AWS::WAFv2::WebACL ManagedRuleGroupStatement
A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement.
You cannot nest a ManagedRuleGroupStatement
, for example for use inside a NotStatement
or OrStatement
. It can only be referenced as a top-level statement within a rule.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "ExcludedRules" :
[ ExcludedRule, ... ]
, "ManagedRuleGroupConfigs" :[ ManagedRuleGroupConfig, ... ]
, "Name" :String
, "ScopeDownStatement" :Statement
, "VendorName" :String
, "Version" :String
}
YAML
ExcludedRules:
- ExcludedRule
ManagedRuleGroupConfigs:- ManagedRuleGroupConfig
Name:String
ScopeDownStatement:Statement
VendorName:String
Version:String
Properties
ExcludedRules
-
The rules in the referenced rule group whose actions are set to
Count
. When you exclude a rule, AWS WAF evaluates it exactly as it would if the rule action setting wereCount
. This is a useful option for testing the rules in a rule group without modifying how they handle your web traffic.Required: No
Type: List of ExcludedRule
Maximum:
100
Update requires: No interruption
ManagedRuleGroupConfigs
-
Additional information that's used by a managed rule group. Most managed rule groups don't require this.
Use this for the account takeover prevention managed rule group
AWSManagedRulesATPRuleSet
, to provide information about the sign-in page of your application.You can provide multiple individual
ManagedRuleGroupConfig
objects for any rule group configuration, for exampleUsernameField
andPasswordField
. The configuration that you provide depends on the needs of the managed rule group. For the ATP managed rule group, you provide the following individual configuration objects:LoginPath
,PasswordField
,PayloadType
andUsernameField
.Required: No
Type: List of ManagedRuleGroupConfig
Update requires: No interruption
Name
-
The name of the managed rule group. You use this, along with the vendor name, to identify the rule group.
Required: Yes
Type: String
Minimum:
1
Maximum:
128
Pattern:
^[\w\-]+$
Update requires: No interruption
ScopeDownStatement
-
An optional nested statement that narrows the scope of the web requests that are evaluated by the managed rule group. Requests are only evaluated by the rule group if they match the scope-down statement. You can use any nestable Statement in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.
Required: No
Type: Statement
Update requires: No interruption
VendorName
-
The name of the managed rule group vendor. You use this, along with the rule group name, to identify the rule group.
Required: Yes
Type: String
Minimum:
1
Maximum:
128
Pattern:
.*\S.*
Update requires: No interruption
Version
-
The version of the managed rule group to use. If you specify this, the version setting is fixed until you change it. If you don't specify this, AWS WAF uses the vendor's default version, and then keeps the version at the vendor's default when the vendor updates the managed rule group settings.
Required: No
Type: String
Minimum:
1
Maximum:
64
Pattern:
^[\w#:\.\-/]+$
Update requires: No interruption
Examples
Configure the managed rule group statement for AWSManagedRulesATPRuleSet
The following shows an example ManagedRuleGroupStatement
for the AWS WAF ATP managed rule group.
The ManagedRuleGroupConfigs
settings are provided as a number of individual ManagedRuleGroupConfig
settings.
YAML
ManagedRuleGroupStatement: VendorName: AWS Name: AWSManagedRulesATPRuleSet ManagedRuleGroupConfigs: - LoginPath: /api/accounts/login - PayloadType: JSON - PasswordField: Identifier: /form/password - UsernameField: Identifier: /form/username
JSON
{ "ManagedRuleGroupStatement": { "VendorName": "AWS", "Name": "AWSManagedRulesATPRuleSet", "ManagedRuleGroupConfigs": [ { "LoginPath": "/api/accounts/login" }, { "PayloadType": "JSON" }, { "PasswordField": { "Identifier": "/form/password" } }, { "UsernameField": { "Identifier": "/form/username" } } ] } }
Configure a standard managed rule group statement
The following shows an example ManagedRuleGroupStatement
for a managed rule group that doesn't require additional configuration.
YAML
ManagedRuleGroupStatement: VendorName: AWS Name: AWSManagedRulesCommonRuleSet
JSON
{ "ManagedRuleGroupStatement": { "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet" } }