--change-token <value>
[--cli-input-json <value>]
[--generate-cli-skeleton <value>]

Options

--name (string)

A friendly name or description of the Rule . You can't change the name of a Rule after you create it.

--metric-name (string)

A friendly name or description for the metrics for this Rule . The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can't contain whitespace. You can't change the name of the metric after you create the Rule .

--change-token (string)

The value returned by the most recent call to GetChangeToken .

--cli-input-json (string) Performs service operation based on the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, the CLI values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

See 'aws help' for descriptions of global parameters.

Output

Rule -> (structure)

The Rule returned in the CreateRule response.

RuleId -> (string)

A unique identifier for a Rule . You use RuleId to get more information about a Rule (see GetRule ), update a Rule (see UpdateRule ), insert a Rule into a WebACL or delete a one from a WebACL (see UpdateWebACL ), or delete a Rule from AWS WAF (see DeleteRule ).

RuleId is returned by CreateRule and by ListRules .

Name -> (string)

The friendly name or description for the Rule . You can't change the name of a Rule after you create it.

MetricName -> (string)

A friendly name or description for the metrics for this Rule . The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can't contain whitespace. You can't change MetricName after you create the Rule .

Predicates -> (list)

The Predicates object contains one Predicate element for each ByteMatchSet , IPSet , or SqlInjectionMatchSet object that you want to include in a Rule .

(structure)

Specifies the ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , RegexMatchSet , GeoMatchSet , and SizeConstraintSet objects that you want to add to a Rule and, for each object, indicates whether you want to negate the settings, for example, requests that do NOT originate from the IP address 192.0.2.44.

Negated -> (boolean)

Set Negated to False if you want AWS WAF to allow, block, or count requests based on the settings in the specified ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , RegexMatchSet , GeoMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow or block requests based on that IP address.

Set Negated to True if you want AWS WAF to allow or block a request based on the negation of the settings in the ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , RegexMatchSet , GeoMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44 .

Type -> (string)

The type of predicate in a Rule , such as ByteMatch or IPSet .

DataId -> (string)

A unique identifier for a predicate in a Rule , such as ByteMatchSetId or IPSetId . The ID is returned by the corresponding Create or List command.

ChangeToken -> (string)

The ChangeToken that you used to submit the CreateRule request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .