Class: AWSCDK::WAFv2::CfnWebACL::ManagedRuleGroupStatementProperty
- Inherits:
-
Jsii::Struct
- Object
- Jsii::Struct
- AWSCDK::WAFv2::CfnWebACL::ManagedRuleGroupStatementProperty
- Defined in:
- wa_fv2/cfn_web_acl.rb
Overview
A rule statement used to run the rules that are defined in a managed rule group.
To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names through the API call ListAvailableManagedRuleGroups .
You cannot nest a ManagedRuleGroupStatement , for example for use inside a NotStatement or OrStatement . You cannot use a managed rule group statement inside another rule group. You can only use a managed rule group statement as a top-level statement in a rule that you define in a web ACL.
You are charged additional fees when you use the AWS WAF Bot Control managed rule group
AWSManagedRulesBotControlRuleSet, the AWS WAF Fraud Control account takeover prevention (ATP) managed rule groupAWSManagedRulesATPRuleSet, or the AWS WAF Fraud Control account creation fraud prevention (ACFP) managed rule groupAWSManagedRulesACFPRuleSet. For more information, see AWS WAF Pricing .
Instance Attribute Summary collapse
-
#excluded_rules ⇒ AWSCDK::IResolvable, ...
readonly
Rules in the referenced rule group whose actions are set to
Count. -
#managed_rule_group_configs ⇒ AWSCDK::IResolvable, ...
readonly
Additional information that's used by a managed rule group.
-
#name ⇒ String
readonly
The name of the managed rule group.
-
#rule_action_overrides ⇒ AWSCDK::IResolvable, ...
readonly
Action settings to use in the place of the rule actions that are configured inside the rule group.
-
#scope_down_statement ⇒ AWSCDK::IResolvable, ...
readonly
An optional nested statement that narrows the scope of the web requests that are evaluated by the managed rule group.
-
#vendor_name ⇒ String
readonly
The name of the managed rule group vendor.
-
#version ⇒ String?
readonly
The version of the managed rule group to use.
Class Method Summary collapse
Instance Method Summary collapse
-
#initialize(name:, vendor_name:, excluded_rules: nil, managed_rule_group_configs: nil, rule_action_overrides: nil, scope_down_statement: nil, version: nil) ⇒ ManagedRuleGroupStatementProperty
constructor
A new instance of ManagedRuleGroupStatementProperty.
- #to_jsii ⇒ Object
Constructor Details
#initialize(name:, vendor_name:, excluded_rules: nil, managed_rule_group_configs: nil, rule_action_overrides: nil, scope_down_statement: nil, version: nil) ⇒ ManagedRuleGroupStatementProperty
Returns a new instance of ManagedRuleGroupStatementProperty.
3632 3633 3634 3635 3636 3637 3638 3639 3640 3641 3642 3643 3644 3645 3646 3647 |
# File 'wa_fv2/cfn_web_acl.rb', line 3632 def initialize(name:, vendor_name:, excluded_rules: nil, managed_rule_group_configs: nil, rule_action_overrides: nil, scope_down_statement: nil, version: nil) @name = name Jsii::Type.check_type(@name, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "name") @vendor_name = vendor_name Jsii::Type.check_type(@vendor_name, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "vendorName") @excluded_rules = excluded_rules Jsii::Type.check_type(@excluded_rules, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImNvbGxlY3Rpb24iOnsiZWxlbWVudHR5cGUiOnsidW5pb24iOnsidHlwZXMiOlt7ImZxbiI6ImF3cy1jZGstbGliLklSZXNvbHZhYmxlIn0seyJmcW4iOiJhd3MtY2RrLWxpYi5hd3Nfd2FmdjIuQ2ZuV2ViQUNMLkV4Y2x1ZGVkUnVsZVByb3BlcnR5In1dfX0sImtpbmQiOiJhcnJheSJ9fV19fQ==")), "excludedRules") unless @excluded_rules.nil? @managed_rule_group_configs = managed_rule_group_configs Jsii::Type.check_type(@managed_rule_group_configs, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImNvbGxlY3Rpb24iOnsiZWxlbWVudHR5cGUiOnsidW5pb24iOnsidHlwZXMiOlt7ImZxbiI6ImF3cy1jZGstbGliLklSZXNvbHZhYmxlIn0seyJmcW4iOiJhd3MtY2RrLWxpYi5hd3Nfd2FmdjIuQ2ZuV2ViQUNMLk1hbmFnZWRSdWxlR3JvdXBDb25maWdQcm9wZXJ0eSJ9XX19LCJraW5kIjoiYXJyYXkifX1dfX0=")), "managedRuleGroupConfigs") unless @managed_rule_group_configs.nil? @rule_action_overrides = rule_action_overrides Jsii::Type.check_type(@rule_action_overrides, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImNvbGxlY3Rpb24iOnsiZWxlbWVudHR5cGUiOnsidW5pb24iOnsidHlwZXMiOlt7ImZxbiI6ImF3cy1jZGstbGliLklSZXNvbHZhYmxlIn0seyJmcW4iOiJhd3MtY2RrLWxpYi5hd3Nfd2FmdjIuQ2ZuV2ViQUNMLlJ1bGVBY3Rpb25PdmVycmlkZVByb3BlcnR5In1dfX0sImtpbmQiOiJhcnJheSJ9fV19fQ==")), "ruleActionOverrides") unless @rule_action_overrides.nil? @scope_down_statement = scope_down_statement.is_a?(Hash) ? ::AWSCDK::WAFv2::CfnWebACL::StatementProperty.new(**scope_down_statement.transform_keys(&:to_sym)) : scope_down_statement Jsii::Type.check_type(@scope_down_statement, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImZxbiI6ImF3cy1jZGstbGliLmF3c193YWZ2Mi5DZm5XZWJBQ0wuU3RhdGVtZW50UHJvcGVydHkifV19fQ==")), "scopeDownStatement") unless @scope_down_statement.nil? @version = version Jsii::Type.check_type(@version, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "version") unless @version.nil? end |
Instance Attribute Details
#excluded_rules ⇒ AWSCDK::IResolvable, ... (readonly)
Rules in the referenced rule group whose actions are set to Count .
Instead of this option, use
RuleActionOverrides. It accepts any valid action setting, includingCount.
3669 3670 3671 |
# File 'wa_fv2/cfn_web_acl.rb', line 3669 def excluded_rules @excluded_rules end |
#managed_rule_group_configs ⇒ AWSCDK::IResolvable, ... (readonly)
Additional information that's used by a managed rule group. Many managed rule groups don't require this.
The rule groups used for intelligent threat mitigation require additional configuration:
- Use the
AWSManagedRulesACFPRuleSetconfiguration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields. - Use the
AWSManagedRulesAntiDDoSRuleSetconfiguration object to configure the anti-DDoS managed rule group. The configuration includes the sensitivity levels to use in the rules that typically block and challenge requests that might be participating in DDoS attacks and the specification to use to indicate whether a request can handle a silent browser challenge. - Use the
AWSManagedRulesATPRuleSetconfiguration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password. - Use the
AWSManagedRulesBotControlRuleSetconfiguration object to configure the protection level that you want the Bot Control rule group to use.
3681 3682 3683 |
# File 'wa_fv2/cfn_web_acl.rb', line 3681 def managed_rule_group_configs @managed_rule_group_configs end |
#name ⇒ String (readonly)
The name of the managed rule group.
You use this, along with the vendor name, to identify the rule group.
3655 3656 3657 |
# File 'wa_fv2/cfn_web_acl.rb', line 3655 def name @name end |
#rule_action_overrides ⇒ AWSCDK::IResolvable, ... (readonly)
Action settings to use in the place of the rule actions that are configured inside the rule group.
You specify one override for each rule whose action you want to change.
Verify the rule names in your overrides carefully. With managed rule groups, AWS WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn't exactly match the case-sensitive name of an existing rule in the rule group.
You can use overrides for testing, for example you can override all of rule actions to Count and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.
3692 3693 3694 |
# File 'wa_fv2/cfn_web_acl.rb', line 3692 def rule_action_overrides @rule_action_overrides end |
#scope_down_statement ⇒ AWSCDK::IResolvable, ... (readonly)
An optional nested statement that narrows the scope of the web requests that are evaluated by the managed rule group.
Requests are only evaluated by the rule group if they match the scope-down statement. You can use any nestable Statement in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.
3699 3700 3701 |
# File 'wa_fv2/cfn_web_acl.rb', line 3699 def scope_down_statement @scope_down_statement end |
#vendor_name ⇒ String (readonly)
The name of the managed rule group vendor.
You use this, along with the rule group name, to identify a rule group.
3662 3663 3664 |
# File 'wa_fv2/cfn_web_acl.rb', line 3662 def vendor_name @vendor_name end |
#version ⇒ String? (readonly)
The version of the managed rule group to use.
If you specify this, the version setting is fixed until you change it. If you don't specify this, AWS WAF uses the vendor's default version, and then keeps the version at the vendor's default when the vendor updates the managed rule group settings.
3706 3707 3708 |
# File 'wa_fv2/cfn_web_acl.rb', line 3706 def version @version end |
Class Method Details
.jsii_properties ⇒ Object
3708 3709 3710 3711 3712 3713 3714 3715 3716 3717 3718 |
# File 'wa_fv2/cfn_web_acl.rb', line 3708 def self.jsii_properties { :name => "name", :vendor_name => "vendorName", :excluded_rules => "excludedRules", :managed_rule_group_configs => "managedRuleGroupConfigs", :rule_action_overrides => "ruleActionOverrides", :scope_down_statement => "scopeDownStatement", :version => "version", } end |
Instance Method Details
#to_jsii ⇒ Object
3720 3721 3722 3723 3724 3725 3726 3727 3728 3729 3730 3731 3732 |
# File 'wa_fv2/cfn_web_acl.rb', line 3720 def to_jsii result = {} result.merge!({ "name" => @name, "vendorName" => @vendor_name, "excludedRules" => @excluded_rules, "managedRuleGroupConfigs" => @managed_rule_group_configs, "ruleActionOverrides" => @rule_action_overrides, "scopeDownStatement" => @scope_down_statement, "version" => @version, }) result.compact end |