AWS WAF Regional

2017/10/16 - AWS WAF Regional - 15 new 6 updated api methods

Changes  This release adds support for regular expressions as match conditions in rules, and support for geographical location by country of request IP address as a match condition in rules.

DeleteRegexPatternSet (new) Link ¶

Permanently deletes a RegexPatternSet . You can't delete a RegexPatternSet if it's still used in any RegexMatchSet or if the RegexPatternSet is not empty.

See also: AWS API Documentation

Request Syntax

client.delete_regex_pattern_set(
    RegexPatternSetId='string',
    ChangeToken='string'
)
type RegexPatternSetId

string

param RegexPatternSetId

[REQUIRED]

The RegexPatternSetId of the RegexPatternSet that you want to delete. RegexPatternSetId is returned by CreateRegexPatternSet and by ListRegexPatternSets .

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken .

rtype

dict

returns

Response Syntax

{
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • ChangeToken (string) --

      The ChangeToken that you used to submit the DeleteRegexPatternSet request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .

CreateGeoMatchSet (new) Link ¶

Creates an GeoMatchSet , which you use to specify which web requests you want to allow or block based on the country that the requests originate from. For example, if you're receiving a lot of requests from one or more countries and you want to block the requests, you can create an GeoMatchSet that contains those countries and then configure AWS WAF to block the requests.

To create and configure a GeoMatchSet , perform the following steps:

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of a CreateGeoMatchSet request.

  • Submit a CreateGeoMatchSet request.

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of an UpdateGeoMatchSet request.

  • Submit an UpdateGeoMatchSetSet request to specify the countries that you want AWS WAF to watch for.

For more information about how to use the AWS WAF API to allow or block HTTP requests, see the AWS WAF Developer Guide .

See also: AWS API Documentation

Request Syntax

client.create_geo_match_set(
    Name='string',
    ChangeToken='string'
)
type Name

string

param Name

[REQUIRED]

A friendly name or description of the GeoMatchSet . You can't change Name after you create the GeoMatchSet .

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken .

rtype

dict

returns

Response Syntax

{
    'GeoMatchSet': {
        'GeoMatchSetId': 'string',
        'Name': 'string',
        'GeoMatchConstraints': [
            {
                'Type': 'Country',
                'Value': 'AF'|'AX'|'AL'|'DZ'|'AS'|'AD'|'AO'|'AI'|'AQ'|'AG'|'AR'|'AM'|'AW'|'AU'|'AT'|'AZ'|'BS'|'BH'|'BD'|'BB'|'BY'|'BE'|'BZ'|'BJ'|'BM'|'BT'|'BO'|'BQ'|'BA'|'BW'|'BV'|'BR'|'IO'|'BN'|'BG'|'BF'|'BI'|'KH'|'CM'|'CA'|'CV'|'KY'|'CF'|'TD'|'CL'|'CN'|'CX'|'CC'|'CO'|'KM'|'CG'|'CD'|'CK'|'CR'|'CI'|'HR'|'CU'|'CW'|'CY'|'CZ'|'DK'|'DJ'|'DM'|'DO'|'EC'|'EG'|'SV'|'GQ'|'ER'|'EE'|'ET'|'FK'|'FO'|'FJ'|'FI'|'FR'|'GF'|'PF'|'TF'|'GA'|'GM'|'GE'|'DE'|'GH'|'GI'|'GR'|'GL'|'GD'|'GP'|'GU'|'GT'|'GG'|'GN'|'GW'|'GY'|'HT'|'HM'|'VA'|'HN'|'HK'|'HU'|'IS'|'IN'|'ID'|'IR'|'IQ'|'IE'|'IM'|'IL'|'IT'|'JM'|'JP'|'JE'|'JO'|'KZ'|'KE'|'KI'|'KP'|'KR'|'KW'|'KG'|'LA'|'LV'|'LB'|'LS'|'LR'|'LY'|'LI'|'LT'|'LU'|'MO'|'MK'|'MG'|'MW'|'MY'|'MV'|'ML'|'MT'|'MH'|'MQ'|'MR'|'MU'|'YT'|'MX'|'FM'|'MD'|'MC'|'MN'|'ME'|'MS'|'MA'|'MZ'|'MM'|'NA'|'NR'|'NP'|'NL'|'NC'|'NZ'|'NI'|'NE'|'NG'|'NU'|'NF'|'MP'|'NO'|'OM'|'PK'|'PW'|'PS'|'PA'|'PG'|'PY'|'PE'|'PH'|'PN'|'PL'|'PT'|'PR'|'QA'|'RE'|'RO'|'RU'|'RW'|'BL'|'SH'|'KN'|'LC'|'MF'|'PM'|'VC'|'WS'|'SM'|'ST'|'SA'|'SN'|'RS'|'SC'|'SL'|'SG'|'SX'|'SK'|'SI'|'SB'|'SO'|'ZA'|'GS'|'SS'|'ES'|'LK'|'SD'|'SR'|'SJ'|'SZ'|'SE'|'CH'|'SY'|'TW'|'TJ'|'TZ'|'TH'|'TL'|'TG'|'TK'|'TO'|'TT'|'TN'|'TR'|'TM'|'TC'|'TV'|'UG'|'UA'|'AE'|'GB'|'US'|'UM'|'UY'|'UZ'|'VU'|'VE'|'VN'|'VG'|'VI'|'WF'|'EH'|'YE'|'ZM'|'ZW'
            },
        ]
    },
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • GeoMatchSet (dict) --

      The GeoMatchSet returned in the CreateGeoMatchSet response. The GeoMatchSet contains no GeoMatchConstraints .

      • GeoMatchSetId (string) --

        The GeoMatchSetId for an GeoMatchSet . You use GeoMatchSetId to get information about a GeoMatchSet (see GeoMatchSet ), update a GeoMatchSet (see UpdateGeoMatchSet ), insert a GeoMatchSet into a Rule or delete one from a Rule (see UpdateRule ), and delete a GeoMatchSet from AWS WAF (see DeleteGeoMatchSet ).

        GeoMatchSetId is returned by CreateGeoMatchSet and by ListGeoMatchSets .

      • Name (string) --

        A friendly name or description of the GeoMatchSet . You can't change the name of an GeoMatchSet after you create it.

      • GeoMatchConstraints (list) --

        An array of GeoMatchConstraint objects, which contain the country that you want AWS WAF to search for.

        • (dict) --

          The country from which web requests originate that you want AWS WAF to search for.

          • Type (string) --

            The type of geographical area you want AWS WAF to search for. Currently Country is the only valid value.

          • Value (string) --

            The country that you want AWS WAF to search for.

    • ChangeToken (string) --

      The ChangeToken that you used to submit the CreateGeoMatchSet request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .

GetRegexPatternSet (new) Link ¶

Returns the RegexPatternSet specified by RegexPatternSetId .

See also: AWS API Documentation

Request Syntax

client.get_regex_pattern_set(
    RegexPatternSetId='string'
)
type RegexPatternSetId

string

param RegexPatternSetId

[REQUIRED]

The RegexPatternSetId of the RegexPatternSet that you want to get. RegexPatternSetId is returned by CreateRegexPatternSet and by ListRegexPatternSets .

rtype

dict

returns

Response Syntax

{
    'RegexPatternSet': {
        'RegexPatternSetId': 'string',
        'Name': 'string',
        'RegexPatternStrings': [
            'string',
        ]
    }
}

Response Structure

  • (dict) --

    • RegexPatternSet (dict) --

      Information about the RegexPatternSet that you specified in the GetRegexPatternSet request, including the identifier of the pattern set and the regular expression patterns you want AWS WAF to search for.

      • RegexPatternSetId (string) --

        The identifier for the RegexPatternSet . You use RegexPatternSetId to get information about a RegexPatternSet , update a RegexPatternSet , remove a RegexPatternSet from a RegexMatchSet , and delete a RegexPatternSet from AWS WAF.

        RegexMatchSetId is returned by CreateRegexPatternSet and by ListRegexPatternSets .

      • Name (string) --

        A friendly name or description of the RegexPatternSet . You can't change Name after you create a RegexPatternSet .

      • RegexPatternStrings (list) --

        Specifies the regular expression (regex) patterns that you want AWS WAF to search for, such as B[a@]dB[o0]t .

        • (string) --

ListRegexPatternSets (new) Link ¶

Returns an array of RegexPatternSetSummary objects.

See also: AWS API Documentation

Request Syntax

client.list_regex_pattern_sets(
    NextMarker='string',
    Limit=123
)
type NextMarker

string

param NextMarker

If you specify a value for Limit and you have more RegexPatternSet objects than the value of Limit , AWS WAF returns a NextMarker value in the response that allows you to list another group of RegexPatternSet objects. For the second and subsequent ListRegexPatternSets requests, specify the value of NextMarker from the previous response to get information about another batch of RegexPatternSet objects.

type Limit

integer

param Limit

Specifies the number of RegexPatternSet objects that you want AWS WAF to return for this request. If you have more RegexPatternSet objects than the number you specify for Limit , the response includes a NextMarker value that you can use to get another batch of RegexPatternSet objects.

rtype

dict

returns

Response Syntax

{
    'NextMarker': 'string',
    'RegexPatternSets': [
        {
            'RegexPatternSetId': 'string',
            'Name': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • NextMarker (string) --

      If you have more RegexPatternSet objects than the number that you specified for Limit in the request, the response includes a NextMarker value. To list more RegexPatternSet objects, submit another ListRegexPatternSets request, and specify the NextMarker value from the response in the NextMarker value in the next request.

    • RegexPatternSets (list) --

      An array of RegexPatternSetSummary objects.

      • (dict) --

        Returned by ListRegexPatternSets . Each RegexPatternSetSummary object includes the Name and RegexPatternSetId for one RegexPatternSet .

        • RegexPatternSetId (string) --

          The RegexPatternSetId for a RegexPatternSet . You use RegexPatternSetId to get information about a RegexPatternSet , update a RegexPatternSet , remove a RegexPatternSet from a RegexMatchSet , and delete a RegexPatternSet from AWS WAF.

          RegexPatternSetId is returned by CreateRegexPatternSet and by ListRegexPatternSets .

        • Name (string) --

          A friendly name or description of the RegexPatternSet . You can't change Name after you create a RegexPatternSet .

UpdateRegexPatternSet (new) Link ¶

Inserts or deletes RegexMatchSetUpdate objects (filters) in a RegexPatternSet . For each RegexPatternSet object, you specify the following values:

  • Whether to insert or delete the object from the array. If you want to change a RegexPatternSet object, you delete the existing object and add a new one.

  • The regular expression pattern that you want AWS WAF to look for. For more information, see RegexPatternSet .

For example, you can create a RegexPatternString such as B[a@]dB[o0]t . AWS WAF will match this RegexPatternString to:

To create and configure a RegexPatternSet , perform the following steps:

  • Create a RegexPatternSet. For more information, see CreateRegexPatternSet .

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of an UpdateRegexPatternSet request.

  • Submit an UpdateRegexPatternSet request to specify the regular expression pattern that you want AWS WAF to watch for.

For more information about how to use the AWS WAF API to allow or block HTTP requests, see the AWS WAF Developer Guide .

See also: AWS API Documentation

Request Syntax

client.update_regex_pattern_set(
    RegexPatternSetId='string',
    Updates=[
        {
            'Action': 'INSERT'|'DELETE',
            'RegexPatternString': 'string'
        },
    ],
    ChangeToken='string'
)
type RegexPatternSetId

string

param RegexPatternSetId

[REQUIRED]

The RegexPatternSetId of the RegexPatternSet that you want to update. RegexPatternSetId is returned by CreateRegexPatternSet and by ListRegexPatternSets .

type Updates

list

param Updates

[REQUIRED]

An array of RegexPatternSetUpdate objects that you want to insert into or delete from a RegexPatternSet .

  • (dict) --

    In an UpdateRegexPatternSet request, RegexPatternSetUpdate specifies whether to insert or delete a RegexPatternString and includes the settings for the RegexPatternString .

    • Action (string) -- [REQUIRED]

      Specifies whether to insert or delete a RegexPatternString .

    • RegexPatternString (string) -- [REQUIRED]

      Specifies the regular expression (regex) pattern that you want AWS WAF to search for, such as B[a@]dB[o0]t .

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken .

rtype

dict

returns

Response Syntax

{
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • ChangeToken (string) --

      The ChangeToken that you used to submit the UpdateRegexPatternSet request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .

GetGeoMatchSet (new) Link ¶

Returns the GeoMatchSet that is specified by GeoMatchSetId .

See also: AWS API Documentation

Request Syntax

client.get_geo_match_set(
    GeoMatchSetId='string'
)
type GeoMatchSetId

string

param GeoMatchSetId

[REQUIRED]

The GeoMatchSetId of the GeoMatchSet that you want to get. GeoMatchSetId is returned by CreateGeoMatchSet and by ListGeoMatchSets .

rtype

dict

returns

Response Syntax

{
    'GeoMatchSet': {
        'GeoMatchSetId': 'string',
        'Name': 'string',
        'GeoMatchConstraints': [
            {
                'Type': 'Country',
                'Value': 'AF'|'AX'|'AL'|'DZ'|'AS'|'AD'|'AO'|'AI'|'AQ'|'AG'|'AR'|'AM'|'AW'|'AU'|'AT'|'AZ'|'BS'|'BH'|'BD'|'BB'|'BY'|'BE'|'BZ'|'BJ'|'BM'|'BT'|'BO'|'BQ'|'BA'|'BW'|'BV'|'BR'|'IO'|'BN'|'BG'|'BF'|'BI'|'KH'|'CM'|'CA'|'CV'|'KY'|'CF'|'TD'|'CL'|'CN'|'CX'|'CC'|'CO'|'KM'|'CG'|'CD'|'CK'|'CR'|'CI'|'HR'|'CU'|'CW'|'CY'|'CZ'|'DK'|'DJ'|'DM'|'DO'|'EC'|'EG'|'SV'|'GQ'|'ER'|'EE'|'ET'|'FK'|'FO'|'FJ'|'FI'|'FR'|'GF'|'PF'|'TF'|'GA'|'GM'|'GE'|'DE'|'GH'|'GI'|'GR'|'GL'|'GD'|'GP'|'GU'|'GT'|'GG'|'GN'|'GW'|'GY'|'HT'|'HM'|'VA'|'HN'|'HK'|'HU'|'IS'|'IN'|'ID'|'IR'|'IQ'|'IE'|'IM'|'IL'|'IT'|'JM'|'JP'|'JE'|'JO'|'KZ'|'KE'|'KI'|'KP'|'KR'|'KW'|'KG'|'LA'|'LV'|'LB'|'LS'|'LR'|'LY'|'LI'|'LT'|'LU'|'MO'|'MK'|'MG'|'MW'|'MY'|'MV'|'ML'|'MT'|'MH'|'MQ'|'MR'|'MU'|'YT'|'MX'|'FM'|'MD'|'MC'|'MN'|'ME'|'MS'|'MA'|'MZ'|'MM'|'NA'|'NR'|'NP'|'NL'|'NC'|'NZ'|'NI'|'NE'|'NG'|'NU'|'NF'|'MP'|'NO'|'OM'|'PK'|'PW'|'PS'|'PA'|'PG'|'PY'|'PE'|'PH'|'PN'|'PL'|'PT'|'PR'|'QA'|'RE'|'RO'|'RU'|'RW'|'BL'|'SH'|'KN'|'LC'|'MF'|'PM'|'VC'|'WS'|'SM'|'ST'|'SA'|'SN'|'RS'|'SC'|'SL'|'SG'|'SX'|'SK'|'SI'|'SB'|'SO'|'ZA'|'GS'|'SS'|'ES'|'LK'|'SD'|'SR'|'SJ'|'SZ'|'SE'|'CH'|'SY'|'TW'|'TJ'|'TZ'|'TH'|'TL'|'TG'|'TK'|'TO'|'TT'|'TN'|'TR'|'TM'|'TC'|'TV'|'UG'|'UA'|'AE'|'GB'|'US'|'UM'|'UY'|'UZ'|'VU'|'VE'|'VN'|'VG'|'VI'|'WF'|'EH'|'YE'|'ZM'|'ZW'
            },
        ]
    }
}

Response Structure

  • (dict) --

    • GeoMatchSet (dict) --

      Information about the GeoMatchSet that you specified in the GetGeoMatchSet request. This includes the Type , which for a GeoMatchContraint is always Country , as well as the Value , which is the identifier for a specific country.

      • GeoMatchSetId (string) --

        The GeoMatchSetId for an GeoMatchSet . You use GeoMatchSetId to get information about a GeoMatchSet (see GeoMatchSet ), update a GeoMatchSet (see UpdateGeoMatchSet ), insert a GeoMatchSet into a Rule or delete one from a Rule (see UpdateRule ), and delete a GeoMatchSet from AWS WAF (see DeleteGeoMatchSet ).

        GeoMatchSetId is returned by CreateGeoMatchSet and by ListGeoMatchSets .

      • Name (string) --

        A friendly name or description of the GeoMatchSet . You can't change the name of an GeoMatchSet after you create it.

      • GeoMatchConstraints (list) --

        An array of GeoMatchConstraint objects, which contain the country that you want AWS WAF to search for.

        • (dict) --

          The country from which web requests originate that you want AWS WAF to search for.

          • Type (string) --

            The type of geographical area you want AWS WAF to search for. Currently Country is the only valid value.

          • Value (string) --

            The country that you want AWS WAF to search for.

UpdateRegexMatchSet (new) Link ¶

Inserts or deletes RegexMatchSetUpdate objects (filters) in a RegexMatchSet . For each RegexMatchSetUpdate object, you specify the following values:

  • Whether to insert or delete the object from the array. If you want to change a RegexMatchSetUpdate object, you delete the existing object and add a new one.

  • The part of a web request that you want AWS WAF to inspect, such as a query string or the value of the User-Agent header.

  • The identifier of the pattern (a regular expression) that you want AWS WAF to look for. For more information, see RegexPatternSet .

  • Whether to perform any conversions on the request, such as converting it to lowercase, before inspecting it for the specified string.

For example, you can create a RegexPatternSet that matches any requests with User-Agent headers that contain the string B[a@]dB[o0]t . You can then configure AWS WAF to reject those requests.

To create and configure a RegexMatchSet , perform the following steps:

  • Create a RegexMatchSet. For more information, see CreateRegexMatchSet .

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of an UpdateRegexMatchSet request.

  • Submit an UpdateRegexMatchSet request to specify the part of the request that you want AWS WAF to inspect (for example, the header or the URI) and the identifier of the RegexPatternSet that contain the regular expression patters you want AWS WAF to watch for.

For more information about how to use the AWS WAF API to allow or block HTTP requests, see the AWS WAF Developer Guide .

See also: AWS API Documentation

Request Syntax

client.update_regex_match_set(
    RegexMatchSetId='string',
    Updates=[
        {
            'Action': 'INSERT'|'DELETE',
            'RegexMatchTuple': {
                'FieldToMatch': {
                    'Type': 'URI'|'QUERY_STRING'|'HEADER'|'METHOD'|'BODY',
                    'Data': 'string'
                },
                'TextTransformation': 'NONE'|'COMPRESS_WHITE_SPACE'|'HTML_ENTITY_DECODE'|'LOWERCASE'|'CMD_LINE'|'URL_DECODE',
                'RegexPatternSetId': 'string'
            }
        },
    ],
    ChangeToken='string'
)
type RegexMatchSetId

string

param RegexMatchSetId

[REQUIRED]

The RegexMatchSetId of the RegexMatchSet that you want to update. RegexMatchSetId is returned by CreateRegexMatchSet and by ListRegexMatchSets .

type Updates

list

param Updates

[REQUIRED]

An array of RegexMatchSetUpdate objects that you want to insert into or delete from a RegexMatchSet . For more information, see RegexMatchTuple .

  • (dict) --

    In an UpdateRegexMatchSet request, RegexMatchSetUpdate specifies whether to insert or delete a RegexMatchTuple and includes the settings for the RegexMatchTuple .

    • Action (string) -- [REQUIRED]

      Specifies whether to insert or delete a RegexMatchTuple .

    • RegexMatchTuple (dict) -- [REQUIRED]

      Information about the part of a web request that you want AWS WAF to inspect and the identifier of the regular expression (regex) pattern that you want AWS WAF to search for. If you specify DELETE for the value of Action , the RegexMatchTuple values must exactly match the values in the RegexMatchTuple that you want to delete from the RegexMatchSet .

      • FieldToMatch (dict) -- [REQUIRED]

        Specifies where in a web request to look for the RegexPatternSet .

        • Type (string) -- [REQUIRED]

          The part of the web request that you want AWS WAF to search for a specified string. Parts of a request that you can search include the following:

          • HEADER : A specified request header, for example, the value of the User-Agent or Referer header. If you choose HEADER for the type, specify the name of the header in Data .

          • METHOD : The HTTP method, which indicated the type of operation that the request is asking the origin to perform. Amazon CloudFront supports the following methods: DELETE , GET , HEAD , OPTIONS , PATCH , POST , and PUT .

          • QUERY_STRING : A query string, which is the part of a URL that appears after a ? character, if any.

          • URI : The part of a web request that identifies a resource, for example, /images/daily-ad.jpg .

          • BODY : The part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. The request body immediately follows the request headers. Note that only the first 8192 bytes of the request body are forwarded to AWS WAF for inspection. To allow or block requests based on the length of the body, you can create a size constraint set. For more information, see CreateSizeConstraintSet .

        • Data (string) --

          When the value of Type is HEADER , enter the name of the header that you want AWS WAF to search, for example, User-Agent or Referer . If the value of Type is any other value, omit Data .

          The name of the header is not case sensitive.

      • TextTransformation (string) -- [REQUIRED]

        Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on RegexPatternSet before inspecting a request for a match.

        CMD_LINE

        When you're concerned that attackers are injecting an operating system commandline command and using unusual formatting to disguise some or all of the command, use this option to perform the following transformations:

        • Delete the following characters: " ' ^

        • Delete spaces before the following characters: / (

        • Replace the following characters with a space: , ;

        • Replace multiple spaces with one space

        • Convert uppercase letters (A-Z) to lowercase (a-z)

        COMPRESS_WHITE_SPACE

        Use this option to replace the following characters with a space character (decimal 32):

        • f, formfeed, decimal 12

        • t, tab, decimal 9

        • n, newline, decimal 10

        • r, carriage return, decimal 13

        • v, vertical tab, decimal 11

        • non-breaking space, decimal 160

        COMPRESS_WHITE_SPACE also replaces multiple spaces with one space.

        HTML_ENTITY_DECODE

        Use this option to replace HTML-encoded characters with unencoded characters. HTML_ENTITY_DECODE performs the following operations:

        • Replaces (ampersand)quot; with "

        • Replaces (ampersand)nbsp; with a non-breaking space, decimal 160

        • Replaces (ampersand)lt; with a "less than" symbol

        • Replaces (ampersand)gt; with >

        • Replaces characters that are represented in hexadecimal format, (ampersand)#xhhhh; , with the corresponding characters

        • Replaces characters that are represented in decimal format, (ampersand)#nnnn; , with the corresponding characters

        LOWERCASE

        Use this option to convert uppercase letters (A-Z) to lowercase (a-z).

        URL_DECODE

        Use this option to decode a URL-encoded value.

        NONE

        Specify NONE if you don't want to perform any text transformations.

      • RegexPatternSetId (string) -- [REQUIRED]

        The RegexPatternSetId for a RegexPatternSet . You use RegexPatternSetId to get information about a RegexPatternSet (see GetRegexPatternSet ), update a RegexPatternSet (see UpdateRegexPatternSet ), insert a RegexPatternSet into a RegexMatchSet or delete one from a RegexMatchSet (see UpdateRegexMatchSet ), and delete an RegexPatternSet from AWS WAF (see DeleteRegexPatternSet ).

        RegexPatternSetId is returned by CreateRegexPatternSet and by ListRegexPatternSets .

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken .

rtype

dict

returns

Response Syntax

{
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • ChangeToken (string) --

      The ChangeToken that you used to submit the UpdateRegexMatchSet request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .

CreateRegexPatternSet (new) Link ¶

Creates a RegexPatternSet . You then use UpdateRegexPatternSet to specify the regular expression (regex) pattern that you want AWS WAF to search for, such as B[a@]dB[o0]t . You can then configure AWS WAF to reject those requests.

To create and configure a RegexPatternSet , perform the following steps:

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of a CreateRegexPatternSet request.

  • Submit a CreateRegexPatternSet request.

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of an UpdateRegexPatternSet request.

  • Submit an UpdateRegexPatternSet request to specify the string that you want AWS WAF to watch for.

For more information about how to use the AWS WAF API to allow or block HTTP requests, see the AWS WAF Developer Guide .

See also: AWS API Documentation

Request Syntax

client.create_regex_pattern_set(
    Name='string',
    ChangeToken='string'
)
type Name

string

param Name

[REQUIRED]

A friendly name or description of the RegexPatternSet . You can't change Name after you create a RegexPatternSet .

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken .

rtype

dict

returns

Response Syntax

{
    'RegexPatternSet': {
        'RegexPatternSetId': 'string',
        'Name': 'string',
        'RegexPatternStrings': [
            'string',
        ]
    },
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • RegexPatternSet (dict) --

      A RegexPatternSet that contains no objects.

      • RegexPatternSetId (string) --

        The identifier for the RegexPatternSet . You use RegexPatternSetId to get information about a RegexPatternSet , update a RegexPatternSet , remove a RegexPatternSet from a RegexMatchSet , and delete a RegexPatternSet from AWS WAF.

        RegexMatchSetId is returned by CreateRegexPatternSet and by ListRegexPatternSets .

      • Name (string) --

        A friendly name or description of the RegexPatternSet . You can't change Name after you create a RegexPatternSet .

      • RegexPatternStrings (list) --

        Specifies the regular expression (regex) patterns that you want AWS WAF to search for, such as B[a@]dB[o0]t .

        • (string) --

    • ChangeToken (string) --

      The ChangeToken that you used to submit the CreateRegexPatternSet request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .

DeleteRegexMatchSet (new) Link ¶

Permanently deletes a RegexMatchSet . You can't delete a RegexMatchSet if it's still used in any Rules or if it still includes any RegexMatchTuples objects (any filters).

If you just want to remove a RegexMatchSet from a Rule , use UpdateRule .

To permanently delete a RegexMatchSet , perform the following steps:

  • Update the RegexMatchSet to remove filters, if any. For more information, see UpdateRegexMatchSet .

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of a DeleteRegexMatchSet request.

  • Submit a DeleteRegexMatchSet request.

See also: AWS API Documentation

Request Syntax

client.delete_regex_match_set(
    RegexMatchSetId='string',
    ChangeToken='string'
)
type RegexMatchSetId

string

param RegexMatchSetId

[REQUIRED]

The RegexMatchSetId of the RegexMatchSet that you want to delete. RegexMatchSetId is returned by CreateRegexMatchSet and by ListRegexMatchSets .

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken .

rtype

dict

returns

Response Syntax

{
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • ChangeToken (string) --

      The ChangeToken that you used to submit the DeleteRegexMatchSet request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .

GetRegexMatchSet (new) Link ¶

Returns the RegexMatchSet specified by RegexMatchSetId .

See also: AWS API Documentation

Request Syntax

client.get_regex_match_set(
    RegexMatchSetId='string'
)
type RegexMatchSetId

string

param RegexMatchSetId

[REQUIRED]

The RegexMatchSetId of the RegexMatchSet that you want to get. RegexMatchSetId is returned by CreateRegexMatchSet and by ListRegexMatchSets .

rtype

dict

returns

Response Syntax

{
    'RegexMatchSet': {
        'RegexMatchSetId': 'string',
        'Name': 'string',
        'RegexMatchTuples': [
            {
                'FieldToMatch': {
                    'Type': 'URI'|'QUERY_STRING'|'HEADER'|'METHOD'|'BODY',
                    'Data': 'string'
                },
                'TextTransformation': 'NONE'|'COMPRESS_WHITE_SPACE'|'HTML_ENTITY_DECODE'|'LOWERCASE'|'CMD_LINE'|'URL_DECODE',
                'RegexPatternSetId': 'string'
            },
        ]
    }
}

Response Structure

  • (dict) --

    • RegexMatchSet (dict) --

      Information about the RegexMatchSet that you specified in the GetRegexMatchSet request. For more information, see RegexMatchTuple .

      • RegexMatchSetId (string) --

        The RegexMatchSetId for a RegexMatchSet . You use RegexMatchSetId to get information about a RegexMatchSet (see GetRegexMatchSet ), update a RegexMatchSet (see UpdateRegexMatchSet ), insert a RegexMatchSet into a Rule or delete one from a Rule (see UpdateRule ), and delete a RegexMatchSet from AWS WAF (see DeleteRegexMatchSet ).

        RegexMatchSetId is returned by CreateRegexMatchSet and by ListRegexMatchSets .

      • Name (string) --

        A friendly name or description of the RegexMatchSet . You can't change Name after you create a RegexMatchSet .

      • RegexMatchTuples (list) --

        Contains an array of RegexMatchTuple objects. Each RegexMatchTuple object contains:

        • The part of a web request that you want AWS WAF to inspect, such as a query string or the value of the User-Agent header.

        • The identifier of the pattern (a regular expression) that you want AWS WAF to look for. For more information, see RegexPatternSet .

        • Whether to perform any conversions on the request, such as converting it to lowercase, before inspecting it for the specified string.

        • (dict) --

          The regular expression pattern that you want AWS WAF to search for in web requests, the location in requests that you want AWS WAF to search, and other settings. Each RegexMatchTuple object contains:

          • The part of a web request that you want AWS WAF to inspect, such as a query string or the value of the User-Agent header.

          • The identifier of the pattern (a regular expression) that you want AWS WAF to look for. For more information, see RegexPatternSet .

          • Whether to perform any conversions on the request, such as converting it to lowercase, before inspecting it for the specified string.

          • FieldToMatch (dict) --

            Specifies where in a web request to look for the RegexPatternSet .

            • Type (string) --

              The part of the web request that you want AWS WAF to search for a specified string. Parts of a request that you can search include the following:

              • HEADER : A specified request header, for example, the value of the User-Agent or Referer header. If you choose HEADER for the type, specify the name of the header in Data .

              • METHOD : The HTTP method, which indicated the type of operation that the request is asking the origin to perform. Amazon CloudFront supports the following methods: DELETE , GET , HEAD , OPTIONS , PATCH , POST , and PUT .

              • QUERY_STRING : A query string, which is the part of a URL that appears after a ? character, if any.

              • URI : The part of a web request that identifies a resource, for example, /images/daily-ad.jpg .

              • BODY : The part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. The request body immediately follows the request headers. Note that only the first 8192 bytes of the request body are forwarded to AWS WAF for inspection. To allow or block requests based on the length of the body, you can create a size constraint set. For more information, see CreateSizeConstraintSet .

            • Data (string) --

              When the value of Type is HEADER , enter the name of the header that you want AWS WAF to search, for example, User-Agent or Referer . If the value of Type is any other value, omit Data .

              The name of the header is not case sensitive.

          • TextTransformation (string) --

            Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on RegexPatternSet before inspecting a request for a match.

            CMD_LINE

            When you're concerned that attackers are injecting an operating system commandline command and using unusual formatting to disguise some or all of the command, use this option to perform the following transformations:

            • Delete the following characters: " ' ^

            • Delete spaces before the following characters: / (

            • Replace the following characters with a space: , ;

            • Replace multiple spaces with one space

            • Convert uppercase letters (A-Z) to lowercase (a-z)

            COMPRESS_WHITE_SPACE

            Use this option to replace the following characters with a space character (decimal 32):

            • f, formfeed, decimal 12

            • t, tab, decimal 9

            • n, newline, decimal 10

            • r, carriage return, decimal 13

            • v, vertical tab, decimal 11

            • non-breaking space, decimal 160

            COMPRESS_WHITE_SPACE also replaces multiple spaces with one space.

            HTML_ENTITY_DECODE

            Use this option to replace HTML-encoded characters with unencoded characters. HTML_ENTITY_DECODE performs the following operations:

            • Replaces (ampersand)quot; with "

            • Replaces (ampersand)nbsp; with a non-breaking space, decimal 160

            • Replaces (ampersand)lt; with a "less than" symbol

            • Replaces (ampersand)gt; with >

            • Replaces characters that are represented in hexadecimal format, (ampersand)#xhhhh; , with the corresponding characters

            • Replaces characters that are represented in decimal format, (ampersand)#nnnn; , with the corresponding characters

            LOWERCASE

            Use this option to convert uppercase letters (A-Z) to lowercase (a-z).

            URL_DECODE

            Use this option to decode a URL-encoded value.

            NONE

            Specify NONE if you don't want to perform any text transformations.

          • RegexPatternSetId (string) --

            The RegexPatternSetId for a RegexPatternSet . You use RegexPatternSetId to get information about a RegexPatternSet (see GetRegexPatternSet ), update a RegexPatternSet (see UpdateRegexPatternSet ), insert a RegexPatternSet into a RegexMatchSet or delete one from a RegexMatchSet (see UpdateRegexMatchSet ), and delete an RegexPatternSet from AWS WAF (see DeleteRegexPatternSet ).

            RegexPatternSetId is returned by CreateRegexPatternSet and by ListRegexPatternSets .

UpdateGeoMatchSet (new) Link ¶

Inserts or deletes GeoMatchConstraint objects in an GeoMatchSet . For each GeoMatchConstraint object, you specify the following values:

  • Whether to insert or delete the object from the array. If you want to change an GeoMatchConstraint object, you delete the existing object and add a new one.

  • The Type . The only valid value for Type is Country .

  • The Value , which is a two character code for the country to add to the GeoMatchConstraint object. Valid codes are listed in GeoMatchConstraint$Value .

To create and configure an GeoMatchSet , perform the following steps:

  • Submit a CreateGeoMatchSet request.

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of an UpdateGeoMatchSet request.

  • Submit an UpdateGeoMatchSet request to specify the country that you want AWS WAF to watch for.

When you update an GeoMatchSet , you specify the country that you want to add and/or the country that you want to delete. If you want to change a country, you delete the existing country and add the new one.

For more information about how to use the AWS WAF API to allow or block HTTP requests, see the AWS WAF Developer Guide .

See also: AWS API Documentation

Request Syntax

client.update_geo_match_set(
    GeoMatchSetId='string',
    ChangeToken='string',
    Updates=[
        {
            'Action': 'INSERT'|'DELETE',
            'GeoMatchConstraint': {
                'Type': 'Country',
                'Value': 'AF'|'AX'|'AL'|'DZ'|'AS'|'AD'|'AO'|'AI'|'AQ'|'AG'|'AR'|'AM'|'AW'|'AU'|'AT'|'AZ'|'BS'|'BH'|'BD'|'BB'|'BY'|'BE'|'BZ'|'BJ'|'BM'|'BT'|'BO'|'BQ'|'BA'|'BW'|'BV'|'BR'|'IO'|'BN'|'BG'|'BF'|'BI'|'KH'|'CM'|'CA'|'CV'|'KY'|'CF'|'TD'|'CL'|'CN'|'CX'|'CC'|'CO'|'KM'|'CG'|'CD'|'CK'|'CR'|'CI'|'HR'|'CU'|'CW'|'CY'|'CZ'|'DK'|'DJ'|'DM'|'DO'|'EC'|'EG'|'SV'|'GQ'|'ER'|'EE'|'ET'|'FK'|'FO'|'FJ'|'FI'|'FR'|'GF'|'PF'|'TF'|'GA'|'GM'|'GE'|'DE'|'GH'|'GI'|'GR'|'GL'|'GD'|'GP'|'GU'|'GT'|'GG'|'GN'|'GW'|'GY'|'HT'|'HM'|'VA'|'HN'|'HK'|'HU'|'IS'|'IN'|'ID'|'IR'|'IQ'|'IE'|'IM'|'IL'|'IT'|'JM'|'JP'|'JE'|'JO'|'KZ'|'KE'|'KI'|'KP'|'KR'|'KW'|'KG'|'LA'|'LV'|'LB'|'LS'|'LR'|'LY'|'LI'|'LT'|'LU'|'MO'|'MK'|'MG'|'MW'|'MY'|'MV'|'ML'|'MT'|'MH'|'MQ'|'MR'|'MU'|'YT'|'MX'|'FM'|'MD'|'MC'|'MN'|'ME'|'MS'|'MA'|'MZ'|'MM'|'NA'|'NR'|'NP'|'NL'|'NC'|'NZ'|'NI'|'NE'|'NG'|'NU'|'NF'|'MP'|'NO'|'OM'|'PK'|'PW'|'PS'|'PA'|'PG'|'PY'|'PE'|'PH'|'PN'|'PL'|'PT'|'PR'|'QA'|'RE'|'RO'|'RU'|'RW'|'BL'|'SH'|'KN'|'LC'|'MF'|'PM'|'VC'|'WS'|'SM'|'ST'|'SA'|'SN'|'RS'|'SC'|'SL'|'SG'|'SX'|'SK'|'SI'|'SB'|'SO'|'ZA'|'GS'|'SS'|'ES'|'LK'|'SD'|'SR'|'SJ'|'SZ'|'SE'|'CH'|'SY'|'TW'|'TJ'|'TZ'|'TH'|'TL'|'TG'|'TK'|'TO'|'TT'|'TN'|'TR'|'TM'|'TC'|'TV'|'UG'|'UA'|'AE'|'GB'|'US'|'UM'|'UY'|'UZ'|'VU'|'VE'|'VN'|'VG'|'VI'|'WF'|'EH'|'YE'|'ZM'|'ZW'
            }
        },
    ]
)
type GeoMatchSetId

string

param GeoMatchSetId

[REQUIRED]

The GeoMatchSetId of the GeoMatchSet that you want to update. GeoMatchSetId is returned by CreateGeoMatchSet and by ListGeoMatchSets .

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken .

type Updates

list

param Updates

[REQUIRED]

An array of GeoMatchSetUpdate objects that you want to insert into or delete from an GeoMatchSet . For more information, see the applicable data types:

  • GeoMatchSetUpdate : Contains Action and GeoMatchConstraint

  • GeoMatchConstraint : Contains Type and Value You can have only one Type and Value per GeoMatchConstraint . To add multiple countries, include multiple GeoMatchSetUpdate objects in your request.

  • (dict) --

    Specifies the type of update to perform to an GeoMatchSet with UpdateGeoMatchSet .

    • Action (string) -- [REQUIRED]

      Specifies whether to insert or delete a country with UpdateGeoMatchSet .

    • GeoMatchConstraint (dict) -- [REQUIRED]

      The country from which web requests originate that you want AWS WAF to search for.

      • Type (string) -- [REQUIRED]

        The type of geographical area you want AWS WAF to search for. Currently Country is the only valid value.

      • Value (string) -- [REQUIRED]

        The country that you want AWS WAF to search for.

rtype

dict

returns

Response Syntax

{
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • ChangeToken (string) --

      The ChangeToken that you used to submit the UpdateGeoMatchSet request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .

ListGeoMatchSets (new) Link ¶

Returns an array of GeoMatchSetSummary objects in the response.

See also: AWS API Documentation

Request Syntax

client.list_geo_match_sets(
    NextMarker='string',
    Limit=123
)
type NextMarker

string

param NextMarker

If you specify a value for Limit and you have more GeoMatchSet s than the value of Limit , AWS WAF returns a NextMarker value in the response that allows you to list another group of GeoMatchSet objects. For the second and subsequent ListGeoMatchSets requests, specify the value of NextMarker from the previous response to get information about another batch of GeoMatchSet objects.

type Limit

integer

param Limit

Specifies the number of GeoMatchSet objects that you want AWS WAF to return for this request. If you have more GeoMatchSet objects than the number you specify for Limit , the response includes a NextMarker value that you can use to get another batch of GeoMatchSet objects.

rtype

dict

returns

Response Syntax

{
    'NextMarker': 'string',
    'GeoMatchSets': [
        {
            'GeoMatchSetId': 'string',
            'Name': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • NextMarker (string) --

      If you have more GeoMatchSet objects than the number that you specified for Limit in the request, the response includes a NextMarker value. To list more GeoMatchSet objects, submit another ListGeoMatchSets request, and specify the NextMarker value from the response in the NextMarker value in the next request.

    • GeoMatchSets (list) --

      An array of GeoMatchSetSummary objects.

      • (dict) --

        Contains the identifier and the name of the GeoMatchSet .

        • GeoMatchSetId (string) --

          The GeoMatchSetId for an GeoMatchSet . You can use GeoMatchSetId in a GetGeoMatchSet request to get detailed information about an GeoMatchSet .

        • Name (string) --

          A friendly name or description of the GeoMatchSet . You can't change the name of an GeoMatchSet after you create it.

DeleteGeoMatchSet (new) Link ¶

Permanently deletes a GeoMatchSet . You can't delete a GeoMatchSet if it's still used in any Rules or if it still includes any countries.

If you just want to remove a GeoMatchSet from a Rule , use UpdateRule .

To permanently delete a GeoMatchSet from AWS WAF, perform the following steps:

  • Update the GeoMatchSet to remove any countries. For more information, see UpdateGeoMatchSet .

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of a DeleteGeoMatchSet request.

  • Submit a DeleteGeoMatchSet request.

See also: AWS API Documentation

Request Syntax

client.delete_geo_match_set(
    GeoMatchSetId='string',
    ChangeToken='string'
)
type GeoMatchSetId

string

param GeoMatchSetId

[REQUIRED]

The GeoMatchSetID of the GeoMatchSet that you want to delete. GeoMatchSetId is returned by CreateGeoMatchSet and by ListGeoMatchSets .

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken .

rtype

dict

returns

Response Syntax

{
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • ChangeToken (string) --

      The ChangeToken that you used to submit the DeleteGeoMatchSet request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .

CreateRegexMatchSet (new) Link ¶

Creates a RegexMatchSet . You then use UpdateRegexMatchSet to identify the part of a web request that you want AWS WAF to inspect, such as the values of the User-Agent header or the query string. For example, you can create a RegexMatchSet that contains a RegexMatchTuple that looks for any requests with User-Agent headers that match a RegexPatternSet with pattern B[a@]dB[o0]t . You can then configure AWS WAF to reject those requests.

To create and configure a RegexMatchSet , perform the following steps:

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of a CreateRegexMatchSet request.

  • Submit a CreateRegexMatchSet request.

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of an UpdateRegexMatchSet request.

  • Submit an UpdateRegexMatchSet request to specify the part of the request that you want AWS WAF to inspect (for example, the header or the URI) and the value, using a RegexPatternSet , that you want AWS WAF to watch for.

For more information about how to use the AWS WAF API to allow or block HTTP requests, see the AWS WAF Developer Guide .

See also: AWS API Documentation

Request Syntax

client.create_regex_match_set(
    Name='string',
    ChangeToken='string'
)
type Name

string

param Name

[REQUIRED]

A friendly name or description of the RegexMatchSet . You can't change Name after you create a RegexMatchSet .

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken .

rtype

dict

returns

Response Syntax

{
    'RegexMatchSet': {
        'RegexMatchSetId': 'string',
        'Name': 'string',
        'RegexMatchTuples': [
            {
                'FieldToMatch': {
                    'Type': 'URI'|'QUERY_STRING'|'HEADER'|'METHOD'|'BODY',
                    'Data': 'string'
                },
                'TextTransformation': 'NONE'|'COMPRESS_WHITE_SPACE'|'HTML_ENTITY_DECODE'|'LOWERCASE'|'CMD_LINE'|'URL_DECODE',
                'RegexPatternSetId': 'string'
            },
        ]
    },
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • RegexMatchSet (dict) --

      A RegexMatchSet that contains no RegexMatchTuple objects.

      • RegexMatchSetId (string) --

        The RegexMatchSetId for a RegexMatchSet . You use RegexMatchSetId to get information about a RegexMatchSet (see GetRegexMatchSet ), update a RegexMatchSet (see UpdateRegexMatchSet ), insert a RegexMatchSet into a Rule or delete one from a Rule (see UpdateRule ), and delete a RegexMatchSet from AWS WAF (see DeleteRegexMatchSet ).

        RegexMatchSetId is returned by CreateRegexMatchSet and by ListRegexMatchSets .

      • Name (string) --

        A friendly name or description of the RegexMatchSet . You can't change Name after you create a RegexMatchSet .

      • RegexMatchTuples (list) --

        Contains an array of RegexMatchTuple objects. Each RegexMatchTuple object contains:

        • The part of a web request that you want AWS WAF to inspect, such as a query string or the value of the User-Agent header.

        • The identifier of the pattern (a regular expression) that you want AWS WAF to look for. For more information, see RegexPatternSet .

        • Whether to perform any conversions on the request, such as converting it to lowercase, before inspecting it for the specified string.

        • (dict) --

          The regular expression pattern that you want AWS WAF to search for in web requests, the location in requests that you want AWS WAF to search, and other settings. Each RegexMatchTuple object contains:

          • The part of a web request that you want AWS WAF to inspect, such as a query string or the value of the User-Agent header.

          • The identifier of the pattern (a regular expression) that you want AWS WAF to look for. For more information, see RegexPatternSet .

          • Whether to perform any conversions on the request, such as converting it to lowercase, before inspecting it for the specified string.

          • FieldToMatch (dict) --

            Specifies where in a web request to look for the RegexPatternSet .

            • Type (string) --

              The part of the web request that you want AWS WAF to search for a specified string. Parts of a request that you can search include the following:

              • HEADER : A specified request header, for example, the value of the User-Agent or Referer header. If you choose HEADER for the type, specify the name of the header in Data .

              • METHOD : The HTTP method, which indicated the type of operation that the request is asking the origin to perform. Amazon CloudFront supports the following methods: DELETE , GET , HEAD , OPTIONS , PATCH , POST , and PUT .

              • QUERY_STRING : A query string, which is the part of a URL that appears after a ? character, if any.

              • URI : The part of a web request that identifies a resource, for example, /images/daily-ad.jpg .

              • BODY : The part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. The request body immediately follows the request headers. Note that only the first 8192 bytes of the request body are forwarded to AWS WAF for inspection. To allow or block requests based on the length of the body, you can create a size constraint set. For more information, see CreateSizeConstraintSet .

            • Data (string) --

              When the value of Type is HEADER , enter the name of the header that you want AWS WAF to search, for example, User-Agent or Referer . If the value of Type is any other value, omit Data .

              The name of the header is not case sensitive.

          • TextTransformation (string) --

            Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on RegexPatternSet before inspecting a request for a match.

            CMD_LINE

            When you're concerned that attackers are injecting an operating system commandline command and using unusual formatting to disguise some or all of the command, use this option to perform the following transformations:

            • Delete the following characters: " ' ^

            • Delete spaces before the following characters: / (

            • Replace the following characters with a space: , ;

            • Replace multiple spaces with one space

            • Convert uppercase letters (A-Z) to lowercase (a-z)

            COMPRESS_WHITE_SPACE

            Use this option to replace the following characters with a space character (decimal 32):

            • f, formfeed, decimal 12

            • t, tab, decimal 9

            • n, newline, decimal 10

            • r, carriage return, decimal 13

            • v, vertical tab, decimal 11

            • non-breaking space, decimal 160

            COMPRESS_WHITE_SPACE also replaces multiple spaces with one space.

            HTML_ENTITY_DECODE

            Use this option to replace HTML-encoded characters with unencoded characters. HTML_ENTITY_DECODE performs the following operations:

            • Replaces (ampersand)quot; with "

            • Replaces (ampersand)nbsp; with a non-breaking space, decimal 160

            • Replaces (ampersand)lt; with a "less than" symbol

            • Replaces (ampersand)gt; with >

            • Replaces characters that are represented in hexadecimal format, (ampersand)#xhhhh; , with the corresponding characters

            • Replaces characters that are represented in decimal format, (ampersand)#nnnn; , with the corresponding characters

            LOWERCASE

            Use this option to convert uppercase letters (A-Z) to lowercase (a-z).

            URL_DECODE

            Use this option to decode a URL-encoded value.

            NONE

            Specify NONE if you don't want to perform any text transformations.

          • RegexPatternSetId (string) --

            The RegexPatternSetId for a RegexPatternSet . You use RegexPatternSetId to get information about a RegexPatternSet (see GetRegexPatternSet ), update a RegexPatternSet (see UpdateRegexPatternSet ), insert a RegexPatternSet into a RegexMatchSet or delete one from a RegexMatchSet (see UpdateRegexMatchSet ), and delete an RegexPatternSet from AWS WAF (see DeleteRegexPatternSet ).

            RegexPatternSetId is returned by CreateRegexPatternSet and by ListRegexPatternSets .

    • ChangeToken (string) --

      The ChangeToken that you used to submit the CreateRegexMatchSet request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .

ListRegexMatchSets (new) Link ¶

Returns an array of RegexMatchSetSummary objects.

See also: AWS API Documentation

Request Syntax

client.list_regex_match_sets(
    NextMarker='string',
    Limit=123
)
type NextMarker

string

param NextMarker

If you specify a value for Limit and you have more RegexMatchSet objects than the value of Limit , AWS WAF returns a NextMarker value in the response that allows you to list another group of ByteMatchSets . For the second and subsequent ListRegexMatchSets requests, specify the value of NextMarker from the previous response to get information about another batch of RegexMatchSet objects.

type Limit

integer

param Limit

Specifies the number of RegexMatchSet objects that you want AWS WAF to return for this request. If you have more RegexMatchSet objects than the number you specify for Limit , the response includes a NextMarker value that you can use to get another batch of RegexMatchSet objects.

rtype

dict

returns

Response Syntax

{
    'NextMarker': 'string',
    'RegexMatchSets': [
        {
            'RegexMatchSetId': 'string',
            'Name': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    • NextMarker (string) --

      If you have more RegexMatchSet objects than the number that you specified for Limit in the request, the response includes a NextMarker value. To list more RegexMatchSet objects, submit another ListRegexMatchSets request, and specify the NextMarker value from the response in the NextMarker value in the next request.

    • RegexMatchSets (list) --

      An array of RegexMatchSetSummary objects.

      • (dict) --

        Returned by ListRegexMatchSets . Each RegexMatchSetSummary object includes the Name and RegexMatchSetId for one RegexMatchSet .

        • RegexMatchSetId (string) --

          The RegexMatchSetId for a RegexMatchSet . You use RegexMatchSetId to get information about a RegexMatchSet , update a RegexMatchSet , remove a RegexMatchSet from a Rule , and delete a RegexMatchSet from AWS WAF.

          RegexMatchSetId is returned by CreateRegexMatchSet and by ListRegexMatchSets .

        • Name (string) --

          A friendly name or description of the RegexMatchSet . You can't change Name after you create a RegexMatchSet .

CreateRateBasedRule (updated) Link ¶
Changes (response)
{'Rule': {'MatchPredicates': {'Type': ['GeoMatch', 'RegexMatch']}}}

Creates a RateBasedRule . The RateBasedRule contains a RateLimit , which specifies the maximum number of requests that AWS WAF allows from a specified IP address in a five-minute period. The RateBasedRule also contains the IPSet objects, ByteMatchSet objects, and other predicates that identify the requests that you want to count or block if these requests exceed the RateLimit .

If you add more than one predicate to a RateBasedRule , a request not only must exceed the RateLimit , but it also must match all the specifications to be counted or blocked. For example, suppose you add the following to a RateBasedRule :

  • An IPSet that matches the IP address 192.0.2.44/32

  • A ByteMatchSet that matches BadBot in the User-Agent header

Further, you specify a RateLimit of 15,000.

You then add the RateBasedRule to a WebACL and specify that you want to block requests that meet the conditions in the rule. For a request to be blocked, it must come from the IP address 192.0.2.44 and the User-Agent header in the request must contain the value BadBot . Further, requests that match these two conditions must be received at a rate of more than 15,000 requests every five minutes. If both conditions are met and the rate is exceeded, AWS WAF blocks the requests. If the rate drops below 15,000 for a five-minute period, AWS WAF no longer blocks the requests.

As a second example, suppose you want to limit requests to a particular page on your site. To do this, you could add the following to a RateBasedRule :

  • A ByteMatchSet with FieldToMatch of URI

  • A PositionalConstraint of STARTS_WITH

  • A TargetString of login

Further, you specify a RateLimit of 15,000.

By adding this RateBasedRule to a WebACL , you could limit requests to your login page without affecting the rest of your site.

To create and configure a RateBasedRule , perform the following steps:

  • Create and update the predicates that you want to include in the rule. For more information, see CreateByteMatchSet , CreateIPSet , and CreateSqlInjectionMatchSet .

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of a CreateRule request.

  • Submit a CreateRateBasedRule request.

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of an UpdateRule request.

  • Submit an UpdateRateBasedRule request to specify the predicates that you want to include in the rule.

  • Create and update a WebACL that contains the RateBasedRule . For more information, see CreateWebACL .

For more information about how to use the AWS WAF API to allow or block HTTP requests, see the AWS WAF Developer Guide .

See also: AWS API Documentation

Request Syntax

client.create_rate_based_rule(
    Name='string',
    MetricName='string',
    RateKey='IP',
    RateLimit=123,
    ChangeToken='string'
)
type Name

string

param Name

[REQUIRED]

A friendly name or description of the RateBasedRule . You can't change the name of a RateBasedRule after you create it.

type MetricName

string

param MetricName

[REQUIRED]

A friendly name or description for the metrics for this RateBasedRule . The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can't contain whitespace. You can't change the name of the metric after you create the RateBasedRule .

type RateKey

string

param RateKey

[REQUIRED]

The field that AWS WAF uses to determine if requests are likely arriving from a single source and thus subject to rate monitoring. The only valid value for RateKey is IP . IP indicates that requests that arrive from the same IP address are subject to the RateLimit that is specified in the RateBasedRule .

type RateLimit

integer

param RateLimit

[REQUIRED]

The maximum number of requests, which have an identical value in the field that is specified by RateKey , allowed in a five-minute period. If the number of requests exceeds the RateLimit and the other predicates specified in the rule are also met, AWS WAF triggers the action that is specified for this rule.

type ChangeToken

string

param ChangeToken

[REQUIRED]

The ChangeToken that you used to submit the CreateRateBasedRule request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .

rtype

dict

returns

Response Syntax

{
    'Rule': {
        'RuleId': 'string',
        'Name': 'string',
        'MetricName': 'string',
        'MatchPredicates': [
            {
                'Negated': True|False,
                'Type': 'IPMatch'|'ByteMatch'|'SqlInjectionMatch'|'GeoMatch'|'SizeConstraint'|'XssMatch'|'RegexMatch',
                'DataId': 'string'
            },
        ],
        'RateKey': 'IP',
        'RateLimit': 123
    },
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • Rule (dict) --

      The RateBasedRule that is returned in the CreateRateBasedRule response.

      • RuleId (string) --

        A unique identifier for a RateBasedRule . You use RuleId to get more information about a RateBasedRule (see GetRateBasedRule ), update a RateBasedRule (see UpdateRateBasedRule ), insert a RateBasedRule into a WebACL or delete one from a WebACL (see UpdateWebACL ), or delete a RateBasedRule from AWS WAF (see DeleteRateBasedRule ).

      • Name (string) --

        A friendly name or description for a RateBasedRule . You can't change the name of a RateBasedRule after you create it.

      • MetricName (string) --

        A friendly name or description for the metrics for a RateBasedRule . The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can't contain whitespace. You can't change the name of the metric after you create the RateBasedRule .

      • MatchPredicates (list) --

        The Predicates object contains one Predicate element for each ByteMatchSet , IPSet , or SqlInjectionMatchSet object that you want to include in a RateBasedRule .

        • (dict) --

          Specifies the ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , RegexMatchSet , GeoMatchSet , and SizeConstraintSet objects that you want to add to a Rule and, for each object, indicates whether you want to negate the settings, for example, requests that do NOT originate from the IP address 192.0.2.44.

          • Negated (boolean) --

            Set Negated to False if you want AWS WAF to allow, block, or count requests based on the settings in the specified ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , RegexMatchSet , GeoMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow or block requests based on that IP address.

            Set Negated to True if you want AWS WAF to allow or block a request based on the negation of the settings in the ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , RegexMatchSet , GeoMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44 .

          • Type (string) --

            The type of predicate in a Rule , such as ByteMatchSet or IPSet .

          • DataId (string) --

            A unique identifier for a predicate in a Rule , such as ByteMatchSetId or IPSetId . The ID is returned by the corresponding Create or List command.

      • RateKey (string) --

        The field that AWS WAF uses to determine if requests are likely arriving from single source and thus subject to rate monitoring. The only valid value for RateKey is IP . IP indicates that requests arriving from the same IP address are subject to the RateLimit that is specified in the RateBasedRule .

      • RateLimit (integer) --

        The maximum number of requests, which have an identical value in the field specified by the RateKey , allowed in a five-minute period. If the number of requests exceeds the RateLimit and the other predicates specified in the rule are also met, AWS WAF triggers the action that is specified for this rule.

    • ChangeToken (string) --

      The ChangeToken that you used to submit the CreateRateBasedRule request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .

CreateRule (updated) Link ¶
Changes (response)
{'Rule': {'Predicates': {'Type': ['GeoMatch', 'RegexMatch']}}}

Creates a Rule , which contains the IPSet objects, ByteMatchSet objects, and other predicates that identify the requests that you want to block. If you add more than one predicate to a Rule , a request must match all of the specifications to be allowed or blocked. For example, suppose you add the following to a Rule :

  • An IPSet that matches the IP address 192.0.2.44/32

  • A ByteMatchSet that matches BadBot in the User-Agent header

You then add the Rule to a WebACL and specify that you want to blocks requests that satisfy the Rule . For a request to be blocked, it must come from the IP address 192.0.2.44 and the User-Agent header in the request must contain the value BadBot .

To create and configure a Rule , perform the following steps:

  • Create and update the predicates that you want to include in the Rule . For more information, see CreateByteMatchSet , CreateIPSet , and CreateSqlInjectionMatchSet .

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of a CreateRule request.

  • Submit a CreateRule request.

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of an UpdateRule request.

  • Submit an UpdateRule request to specify the predicates that you want to include in the Rule .

  • Create and update a WebACL that contains the Rule . For more information, see CreateWebACL .

For more information about how to use the AWS WAF API to allow or block HTTP requests, see the AWS WAF Developer Guide .

See also: AWS API Documentation

Request Syntax

client.create_rule(
    Name='string',
    MetricName='string',
    ChangeToken='string'
)
type Name

string

param Name

[REQUIRED]

A friendly name or description of the Rule . You can't change the name of a Rule after you create it.

type MetricName

string

param MetricName

[REQUIRED]

A friendly name or description for the metrics for this Rule . The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can't contain whitespace. You can't change the name of the metric after you create the Rule .

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken .

rtype

dict

returns

Response Syntax

{
    'Rule': {
        'RuleId': 'string',
        'Name': 'string',
        'MetricName': 'string',
        'Predicates': [
            {
                'Negated': True|False,
                'Type': 'IPMatch'|'ByteMatch'|'SqlInjectionMatch'|'GeoMatch'|'SizeConstraint'|'XssMatch'|'RegexMatch',
                'DataId': 'string'
            },
        ]
    },
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • Rule (dict) --

      The Rule returned in the CreateRule response.

      • RuleId (string) --

        A unique identifier for a Rule . You use RuleId to get more information about a Rule (see GetRule ), update a Rule (see UpdateRule ), insert a Rule into a WebACL or delete a one from a WebACL (see UpdateWebACL ), or delete a Rule from AWS WAF (see DeleteRule ).

        RuleId is returned by CreateRule and by ListRules .

      • Name (string) --

        The friendly name or description for the Rule . You can't change the name of a Rule after you create it.

      • MetricName (string) --

        A friendly name or description for the metrics for this Rule . The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can't contain whitespace. You can't change MetricName after you create the Rule .

      • Predicates (list) --

        The Predicates object contains one Predicate element for each ByteMatchSet , IPSet , or SqlInjectionMatchSet object that you want to include in a Rule .

        • (dict) --

          Specifies the ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , RegexMatchSet , GeoMatchSet , and SizeConstraintSet objects that you want to add to a Rule and, for each object, indicates whether you want to negate the settings, for example, requests that do NOT originate from the IP address 192.0.2.44.

          • Negated (boolean) --

            Set Negated to False if you want AWS WAF to allow, block, or count requests based on the settings in the specified ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , RegexMatchSet , GeoMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow or block requests based on that IP address.

            Set Negated to True if you want AWS WAF to allow or block a request based on the negation of the settings in the ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , RegexMatchSet , GeoMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44 .

          • Type (string) --

            The type of predicate in a Rule , such as ByteMatchSet or IPSet .

          • DataId (string) --

            A unique identifier for a predicate in a Rule , such as ByteMatchSetId or IPSetId . The ID is returned by the corresponding Create or List command.

    • ChangeToken (string) --

      The ChangeToken that you used to submit the CreateRule request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .

GetRateBasedRule (updated) Link ¶
Changes (response)
{'Rule': {'MatchPredicates': {'Type': ['GeoMatch', 'RegexMatch']}}}

Returns the RateBasedRule that is specified by the RuleId that you included in the GetRateBasedRule request.

See also: AWS API Documentation

Request Syntax

client.get_rate_based_rule(
    RuleId='string'
)
type RuleId

string

param RuleId

[REQUIRED]

The RuleId of the RateBasedRule that you want to get. RuleId is returned by CreateRateBasedRule and by ListRateBasedRules .

rtype

dict

returns

Response Syntax

{
    'Rule': {
        'RuleId': 'string',
        'Name': 'string',
        'MetricName': 'string',
        'MatchPredicates': [
            {
                'Negated': True|False,
                'Type': 'IPMatch'|'ByteMatch'|'SqlInjectionMatch'|'GeoMatch'|'SizeConstraint'|'XssMatch'|'RegexMatch',
                'DataId': 'string'
            },
        ],
        'RateKey': 'IP',
        'RateLimit': 123
    }
}

Response Structure

  • (dict) --

    • Rule (dict) --

      Information about the RateBasedRule that you specified in the GetRateBasedRule request.

      • RuleId (string) --

        A unique identifier for a RateBasedRule . You use RuleId to get more information about a RateBasedRule (see GetRateBasedRule ), update a RateBasedRule (see UpdateRateBasedRule ), insert a RateBasedRule into a WebACL or delete one from a WebACL (see UpdateWebACL ), or delete a RateBasedRule from AWS WAF (see DeleteRateBasedRule ).

      • Name (string) --

        A friendly name or description for a RateBasedRule . You can't change the name of a RateBasedRule after you create it.

      • MetricName (string) --

        A friendly name or description for the metrics for a RateBasedRule . The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can't contain whitespace. You can't change the name of the metric after you create the RateBasedRule .

      • MatchPredicates (list) --

        The Predicates object contains one Predicate element for each ByteMatchSet , IPSet , or SqlInjectionMatchSet object that you want to include in a RateBasedRule .

        • (dict) --

          Specifies the ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , RegexMatchSet , GeoMatchSet , and SizeConstraintSet objects that you want to add to a Rule and, for each object, indicates whether you want to negate the settings, for example, requests that do NOT originate from the IP address 192.0.2.44.

          • Negated (boolean) --

            Set Negated to False if you want AWS WAF to allow, block, or count requests based on the settings in the specified ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , RegexMatchSet , GeoMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow or block requests based on that IP address.

            Set Negated to True if you want AWS WAF to allow or block a request based on the negation of the settings in the ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , RegexMatchSet , GeoMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44 .

          • Type (string) --

            The type of predicate in a Rule , such as ByteMatchSet or IPSet .

          • DataId (string) --

            A unique identifier for a predicate in a Rule , such as ByteMatchSetId or IPSetId . The ID is returned by the corresponding Create or List command.

      • RateKey (string) --

        The field that AWS WAF uses to determine if requests are likely arriving from single source and thus subject to rate monitoring. The only valid value for RateKey is IP . IP indicates that requests arriving from the same IP address are subject to the RateLimit that is specified in the RateBasedRule .

      • RateLimit (integer) --

        The maximum number of requests, which have an identical value in the field specified by the RateKey , allowed in a five-minute period. If the number of requests exceeds the RateLimit and the other predicates specified in the rule are also met, AWS WAF triggers the action that is specified for this rule.

GetRule (updated) Link ¶
Changes (response)
{'Rule': {'Predicates': {'Type': ['GeoMatch', 'RegexMatch']}}}

Returns the Rule that is specified by the RuleId that you included in the GetRule request.

See also: AWS API Documentation

Request Syntax

client.get_rule(
    RuleId='string'
)
type RuleId

string

param RuleId

[REQUIRED]

The RuleId of the Rule that you want to get. RuleId is returned by CreateRule and by ListRules .

rtype

dict

returns

Response Syntax

{
    'Rule': {
        'RuleId': 'string',
        'Name': 'string',
        'MetricName': 'string',
        'Predicates': [
            {
                'Negated': True|False,
                'Type': 'IPMatch'|'ByteMatch'|'SqlInjectionMatch'|'GeoMatch'|'SizeConstraint'|'XssMatch'|'RegexMatch',
                'DataId': 'string'
            },
        ]
    }
}

Response Structure

  • (dict) --

    • Rule (dict) --

      Information about the Rule that you specified in the GetRule request. For more information, see the following topics:

      • Rule : Contains MetricName , Name , an array of Predicate objects, and RuleId

      • Predicate : Each Predicate object contains DataId , Negated , and Type

      • RuleId (string) --

        A unique identifier for a Rule . You use RuleId to get more information about a Rule (see GetRule ), update a Rule (see UpdateRule ), insert a Rule into a WebACL or delete a one from a WebACL (see UpdateWebACL ), or delete a Rule from AWS WAF (see DeleteRule ).

        RuleId is returned by CreateRule and by ListRules .

      • Name (string) --

        The friendly name or description for the Rule . You can't change the name of a Rule after you create it.

      • MetricName (string) --

        A friendly name or description for the metrics for this Rule . The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can't contain whitespace. You can't change MetricName after you create the Rule .

      • Predicates (list) --

        The Predicates object contains one Predicate element for each ByteMatchSet , IPSet , or SqlInjectionMatchSet object that you want to include in a Rule .

        • (dict) --

          Specifies the ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , RegexMatchSet , GeoMatchSet , and SizeConstraintSet objects that you want to add to a Rule and, for each object, indicates whether you want to negate the settings, for example, requests that do NOT originate from the IP address 192.0.2.44.

          • Negated (boolean) --

            Set Negated to False if you want AWS WAF to allow, block, or count requests based on the settings in the specified ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , RegexMatchSet , GeoMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow or block requests based on that IP address.

            Set Negated to True if you want AWS WAF to allow or block a request based on the negation of the settings in the ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , RegexMatchSet , GeoMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44 .

          • Type (string) --

            The type of predicate in a Rule , such as ByteMatchSet or IPSet .

          • DataId (string) --

            A unique identifier for a predicate in a Rule , such as ByteMatchSetId or IPSetId . The ID is returned by the corresponding Create or List command.

UpdateRateBasedRule (updated) Link ¶
Changes (request)
{'Updates': {'Predicate': {'Type': ['GeoMatch', 'RegexMatch']}}}

Inserts or deletes Predicate objects in a rule and updates the RateLimit in the rule.

Each Predicate object identifies a predicate, such as a ByteMatchSet or an IPSet , that specifies the web requests that you want to block or count. The RateLimit specifies the number of requests every five minutes that triggers the rule.

If you add more than one predicate to a RateBasedRule , a request must match all the predicates and exceed the RateLimit to be counted or blocked. For example, suppose you add the following to a RateBasedRule :

  • An IPSet that matches the IP address 192.0.2.44/32

  • A ByteMatchSet that matches BadBot in the User-Agent header

Further, you specify a RateLimit of 15,000.

You then add the RateBasedRule to a WebACL and specify that you want to block requests that satisfy the rule. For a request to be blocked, it must come from the IP address 192.0.2.44 and the User-Agent header in the request must contain the value BadBot . Further, requests that match these two conditions much be received at a rate of more than 15,000 every five minutes. If the rate drops below this limit, AWS WAF no longer blocks the requests.

As a second example, suppose you want to limit requests to a particular page on your site. To do this, you could add the following to a RateBasedRule :

  • A ByteMatchSet with FieldToMatch of URI

  • A PositionalConstraint of STARTS_WITH

  • A TargetString of login

Further, you specify a RateLimit of 15,000.

By adding this RateBasedRule to a WebACL , you could limit requests to your login page without affecting the rest of your site.

See also: AWS API Documentation

Request Syntax

client.update_rate_based_rule(
    RuleId='string',
    ChangeToken='string',
    Updates=[
        {
            'Action': 'INSERT'|'DELETE',
            'Predicate': {
                'Negated': True|False,
                'Type': 'IPMatch'|'ByteMatch'|'SqlInjectionMatch'|'GeoMatch'|'SizeConstraint'|'XssMatch'|'RegexMatch',
                'DataId': 'string'
            }
        },
    ],
    RateLimit=123
)
type RuleId

string

param RuleId

[REQUIRED]

The RuleId of the RateBasedRule that you want to update. RuleId is returned by CreateRateBasedRule and by ListRateBasedRules .

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken .

type Updates

list

param Updates

[REQUIRED]

An array of RuleUpdate objects that you want to insert into or delete from a RateBasedRule .

  • (dict) --

    Specifies a Predicate (such as an IPSet ) and indicates whether you want to add it to a Rule or delete it from a Rule .

    • Action (string) -- [REQUIRED]

      Specify INSERT to add a Predicate to a Rule . Use DELETE to remove a Predicate from a Rule .

    • Predicate (dict) -- [REQUIRED]

      The ID of the Predicate (such as an IPSet ) that you want to add to a Rule .

      • Negated (boolean) -- [REQUIRED]

        Set Negated to False if you want AWS WAF to allow, block, or count requests based on the settings in the specified ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , RegexMatchSet , GeoMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow or block requests based on that IP address.

        Set Negated to True if you want AWS WAF to allow or block a request based on the negation of the settings in the ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , RegexMatchSet , GeoMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44 .

      • Type (string) -- [REQUIRED]

        The type of predicate in a Rule , such as ByteMatchSet or IPSet .

      • DataId (string) -- [REQUIRED]

        A unique identifier for a predicate in a Rule , such as ByteMatchSetId or IPSetId . The ID is returned by the corresponding Create or List command.

type RateLimit

integer

param RateLimit

[REQUIRED]

The maximum number of requests, which have an identical value in the field specified by the RateKey , allowed in a five-minute period. If the number of requests exceeds the RateLimit and the other predicates specified in the rule are also met, AWS WAF triggers the action that is specified for this rule.

rtype

dict

returns

Response Syntax

{
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • ChangeToken (string) --

      The ChangeToken that you used to submit the UpdateRateBasedRule request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .

UpdateRule (updated) Link ¶
Changes (request)
{'Updates': {'Predicate': {'Type': ['GeoMatch', 'RegexMatch']}}}

Inserts or deletes Predicate objects in a Rule . Each Predicate object identifies a predicate, such as a ByteMatchSet or an IPSet , that specifies the web requests that you want to allow, block, or count. If you add more than one predicate to a Rule , a request must match all of the specifications to be allowed, blocked, or counted. For example, suppose you add the following to a Rule :

  • A ByteMatchSet that matches the value BadBot in the User-Agent header

  • An IPSet that matches the IP address 192.0.2.44

You then add the Rule to a WebACL and specify that you want to block requests that satisfy the Rule . For a request to be blocked, the User-Agent header in the request must contain the value BadBot and the request must originate from the IP address 192.0.2.44.

To create and configure a Rule , perform the following steps:

  • Create and update the predicates that you want to include in the Rule .

  • Create the Rule . See CreateRule .

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of an UpdateRule request.

  • Submit an UpdateRule request to add predicates to the Rule .

  • Create and update a WebACL that contains the Rule . See CreateWebACL .

If you want to replace one ByteMatchSet or IPSet with another, you delete the existing one and add the new one.

For more information about how to use the AWS WAF API to allow or block HTTP requests, see the AWS WAF Developer Guide .

See also: AWS API Documentation

Request Syntax

client.update_rule(
    RuleId='string',
    ChangeToken='string',
    Updates=[
        {
            'Action': 'INSERT'|'DELETE',
            'Predicate': {
                'Negated': True|False,
                'Type': 'IPMatch'|'ByteMatch'|'SqlInjectionMatch'|'GeoMatch'|'SizeConstraint'|'XssMatch'|'RegexMatch',
                'DataId': 'string'
            }
        },
    ]
)
type RuleId

string

param RuleId

[REQUIRED]

The RuleId of the Rule that you want to update. RuleId is returned by CreateRule and by ListRules .

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken .

type Updates

list

param Updates

[REQUIRED]

An array of RuleUpdate objects that you want to insert into or delete from a Rule . For more information, see the applicable data types:

  • RuleUpdate : Contains Action and Predicate

  • Predicate : Contains DataId , Negated , and Type

  • FieldToMatch : Contains Data and Type

  • (dict) --

    Specifies a Predicate (such as an IPSet ) and indicates whether you want to add it to a Rule or delete it from a Rule .

    • Action (string) -- [REQUIRED]

      Specify INSERT to add a Predicate to a Rule . Use DELETE to remove a Predicate from a Rule .

    • Predicate (dict) -- [REQUIRED]

      The ID of the Predicate (such as an IPSet ) that you want to add to a Rule .

      • Negated (boolean) -- [REQUIRED]

        Set Negated to False if you want AWS WAF to allow, block, or count requests based on the settings in the specified ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , RegexMatchSet , GeoMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow or block requests based on that IP address.

        Set Negated to True if you want AWS WAF to allow or block a request based on the negation of the settings in the ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , RegexMatchSet , GeoMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44 .

      • Type (string) -- [REQUIRED]

        The type of predicate in a Rule , such as ByteMatchSet or IPSet .

      • DataId (string) -- [REQUIRED]

        A unique identifier for a predicate in a Rule , such as ByteMatchSetId or IPSetId . The ID is returned by the corresponding Create or List command.

rtype

dict

returns

Response Syntax

{
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • ChangeToken (string) --

      The ChangeToken that you used to submit the UpdateRule request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .