AWS WAF

2016/03/29 - AWS WAF - 5 new 3 updated api methods

DeleteXssMatchSet (new) Link ¶

Permanently deletes an XssMatchSet . You can't delete an XssMatchSet if it's still used in any Rules or if it still contains any XssMatchTuple objects.

If you just want to remove an XssMatchSet from a Rule , use UpdateRule .

To permanently delete an XssMatchSet from AWS WAF, perform the following steps:

  • Update the XssMatchSet to remove filters, if any. For more information, see UpdateXssMatchSet .

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of a DeleteXssMatchSet request.

  • Submit a DeleteXssMatchSet request.

Request Syntax

client.delete_xss_match_set(
    XssMatchSetId='string',
    ChangeToken='string'
)
type XssMatchSetId

string

param XssMatchSetId

[REQUIRED]

The XssMatchSetId of the XssMatchSet that you want to delete. XssMatchSetId is returned by CreateXssMatchSet and by ListXssMatchSets .

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken .

rtype

dict

returns

Response Syntax

{
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    The response to a request to delete an XssMatchSet from AWS WAF.

    • ChangeToken (string) --

      The ChangeToken that you used to submit the DeleteXssMatchSet request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .

UpdateXssMatchSet (new) Link ¶

Inserts or deletes XssMatchTuple objects (filters) in an XssMatchSet . For each XssMatchTuple object, you specify the following values:

  • Action : Whether to insert the object into or delete the object from the array. To change a XssMatchTuple , you delete the existing object and add a new one.

  • FieldToMatch : The part of web requests that you want AWS WAF to inspect and, if you want AWS WAF to inspect a header, the name of the header.

  • TextTransformation : Which text transformation, if any, to perform on the web request before inspecting the request for cross-site scripting attacks.

You use XssMatchSet objects to specify which CloudFront requests you want to allow, block, or count. For example, if you're receiving requests that contain cross-site scripting attacks in the request body and you want to block the requests, you can create an XssMatchSet with the applicable settings, and then configure AWS WAF to block the requests.

To create and configure an XssMatchSet , perform the following steps:

  • Submit a CreateXssMatchSet request.

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of an UpdateIPSet request.

  • Submit an UpdateXssMatchSet request to specify the parts of web requests that you want AWS WAF to inspect for cross-site scripting attacks.

For more information about how to use the AWS WAF API to allow or block HTTP requests, see the AWS WAF Developer Guide .

Request Syntax

client.update_xss_match_set(
    XssMatchSetId='string',
    ChangeToken='string',
    Updates=[
        {
            'Action': 'INSERT'|'DELETE',
            'XssMatchTuple': {
                'FieldToMatch': {
                    'Type': 'URI'|'QUERY_STRING'|'HEADER'|'METHOD'|'BODY',
                    'Data': 'string'
                },
                'TextTransformation': 'NONE'|'COMPRESS_WHITE_SPACE'|'HTML_ENTITY_DECODE'|'LOWERCASE'|'CMD_LINE'|'URL_DECODE'
            }
        },
    ]
)
type XssMatchSetId

string

param XssMatchSetId

[REQUIRED]

The XssMatchSetId of the XssMatchSet that you want to update. XssMatchSetId is returned by CreateXssMatchSet and by ListXssMatchSets .

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken .

type Updates

list

param Updates

[REQUIRED]

An array of XssMatchSetUpdate objects that you want to insert into or delete from a XssMatchSet . For more information, see the applicable data types:

  • XssMatchSetUpdate : Contains Action and XssMatchTuple

  • XssMatchTuple : Contains FieldToMatch and TextTransformation

  • FieldToMatch : Contains Data and Type

  • (dict) --

    Specifies the part of a web request that you want to inspect for cross-site scripting attacks and indicates whether you want to add the specification to an XssMatchSet or delete it from an XssMatchSet .

    • Action (string) -- [REQUIRED]

      Specify INSERT to add a XssMatchSetUpdate to an XssMatchSet . Use DELETE to remove a XssMatchSetUpdate from an XssMatchSet .

    • XssMatchTuple (dict) -- [REQUIRED]

      Specifies the part of a web request that you want AWS WAF to inspect for cross-site scripting attacks and, if you want AWS WAF to inspect a header, the name of the header.

      • FieldToMatch (dict) -- [REQUIRED]

        Specifies where in a web request to look for TargetString .

        • Type (string) -- [REQUIRED]

          The part of the web request that you want AWS WAF to search for a specified string. Parts of a request that you can search include the following:

          • HEADER : A specified request header, for example, the value of the User-Agent or Referer header. If you choose HEADER for the type, specify the name of the header in Data .

          • METHOD : The HTTP method, which indicated the type of operation that the request is asking the origin to perform. Amazon CloudFront supports the following methods: DELETE , GET , HEAD , OPTIONS , PATCH , POST , and PUT .

          • QUERY_STRING : A query string, which is the part of a URL that appears after a ? character, if any.

          • URI : The part of a web request that identifies a resource, for example, /images/daily-ad.jpg .

          • BODY : The part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. The request body immediately follows the request headers. Note that only the first 8192 bytes of the request body are forwarded to AWS WAF for inspection. To allow or block requests based on the length of the body, you can create a size constraint set. For more information, see CreateSizeConstraintSet .

        • Data (string) --

          When the value of Type is HEADER , enter the name of the header that you want AWS WAF to search, for example, User-Agent or Referer . If the value of Type is any other value, omit Data .

          The name of the header is not case sensitive.

      • TextTransformation (string) -- [REQUIRED]

        Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on FieldToMatch before inspecting a request for a match.

        CMD_LINE

        When you're concerned that attackers are injecting an operating system commandline command and using unusual formatting to disguise some or all of the command, use this option to perform the following transformations:

        • Delete the following characters: " ' ^

        • Delete spaces before the following characters: / (

        • Replace the following characters with a space: , ;

        • Replace multiple spaces with one space

        • Convert uppercase letters (A-Z) to lowercase (a-z)

        COMPRESS_WHITE_SPACE

        Use this option to replace the following characters with a space character (decimal 32):

        • f, formfeed, decimal 12

        • t, tab, decimal 9

        • n, newline, decimal 10

        • r, carriage return, decimal 13

        • v, vertical tab, decimal 11

        • non-breaking space, decimal 160

        COMPRESS_WHITE_SPACE also replaces multiple spaces with one space.

        HTML_ENTITY_DECODE

        Use this option to replace HTML-encoded characters with unencoded characters. HTML_ENTITY_DECODE performs the following operations:

        • Replaces (ampersand)quot; with "

        • Replaces (ampersand)nbsp; with a non-breaking space, decimal 160

        • Replaces (ampersand)lt; with a "less than" symbol

        • Replaces (ampersand)gt; with >

        • Replaces characters that are represented in hexadecimal format, (ampersand)#xhhhh; , with the corresponding characters

        • Replaces characters that are represented in decimal format, (ampersand)#nnnn; , with the corresponding characters

        LOWERCASE

        Use this option to convert uppercase letters (A-Z) to lowercase (a-z).

        URL_DECODE

        Use this option to decode a URL-encoded value.

        NONE

        Specify NONE if you don't want to perform any text transformations.

rtype

dict

returns

Response Syntax

{
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    The response to an UpdateXssMatchSets request.

    • ChangeToken (string) --

      The ChangeToken that you used to submit the UpdateXssMatchSet request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .

CreateXssMatchSet (new) Link ¶

Creates an XssMatchSet , which you use to allow, block, or count requests that contain cross-site scripting attacks in the specified part of web requests. AWS WAF searches for character sequences that are likely to be malicious strings.

To create and configure an XssMatchSet , perform the following steps:

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of a CreateXssMatchSet request.

  • Submit a CreateXssMatchSet request.

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of an UpdateXssMatchSet request.

  • Submit an UpdateXssMatchSet request to specify the parts of web requests in which you want to allow, block, or count cross-site scripting attacks.

For more information about how to use the AWS WAF API to allow or block HTTP requests, see the AWS WAF Developer Guide .

Request Syntax

client.create_xss_match_set(
    Name='string',
    ChangeToken='string'
)
type Name

string

param Name

[REQUIRED]

A friendly name or description for the XssMatchSet that you're creating. You can't change Name after you create the XssMatchSet .

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken .

rtype

dict

returns

Response Syntax

{
    'XssMatchSet': {
        'XssMatchSetId': 'string',
        'Name': 'string',
        'XssMatchTuples': [
            {
                'FieldToMatch': {
                    'Type': 'URI'|'QUERY_STRING'|'HEADER'|'METHOD'|'BODY',
                    'Data': 'string'
                },
                'TextTransformation': 'NONE'|'COMPRESS_WHITE_SPACE'|'HTML_ENTITY_DECODE'|'LOWERCASE'|'CMD_LINE'|'URL_DECODE'
            },
        ]
    },
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    The response to a CreateXssMatchSet request.

    • XssMatchSet (dict) --

      An XssMatchSet .

      • XssMatchSetId (string) --

        A unique identifier for an XssMatchSet . You use XssMatchSetId to get information about an XssMatchSet (see GetXssMatchSet ), update an XssMatchSet (see UpdateXssMatchSet ), insert an XssMatchSet into a Rule or delete one from a Rule (see UpdateRule ), and delete an XssMatchSet from AWS WAF (see DeleteXssMatchSet ).

        XssMatchSetId is returned by CreateXssMatchSet and by ListXssMatchSets .

      • Name (string) --

        The name, if any, of the XssMatchSet .

      • XssMatchTuples (list) --

        Specifies the parts of web requests that you want to inspect for cross-site scripting attacks.

        • (dict) --

          Specifies the part of a web request that you want AWS WAF to inspect for cross-site scripting attacks and, if you want AWS WAF to inspect a header, the name of the header.

          • FieldToMatch (dict) --

            Specifies where in a web request to look for TargetString .

            • Type (string) --

              The part of the web request that you want AWS WAF to search for a specified string. Parts of a request that you can search include the following:

              • HEADER : A specified request header, for example, the value of the User-Agent or Referer header. If you choose HEADER for the type, specify the name of the header in Data .

              • METHOD : The HTTP method, which indicated the type of operation that the request is asking the origin to perform. Amazon CloudFront supports the following methods: DELETE , GET , HEAD , OPTIONS , PATCH , POST , and PUT .

              • QUERY_STRING : A query string, which is the part of a URL that appears after a ? character, if any.

              • URI : The part of a web request that identifies a resource, for example, /images/daily-ad.jpg .

              • BODY : The part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. The request body immediately follows the request headers. Note that only the first 8192 bytes of the request body are forwarded to AWS WAF for inspection. To allow or block requests based on the length of the body, you can create a size constraint set. For more information, see CreateSizeConstraintSet .

            • Data (string) --

              When the value of Type is HEADER , enter the name of the header that you want AWS WAF to search, for example, User-Agent or Referer . If the value of Type is any other value, omit Data .

              The name of the header is not case sensitive.

          • TextTransformation (string) --

            Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on FieldToMatch before inspecting a request for a match.

            CMD_LINE

            When you're concerned that attackers are injecting an operating system commandline command and using unusual formatting to disguise some or all of the command, use this option to perform the following transformations:

            • Delete the following characters: " ' ^

            • Delete spaces before the following characters: / (

            • Replace the following characters with a space: , ;

            • Replace multiple spaces with one space

            • Convert uppercase letters (A-Z) to lowercase (a-z)

            COMPRESS_WHITE_SPACE

            Use this option to replace the following characters with a space character (decimal 32):

            • f, formfeed, decimal 12

            • t, tab, decimal 9

            • n, newline, decimal 10

            • r, carriage return, decimal 13

            • v, vertical tab, decimal 11

            • non-breaking space, decimal 160

            COMPRESS_WHITE_SPACE also replaces multiple spaces with one space.

            HTML_ENTITY_DECODE

            Use this option to replace HTML-encoded characters with unencoded characters. HTML_ENTITY_DECODE performs the following operations:

            • Replaces (ampersand)quot; with "

            • Replaces (ampersand)nbsp; with a non-breaking space, decimal 160

            • Replaces (ampersand)lt; with a "less than" symbol

            • Replaces (ampersand)gt; with >

            • Replaces characters that are represented in hexadecimal format, (ampersand)#xhhhh; , with the corresponding characters

            • Replaces characters that are represented in decimal format, (ampersand)#nnnn; , with the corresponding characters

            LOWERCASE

            Use this option to convert uppercase letters (A-Z) to lowercase (a-z).

            URL_DECODE

            Use this option to decode a URL-encoded value.

            NONE

            Specify NONE if you don't want to perform any text transformations.

    • ChangeToken (string) --

      The ChangeToken that you used to submit the CreateXssMatchSet request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .

ListXssMatchSets (new) Link ¶

Returns an array of XssMatchSet objects.

Request Syntax

client.list_xss_match_sets(
    NextMarker='string',
    Limit=123
)
type NextMarker

string

param NextMarker

If you specify a value for Limit and you have more XssMatchSet objects than the value of Limit , AWS WAF returns a NextMarker value in the response that allows you to list another group of XssMatchSets . For the second and subsequent ListXssMatchSets requests, specify the value of NextMarker from the previous response to get information about another batch of XssMatchSets .

type Limit

integer

param Limit

[REQUIRED]

Specifies the number of XssMatchSet objects that you want AWS WAF to return for this request. If you have more XssMatchSet objects than the number you specify for Limit , the response includes a NextMarker value that you can use to get another batch of Rules .

rtype

dict

returns

Response Syntax

{
    'NextMarker': 'string',
    'XssMatchSets': [
        {
            'XssMatchSetId': 'string',
            'Name': 'string'
        },
    ]
}

Response Structure

  • (dict) --

    The response to a ListXssMatchSets request.

    • NextMarker (string) --

      If you have more XssMatchSet objects than the number that you specified for Limit in the request, the response includes a NextMarker value. To list more XssMatchSet objects, submit another ListXssMatchSets request, and specify the NextMarker value from the response in the NextMarker value in the next request.

    • XssMatchSets (list) --

      An array of XssMatchSetSummary objects.

      • (dict) --

        The Id and Name of an XssMatchSet .

        • XssMatchSetId (string) --

          A unique identifier for an XssMatchSet . You use XssMatchSetId to get information about a XssMatchSet (see GetXssMatchSet ), update an XssMatchSet (see UpdateXssMatchSet ), insert an XssMatchSet into a Rule or delete one from a Rule (see UpdateRule ), and delete an XssMatchSet from AWS WAF (see DeleteXssMatchSet ).

          XssMatchSetId is returned by CreateXssMatchSet and by ListXssMatchSets .

        • Name (string) --

          The name of the XssMatchSet , if any, specified by Id .

GetXssMatchSet (new) Link ¶

Returns the XssMatchSet that is specified by XssMatchSetId .

Request Syntax

client.get_xss_match_set(
    XssMatchSetId='string'
)
type XssMatchSetId

string

param XssMatchSetId

[REQUIRED]

The XssMatchSetId of the XssMatchSet that you want to get. XssMatchSetId is returned by CreateXssMatchSet and by ListXssMatchSets .

rtype

dict

returns

Response Syntax

{
    'XssMatchSet': {
        'XssMatchSetId': 'string',
        'Name': 'string',
        'XssMatchTuples': [
            {
                'FieldToMatch': {
                    'Type': 'URI'|'QUERY_STRING'|'HEADER'|'METHOD'|'BODY',
                    'Data': 'string'
                },
                'TextTransformation': 'NONE'|'COMPRESS_WHITE_SPACE'|'HTML_ENTITY_DECODE'|'LOWERCASE'|'CMD_LINE'|'URL_DECODE'
            },
        ]
    }
}

Response Structure

  • (dict) --

    The response to a GetXssMatchSet request.

    • XssMatchSet (dict) --

      Information about the XssMatchSet that you specified in the GetXssMatchSet request. For more information, see the following topics:

      • XssMatchSet : Contains Name , XssMatchSetId , and an array of XssMatchTuple objects

      • XssMatchTuple : Each XssMatchTuple object contains FieldToMatch and TextTransformation

      • FieldToMatch : Contains Data and Type

      • XssMatchSetId (string) --

        A unique identifier for an XssMatchSet . You use XssMatchSetId to get information about an XssMatchSet (see GetXssMatchSet ), update an XssMatchSet (see UpdateXssMatchSet ), insert an XssMatchSet into a Rule or delete one from a Rule (see UpdateRule ), and delete an XssMatchSet from AWS WAF (see DeleteXssMatchSet ).

        XssMatchSetId is returned by CreateXssMatchSet and by ListXssMatchSets .

      • Name (string) --

        The name, if any, of the XssMatchSet .

      • XssMatchTuples (list) --

        Specifies the parts of web requests that you want to inspect for cross-site scripting attacks.

        • (dict) --

          Specifies the part of a web request that you want AWS WAF to inspect for cross-site scripting attacks and, if you want AWS WAF to inspect a header, the name of the header.

          • FieldToMatch (dict) --

            Specifies where in a web request to look for TargetString .

            • Type (string) --

              The part of the web request that you want AWS WAF to search for a specified string. Parts of a request that you can search include the following:

              • HEADER : A specified request header, for example, the value of the User-Agent or Referer header. If you choose HEADER for the type, specify the name of the header in Data .

              • METHOD : The HTTP method, which indicated the type of operation that the request is asking the origin to perform. Amazon CloudFront supports the following methods: DELETE , GET , HEAD , OPTIONS , PATCH , POST , and PUT .

              • QUERY_STRING : A query string, which is the part of a URL that appears after a ? character, if any.

              • URI : The part of a web request that identifies a resource, for example, /images/daily-ad.jpg .

              • BODY : The part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. The request body immediately follows the request headers. Note that only the first 8192 bytes of the request body are forwarded to AWS WAF for inspection. To allow or block requests based on the length of the body, you can create a size constraint set. For more information, see CreateSizeConstraintSet .

            • Data (string) --

              When the value of Type is HEADER , enter the name of the header that you want AWS WAF to search, for example, User-Agent or Referer . If the value of Type is any other value, omit Data .

              The name of the header is not case sensitive.

          • TextTransformation (string) --

            Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on FieldToMatch before inspecting a request for a match.

            CMD_LINE

            When you're concerned that attackers are injecting an operating system commandline command and using unusual formatting to disguise some or all of the command, use this option to perform the following transformations:

            • Delete the following characters: " ' ^

            • Delete spaces before the following characters: / (

            • Replace the following characters with a space: , ;

            • Replace multiple spaces with one space

            • Convert uppercase letters (A-Z) to lowercase (a-z)

            COMPRESS_WHITE_SPACE

            Use this option to replace the following characters with a space character (decimal 32):

            • f, formfeed, decimal 12

            • t, tab, decimal 9

            • n, newline, decimal 10

            • r, carriage return, decimal 13

            • v, vertical tab, decimal 11

            • non-breaking space, decimal 160

            COMPRESS_WHITE_SPACE also replaces multiple spaces with one space.

            HTML_ENTITY_DECODE

            Use this option to replace HTML-encoded characters with unencoded characters. HTML_ENTITY_DECODE performs the following operations:

            • Replaces (ampersand)quot; with "

            • Replaces (ampersand)nbsp; with a non-breaking space, decimal 160

            • Replaces (ampersand)lt; with a "less than" symbol

            • Replaces (ampersand)gt; with >

            • Replaces characters that are represented in hexadecimal format, (ampersand)#xhhhh; , with the corresponding characters

            • Replaces characters that are represented in decimal format, (ampersand)#nnnn; , with the corresponding characters

            LOWERCASE

            Use this option to convert uppercase letters (A-Z) to lowercase (a-z).

            URL_DECODE

            Use this option to decode a URL-encoded value.

            NONE

            Specify NONE if you don't want to perform any text transformations.

CreateRule (updated) Link ¶
Changes (response)
{'Rule': {'Predicates': {'Type': ['XssMatch']}}}

Creates a Rule , which contains the IPSet objects, ByteMatchSet objects, and other predicates that identify the requests that you want to block. If you add more than one predicate to a Rule , a request must match all of the specifications to be allowed or blocked. For example, suppose you add the following to a Rule :

  • An IPSet that matches the IP address 192.0.2.44/32

  • A ByteMatchSet that matches BadBot in the User-Agent header

You then add the Rule to a WebACL and specify that you want to blocks requests that satisfy the Rule . For a request to be blocked, it must come from the IP address 192.0.2.44 and the User-Agent header in the request must contain the value BadBot .

To create and configure a Rule , perform the following steps:

  • Create and update the predicates that you want to include in the Rule . For more information, see CreateByteMatchSet , CreateIPSet , and CreateSqlInjectionMatchSet .

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of a CreateRule request.

  • Submit a CreateRule request.

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of an UpdateRule request.

  • Submit an UpdateRule request to specify the predicates that you want to include in the Rule .

  • Create and update a WebACL that contains the Rule . For more information, see CreateWebACL .

For more information about how to use the AWS WAF API to allow or block HTTP requests, see the AWS WAF Developer Guide .

Request Syntax

client.create_rule(
    Name='string',
    MetricName='string',
    ChangeToken='string'
)
type Name

string

param Name

[REQUIRED]

A friendly name or description of the Rule . You can't change the name of a Rule after you create it.

type MetricName

string

param MetricName

[REQUIRED]

A friendly name or description for the metrics for this Rule . The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can't contain whitespace. You can't change the name of the metric after you create the Rule .

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken .

rtype

dict

returns

Response Syntax

{
    'Rule': {
        'RuleId': 'string',
        'Name': 'string',
        'MetricName': 'string',
        'Predicates': [
            {
                'Negated': True|False,
                'Type': 'IPMatch'|'ByteMatch'|'SqlInjectionMatch'|'SizeConstraint'|'XssMatch',
                'DataId': 'string'
            },
        ]
    },
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • Rule (dict) --

      The Rule returned in the CreateRule response.

      • RuleId (string) --

        A unique identifier for a Rule . You use RuleId to get more information about a Rule (see GetRule ), update a Rule (see UpdateRule ), insert a Rule into a WebACL or delete a one from a WebACL (see UpdateWebACL ), or delete a Rule from AWS WAF (see DeleteRule ).

        RuleId is returned by CreateRule and by ListRules .

      • Name (string) --

        The friendly name or description for the Rule . You can't change the name of a Rule after you create it.

      • MetricName (string) --

      • Predicates (list) --

        The Predicates object contains one Predicate element for each ByteMatchSet , IPSet , or SqlInjectionMatchSet object that you want to include in a Rule .

        • (dict) --

          Specifies the ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , and SizeConstraintSet objects that you want to add to a Rule and, for each object, indicates whether you want to negate the settings, for example, requests that do NOT originate from the IP address 192.0.2.44.

          • Negated (boolean) --

            Set Negated to False if you want AWS WAF to allow, block, or count requests based on the settings in the specified ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow or block requests based on that IP address.

            Set Negated to True if you want AWS WAF to allow or block a request based on the negation of the settings in the ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44 .

          • Type (string) --

            The type of predicate in a Rule , such as ByteMatchSet or IPSet .

          • DataId (string) --

            A unique identifier for a predicate in a Rule , such as ByteMatchSetId or IPSetId . The ID is returned by the corresponding Create or List command.

    • ChangeToken (string) --

      The ChangeToken that you used to submit the CreateRule request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .

GetRule (updated) Link ¶
Changes (response)
{'Rule': {'Predicates': {'Type': ['XssMatch']}}}

Returns the Rule that is specified by the RuleId that you included in the GetRule request.

Request Syntax

client.get_rule(
    RuleId='string'
)
type RuleId

string

param RuleId

[REQUIRED]

The RuleId of the Rule that you want to get. RuleId is returned by CreateRule and by ListRules .

rtype

dict

returns

Response Syntax

{
    'Rule': {
        'RuleId': 'string',
        'Name': 'string',
        'MetricName': 'string',
        'Predicates': [
            {
                'Negated': True|False,
                'Type': 'IPMatch'|'ByteMatch'|'SqlInjectionMatch'|'SizeConstraint'|'XssMatch',
                'DataId': 'string'
            },
        ]
    }
}

Response Structure

  • (dict) --

    • Rule (dict) --

      Information about the Rule that you specified in the GetRule request. For more information, see the following topics:

      • Rule : Contains MetricName , Name , an array of Predicate objects, and RuleId

      • Predicate : Each Predicate object contains DataId , Negated , and Type

      • RuleId (string) --

        A unique identifier for a Rule . You use RuleId to get more information about a Rule (see GetRule ), update a Rule (see UpdateRule ), insert a Rule into a WebACL or delete a one from a WebACL (see UpdateWebACL ), or delete a Rule from AWS WAF (see DeleteRule ).

        RuleId is returned by CreateRule and by ListRules .

      • Name (string) --

        The friendly name or description for the Rule . You can't change the name of a Rule after you create it.

      • MetricName (string) --

      • Predicates (list) --

        The Predicates object contains one Predicate element for each ByteMatchSet , IPSet , or SqlInjectionMatchSet object that you want to include in a Rule .

        • (dict) --

          Specifies the ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , and SizeConstraintSet objects that you want to add to a Rule and, for each object, indicates whether you want to negate the settings, for example, requests that do NOT originate from the IP address 192.0.2.44.

          • Negated (boolean) --

            Set Negated to False if you want AWS WAF to allow, block, or count requests based on the settings in the specified ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow or block requests based on that IP address.

            Set Negated to True if you want AWS WAF to allow or block a request based on the negation of the settings in the ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44 .

          • Type (string) --

            The type of predicate in a Rule , such as ByteMatchSet or IPSet .

          • DataId (string) --

            A unique identifier for a predicate in a Rule , such as ByteMatchSetId or IPSetId . The ID is returned by the corresponding Create or List command.

UpdateRule (updated) Link ¶
Changes (request)
{'Updates': {'Predicate': {'Type': ['XssMatch']}}}

Inserts or deletes Predicate objects in a Rule . Each Predicate object identifies a predicate, such as a ByteMatchSet or an IPSet , that specifies the web requests that you want to allow, block, or count. If you add more than one predicate to a Rule , a request must match all of the specifications to be allowed, blocked, or counted. For example, suppose you add the following to a Rule :

  • A ByteMatchSet that matches the value BadBot in the User-Agent header

  • An IPSet that matches the IP address 192.0.2.44

You then add the Rule to a WebACL and specify that you want to block requests that satisfy the Rule . For a request to be blocked, the User-Agent header in the request must contain the value BadBot and the request must originate from the IP address 192.0.2.44.

To create and configure a Rule , perform the following steps:

  • Create and update the predicates that you want to include in the Rule .

  • Create the Rule . See CreateRule .

  • Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of an UpdateRule request.

  • Submit an UpdateRule request to add predicates to the Rule .

  • Create and update a WebACL that contains the Rule . See CreateWebACL .

If you want to replace one ByteMatchSet or IPSet with another, you delete the existing one and add the new one.

For more information about how to use the AWS WAF API to allow or block HTTP requests, see the AWS WAF Developer Guide .

Request Syntax

client.update_rule(
    RuleId='string',
    ChangeToken='string',
    Updates=[
        {
            'Action': 'INSERT'|'DELETE',
            'Predicate': {
                'Negated': True|False,
                'Type': 'IPMatch'|'ByteMatch'|'SqlInjectionMatch'|'SizeConstraint'|'XssMatch',
                'DataId': 'string'
            }
        },
    ]
)
type RuleId

string

param RuleId

[REQUIRED]

The RuleId of the Rule that you want to update. RuleId is returned by CreateRule and by ListRules .

type ChangeToken

string

param ChangeToken

[REQUIRED]

The value returned by the most recent call to GetChangeToken .

type Updates

list

param Updates

[REQUIRED]

An array of RuleUpdate objects that you want to insert into or delete from a Rule . For more information, see the applicable data types:

  • RuleUpdate : Contains Action and Predicate

  • Predicate : Contains DataId , Negated , and Type

  • FieldToMatch : Contains Data and Type

  • (dict) --

    Specifies a Predicate (such as an IPSet ) and indicates whether you want to add it to a Rule or delete it from a Rule .

    • Action (string) -- [REQUIRED]

      Specify INSERT to add a Predicate to a Rule . Use DELETE to remove a Predicate from a Rule .

    • Predicate (dict) -- [REQUIRED]

      The ID of the Predicate (such as an IPSet ) that you want to add to a Rule .

      • Negated (boolean) -- [REQUIRED]

        Set Negated to False if you want AWS WAF to allow, block, or count requests based on the settings in the specified ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow or block requests based on that IP address.

        Set Negated to True if you want AWS WAF to allow or block a request based on the negation of the settings in the ByteMatchSet , IPSet , SqlInjectionMatchSet , XssMatchSet , or SizeConstraintSet . For example, if an IPSet includes the IP address 192.0.2.44 , AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44 .

      • Type (string) -- [REQUIRED]

        The type of predicate in a Rule , such as ByteMatchSet or IPSet .

      • DataId (string) -- [REQUIRED]

        A unique identifier for a predicate in a Rule , such as ByteMatchSetId or IPSetId . The ID is returned by the corresponding Create or List command.

rtype

dict

returns

Response Syntax

{
    'ChangeToken': 'string'
}

Response Structure

  • (dict) --

    • ChangeToken (string) --

      The ChangeToken that you used to submit the UpdateRule request. You can also use this value to query the status of the request. For more information, see GetChangeTokenStatus .