Class: AWSCDK::WAFv2::CfnWebACL::ManagedRuleGroupStatementProperty

Inherits:
Jsii::Struct
  • Object
show all
Defined in:
wa_fv2/cfn_web_acl.rb

Overview

A rule statement used to run the rules that are defined in a managed rule group.

To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names through the API call ListAvailableManagedRuleGroups .

You cannot nest a ManagedRuleGroupStatement , for example for use inside a NotStatement or OrStatement . You cannot use a managed rule group statement inside another rule group. You can only use a managed rule group statement as a top-level statement in a rule that you define in a web ACL.

You are charged additional fees when you use the AWS WAF Bot Control managed rule group AWSManagedRulesBotControlRuleSet , the AWS WAF Fraud Control account takeover prevention (ATP) managed rule group AWSManagedRulesATPRuleSet , or the AWS WAF Fraud Control account creation fraud prevention (ACFP) managed rule group AWSManagedRulesACFPRuleSet . For more information, see AWS WAF Pricing .

Instance Attribute Summary collapse

Class Method Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(name:, vendor_name:, excluded_rules: nil, managed_rule_group_configs: nil, rule_action_overrides: nil, scope_down_statement: nil, version: nil) ⇒ ManagedRuleGroupStatementProperty

Returns a new instance of ManagedRuleGroupStatementProperty.

Parameters:



3632
3633
3634
3635
3636
3637
3638
3639
3640
3641
3642
3643
3644
3645
3646
3647
# File 'wa_fv2/cfn_web_acl.rb', line 3632

def initialize(name:, vendor_name:, excluded_rules: nil, managed_rule_group_configs: nil, rule_action_overrides: nil, scope_down_statement: nil, version: nil)
  @name = name
  Jsii::Type.check_type(@name, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "name")
  @vendor_name = vendor_name
  Jsii::Type.check_type(@vendor_name, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "vendorName")
  @excluded_rules = excluded_rules
  Jsii::Type.check_type(@excluded_rules, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImNvbGxlY3Rpb24iOnsiZWxlbWVudHR5cGUiOnsidW5pb24iOnsidHlwZXMiOlt7ImZxbiI6ImF3cy1jZGstbGliLklSZXNvbHZhYmxlIn0seyJmcW4iOiJhd3MtY2RrLWxpYi5hd3Nfd2FmdjIuQ2ZuV2ViQUNMLkV4Y2x1ZGVkUnVsZVByb3BlcnR5In1dfX0sImtpbmQiOiJhcnJheSJ9fV19fQ==")), "excludedRules") unless @excluded_rules.nil?
  @managed_rule_group_configs = managed_rule_group_configs
  Jsii::Type.check_type(@managed_rule_group_configs, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImNvbGxlY3Rpb24iOnsiZWxlbWVudHR5cGUiOnsidW5pb24iOnsidHlwZXMiOlt7ImZxbiI6ImF3cy1jZGstbGliLklSZXNvbHZhYmxlIn0seyJmcW4iOiJhd3MtY2RrLWxpYi5hd3Nfd2FmdjIuQ2ZuV2ViQUNMLk1hbmFnZWRSdWxlR3JvdXBDb25maWdQcm9wZXJ0eSJ9XX19LCJraW5kIjoiYXJyYXkifX1dfX0=")), "managedRuleGroupConfigs") unless @managed_rule_group_configs.nil?
  @rule_action_overrides = rule_action_overrides
  Jsii::Type.check_type(@rule_action_overrides, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImNvbGxlY3Rpb24iOnsiZWxlbWVudHR5cGUiOnsidW5pb24iOnsidHlwZXMiOlt7ImZxbiI6ImF3cy1jZGstbGliLklSZXNvbHZhYmxlIn0seyJmcW4iOiJhd3MtY2RrLWxpYi5hd3Nfd2FmdjIuQ2ZuV2ViQUNMLlJ1bGVBY3Rpb25PdmVycmlkZVByb3BlcnR5In1dfX0sImtpbmQiOiJhcnJheSJ9fV19fQ==")), "ruleActionOverrides") unless @rule_action_overrides.nil?
  @scope_down_statement = scope_down_statement.is_a?(Hash) ? ::AWSCDK::WAFv2::CfnWebACL::StatementProperty.new(**scope_down_statement.transform_keys(&:to_sym)) : scope_down_statement
  Jsii::Type.check_type(@scope_down_statement, JSON.parse(Base64.strict_decode64("eyJ1bmlvbiI6eyJ0eXBlcyI6W3siZnFuIjoiYXdzLWNkay1saWIuSVJlc29sdmFibGUifSx7ImZxbiI6ImF3cy1jZGstbGliLmF3c193YWZ2Mi5DZm5XZWJBQ0wuU3RhdGVtZW50UHJvcGVydHkifV19fQ==")), "scopeDownStatement") unless @scope_down_statement.nil?
  @version = version
  Jsii::Type.check_type(@version, JSON.parse(Base64.strict_decode64("eyJwcmltaXRpdmUiOiJzdHJpbmcifQ==")), "version") unless @version.nil?
end

Instance Attribute Details

#excluded_rulesAWSCDK::IResolvable, ... (readonly)

Rules in the referenced rule group whose actions are set to Count .

Instead of this option, use RuleActionOverrides . It accepts any valid action setting, including Count .



3669
3670
3671
# File 'wa_fv2/cfn_web_acl.rb', line 3669

def excluded_rules
  @excluded_rules
end

#managed_rule_group_configsAWSCDK::IResolvable, ... (readonly)

Additional information that's used by a managed rule group. Many managed rule groups don't require this.

The rule groups used for intelligent threat mitigation require additional configuration:

  • Use the AWSManagedRulesACFPRuleSet configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields.
  • Use the AWSManagedRulesAntiDDoSRuleSet configuration object to configure the anti-DDoS managed rule group. The configuration includes the sensitivity levels to use in the rules that typically block and challenge requests that might be participating in DDoS attacks and the specification to use to indicate whether a request can handle a silent browser challenge.
  • Use the AWSManagedRulesATPRuleSet configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.
  • Use the AWSManagedRulesBotControlRuleSet configuration object to configure the protection level that you want the Bot Control rule group to use.


3681
3682
3683
# File 'wa_fv2/cfn_web_acl.rb', line 3681

def managed_rule_group_configs
  @managed_rule_group_configs
end

#nameString (readonly)

The name of the managed rule group.

You use this, along with the vendor name, to identify the rule group.



3655
3656
3657
# File 'wa_fv2/cfn_web_acl.rb', line 3655

def name
  @name
end

#rule_action_overridesAWSCDK::IResolvable, ... (readonly)

Action settings to use in the place of the rule actions that are configured inside the rule group.

You specify one override for each rule whose action you want to change.

Verify the rule names in your overrides carefully. With managed rule groups, AWS WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn't exactly match the case-sensitive name of an existing rule in the rule group.

You can use overrides for testing, for example you can override all of rule actions to Count and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.



3692
3693
3694
# File 'wa_fv2/cfn_web_acl.rb', line 3692

def rule_action_overrides
  @rule_action_overrides
end

#scope_down_statementAWSCDK::IResolvable, ... (readonly)

An optional nested statement that narrows the scope of the web requests that are evaluated by the managed rule group.

Requests are only evaluated by the rule group if they match the scope-down statement. You can use any nestable Statement in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.



3699
3700
3701
# File 'wa_fv2/cfn_web_acl.rb', line 3699

def scope_down_statement
  @scope_down_statement
end

#vendor_nameString (readonly)

The name of the managed rule group vendor.

You use this, along with the rule group name, to identify a rule group.



3662
3663
3664
# File 'wa_fv2/cfn_web_acl.rb', line 3662

def vendor_name
  @vendor_name
end

#versionString? (readonly)

The version of the managed rule group to use.

If you specify this, the version setting is fixed until you change it. If you don't specify this, AWS WAF uses the vendor's default version, and then keeps the version at the vendor's default when the vendor updates the managed rule group settings.



3706
3707
3708
# File 'wa_fv2/cfn_web_acl.rb', line 3706

def version
  @version
end

Class Method Details

.jsii_propertiesObject



3708
3709
3710
3711
3712
3713
3714
3715
3716
3717
3718
# File 'wa_fv2/cfn_web_acl.rb', line 3708

def self.jsii_properties
  {
    :name => "name",
    :vendor_name => "vendorName",
    :excluded_rules => "excludedRules",
    :managed_rule_group_configs => "managedRuleGroupConfigs",
    :rule_action_overrides => "ruleActionOverrides",
    :scope_down_statement => "scopeDownStatement",
    :version => "version",
  }
end

Instance Method Details

#to_jsiiObject



3720
3721
3722
3723
3724
3725
3726
3727
3728
3729
3730
3731
3732
# File 'wa_fv2/cfn_web_acl.rb', line 3720

def to_jsii
  result = {}
  result.merge!({
    "name" => @name,
    "vendorName" => @vendor_name,
    "excludedRules" => @excluded_rules,
    "managedRuleGroupConfigs" => @managed_rule_group_configs,
    "ruleActionOverrides" => @rule_action_overrides,
    "scopeDownStatement" => @scope_down_statement,
    "version" => @version,
  })
  result.compact
end