From e4f0c48860cd3d6b81488bcf60e297e19bae9b33 Mon Sep 17 00:00:00 2001 From: awstools Date: Mon, 25 Sep 2023 18:17:44 +0000 Subject: [PATCH] feat(client-wafv2): You can now perform an exact match against the web request's JA3 fingerprint. --- .../src/commands/CheckCapacityCommand.ts | 15 + .../src/commands/CreateRuleGroupCommand.ts | 15 + .../src/commands/CreateWebACLCommand.ts | 17 +- .../GetLoggingConfigurationCommand.ts | 3 + .../src/commands/GetRuleGroupCommand.ts | 15 + .../src/commands/GetWebACLCommand.ts | 15 + .../commands/GetWebACLForResourceCommand.ts | 15 + .../ListLoggingConfigurationsCommand.ts | 3 + .../PutLoggingConfigurationCommand.ts | 6 + .../src/commands/UpdateRuleGroupCommand.ts | 15 + .../src/commands/UpdateWebACLCommand.ts | 17 +- clients/client-wafv2/src/models/models_0.ts | 338 +++++++----------- .../client-wafv2/src/protocols/Aws_json1_1.ts | 5 + codegen/sdk-codegen/aws-models/wafv2.json | 91 +++-- 14 files changed, 316 insertions(+), 254 deletions(-) diff --git a/clients/client-wafv2/src/commands/CheckCapacityCommand.ts b/clients/client-wafv2/src/commands/CheckCapacityCommand.ts index 0da5cdbfc352b..9f518452e5e1b 100644 --- a/clients/client-wafv2/src/commands/CheckCapacityCommand.ts +++ b/clients/client-wafv2/src/commands/CheckCapacityCommand.ts @@ -118,6 +118,9 @@ export interface CheckCapacityCommandOutput extends CheckCapacityResponse, __Met * HeaderOrder: { // HeaderOrder * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { // JA3Fingerprint + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // TextTransformations // required * { // TextTransformation @@ -182,6 +185,9 @@ export interface CheckCapacityCommandOutput extends CheckCapacityResponse, __Met * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // required * { @@ -242,6 +248,9 @@ export interface CheckCapacityCommandOutput extends CheckCapacityResponse, __Met * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // required * { @@ -297,6 +306,9 @@ export interface CheckCapacityCommandOutput extends CheckCapacityResponse, __Met * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * ComparisonOperator: "EQ" || "NE" || "LE" || "LT" || "GE" || "GT", // required * Size: Number("long"), // required @@ -439,6 +451,9 @@ export interface CheckCapacityCommandOutput extends CheckCapacityResponse, __Met * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // required * { diff --git a/clients/client-wafv2/src/commands/CreateRuleGroupCommand.ts b/clients/client-wafv2/src/commands/CreateRuleGroupCommand.ts index 36ef1e3996216..787bd81be42bf 100644 --- a/clients/client-wafv2/src/commands/CreateRuleGroupCommand.ts +++ b/clients/client-wafv2/src/commands/CreateRuleGroupCommand.ts @@ -111,6 +111,9 @@ export interface CreateRuleGroupCommandOutput extends CreateRuleGroupResponse, _ * HeaderOrder: { // HeaderOrder * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { // JA3Fingerprint + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // TextTransformations // required * { // TextTransformation @@ -175,6 +178,9 @@ export interface CreateRuleGroupCommandOutput extends CreateRuleGroupResponse, _ * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // required * { @@ -235,6 +241,9 @@ export interface CreateRuleGroupCommandOutput extends CreateRuleGroupResponse, _ * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // required * { @@ -290,6 +299,9 @@ export interface CreateRuleGroupCommandOutput extends CreateRuleGroupResponse, _ * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * ComparisonOperator: "EQ" || "NE" || "LE" || "LT" || "GE" || "GT", // required * Size: Number("long"), // required @@ -432,6 +444,9 @@ export interface CreateRuleGroupCommandOutput extends CreateRuleGroupResponse, _ * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // required * { diff --git a/clients/client-wafv2/src/commands/CreateWebACLCommand.ts b/clients/client-wafv2/src/commands/CreateWebACLCommand.ts index 0fe1a23282392..54cb153ed65de 100644 --- a/clients/client-wafv2/src/commands/CreateWebACLCommand.ts +++ b/clients/client-wafv2/src/commands/CreateWebACLCommand.ts @@ -38,7 +38,7 @@ export interface CreateWebACLCommandOutput extends CreateWebACLResponse, __Metad /** * @public *

Creates a WebACL per the specifications provided.

- *

A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

+ *

A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has a statement that defines what to look for in web requests and an action that WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -134,6 +134,9 @@ export interface CreateWebACLCommandOutput extends CreateWebACLResponse, __Metad * HeaderOrder: { // HeaderOrder * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { // JA3Fingerprint + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // TextTransformations // required * { // TextTransformation @@ -198,6 +201,9 @@ export interface CreateWebACLCommandOutput extends CreateWebACLResponse, __Metad * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // required * { @@ -258,6 +264,9 @@ export interface CreateWebACLCommandOutput extends CreateWebACLResponse, __Metad * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // required * { @@ -313,6 +322,9 @@ export interface CreateWebACLCommandOutput extends CreateWebACLResponse, __Metad * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * ComparisonOperator: "EQ" || "NE" || "LE" || "LT" || "GE" || "GT", // required * Size: Number("long"), // required @@ -445,6 +457,9 @@ export interface CreateWebACLCommandOutput extends CreateWebACLResponse, __Metad * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // required * { diff --git a/clients/client-wafv2/src/commands/GetLoggingConfigurationCommand.ts b/clients/client-wafv2/src/commands/GetLoggingConfigurationCommand.ts index 86136c4f58530..2f3d9816a8616 100644 --- a/clients/client-wafv2/src/commands/GetLoggingConfigurationCommand.ts +++ b/clients/client-wafv2/src/commands/GetLoggingConfigurationCommand.ts @@ -110,6 +110,9 @@ export interface GetLoggingConfigurationCommandOutput extends GetLoggingConfigur * // HeaderOrder: { // HeaderOrder * // OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * // }, + * // JA3Fingerprint: { // JA3Fingerprint + * // FallbackBehavior: "MATCH" || "NO_MATCH", // required + * // }, * // }, * // ], * // ManagedByFirewallManager: true || false, diff --git a/clients/client-wafv2/src/commands/GetRuleGroupCommand.ts b/clients/client-wafv2/src/commands/GetRuleGroupCommand.ts index f0fe4c9b9b5f4..cdca2c7f66ce9 100644 --- a/clients/client-wafv2/src/commands/GetRuleGroupCommand.ts +++ b/clients/client-wafv2/src/commands/GetRuleGroupCommand.ts @@ -120,6 +120,9 @@ export interface GetRuleGroupCommandOutput extends GetRuleGroupResponse, __Metad * // HeaderOrder: { // HeaderOrder * // OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * // }, + * // JA3Fingerprint: { // JA3Fingerprint + * // FallbackBehavior: "MATCH" || "NO_MATCH", // required + * // }, * // }, * // TextTransformations: [ // TextTransformations // required * // { // TextTransformation @@ -184,6 +187,9 @@ export interface GetRuleGroupCommandOutput extends GetRuleGroupResponse, __Metad * // HeaderOrder: { * // OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * // }, + * // JA3Fingerprint: { + * // FallbackBehavior: "MATCH" || "NO_MATCH", // required + * // }, * // }, * // TextTransformations: [ // required * // { @@ -244,6 +250,9 @@ export interface GetRuleGroupCommandOutput extends GetRuleGroupResponse, __Metad * // HeaderOrder: { * // OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * // }, + * // JA3Fingerprint: { + * // FallbackBehavior: "MATCH" || "NO_MATCH", // required + * // }, * // }, * // TextTransformations: [ // required * // { @@ -299,6 +308,9 @@ export interface GetRuleGroupCommandOutput extends GetRuleGroupResponse, __Metad * // HeaderOrder: { * // OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * // }, + * // JA3Fingerprint: { + * // FallbackBehavior: "MATCH" || "NO_MATCH", // required + * // }, * // }, * // ComparisonOperator: "EQ" || "NE" || "LE" || "LT" || "GE" || "GT", // required * // Size: Number("long"), // required @@ -441,6 +453,9 @@ export interface GetRuleGroupCommandOutput extends GetRuleGroupResponse, __Metad * // HeaderOrder: { * // OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * // }, + * // JA3Fingerprint: { + * // FallbackBehavior: "MATCH" || "NO_MATCH", // required + * // }, * // }, * // TextTransformations: [ // required * // { diff --git a/clients/client-wafv2/src/commands/GetWebACLCommand.ts b/clients/client-wafv2/src/commands/GetWebACLCommand.ts index d5209dc4cd2ca..23fc690f6927d 100644 --- a/clients/client-wafv2/src/commands/GetWebACLCommand.ts +++ b/clients/client-wafv2/src/commands/GetWebACLCommand.ts @@ -142,6 +142,9 @@ export interface GetWebACLCommandOutput extends GetWebACLResponse, __MetadataBea * // HeaderOrder: { // HeaderOrder * // OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * // }, + * // JA3Fingerprint: { // JA3Fingerprint + * // FallbackBehavior: "MATCH" || "NO_MATCH", // required + * // }, * // }, * // TextTransformations: [ // TextTransformations // required * // { // TextTransformation @@ -206,6 +209,9 @@ export interface GetWebACLCommandOutput extends GetWebACLResponse, __MetadataBea * // HeaderOrder: { * // OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * // }, + * // JA3Fingerprint: { + * // FallbackBehavior: "MATCH" || "NO_MATCH", // required + * // }, * // }, * // TextTransformations: [ // required * // { @@ -266,6 +272,9 @@ export interface GetWebACLCommandOutput extends GetWebACLResponse, __MetadataBea * // HeaderOrder: { * // OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * // }, + * // JA3Fingerprint: { + * // FallbackBehavior: "MATCH" || "NO_MATCH", // required + * // }, * // }, * // TextTransformations: [ // required * // { @@ -321,6 +330,9 @@ export interface GetWebACLCommandOutput extends GetWebACLResponse, __MetadataBea * // HeaderOrder: { * // OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * // }, + * // JA3Fingerprint: { + * // FallbackBehavior: "MATCH" || "NO_MATCH", // required + * // }, * // }, * // ComparisonOperator: "EQ" || "NE" || "LE" || "LT" || "GE" || "GT", // required * // Size: Number("long"), // required @@ -453,6 +465,9 @@ export interface GetWebACLCommandOutput extends GetWebACLResponse, __MetadataBea * // HeaderOrder: { * // OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * // }, + * // JA3Fingerprint: { + * // FallbackBehavior: "MATCH" || "NO_MATCH", // required + * // }, * // }, * // TextTransformations: [ // required * // { diff --git a/clients/client-wafv2/src/commands/GetWebACLForResourceCommand.ts b/clients/client-wafv2/src/commands/GetWebACLForResourceCommand.ts index 6da96d727de49..97de8ca8636ee 100644 --- a/clients/client-wafv2/src/commands/GetWebACLForResourceCommand.ts +++ b/clients/client-wafv2/src/commands/GetWebACLForResourceCommand.ts @@ -140,6 +140,9 @@ export interface GetWebACLForResourceCommandOutput extends GetWebACLForResourceR * // HeaderOrder: { // HeaderOrder * // OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * // }, + * // JA3Fingerprint: { // JA3Fingerprint + * // FallbackBehavior: "MATCH" || "NO_MATCH", // required + * // }, * // }, * // TextTransformations: [ // TextTransformations // required * // { // TextTransformation @@ -204,6 +207,9 @@ export interface GetWebACLForResourceCommandOutput extends GetWebACLForResourceR * // HeaderOrder: { * // OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * // }, + * // JA3Fingerprint: { + * // FallbackBehavior: "MATCH" || "NO_MATCH", // required + * // }, * // }, * // TextTransformations: [ // required * // { @@ -264,6 +270,9 @@ export interface GetWebACLForResourceCommandOutput extends GetWebACLForResourceR * // HeaderOrder: { * // OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * // }, + * // JA3Fingerprint: { + * // FallbackBehavior: "MATCH" || "NO_MATCH", // required + * // }, * // }, * // TextTransformations: [ // required * // { @@ -319,6 +328,9 @@ export interface GetWebACLForResourceCommandOutput extends GetWebACLForResourceR * // HeaderOrder: { * // OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * // }, + * // JA3Fingerprint: { + * // FallbackBehavior: "MATCH" || "NO_MATCH", // required + * // }, * // }, * // ComparisonOperator: "EQ" || "NE" || "LE" || "LT" || "GE" || "GT", // required * // Size: Number("long"), // required @@ -451,6 +463,9 @@ export interface GetWebACLForResourceCommandOutput extends GetWebACLForResourceR * // HeaderOrder: { * // OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * // }, + * // JA3Fingerprint: { + * // FallbackBehavior: "MATCH" || "NO_MATCH", // required + * // }, * // }, * // TextTransformations: [ // required * // { diff --git a/clients/client-wafv2/src/commands/ListLoggingConfigurationsCommand.ts b/clients/client-wafv2/src/commands/ListLoggingConfigurationsCommand.ts index af254d7423d80..40a1ae7e8519c 100644 --- a/clients/client-wafv2/src/commands/ListLoggingConfigurationsCommand.ts +++ b/clients/client-wafv2/src/commands/ListLoggingConfigurationsCommand.ts @@ -113,6 +113,9 @@ export interface ListLoggingConfigurationsCommandOutput extends ListLoggingConfi * // HeaderOrder: { // HeaderOrder * // OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * // }, + * // JA3Fingerprint: { // JA3Fingerprint + * // FallbackBehavior: "MATCH" || "NO_MATCH", // required + * // }, * // }, * // ], * // ManagedByFirewallManager: true || false, diff --git a/clients/client-wafv2/src/commands/PutLoggingConfigurationCommand.ts b/clients/client-wafv2/src/commands/PutLoggingConfigurationCommand.ts index 907fa563910f4..6571da938d38b 100644 --- a/clients/client-wafv2/src/commands/PutLoggingConfigurationCommand.ts +++ b/clients/client-wafv2/src/commands/PutLoggingConfigurationCommand.ts @@ -147,6 +147,9 @@ export interface PutLoggingConfigurationCommandOutput extends PutLoggingConfigur * HeaderOrder: { // HeaderOrder * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { // JA3Fingerprint + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * ], * ManagedByFirewallManager: true || false, @@ -234,6 +237,9 @@ export interface PutLoggingConfigurationCommandOutput extends PutLoggingConfigur * // HeaderOrder: { // HeaderOrder * // OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * // }, + * // JA3Fingerprint: { // JA3Fingerprint + * // FallbackBehavior: "MATCH" || "NO_MATCH", // required + * // }, * // }, * // ], * // ManagedByFirewallManager: true || false, diff --git a/clients/client-wafv2/src/commands/UpdateRuleGroupCommand.ts b/clients/client-wafv2/src/commands/UpdateRuleGroupCommand.ts index 8d8c2aa3ebb63..a080ebc7d8a6f 100644 --- a/clients/client-wafv2/src/commands/UpdateRuleGroupCommand.ts +++ b/clients/client-wafv2/src/commands/UpdateRuleGroupCommand.ts @@ -128,6 +128,9 @@ export interface UpdateRuleGroupCommandOutput extends UpdateRuleGroupResponse, _ * HeaderOrder: { // HeaderOrder * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { // JA3Fingerprint + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // TextTransformations // required * { // TextTransformation @@ -192,6 +195,9 @@ export interface UpdateRuleGroupCommandOutput extends UpdateRuleGroupResponse, _ * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // required * { @@ -252,6 +258,9 @@ export interface UpdateRuleGroupCommandOutput extends UpdateRuleGroupResponse, _ * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // required * { @@ -307,6 +316,9 @@ export interface UpdateRuleGroupCommandOutput extends UpdateRuleGroupResponse, _ * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * ComparisonOperator: "EQ" || "NE" || "LE" || "LT" || "GE" || "GT", // required * Size: Number("long"), // required @@ -449,6 +461,9 @@ export interface UpdateRuleGroupCommandOutput extends UpdateRuleGroupResponse, _ * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // required * { diff --git a/clients/client-wafv2/src/commands/UpdateWebACLCommand.ts b/clients/client-wafv2/src/commands/UpdateWebACLCommand.ts index 12c41208bde20..4651efe2fc57c 100644 --- a/clients/client-wafv2/src/commands/UpdateWebACLCommand.ts +++ b/clients/client-wafv2/src/commands/UpdateWebACLCommand.ts @@ -56,7 +56,7 @@ export interface UpdateWebACLCommandOutput extends UpdateWebACLResponse, __Metad * * *

When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.

- *

A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

+ *

A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has a statement that defines what to look for in web requests and an action that WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -153,6 +153,9 @@ export interface UpdateWebACLCommandOutput extends UpdateWebACLResponse, __Metad * HeaderOrder: { // HeaderOrder * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { // JA3Fingerprint + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // TextTransformations // required * { // TextTransformation @@ -217,6 +220,9 @@ export interface UpdateWebACLCommandOutput extends UpdateWebACLResponse, __Metad * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // required * { @@ -277,6 +283,9 @@ export interface UpdateWebACLCommandOutput extends UpdateWebACLResponse, __Metad * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // required * { @@ -332,6 +341,9 @@ export interface UpdateWebACLCommandOutput extends UpdateWebACLResponse, __Metad * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * ComparisonOperator: "EQ" || "NE" || "LE" || "LT" || "GE" || "GT", // required * Size: Number("long"), // required @@ -464,6 +476,9 @@ export interface UpdateWebACLCommandOutput extends UpdateWebACLResponse, __Metad * HeaderOrder: { * OversizeHandling: "CONTINUE" || "MATCH" || "NO_MATCH", // required * }, + * JA3Fingerprint: { + * FallbackBehavior: "MATCH" || "NO_MATCH", // required + * }, * }, * TextTransformations: [ // required * { diff --git a/clients/client-wafv2/src/models/models_0.ts b/clients/client-wafv2/src/models/models_0.ts index 6b4f9126b90f2..a6bf59a05b53f 100644 --- a/clients/client-wafv2/src/models/models_0.ts +++ b/clients/client-wafv2/src/models/models_0.ts @@ -417,6 +417,47 @@ export interface Headers { OversizeHandling: OversizeHandling | string | undefined; } +/** + * @public + * @enum + */ +export const FallbackBehavior = { + MATCH: "MATCH", + NO_MATCH: "NO_MATCH", +} as const; + +/** + * @public + */ +export type FallbackBehavior = (typeof FallbackBehavior)[keyof typeof FallbackBehavior]; + +/** + * @public + *

Match against the request's JA3 fingerprint header. The header contains a hash fingerprint of the TLS Client Hello packet for the request.

+ * + *

You can use this choice only with a string match ByteMatchStatement with the PositionalConstraint set to + * EXACTLY.

+ * + */ +export interface JA3Fingerprint { + /** + * @public + *

The match status to assign to the web request if the request doesn't have a JA3 fingerprint.

+ *

You can specify the following fallback behaviors:

+ * + */ + FallbackBehavior: FallbackBehavior | string | undefined; +} + /** * @public * @enum @@ -781,6 +822,16 @@ export interface FieldToMatch { * WAF separates the header names in the string using colons and no added spaces, for example host:user-agent:accept:authorization:referer.

*/ HeaderOrder?: HeaderOrder; + + /** + * @public + *

Match against the request's JA3 fingerprint header. The header contains a hash fingerprint of the TLS Client Hello packet for the request.

+ * + *

You can use this choice only with a string match ByteMatchStatement with the PositionalConstraint set to + * EXACTLY.

+ * + */ + JA3Fingerprint?: JA3Fingerprint; } /** @@ -850,164 +901,8 @@ export interface TextTransformation { /** * @public - *

You can specify the following transformation types:

- *

- * BASE64_DECODE - Decode a - * Base64-encoded string.

- *

- * BASE64_DECODE_EXT - Decode a - * Base64-encoded string, but use a forgiving implementation that ignores - * characters that aren't valid.

- *

- * CMD_LINE - Command-line transformations. These are - * helpful in reducing effectiveness of attackers who inject an operating system command-line - * command and use unusual formatting to disguise some or all of the command.

- * - *

- * COMPRESS_WHITE_SPACE - Replace these characters - * with a space character (decimal 32):

- * - *

- * COMPRESS_WHITE_SPACE also replaces multiple spaces with one space.

- *

- * CSS_DECODE - Decode characters that were encoded - * using CSS 2.x escape rules syndata.html#characters. This function uses up to - * two bytes in the decoding process, so it can help to uncover ASCII characters that were - * encoded using CSS encoding that wouldn’t typically be encoded. It's also useful in - * countering evasion, which is a combination of a backslash and non-hexadecimal characters. - * For example, ja\vascript for javascript.

- *

- * ESCAPE_SEQ_DECODE - Decode the following ANSI C - * escape sequences: \a, \b, \f, \n, - * \r, \t, \v, \\, \?, - * \', \", \xHH (hexadecimal), \0OOO - * (octal). Encodings that aren't valid remain in the output.

- *

- * HEX_DECODE - Decode a string of hexadecimal - * characters into a binary.

- *

- * HTML_ENTITY_DECODE - Replace HTML-encoded - * characters with unencoded characters. HTML_ENTITY_DECODE performs these - * operations:

- * - *

- * JS_DECODE - Decode JavaScript escape sequences. If - * a - * \ - * u - * HHHH - * code is in the full-width ASCII code range of FF01-FF5E, then the higher byte - * is used to detect and adjust the lower byte. If not, only the lower byte is used and the - * higher byte is zeroed, causing a possible loss of information.

- *

- * LOWERCASE - Convert uppercase letters (A-Z) to - * lowercase (a-z).

- *

- * MD5 - Calculate an MD5 hash from the data in the - * input. The computed hash is in a raw binary form.

- *

- * NONE - Specify NONE if you don't want - * any text transformations.

- *

- * NORMALIZE_PATH - Remove multiple slashes, directory - * self-references, and directory back-references that are not at the beginning of the input - * from an input string.

- *

- * NORMALIZE_PATH_WIN - This is the same as - * NORMALIZE_PATH, but first converts backslash characters to forward slashes.

- *

- * REMOVE_NULLS - Remove all NULL bytes - * from the input.

- *

- * REPLACE_COMMENTS - Replace each occurrence of a - * C-style comment (/* ... *\/) with a single space. Multiple consecutive - * occurrences are not compressed. Unterminated comments are also replaced with a space (ASCII - * 0x20). However, a standalone termination of a comment (*\/) is not acted upon.

- *

- * REPLACE_NULLS - Replace NULL bytes in the input - * with space characters (ASCII 0x20).

- *

- * SQL_HEX_DECODE - Decode SQL hex data. Example - * (0x414243) will be decoded to (ABC).

- *

- * URL_DECODE - Decode a URL-encoded value.

- *

- * URL_DECODE_UNI - Like URL_DECODE, but - * with support for Microsoft-specific %u encoding. If the code is in the - * full-width ASCII code range of FF01-FF5E, the higher byte is used to detect - * and adjust the lower byte. Otherwise, only the lower byte is used and the higher byte is - * zeroed.

- *

- * UTF8_TO_UNICODE - Convert all UTF-8 character - * sequences to Unicode. This helps input normalization, and minimizing false-positives and - * false-negatives for non-English languages.

+ *

For detailed descriptions of each of the transformation types, see Text transformations + * in the WAF Developer Guide.

*/ Type: TextTransformationType | string | undefined; } @@ -1037,6 +932,11 @@ export interface ByteMatchStatement { * *
  • *

    + * JA3Fingerprint: The string to match against the web request's JA3 fingerprint header. The header contains a hash fingerprint of the TLS Client Hello packet for + * the request.

    + *
    • + *
  • + *

    * HeaderOrder: The comma-separated list of header names to match for. WAF creates a * string that contains the ordered list of header names, from the headers in the web request, and then matches against that string.

    *
    • @@ -1069,7 +969,7 @@ export interface ByteMatchStatement { /** * @public - *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    + *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    */ TextTransformations: TextTransformation[] | undefined; @@ -1385,20 +1285,6 @@ export const CountryCode = { */ export type CountryCode = (typeof CountryCode)[keyof typeof CountryCode]; -/** - * @public - * @enum - */ -export const FallbackBehavior = { - MATCH: "MATCH", - NO_MATCH: "NO_MATCH", -} as const; - -/** - * @public - */ -export type FallbackBehavior = (typeof FallbackBehavior)[keyof typeof FallbackBehavior]; - /** * @public *

    The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name.

    @@ -2076,7 +1962,15 @@ export interface AWSManagedRulesACFPRuleSet { /** * @public *

    The path of the account creation endpoint for your application. This is the page on your website that accepts the completed registration form for a new user. This page must accept POST requests.

    - *

    For example, for the URL https://example.com/web/signup, you would provide the path /web/signup.

    + *

    For example, for the URL https://example.com/web/newaccount, you would provide + * the path /web/newaccount. Account creation page paths that + * start with the path that you provide are considered a match. For example + * /web/newaccount matches the account creation paths + * /web/newaccount, /web/newaccount/, + * /web/newaccountPage, and + * /web/newaccount/thisPage, but doesn't match the path + * /home/web/newaccount or + * /website/newaccount.

    */ CreationPath: string | undefined; @@ -2086,7 +1980,15 @@ export interface AWSManagedRulesACFPRuleSet { * *

    This page must accept GET text/html requests.

    *     - *

    For example, for the URL https://example.com/web/register, you would provide the path /web/register.

    + *

    For example, for the URL https://example.com/web/registration, you would provide + * the path /web/registration. Registration page paths that + * start with the path that you provide are considered a match. For example + * /web/registration matches the registration paths + * /web/registration, /web/registration/, + * /web/registrationPage, and + * /web/registration/thisPage, but doesn't match the path + * /home/web/registration or + * /website/registration.

    */ RegistrationPagePath: string | undefined; @@ -2187,7 +2089,7 @@ export interface AWSManagedRulesATPRuleSet { * @public *

    The path of the login endpoint for your application. For example, for the URL * https://example.com/web/login, you would provide the path - * /web/login.

    + * /web/login. Login paths that start with the path that you provide are considered a match. For example /web/login matches the login paths /web/login, /web/login/, /web/loginPage, and /web/login/thisPage, but doesn't match the login path /home/web/login or /website/login.

    *

    The rule group inspects only HTTP POST requests to your specified login endpoint.

    */ LoginPath: string | undefined; @@ -2383,7 +2285,7 @@ export interface CustomResponse { /** * @public - *

    The HTTP headers to use in the response. Duplicate header names are not allowed.

    + *

    The HTTP headers to use in the response. You can specify any header name except for content-type. Duplicate header names are not allowed.

    *

    For information about the limits on count and size for custom request and response settings, see WAF quotas * in the WAF Developer Guide.

    */ @@ -2599,7 +2501,7 @@ export interface RateLimitCookie { /** * @public - *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    + *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    */ TextTransformations: TextTransformation[] | undefined; } @@ -2631,7 +2533,7 @@ export interface RateLimitHeader { /** * @public - *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    + *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    */ TextTransformations: TextTransformation[] | undefined; } @@ -2685,7 +2587,7 @@ export interface RateLimitQueryArgument { /** * @public - *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    + *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    */ TextTransformations: TextTransformation[] | undefined; } @@ -2698,7 +2600,7 @@ export interface RateLimitQueryArgument { export interface RateLimitQueryString { /** * @public - *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    + *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    */ TextTransformations: TextTransformation[] | undefined; } @@ -2711,7 +2613,7 @@ export interface RateLimitQueryString { export interface RateLimitUriPath { /** * @public - *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    + *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    */ TextTransformations: TextTransformation[] | undefined; } @@ -2813,7 +2715,7 @@ export interface RegexMatchStatement { /** * @public - *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    + *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    */ TextTransformations: TextTransformation[] | undefined; } @@ -2839,7 +2741,7 @@ export interface RegexPatternSetReferenceStatement { /** * @public - *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    + *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    */ TextTransformations: TextTransformation[] | undefined; } @@ -2847,8 +2749,8 @@ export interface RegexPatternSetReferenceStatement { /** * @public *

    A rule statement used to run the rules that are defined in a RuleGroup. To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.

    - *

    You cannot nest a RuleGroupReferenceStatement, for example for use inside a NotStatement or OrStatement. You - * can only use a rule group reference statement at the top level inside a web ACL.

    + *

    You cannot nest a RuleGroupReferenceStatement, for example for use inside a NotStatement or OrStatement. You cannot use a rule group + * reference statement inside another rule group. You can only reference a rule group as a top-level statement within a rule that you define in a web ACL.

    */ export interface RuleGroupReferenceStatement { /** @@ -2919,7 +2821,7 @@ export interface SizeConstraintStatement { /** * @public - *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    + *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    */ TextTransformations: TextTransformation[] | undefined; } @@ -2951,7 +2853,7 @@ export interface SqliMatchStatement { /** * @public - *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    + *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    */ TextTransformations: TextTransformation[] | undefined; @@ -2987,7 +2889,7 @@ export interface XssMatchStatement { /** * @public - *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    + *

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    */ TextTransformations: TextTransformation[] | undefined; } @@ -3756,21 +3658,21 @@ export interface CreateIPSetRequest { /** * @public - *

    Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0.

    + *

    Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses that you want WAF to inspect for in incoming requests. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0.

    *

    Example address strings:

    * *

    For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

    @@ -4982,21 +4884,21 @@ export interface IPSet { /** * @public - *

    Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0.

    + *

    Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses that you want WAF to inspect for in incoming requests. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0.

    *

    Example address strings:

    * *

    For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

    @@ -7340,21 +7242,21 @@ export interface UpdateIPSetRequest { /** * @public - *

    Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0.

    + *

    Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses that you want WAF to inspect for in incoming requests. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0.

    *

    Example address strings:

    * *

    For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

    @@ -7612,8 +7514,8 @@ export interface Statement { /** * @public *

    A rule statement used to run the rules that are defined in a RuleGroup. To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.

    - *

    You cannot nest a RuleGroupReferenceStatement, for example for use inside a NotStatement or OrStatement. You - * can only use a rule group reference statement at the top level inside a web ACL.

    + *

    You cannot nest a RuleGroupReferenceStatement, for example for use inside a NotStatement or OrStatement. You cannot use a rule group + * reference statement inside another rule group. You can only reference a rule group as a top-level statement within a rule that you define in a web ACL.

    */ RuleGroupReferenceStatement?: RuleGroupReferenceStatement; @@ -7723,7 +7625,8 @@ export interface Statement { /** * @public *

    A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names by calling ListAvailableManagedRuleGroups.

    - *

    You cannot nest a ManagedRuleGroupStatement, for example for use inside a NotStatement or OrStatement. It can only be referenced as a top-level statement within a rule.

    + *

    You cannot nest a ManagedRuleGroupStatement, for example for use inside a NotStatement or OrStatement. You cannot use a managed rule group + * inside another rule group. You can only reference a managed rule group as a top-level statement within a rule that you define in a web ACL.

    * *

    You are charged additional fees when you use the WAF Bot Control managed rule group AWSManagedRulesBotControlRuleSet, the WAF Fraud Control account takeover prevention (ATP) managed rule group AWSManagedRulesATPRuleSet, or the WAF Fraud Control account creation fraud prevention (ACFP) managed rule group AWSManagedRulesACFPRuleSet. For more information, see WAF Pricing.

    *     @@ -7747,7 +7650,8 @@ export interface Statement { /** * @public *

    A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names by calling ListAvailableManagedRuleGroups.

    - *

    You cannot nest a ManagedRuleGroupStatement, for example for use inside a NotStatement or OrStatement. It can only be referenced as a top-level statement within a rule.

    + *

    You cannot nest a ManagedRuleGroupStatement, for example for use inside a NotStatement or OrStatement. You cannot use a managed rule group + * inside another rule group. You can only reference a managed rule group as a top-level statement within a rule that you define in a web ACL.

    * *

    You are charged additional fees when you use the WAF Bot Control managed rule group AWSManagedRulesBotControlRuleSet, the WAF Fraud Control account takeover prevention (ATP) managed rule group AWSManagedRulesATPRuleSet, or the WAF Fraud Control account creation fraud prevention (ACFP) managed rule group AWSManagedRulesACFPRuleSet. For more information, see WAF Pricing.

    *     @@ -7988,8 +7892,8 @@ export interface RateBasedStatement { /** * @public - *

    A single rule, which you can use in a WebACL or RuleGroup to identify web requests that you want to allow, block, or count. - * Each rule includes one top-level Statement that WAF uses to + *

    A single rule, which you can use in a WebACL or RuleGroup to identify web requests that you want to manage in some way. + * Each rule includes one top-level Statement that WAF uses to * identify matching web requests, and parameters that govern how WAF handles them.

    */ export interface Rule { @@ -8263,7 +8167,7 @@ export interface CreateRuleGroupRequest { /** * @public *

    The Rule statements used to identify the web requests that you - * want to allow, block, or count. Each rule includes one top-level statement that WAF uses to identify matching + * want to manage. Each rule includes one top-level statement that WAF uses to identify matching * web requests, and parameters that govern how WAF handles them. *

    */ @@ -8333,7 +8237,7 @@ export interface CreateWebACLRequest { /** * @public *

    The Rule statements used to identify the web requests that you - * want to allow, block, or count. Each rule includes one top-level statement that WAF uses to identify matching + * want to manage. Each rule includes one top-level statement that WAF uses to identify matching * web requests, and parameters that govern how WAF handles them. *

    */ @@ -8444,7 +8348,7 @@ export interface RuleGroup { /** * @public *

    The Rule statements used to identify the web requests that you - * want to allow, block, or count. Each rule includes one top-level statement that WAF uses to identify matching + * want to manage. Each rule includes one top-level statement that WAF uses to identify matching * web requests, and parameters that govern how WAF handles them. *

    */ @@ -8540,7 +8444,7 @@ export interface UpdateRuleGroupRequest { /** * @public *

    The Rule statements used to identify the web requests that you - * want to allow, block, or count. Each rule includes one top-level statement that WAF uses to identify matching + * want to manage. Each rule includes one top-level statement that WAF uses to identify matching * web requests, and parameters that govern how WAF handles them. *

    */ @@ -8616,7 +8520,7 @@ export interface UpdateWebACLRequest { /** * @public *

    The Rule statements used to identify the web requests that you - * want to allow, block, or count. Each rule includes one top-level statement that WAF uses to identify matching + * want to manage. Each rule includes one top-level statement that WAF uses to identify matching * web requests, and parameters that govern how WAF handles them. *

    */ @@ -8697,7 +8601,7 @@ export interface GetRuleGroupResponse { /** * @public - *

    A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

    + *

    A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has a statement that defines what to look for in web requests and an action that WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

    */ export interface WebACL { /** @@ -8736,7 +8640,7 @@ export interface WebACL { /** * @public *

    The Rule statements used to identify the web requests that you - * want to allow, block, or count. Each rule includes one top-level statement that WAF uses to identify matching + * want to manage. Each rule includes one top-level statement that WAF uses to identify matching * web requests, and parameters that govern how WAF handles them. *

    */ diff --git a/clients/client-wafv2/src/protocols/Aws_json1_1.ts b/clients/client-wafv2/src/protocols/Aws_json1_1.ts index 3d57a97a6a59a..c8a1066e9aa8a 100644 --- a/clients/client-wafv2/src/protocols/Aws_json1_1.ts +++ b/clients/client-wafv2/src/protocols/Aws_json1_1.ts @@ -236,6 +236,7 @@ import { ImmunityTimeProperty, IPSetForwardedIPConfig, IPSetReferenceStatement, + JA3Fingerprint, JsonBody, JsonMatchPattern, Label, @@ -4700,6 +4701,8 @@ const se_GetSampledRequestsRequest = (input: GetSampledRequestsRequest, context: // se_IPSetReferenceStatement omitted. +// se_JA3Fingerprint omitted. + // se_JsonBody omitted. // se_JsonMatchPattern omitted. @@ -5360,6 +5363,8 @@ const de_GetWebACLResponse = (output: any, context: __SerdeContext): GetWebACLRe // de_IPSetSummary omitted. +// de_JA3Fingerprint omitted. + // de_JsonBody omitted. // de_JsonMatchPattern omitted. diff --git a/codegen/sdk-codegen/aws-models/wafv2.json b/codegen/sdk-codegen/aws-models/wafv2.json index a98dfa221086d..ded2fbbafef5a 100644 --- a/codegen/sdk-codegen/aws-models/wafv2.json +++ b/codegen/sdk-codegen/aws-models/wafv2.json @@ -104,14 +104,14 @@ "CreationPath": { "target": "com.amazonaws.wafv2#CreationPathString", "traits": { - "smithy.api#documentation": "

    The path of the account creation endpoint for your application. This is the page on your website that accepts the completed registration form for a new user. This page must accept POST requests.

    \n

    For example, for the URL https://example.com/web/signup, you would provide the path /web/signup.

    ", + "smithy.api#documentation": "

    The path of the account creation endpoint for your application. This is the page on your website that accepts the completed registration form for a new user. This page must accept POST requests.

    \n

    For example, for the URL https://example.com/web/newaccount, you would provide\n\tthe path /web/newaccount. Account creation page paths that\n\tstart with the path that you provide are considered a match. For example\n\t/web/newaccount matches the account creation paths\n\t\t/web/newaccount, /web/newaccount/,\n\t\t/web/newaccountPage, and\n\t\t/web/newaccount/thisPage, but doesn't match the path\n\t\t/home/web/newaccount or\n\t\t/website/newaccount.

    ", "smithy.api#required": {} } }, "RegistrationPagePath": { "target": "com.amazonaws.wafv2#RegistrationPagePathString", "traits": { - "smithy.api#documentation": "

    The path of the account registration endpoint for your application. This is the page on your website that presents the registration form to new users.

    \n \n

    This page must accept GET text/html requests.

    \n     \n

    For example, for the URL https://example.com/web/register, you would provide the path /web/register.

    ", + "smithy.api#documentation": "

    The path of the account registration endpoint for your application. This is the page on your website that presents the registration form to new users.

    \n \n

    This page must accept GET text/html requests.

    \n     \n

    For example, for the URL https://example.com/web/registration, you would provide\n\tthe path /web/registration. Registration page paths that\n\tstart with the path that you provide are considered a match. For example\n\t /web/registration matches the registration paths\n\t /web/registration, /web/registration/,\n\t /web/registrationPage, and\n\t /web/registration/thisPage, but doesn't match the path\n\t /home/web/registration or\n\t /website/registration.

    ", "smithy.api#required": {} } }, @@ -146,7 +146,7 @@ "LoginPath": { "target": "com.amazonaws.wafv2#String", "traits": { - "smithy.api#documentation": "

    The path of the login endpoint for your application. For example, for the URL\n https://example.com/web/login, you would provide the path\n /web/login.

    \n

    The rule group inspects only HTTP POST requests to your specified login endpoint.

    ", + "smithy.api#documentation": "

    The path of the login endpoint for your application. For example, for the URL\n https://example.com/web/login, you would provide the path\n /web/login. Login paths that start with the path that you provide are considered a match. For example /web/login matches the login paths /web/login, /web/login/, /web/loginPage, and /web/login/thisPage, but doesn't match the login path /home/web/login or /website/login.

    \n

    The rule group inspects only HTTP POST requests to your specified login endpoint.

    ", "smithy.api#required": {} } }, @@ -1874,7 +1874,7 @@ "SearchString": { "target": "com.amazonaws.wafv2#SearchString", "traits": { - "smithy.api#documentation": "

    A string value that you want WAF to search for. WAF searches only in the part of\n web requests that you designate for inspection in FieldToMatch. The\n maximum length of the value is 200 bytes.

    \n

    Valid values depend on the component that you specify for inspection in\n FieldToMatch:

    \n \n

    If SearchString includes alphabetic characters A-Z and a-z, note that the\n value is case sensitive.

    \n

    \n If you're using the WAF API\n

    \n

    Specify a base64-encoded version of the value. The maximum length of the value before\n you base64-encode it is 200 bytes.

    \n

    For example, suppose the value of Type is HEADER and the value\n of Data is User-Agent. If you want to search the\n User-Agent header for the value BadBot, you base64-encode\n BadBot using MIME base64-encoding and include the resulting value,\n QmFkQm90, in the value of SearchString.

    \n

    \n If you're using the CLI or one of the Amazon Web Services SDKs\n

    \n

    The value that you want WAF to search for. The SDK automatically base64 encodes the\n value.

    ", + "smithy.api#documentation": "

    A string value that you want WAF to search for. WAF searches only in the part of\n web requests that you designate for inspection in FieldToMatch. The\n maximum length of the value is 200 bytes.

    \n

    Valid values depend on the component that you specify for inspection in\n FieldToMatch:

    \n \n

    If SearchString includes alphabetic characters A-Z and a-z, note that the\n value is case sensitive.

    \n

    \n If you're using the WAF API\n

    \n

    Specify a base64-encoded version of the value. The maximum length of the value before\n you base64-encode it is 200 bytes.

    \n

    For example, suppose the value of Type is HEADER and the value\n of Data is User-Agent. If you want to search the\n User-Agent header for the value BadBot, you base64-encode\n BadBot using MIME base64-encoding and include the resulting value,\n QmFkQm90, in the value of SearchString.

    \n

    \n If you're using the CLI or one of the Amazon Web Services SDKs\n

    \n

    The value that you want WAF to search for. The SDK automatically base64 encodes the\n value.

    ", "smithy.api#required": {} } }, @@ -1888,7 +1888,7 @@ "TextTransformations": { "target": "com.amazonaws.wafv2#TextTransformations", "traits": { - "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    ", + "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    ", "smithy.api#required": {} } }, @@ -3913,7 +3913,7 @@ "Addresses": { "target": "com.amazonaws.wafv2#IPAddresses", "traits": { - "smithy.api#documentation": "

    Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0.

    \n

    Example address strings:

    \n \n

    For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

    \n

    Example JSON Addresses specifications:

    \n ", + "smithy.api#documentation": "

    Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses that you want WAF to inspect for in incoming requests. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0.

    \n

    Example address strings:

    \n \n

    For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

    \n

    Example JSON Addresses specifications:

    \n ", "smithy.api#required": {} } }, @@ -4116,7 +4116,7 @@ "Rules": { "target": "com.amazonaws.wafv2#Rules", "traits": { - "smithy.api#documentation": "

    The Rule statements used to identify the web requests that you \n want to allow, block, or count. Each rule includes one top-level statement that WAF uses to identify matching \n web requests, and parameters that govern how WAF handles them. \n

    " + "smithy.api#documentation": "

    The Rule statements used to identify the web requests that you \n want to manage. Each rule includes one top-level statement that WAF uses to identify matching \n web requests, and parameters that govern how WAF handles them. \n

    " } }, "VisibilityConfig": { @@ -4210,7 +4210,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Creates a WebACL per the specifications provided.

    \n

    A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

    " + "smithy.api#documentation": "

    Creates a WebACL per the specifications provided.

    \n

    A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has a statement that defines what to look for in web requests and an action that WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

    " } }, "com.amazonaws.wafv2#CreateWebACLRequest": { @@ -4246,7 +4246,7 @@ "Rules": { "target": "com.amazonaws.wafv2#Rules", "traits": { - "smithy.api#documentation": "

    The Rule statements used to identify the web requests that you \n want to allow, block, or count. Each rule includes one top-level statement that WAF uses to identify matching \n web requests, and parameters that govern how WAF handles them. \n

    " + "smithy.api#documentation": "

    The Rule statements used to identify the web requests that you \n want to manage. Each rule includes one top-level statement that WAF uses to identify matching \n web requests, and parameters that govern how WAF handles them. \n

    " } }, "VisibilityConfig": { @@ -4408,7 +4408,7 @@ "ResponseHeaders": { "target": "com.amazonaws.wafv2#CustomHTTPHeaders", "traits": { - "smithy.api#documentation": "

    The HTTP headers to use in the response. Duplicate header names are not allowed.

    \n

    For information about the limits on count and size for custom request and response settings, see WAF quotas \n in the WAF Developer Guide.

    " + "smithy.api#documentation": "

    The HTTP headers to use in the response. You can specify any header name except for content-type. Duplicate header names are not allowed.

    \n

    For information about the limits on count and size for custom request and response settings, see WAF quotas \n in the WAF Developer Guide.

    " } } }, @@ -5456,6 +5456,12 @@ "traits": { "smithy.api#documentation": "

    Inspect a string containing the list of the request's header names, ordered as they appear in the web request\nthat WAF receives for inspection. \n WAF generates the string and then uses that as the field to match component in its inspection. \n WAF separates the header names in the string using colons and no added spaces, for example host:user-agent:accept:authorization:referer.

    " } + }, + "JA3Fingerprint": { + "target": "com.amazonaws.wafv2#JA3Fingerprint", + "traits": { + "smithy.api#documentation": "

    Match against the request's JA3 fingerprint header. The header contains a hash fingerprint of the TLS Client Hello packet for the request.

    \n \n

    You can use this choice only with a string match ByteMatchStatement with the PositionalConstraint set to \n EXACTLY.

    \n     " + } } }, "traits": { @@ -6854,7 +6860,7 @@ "Addresses": { "target": "com.amazonaws.wafv2#IPAddresses", "traits": { - "smithy.api#documentation": "

    Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0.

    \n

    Example address strings:

    \n \n

    For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

    \n

    Example JSON Addresses specifications:

    \n ", + "smithy.api#documentation": "

    Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses that you want WAF to inspect for in incoming requests. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0.

    \n

    Example address strings:

    \n \n

    For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

    \n

    Example JSON Addresses specifications:

    \n ", "smithy.api#required": {} } } @@ -6992,6 +6998,21 @@ } } }, + "com.amazonaws.wafv2#JA3Fingerprint": { + "type": "structure", + "members": { + "FallbackBehavior": { + "target": "com.amazonaws.wafv2#FallbackBehavior", + "traits": { + "smithy.api#documentation": "

    The match status to assign to the web request if the request doesn't have a JA3 fingerprint.

    \n

    You can specify the following fallback behaviors:

    \n ", + "smithy.api#required": {} + } + } + }, + "traits": { + "smithy.api#documentation": "

    Match against the request's JA3 fingerprint header. The header contains a hash fingerprint of the TLS Client Hello packet for the request.

    \n \n

    You can use this choice only with a string match ByteMatchStatement with the PositionalConstraint set to \n EXACTLY.

    \n     " + } + }, "com.amazonaws.wafv2#JsonBody": { "type": "structure", "members": { @@ -8385,7 +8406,7 @@ } }, "traits": { - "smithy.api#documentation": "

    A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names by calling ListAvailableManagedRuleGroups.

    \n

    You cannot nest a ManagedRuleGroupStatement, for example for use inside a NotStatement or OrStatement. It can only be referenced as a top-level statement within a rule.

    \n \n

    You are charged additional fees when you use the WAF Bot Control managed rule group AWSManagedRulesBotControlRuleSet, the WAF Fraud Control account takeover prevention (ATP) managed rule group AWSManagedRulesATPRuleSet, or the WAF Fraud Control account creation fraud prevention (ACFP) managed rule group AWSManagedRulesACFPRuleSet. For more information, see WAF Pricing.

    \n     " + "smithy.api#documentation": "

    A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names by calling ListAvailableManagedRuleGroups.

    \n

    You cannot nest a ManagedRuleGroupStatement, for example for use inside a NotStatement or OrStatement. You cannot use a managed rule group \n inside another rule group. You can only reference a managed rule group as a top-level statement within a rule that you define in a web ACL.

    \n \n

    You are charged additional fees when you use the WAF Bot Control managed rule group AWSManagedRulesBotControlRuleSet, the WAF Fraud Control account takeover prevention (ATP) managed rule group AWSManagedRulesATPRuleSet, or the WAF Fraud Control account creation fraud prevention (ACFP) managed rule group AWSManagedRulesACFPRuleSet. For more information, see WAF Pricing.

    \n     " } }, "com.amazonaws.wafv2#ManagedRuleGroupSummaries": { @@ -9783,7 +9804,7 @@ "TextTransformations": { "target": "com.amazonaws.wafv2#TextTransformations", "traits": { - "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    ", + "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    ", "smithy.api#required": {} } } @@ -9819,7 +9840,7 @@ "TextTransformations": { "target": "com.amazonaws.wafv2#TextTransformations", "traits": { - "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    ", + "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    ", "smithy.api#required": {} } } @@ -9863,7 +9884,7 @@ "TextTransformations": { "target": "com.amazonaws.wafv2#TextTransformations", "traits": { - "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    ", + "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    ", "smithy.api#required": {} } } @@ -9878,7 +9899,7 @@ "TextTransformations": { "target": "com.amazonaws.wafv2#TextTransformations", "traits": { - "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    ", + "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    ", "smithy.api#required": {} } } @@ -9893,7 +9914,7 @@ "TextTransformations": { "target": "com.amazonaws.wafv2#TextTransformations", "traits": { - "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    ", + "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    ", "smithy.api#required": {} } } @@ -9948,7 +9969,7 @@ "TextTransformations": { "target": "com.amazonaws.wafv2#TextTransformations", "traits": { - "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    ", + "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    ", "smithy.api#required": {} } } @@ -10015,7 +10036,7 @@ "TextTransformations": { "target": "com.amazonaws.wafv2#TextTransformations", "traits": { - "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    ", + "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    ", "smithy.api#required": {} } } @@ -10627,7 +10648,7 @@ } }, "traits": { - "smithy.api#documentation": "

    A single rule, which you can use in a WebACL or RuleGroup to identify web requests that you want to allow, block, or count.\n Each rule includes one top-level Statement that WAF uses to\n identify matching web requests, and parameters that govern how WAF handles them.

    " + "smithy.api#documentation": "

    A single rule, which you can use in a WebACL or RuleGroup to identify web requests that you want to manage in some way. \n Each rule includes one top-level Statement that WAF uses to\n identify matching web requests, and parameters that govern how WAF handles them.

    " } }, "com.amazonaws.wafv2#RuleAction": { @@ -10743,7 +10764,7 @@ "Rules": { "target": "com.amazonaws.wafv2#Rules", "traits": { - "smithy.api#documentation": "

    The Rule statements used to identify the web requests that you \n want to allow, block, or count. Each rule includes one top-level statement that WAF uses to identify matching \n web requests, and parameters that govern how WAF handles them. \n

    " + "smithy.api#documentation": "

    The Rule statements used to identify the web requests that you \n want to manage. Each rule includes one top-level statement that WAF uses to identify matching \n web requests, and parameters that govern how WAF handles them. \n

    " } }, "VisibilityConfig": { @@ -10806,7 +10827,7 @@ } }, "traits": { - "smithy.api#documentation": "

    A rule statement used to run the rules that are defined in a RuleGroup. To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.

    \n

    You cannot nest a RuleGroupReferenceStatement, for example for use inside a NotStatement or OrStatement. You \n can only use a rule group reference statement at the top level inside a web ACL.

    " + "smithy.api#documentation": "

    A rule statement used to run the rules that are defined in a RuleGroup. To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.

    \n

    You cannot nest a RuleGroupReferenceStatement, for example for use inside a NotStatement or OrStatement. You cannot use a rule group\n reference statement inside another rule group. You can only reference a rule group as a top-level statement within a rule that you define in a web ACL.

    " } }, "com.amazonaws.wafv2#RuleGroupSummaries": { @@ -11101,7 +11122,7 @@ "TextTransformations": { "target": "com.amazonaws.wafv2#TextTransformations", "traits": { - "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    ", + "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    ", "smithy.api#required": {} } } @@ -11155,7 +11176,7 @@ "TextTransformations": { "target": "com.amazonaws.wafv2#TextTransformations", "traits": { - "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    ", + "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    ", "smithy.api#required": {} } }, @@ -11206,7 +11227,7 @@ "RuleGroupReferenceStatement": { "target": "com.amazonaws.wafv2#RuleGroupReferenceStatement", "traits": { - "smithy.api#documentation": "

    A rule statement used to run the rules that are defined in a RuleGroup. To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.

    \n

    You cannot nest a RuleGroupReferenceStatement, for example for use inside a NotStatement or OrStatement. You \n can only use a rule group reference statement at the top level inside a web ACL.

    " + "smithy.api#documentation": "

    A rule statement used to run the rules that are defined in a RuleGroup. To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.

    \n

    You cannot nest a RuleGroupReferenceStatement, for example for use inside a NotStatement or OrStatement. You cannot use a rule group\n reference statement inside another rule group. You can only reference a rule group as a top-level statement within a rule that you define in a web ACL.

    " } }, "IPSetReferenceStatement": { @@ -11248,7 +11269,7 @@ "ManagedRuleGroupStatement": { "target": "com.amazonaws.wafv2#ManagedRuleGroupStatement", "traits": { - "smithy.api#documentation": "

    A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names by calling ListAvailableManagedRuleGroups.

    \n

    You cannot nest a ManagedRuleGroupStatement, for example for use inside a NotStatement or OrStatement. It can only be referenced as a top-level statement within a rule.

    \n \n

    You are charged additional fees when you use the WAF Bot Control managed rule group AWSManagedRulesBotControlRuleSet, the WAF Fraud Control account takeover prevention (ATP) managed rule group AWSManagedRulesATPRuleSet, or the WAF Fraud Control account creation fraud prevention (ACFP) managed rule group AWSManagedRulesACFPRuleSet. For more information, see WAF Pricing.

    \n     " + "smithy.api#documentation": "

    A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names by calling ListAvailableManagedRuleGroups.

    \n

    You cannot nest a ManagedRuleGroupStatement, for example for use inside a NotStatement or OrStatement. You cannot use a managed rule group \n inside another rule group. You can only reference a managed rule group as a top-level statement within a rule that you define in a web ACL.

    \n \n

    You are charged additional fees when you use the WAF Bot Control managed rule group AWSManagedRulesBotControlRuleSet, the WAF Fraud Control account takeover prevention (ATP) managed rule group AWSManagedRulesATPRuleSet, or the WAF Fraud Control account creation fraud prevention (ACFP) managed rule group AWSManagedRulesACFPRuleSet. For more information, see WAF Pricing.

    \n     " } }, "LabelMatchStatement": { @@ -11459,7 +11480,7 @@ "Type": { "target": "com.amazonaws.wafv2#TextTransformationType", "traits": { - "smithy.api#documentation": "

    You can specify the following transformation types:

    \n

    \n BASE64_DECODE - Decode a\n Base64-encoded string.

    \n

    \n BASE64_DECODE_EXT - Decode a\n Base64-encoded string, but use a forgiving implementation that ignores\n characters that aren't valid.

    \n

    \n CMD_LINE - Command-line transformations. These are\n helpful in reducing effectiveness of attackers who inject an operating system command-line \n command and use unusual formatting to disguise some or all of the command.

    \n \n

    \n COMPRESS_WHITE_SPACE - Replace these characters\n with a space character (decimal 32):

    \n \n

    \n COMPRESS_WHITE_SPACE also replaces multiple spaces with one space.

    \n

    \n CSS_DECODE - Decode characters that were encoded\n using CSS 2.x escape rules syndata.html#characters. This function uses up to\n two bytes in the decoding process, so it can help to uncover ASCII characters that were\n encoded using CSS encoding that wouldn’t typically be encoded. It's also useful in\n countering evasion, which is a combination of a backslash and non-hexadecimal characters.\n For example, ja\\vascript for javascript.

    \n

    \n ESCAPE_SEQ_DECODE - Decode the following ANSI C\n escape sequences: \\a, \\b, \\f, \\n,\n \\r, \\t, \\v, \\\\, \\?,\n \\', \\\", \\xHH (hexadecimal), \\0OOO\n (octal). Encodings that aren't valid remain in the output.

    \n

    \n HEX_DECODE - Decode a string of hexadecimal\n characters into a binary.

    \n

    \n HTML_ENTITY_DECODE - Replace HTML-encoded\n characters with unencoded characters. HTML_ENTITY_DECODE performs these\n operations:

    \n \n

    \n JS_DECODE - Decode JavaScript escape sequences. If\n a\n \\\n u\n HHHH\n code is in the full-width ASCII code range of FF01-FF5E, then the higher byte\n is used to detect and adjust the lower byte. If not, only the lower byte is used and the\n higher byte is zeroed, causing a possible loss of information.

    \n

    \n LOWERCASE - Convert uppercase letters (A-Z) to\n lowercase (a-z).

    \n

    \n MD5 - Calculate an MD5 hash from the data in the\n input. The computed hash is in a raw binary form.

    \n

    \n NONE - Specify NONE if you don't want\n any text transformations.

    \n

    \n NORMALIZE_PATH - Remove multiple slashes, directory\n self-references, and directory back-references that are not at the beginning of the input\n from an input string.

    \n

    \n NORMALIZE_PATH_WIN - This is the same as\n NORMALIZE_PATH, but first converts backslash characters to forward slashes.

    \n

    \n REMOVE_NULLS - Remove all NULL bytes\n from the input.

    \n

    \n REPLACE_COMMENTS - Replace each occurrence of a\n C-style comment (/* ... */) with a single space. Multiple consecutive\n occurrences are not compressed. Unterminated comments are also replaced with a space (ASCII\n 0x20). However, a standalone termination of a comment (*/) is not acted upon.

    \n

    \n REPLACE_NULLS - Replace NULL bytes in the input\n with space characters (ASCII 0x20).

    \n

    \n SQL_HEX_DECODE - Decode SQL hex data. Example\n (0x414243) will be decoded to (ABC).

    \n

    \n URL_DECODE - Decode a URL-encoded value.

    \n

    \n URL_DECODE_UNI - Like URL_DECODE, but\n with support for Microsoft-specific %u encoding. If the code is in the\n full-width ASCII code range of FF01-FF5E, the higher byte is used to detect\n and adjust the lower byte. Otherwise, only the lower byte is used and the higher byte is\n zeroed.

    \n

    \n UTF8_TO_UNICODE - Convert all UTF-8 character\n sequences to Unicode. This helps input normalization, and minimizing false-positives and\n false-negatives for non-English languages.

    ", + "smithy.api#documentation": "

    For detailed descriptions of each of the transformation types, see Text transformations \n in the WAF Developer Guide.

    ", "smithy.api#required": {} } } @@ -11809,7 +11830,7 @@ "Addresses": { "target": "com.amazonaws.wafv2#IPAddresses", "traits": { - "smithy.api#documentation": "

    Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0.

    \n

    Example address strings:

    \n \n

    For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

    \n

    Example JSON Addresses specifications:

    \n ", + "smithy.api#documentation": "

    Contains an array of strings that specifies zero or more IP addresses or blocks of IP addresses that you want WAF to inspect for in incoming requests. All addresses must be specified using Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0.

    \n

    Example address strings:

    \n \n

    For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

    \n

    Example JSON Addresses specifications:

    \n ", "smithy.api#required": {} } }, @@ -12119,7 +12140,7 @@ "Rules": { "target": "com.amazonaws.wafv2#Rules", "traits": { - "smithy.api#documentation": "

    The Rule statements used to identify the web requests that you \n want to allow, block, or count. Each rule includes one top-level statement that WAF uses to identify matching \n web requests, and parameters that govern how WAF handles them. \n

    " + "smithy.api#documentation": "

    The Rule statements used to identify the web requests that you \n want to manage. Each rule includes one top-level statement that WAF uses to identify matching \n web requests, and parameters that govern how WAF handles them. \n

    " } }, "VisibilityConfig": { @@ -12208,7 +12229,7 @@ } ], "traits": { - "smithy.api#documentation": "

    Updates the specified WebACL. While updating a web ACL, WAF provides\n continuous coverage to the resources that you have associated with the web ACL.

    \n \n

    This operation completely replaces the mutable specifications that you already have for the web ACL with the ones that you provide to this call.

    \n

    To modify a web ACL, do the following:

    \n
      \n
    1. \n

      Retrieve it by calling GetWebACL\n

      \n
      2. \n
    2. \n

      Update its settings as needed

      \n
      3. \n
    3. \n

      Provide the complete web ACL specification to this call

      \n
      4. \n
    \n     \n

    When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.

    \n

    A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

    " + "smithy.api#documentation": "

    Updates the specified WebACL. While updating a web ACL, WAF provides\n continuous coverage to the resources that you have associated with the web ACL.

    \n \n

    This operation completely replaces the mutable specifications that you already have for the web ACL with the ones that you provide to this call.

    \n

    To modify a web ACL, do the following:

    \n
      \n
    1. \n

      Retrieve it by calling GetWebACL\n

      \n
      2. \n
    2. \n

      Update its settings as needed

      \n
      3. \n
    3. \n

      Provide the complete web ACL specification to this call

      \n
      4. \n
    \n     \n

    When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.

    \n

    A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has a statement that defines what to look for in web requests and an action that WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

    " } }, "com.amazonaws.wafv2#UpdateWebACLRequest": { @@ -12251,7 +12272,7 @@ "Rules": { "target": "com.amazonaws.wafv2#Rules", "traits": { - "smithy.api#documentation": "

    The Rule statements used to identify the web requests that you \n want to allow, block, or count. Each rule includes one top-level statement that WAF uses to identify matching \n web requests, and parameters that govern how WAF handles them. \n

    " + "smithy.api#documentation": "

    The Rule statements used to identify the web requests that you \n want to manage. Each rule includes one top-level statement that WAF uses to identify matching \n web requests, and parameters that govern how WAF handles them. \n

    " } }, "VisibilityConfig": { @@ -12705,7 +12726,7 @@ "Rules": { "target": "com.amazonaws.wafv2#Rules", "traits": { - "smithy.api#documentation": "

    The Rule statements used to identify the web requests that you \n want to allow, block, or count. Each rule includes one top-level statement that WAF uses to identify matching \n web requests, and parameters that govern how WAF handles them. \n

    " + "smithy.api#documentation": "

    The Rule statements used to identify the web requests that you \n want to manage. Each rule includes one top-level statement that WAF uses to identify matching \n web requests, and parameters that govern how WAF handles them. \n

    " } }, "VisibilityConfig": { @@ -12779,7 +12800,7 @@ } }, "traits": { - "smithy.api#documentation": "

    A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

    " + "smithy.api#documentation": "

    A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has a statement that defines what to look for in web requests and an action that WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

    " } }, "com.amazonaws.wafv2#WebACLSummaries": { @@ -12839,7 +12860,7 @@ "TextTransformations": { "target": "com.amazonaws.wafv2#TextTransformations", "traits": { - "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the component contents.

    ", + "smithy.api#documentation": "

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. Text transformations are used in rule match statements, to transform the FieldToMatch request component before inspecting it, and they're used in rate-based rule statements, to transform request components before using them as custom aggregation keys. If you specify one or more transformations to apply, WAF performs all transformations on the specified content, starting from the lowest priority setting, and then uses the transformed component contents.

    ", "smithy.api#required": {} } } @@ -12849,4 +12870,4 @@ } } } -} \ No newline at end of file +}