For regional applications, you can use any of the endpoints in the list. -A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.For Amazon CloudFront applications, you must use the API endpoint listed for diff --git a/clients/client-wafv2/src/WAFV2.ts b/clients/client-wafv2/src/WAFV2.ts index bd008d124853..d7783e61b1a5 100644 --- a/clients/client-wafv2/src/WAFV2.ts +++ b/clients/client-wafv2/src/WAFV2.ts @@ -242,7 +242,7 @@ import { WAFV2Client } from "./WAFV2Client"; *
For regional applications, you can use any of the endpoints in the list. - * A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ * A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service. *For Amazon CloudFront applications, you must use the API endpoint listed for @@ -276,10 +276,10 @@ export class WAFV2 extends WAFV2Client { /** * @public *
Associates a web ACL with a regional application resource, to protect the resource. - * A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ * A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service. *For Amazon CloudFront, don't use this call. Instead, use your CloudFront distribution configuration. To
* associate a web ACL, in the CloudFront call UpdateDistribution, set the web ACL ID
- * to the Amazon Resource Name (ARN) of the web ACL. For information, see UpdateDistribution.
When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.
*/ public associateWebACL( @@ -323,8 +323,8 @@ export class WAFV2 extends WAFV2Client { * Simple rules that cost little to run use fewer WCUs than more complex rules * that use more processing power. * Rule group capacity is fixed at creation, which helps users plan their - * web ACL WCU usage when they use a rule group. - * The WCU limit for web ACLs is 1,500. + * web ACL WCU usage when they use a rule group. For more information, see WAF web ACL capacity units (WCU) + * in the WAF Developer Guide. */ public checkCapacity( args: CheckCapacityCommandInput, @@ -456,7 +456,7 @@ export class WAFV2 extends WAFV2Client { /** * @public *Creates a WebACL per the specifications provided.
- *A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, Amazon Cognito user pool, or an App Runner service.
+ *A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*/ public createWebACL( args: CreateWebACLCommandInput, @@ -696,7 +696,8 @@ export class WAFV2 extends WAFV2Client { *For Amazon CloudFront distributions, use the CloudFront call
- * ListDistributionsByWebACLId. For information, see ListDistributionsByWebACLId.
ListDistributionsByWebACLId. For information, see ListDistributionsByWebACLId
+ * in the Amazon CloudFront API Reference.
* For Amazon CloudFront distributions, provide an empty web ACL ID in the CloudFront call
- * UpdateDistribution. For information, see UpdateDistribution.
UpdateDistribution. For information, see UpdateDistribution
+ * in the Amazon CloudFront API Reference.
* Disassociates the specified regional application resource from any existing web ACL - * association. A resource can have at most one web ACL association. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ * association. A resource can have at most one web ACL association. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service. *For Amazon CloudFront, don't use this call. Instead, use your CloudFront distribution configuration. To
* disassociate a web ACL, provide an empty web ACL ID in the CloudFront call
- * UpdateDistribution. For information, see UpdateDistribution.
UpdateDistribution. For information, see UpdateDistribution in the Amazon CloudFront API Reference.
*/
public disassociateWebACL(
args: DisassociateWebACLCommandInput,
@@ -2045,7 +2047,7 @@ export class WAFV2 extends WAFV2Client {
*
*
* When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.
- *A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, Amazon Cognito user pool, or an App Runner service.
+ *A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*/ public updateWebACL( args: UpdateWebACLCommandInput, diff --git a/clients/client-wafv2/src/WAFV2Client.ts b/clients/client-wafv2/src/WAFV2Client.ts index 0a8cdc80c00b..8b1b2e672ee1 100644 --- a/clients/client-wafv2/src/WAFV2Client.ts +++ b/clients/client-wafv2/src/WAFV2Client.ts @@ -479,7 +479,7 @@ export interface WAFV2ClientResolvedConfig extends WAFV2ClientResolvedConfigType *For regional applications, you can use any of the endpoints in the list. - * A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ * A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service. *For Amazon CloudFront applications, you must use the API endpoint listed for diff --git a/clients/client-wafv2/src/commands/AssociateWebACLCommand.ts b/clients/client-wafv2/src/commands/AssociateWebACLCommand.ts index 432490854b72..af1c41e299f5 100644 --- a/clients/client-wafv2/src/commands/AssociateWebACLCommand.ts +++ b/clients/client-wafv2/src/commands/AssociateWebACLCommand.ts @@ -36,10 +36,10 @@ export interface AssociateWebACLCommandOutput extends AssociateWebACLResponse, _ /** * @public *
Associates a web ACL with a regional application resource, to protect the resource. - * A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ * A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service. *For Amazon CloudFront, don't use this call. Instead, use your CloudFront distribution configuration. To
* associate a web ACL, in the CloudFront call UpdateDistribution, set the web ACL ID
- * to the Amazon Resource Name (ARN) of the web ACL. For information, see UpdateDistribution.
When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.
* @example * Use a bare-bones client and the command you need to make an API call. diff --git a/clients/client-wafv2/src/commands/CheckCapacityCommand.ts b/clients/client-wafv2/src/commands/CheckCapacityCommand.ts index 5810ed668630..398f4c574d2a 100644 --- a/clients/client-wafv2/src/commands/CheckCapacityCommand.ts +++ b/clients/client-wafv2/src/commands/CheckCapacityCommand.ts @@ -45,8 +45,8 @@ export interface CheckCapacityCommandOutput extends CheckCapacityResponse, __Met * Simple rules that cost little to run use fewer WCUs than more complex rules * that use more processing power. * Rule group capacity is fixed at creation, which helps users plan their - * web ACL WCU usage when they use a rule group. - * The WCU limit for web ACLs is 1,500. + * web ACL WCU usage when they use a rule group. For more information, see WAF web ACL capacity units (WCU) + * in the WAF Developer Guide. * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript diff --git a/clients/client-wafv2/src/commands/CreateWebACLCommand.ts b/clients/client-wafv2/src/commands/CreateWebACLCommand.ts index 20b9351a4ba6..22c76a6b8b37 100644 --- a/clients/client-wafv2/src/commands/CreateWebACLCommand.ts +++ b/clients/client-wafv2/src/commands/CreateWebACLCommand.ts @@ -36,7 +36,7 @@ export interface CreateWebACLCommandOutput extends CreateWebACLResponse, __Metad /** * @public *Creates a WebACL per the specifications provided.
- *A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, Amazon Cognito user pool, or an App Runner service.
+ *A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -802,6 +802,13 @@ export interface CreateWebACLCommandOutput extends CreateWebACLResponse, __Metad * TokenDomains: [ // TokenDomains * "STRING_VALUE", * ], + * AssociationConfig: { // AssociationConfig + * RequestBody: { // RequestBody + * "For Amazon CloudFront distributions, use the CloudFront call
- * ListDistributionsByWebACLId. For information, see ListDistributionsByWebACLId.
ListDistributionsByWebACLId. For information, see ListDistributionsByWebACLId
+ * in the Amazon CloudFront API Reference.
* For Amazon CloudFront distributions, provide an empty web ACL ID in the CloudFront call
- * UpdateDistribution. For information, see UpdateDistribution.
UpdateDistribution. For information, see UpdateDistribution
+ * in the Amazon CloudFront API Reference.
* Disassociates the specified regional application resource from any existing web ACL - * association. A resource can have at most one web ACL association. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ * association. A resource can have at most one web ACL association. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service. *For Amazon CloudFront, don't use this call. Instead, use your CloudFront distribution configuration. To
* disassociate a web ACL, provide an empty web ACL ID in the CloudFront call
- * UpdateDistribution. For information, see UpdateDistribution.
UpdateDistribution. For information, see UpdateDistribution in the Amazon CloudFront API Reference.
* @example
* Use a bare-bones client and the command you need to make an API call.
* ```javascript
diff --git a/clients/client-wafv2/src/commands/PutPermissionPolicyCommand.ts b/clients/client-wafv2/src/commands/PutPermissionPolicyCommand.ts
index 40cb1bf84b46..cdd588d2265c 100644
--- a/clients/client-wafv2/src/commands/PutPermissionPolicyCommand.ts
+++ b/clients/client-wafv2/src/commands/PutPermissionPolicyCommand.ts
@@ -102,7 +102,7 @@ export interface PutPermissionPolicyCommandOutput extends PutPermissionPolicyRes
* The policy specifications must conform to the following:
*The policy must be composed using IAM Policy version 2012-10-17 or version 2015-01-01.
+ *The policy must be composed using IAM Policy version 2012-10-17.
*The policy must include specifications for Effect, Action, and Principal.
When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.
- *A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, Amazon Cognito user pool, or an App Runner service.
+ *A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript @@ -816,6 +816,13 @@ export interface UpdateWebACLCommandOutput extends UpdateWebACLResponse, __Metad * TokenDomains: [ // TokenDomains * "STRING_VALUE", * ], + * AssociationConfig: { // AssociationConfig + * RequestBody: { // RequestBody + * "Custom request handling behavior that inserts custom headers into a web request. You can
* add custom request handling for WAF to use when the rule action doesn't block the request.
* For example, CaptchaAction for requests with valid t okens, and AllowAction.
For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the - * WAF Developer Guide.
+ *For information about customizing web requests and responses, + * see Customizing web requests and responses in WAF + * in the WAF Developer Guide.
*/ export interface CustomRequestHandling { /** *The HTTP headers to insert into the request. Duplicate header names are not allowed.
- *For information about the limits on count and size for custom request and response settings, see WAF quotas in the - * WAF Developer Guide.
+ *For information about the limits on count and size for custom request and response settings, see WAF quotas + * in the WAF Developer Guide.
*/ InsertHeaders: CustomHTTPHeader[] | undefined; } @@ -91,8 +92,9 @@ export interface CustomRequestHandling { export interface AllowAction { /** *Defines custom handling for the web request.
- *For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the - * WAF Developer Guide.
+ *For information about customizing web requests and responses, + * see Customizing web requests and responses in WAF + * in the WAF Developer Guide.
*/ CustomRequestHandling?: CustomRequestHandling; } @@ -130,9 +132,11 @@ export type OversizeHandling = (typeof OversizeHandling)[keyof typeof OversizeHa export interface Body { /** *What WAF should do if the body is larger than WAF can inspect. - * WAF does not support inspecting the entire contents of the body of a web request - * when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to - * WAF by the underlying host service.
+ * WAF does not support inspecting the entire contents of the web request body if the body + * exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service + * only forwards the contents that are below the limit to WAF for inspection. + *The default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions,
+ * you can increase the limit in the web ACL AssociationConfig, for additional processing fees.
The options for oversize handling are the following:
*You can combine the MATCH or NO_MATCH
- * settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over 8 KB.
Default: CONTINUE
*
What WAF should do if the body is larger than WAF can inspect. - * WAF does not support inspecting the entire contents of the body of a web request - * when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to - * WAF by the underlying host service.
+ * WAF does not support inspecting the entire contents of the web request body if the body + * exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service + * only forwards the contents that are below the limit to WAF for inspection. + *The default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions,
+ * you can increase the limit in the web ACL AssociationConfig, for additional processing fees.
The options for oversize handling are the following:
*You can combine the MATCH or NO_MATCH
- * settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over 8 KB.
Default: CONTINUE
*
Inspect the request body as plain text. The request body immediately follows the request * headers. This is the part of a request that contains any additional data that you want to * send to your web server as the HTTP request body, such as data from a form.
- *Only the first 8 KB (8192 bytes) of the request body are forwarded to WAF for - * inspection by the underlying host service. For information about how to handle oversized + *
A limited amount of the request body is forwarded to WAF for
+ * inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions,
+ * you can increase the limit in the web ACL's AssociationConfig, for additional processing fees.
For information about how to handle oversized
* request bodies, see the Body object configuration.
Inspect the request body as JSON. The request body immediately follows the request * headers. This is the part of a request that contains any additional data that you want to * send to your web server as the HTTP request body, such as data from a form.
- *Only the first 8 KB (8192 bytes) of the request body are forwarded to WAF for - * inspection by the underlying host service. For information about how to handle oversized + *
A limited amount of the request body is forwarded to WAF for
+ * inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions,
+ * you can increase the limit in the web ACL's AssociationConfig, for additional processing fees.
For information about how to handle oversized
* request bodies, see the JsonBody object configuration.
The inspection level to use for the Bot Control rule group. The common level is the least expensive. The * targeted level includes all common level rules and adds rules with more advanced inspection criteria. For - * details, see WAF Bot Control rule group.
+ * details, see WAF Bot Control rule group + * in the WAF Developer Guide. */ InspectionLevel: InspectionLevel | string | undefined; } @@ -1877,14 +1888,15 @@ export interface ManagedRuleGroupConfig { * @public *A custom response to send to the client. You can define a custom response for rule * actions and default web ACL actions that are set to BlockAction.
- *For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the - * WAF Developer Guide.
+ *For information about customizing web requests and responses, + * see Customizing web requests and responses in WAF + * in the WAF Developer Guide.
*/ export interface CustomResponse { /** *The HTTP status code to return to the client.
- *For a list of status codes that you can use in your custom responses, see Supported status codes for custom response in the - * WAF Developer Guide.
+ *For a list of status codes that you can use in your custom responses, see Supported status codes for custom response + * in the WAF Developer Guide.
*/ ResponseCode: number | undefined; @@ -1900,8 +1912,8 @@ export interface CustomResponse { /** *The HTTP headers to use in the response. Duplicate header names are not allowed.
- *For information about the limits on count and size for custom request and response settings, see WAF quotas in the - * WAF Developer Guide.
+ *For information about the limits on count and size for custom request and response settings, see WAF quotas + * in the WAF Developer Guide.
*/ ResponseHeaders?: CustomHTTPHeader[]; } @@ -1915,8 +1927,9 @@ export interface CustomResponse { export interface BlockAction { /** *Defines a custom response for the web request.
- *For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the - * WAF Developer Guide.
+ *For information about customizing web requests and responses, + * see Customizing web requests and responses in WAF + * in the WAF Developer Guide.
*/ CustomResponse?: CustomResponse; } @@ -1955,8 +1968,9 @@ export interface BlockAction { export interface CaptchaAction { /** *Defines custom handling for the web request, used when the CAPTCHA inspection determines that the request's token is valid and unexpired.
For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the - * WAF Developer Guide.
+ *For information about customizing web requests and responses, + * see Customizing web requests and responses in WAF + * in the WAF Developer Guide.
*/ CustomRequestHandling?: CustomRequestHandling; } @@ -1999,8 +2013,9 @@ export interface CaptchaAction { export interface ChallengeAction { /** *Defines custom handling for the web request, used when the challenge inspection determines that the request's token is valid and unexpired.
- *For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the - * WAF Developer Guide.
+ *For information about customizing web requests and responses, + * see Customizing web requests and responses in WAF + * in the WAF Developer Guide.
*/ CustomRequestHandling?: CustomRequestHandling; } @@ -2014,8 +2029,9 @@ export interface ChallengeAction { export interface CountAction { /** *Defines custom handling for the web request.
- *For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the - * WAF Developer Guide.
+ *For information about customizing web requests and responses, + * see Customizing web requests and responses in WAF + * in the WAF Developer Guide.
*/ CustomRequestHandling?: CustomRequestHandling; } @@ -2180,7 +2196,7 @@ export type ComparisonOperator = (typeof ComparisonOperator)[keyof typeof Compar /** * @public *A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.
- *If you configure WAF to inspect the request body, WAF inspects only the first 8192 bytes (8 KB). If the request body for your web requests never exceeds 8192 bytes, you could use a size constraint statement to block requests that have a request body greater than 8192 bytes.
+ *If you configure WAF to inspect the request body, WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL AssociationConfig, for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.
If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI /logo.jpg is nine characters long.
The ARN must be in one of the following formats:
*For an Application Load Balancer: For an Application Load Balancer: arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id
+ * arn:partition:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id
*
*
For an Amazon API Gateway REST API: For an Amazon API Gateway REST API: arn:aws:apigateway:region::/restapis/api-id/stages/stage-name
+ * arn:partition:apigateway:region::/restapis/api-id/stages/stage-name
*
*
For an AppSync GraphQL API: For an AppSync GraphQL API: arn:aws:appsync:region:account-id:apis/GraphQLApiId
+ * arn:partition:appsync:region:account-id:apis/GraphQLApiId
*
*
For an Amazon Cognito user pool: For an Amazon Cognito user pool: arn:aws:cognito-idp:region:account-id:userpool/user-pool-id
+ * arn:partition:cognito-idp:region:account-id:userpool/user-pool-id
*
*
For an App Runner service: For an App Runner service: arn:aws:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id
+ * arn:partition:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id
*
*
Customizes the maximum size of the request body that your protected CloudFront distributions forward to WAF for inspection. The default size is 16 KB (16,384 kilobytes).
+ *You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.
+ *This is used in the AssociationConfig of the web ACL.
Specifies the maximum size of the web request body component that an associated CloudFront distribution should send to WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body.
+ *Default: 16 KB (16,384 kilobytes)
+ *
Specifies custom configurations for the associations between the web ACL and protected resources.
+ *Use this to customize the maximum size of the request body that your protected CloudFront distributions forward to WAF for inspection. The default is 16 KB (16,384 kilobytes).
+ *You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.
+ *Customizes the maximum size of the request body that your protected CloudFront distributions forward to WAF for inspection. The default size is 16 KB (16,384 kilobytes).
+ *You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.
+ *Used for CAPTCHA and challenge token settings. Determines @@ -2656,7 +2737,7 @@ export interface VisibilityConfig { /** *
A boolean indicating whether the associated resource sends metrics to Amazon CloudWatch. For the * list of available metrics, see WAF - * Metrics.
+ * Metrics in the WAF Developer Guide. */ CloudWatchMetricsEnabled: boolean | undefined; @@ -2840,7 +2921,7 @@ export interface CreateIPSetRequest { Name: string | undefined; /** - *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*The payload of the custom response.
*You can use JSON escape strings in JSON content. To do this, you must specify JSON
* content in the ContentType setting.
For information about the limits on count and size for custom request and response settings, see WAF quotas in the - * WAF Developer Guide.
+ *For information about the limits on count and size for custom request and response settings, see WAF quotas + * in the WAF Developer Guide.
*/ Content: string | undefined; } @@ -3338,7 +3419,7 @@ export interface DeleteIPSetRequest { Name: string | undefined; /** - *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*The web ACL capacity units (WCUs) required for this rule group. WAF uses web ACL - * capacity units (WCU) to calculate and control the operating resources that are used to run - * your rules, rule groups, and web ACLs. WAF calculates capacity differently for each rule - * type, to reflect each rule's relative cost. Rule group capacity is fixed at creation, so - * users can plan their web ACL WCU usage when they use a rule group. The WCU limit for web - * ACLs is 1,500.
+ *The web ACL capacity units (WCUs) required for this rule group.
+ *WAF uses WCUs to calculate and control the operating + * resources that are used to run your rules, rule groups, and web ACLs. WAF + * calculates capacity differently for each rule type, to reflect the relative cost of each rule. + * Simple rules that cost little to run use fewer WCUs than more complex rules + * that use more processing power. + * Rule group capacity is fixed at creation, which helps users plan their + * web ACL WCU usage when they use a rule group. For more information, see WAF web ACL capacity units (WCU) + * in the WAF Developer Guide.
*/ Capacity?: number; @@ -3685,27 +3769,27 @@ export interface DisassociateWebACLRequest { *The ARN must be in one of the following formats:
*For an Application Load Balancer: For an Application Load Balancer: arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id
+ * arn:partition:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id
*
*
For an Amazon API Gateway REST API: For an Amazon API Gateway REST API: arn:aws:apigateway:region::/restapis/api-id/stages/stage-name
+ * arn:partition:apigateway:region::/restapis/api-id/stages/stage-name
*
*
For an AppSync GraphQL API: For an AppSync GraphQL API: arn:aws:appsync:region:account-id:apis/GraphQLApiId
+ * arn:partition:appsync:region:account-id:apis/GraphQLApiId
*
*
For an Amazon Cognito user pool: For an Amazon Cognito user pool: arn:aws:cognito-idp:region:account-id:userpool/user-pool-id
+ * arn:partition:cognito-idp:region:account-id:userpool/user-pool-id
*
*
For an App Runner service: For an App Runner service: arn:aws:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id
+ * arn:partition:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id
*
*
Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*The ARN must be in one of the following formats:
*For an Application Load Balancer: For an Application Load Balancer: arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id
+ * arn:partition:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id
*
*
For an Amazon API Gateway REST API: For an Amazon API Gateway REST API: arn:aws:apigateway:region::/restapis/api-id/stages/stage-name
+ * arn:partition:apigateway:region::/restapis/api-id/stages/stage-name
*
*
For an AppSync GraphQL API: For an AppSync GraphQL API: arn:aws:appsync:region:account-id:apis/GraphQLApiId
+ * arn:partition:appsync:region:account-id:apis/GraphQLApiId
*
*
For an Amazon Cognito user pool: For an Amazon Cognito user pool: arn:aws:cognito-idp:region:account-id:userpool/user-pool-id
+ * arn:partition:cognito-idp:region:account-id:userpool/user-pool-id
*
*
For an App Runner service: For an App Runner service: arn:aws:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id
+ * arn:partition:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id
*
*
Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Used for web ACLs that are scoped for regional applications. - * A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ * A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service. *If you don't provide a resource type, the call uses the resource type APPLICATION_LOAD_BALANCER.
Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*The policy specifications must conform to the following:
*The policy must be composed using IAM Policy version 2012-10-17 or version 2015-01-01.
+ *The policy must be composed using IAM Policy version 2012-10-17.
*The policy must include specifications for Effect, Action, and Principal.
The policy specifications must conform to the following:
*The policy must be composed using IAM Policy version 2012-10-17 or version 2015-01-01.
+ *The policy must be composed using IAM Policy version 2012-10-17.
*The policy must include specifications for Effect, Action, and Principal.
Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.
- *If you configure WAF to inspect the request body, WAF inspects only the first 8192 bytes (8 KB). If the request body for your web requests never exceeds 8192 bytes, you could use a size constraint statement to block requests that have a request body greater than 8192 bytes.
+ *If you configure WAF to inspect the request body, WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL AssociationConfig, for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.
If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI /logo.jpg is nine characters long.
The processing guidance for an Firewall Manager rule. This is like a regular rule Statement, but it can only contain a rule group reference.
+ *The processing guidance for an Firewall Manager rule. This is like a regular rule Statement, but it can only contain a single rule group reference.
*/ export interface FirewallManagerStatement { /** - *A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names by calling ListAvailableManagedRuleGroups.
- *You cannot nest a ManagedRuleGroupStatement, for example for use inside a NotStatement or OrStatement. It can only be referenced as a top-level statement within a rule.
You are charged additional fees when you use the WAF Bot Control managed rule group AWSManagedRulesBotControlRuleSet or the WAF Fraud Control account takeover prevention (ATP) managed rule group AWSManagedRulesATPRuleSet. For more information, see WAF Pricing.
A statement used by Firewall Manager to run the rules that are defined in a managed rule group. This is managed by Firewall Manager for an Firewall Manager WAF policy.
*/ ManagedRuleGroupStatement?: ManagedRuleGroupStatement; /** - *A rule statement used to run the rules that are defined in a RuleGroup. To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.
- *You cannot nest a RuleGroupReferenceStatement, for example for use inside a NotStatement or OrStatement. You
- * can only use a rule group reference statement at the top level inside a web ACL.
A statement used by Firewall Manager to run the rules that are defined in a rule group. This is managed by Firewall Manager for an Firewall Manager WAF policy.
*/ RuleGroupReferenceStatement?: RuleGroupReferenceStatement; } @@ -6521,7 +6599,7 @@ export interface FirewallManagerRuleGroup { */ export interface CheckCapacityRequest { /** - *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the rule group, and then use them in the rules that you define in the rule group.
- *For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the - * WAF Developer Guide.
- *For information about the limits on count and size for custom request and response settings, see WAF quotas in the - * WAF Developer Guide.
+ *For information about customizing web requests and responses, + * see Customizing web requests and responses in WAF + * in the WAF Developer Guide.
+ *For information about the limits on count and size for custom request and response settings, see WAF quotas + * in the WAF Developer Guide.
*/ CustomResponseBodies?: RecordSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the web ACL, and then use them in the rules and default actions that you define in the web ACL.
- *For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the - * WAF Developer Guide.
- *For information about the limits on count and size for custom request and response settings, see WAF quotas in the - * WAF Developer Guide.
+ *For information about customizing web requests and responses, + * see Customizing web requests and responses in WAF + * in the WAF Developer Guide.
+ *For information about the limits on count and size for custom request and response settings, see WAF quotas + * in the WAF Developer Guide.
*/ CustomResponseBodies?: RecordPublic suffixes aren't allowed. For example, you can't use usa.gov or co.uk as token domains.
Specifies custom configurations for the associations between the web ACL and protected resources.
+ *Use this to customize the maximum size of the request body that your protected CloudFront distributions forward to WAF for inspection. The default is 16 KB (16,384 kilobytes).
+ *You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.
+ *A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the rule group, and then use them in the rules that you define in the rule group.
- *For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the - * WAF Developer Guide.
- *For information about the limits on count and size for custom request and response settings, see WAF quotas in the - * WAF Developer Guide.
+ *For information about customizing web requests and responses, + * see Customizing web requests and responses in WAF + * in the WAF Developer Guide.
+ *For information about the limits on count and size for custom request and response settings, see WAF quotas + * in the WAF Developer Guide.
*/ CustomResponseBodies?: RecordSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the rule group, and then use them in the rules that you define in the rule group.
- *For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the - * WAF Developer Guide.
- *For information about the limits on count and size for custom request and response settings, see WAF quotas in the - * WAF Developer Guide.
+ *For information about customizing web requests and responses, + * see Customizing web requests and responses in WAF + * in the WAF Developer Guide.
+ *For information about the limits on count and size for custom request and response settings, see WAF quotas + * in the WAF Developer Guide.
*/ CustomResponseBodies?: RecordSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
+ *Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
*A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the web ACL, and then use them in the rules and default actions that you define in the web ACL.
- *For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the - * WAF Developer Guide.
- *For information about the limits on count and size for custom request and response settings, see WAF quotas in the - * WAF Developer Guide.
+ *For information about customizing web requests and responses, + * see Customizing web requests and responses in WAF + * in the WAF Developer Guide.
+ *For information about the limits on count and size for custom request and response settings, see WAF quotas + * in the WAF Developer Guide.
*/ CustomResponseBodies?: RecordPublic suffixes aren't allowed. For example, you can't use usa.gov or co.uk as token domains.
Specifies custom configurations for the associations between the web ACL and protected resources.
+ *Use this to customize the maximum size of the request body that your protected CloudFront distributions forward to WAF for inspection. The default is 16 KB (16,384 kilobytes).
+ *You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.
+ *A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, Amazon Cognito user pool, or an App Runner service.
+ *A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
*/ export interface WebACL { /** @@ -7001,8 +7102,8 @@ export interface WebACL { * Simple rules that cost little to run use fewer WCUs than more complex rules * that use more processing power. * Rule group capacity is fixed at creation, which helps users plan their - * web ACL WCU usage when they use a rule group. - * The WCU limit for web ACLs is 1,500. + * web ACL WCU usage when they use a rule group. For more information, see WAF web ACL capacity units (WCU) + * in the WAF Developer Guide. */ Capacity?: number; @@ -7055,10 +7156,11 @@ export interface WebACL { /** *A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the web ACL, and then use them in the rules and default actions that you define in the web ACL.
- *For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the - * WAF Developer Guide.
- *For information about the limits on count and size for custom request and response settings, see WAF quotas in the - * WAF Developer Guide.
+ *For information about customizing web requests and responses, + * see Customizing web requests and responses in WAF + * in the WAF Developer Guide.
+ *For information about the limits on count and size for custom request and response settings, see WAF quotas + * in the WAF Developer Guide.
*/ CustomResponseBodies?: RecordSpecifies the domains that WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When WAF provides a token, it uses the domain of the Amazon Web Services resource that the web ACL is protecting. If you don't specify a list of token domains, WAF accepts tokens only for the domain of the protected resource. With a token domain list, WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains.
*/ TokenDomains?: string[]; + + /** + *Specifies custom configurations for the associations between the web ACL and protected resources.
+ *Use this to customize the maximum size of the request body that your protected CloudFront distributions forward to WAF for inspection. The default is 16 KB (16,384 kilobytes).
+ *You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.
+ *The URL to use in SDK integrations with Amazon Web Services managed rule groups. For example, you can use the integration SDKs with the account takeover prevention managed rule group AWSManagedRulesATPRuleSet. This is only populated if you are using a rule group in your web ACL that integrates with your applications in this way. For more information, see WAF client application integration in the WAF Developer Guide.
The URL to use in SDK integrations with Amazon Web Services managed rule groups. For example, you can use the integration SDKs with the account takeover prevention managed rule group AWSManagedRulesATPRuleSet. This is only populated if you are using a rule group in your web ACL that integrates with your applications in this way. For more information, see WAF client application integration
+ * in the WAF Developer Guide.
The inspection level to use for the Bot Control rule group. The common level is the least expensive. The \n targeted level includes all common level rules and adds rules with more advanced inspection criteria. For \n details, see WAF Bot Control rule group.
", + "smithy.api#documentation": "The inspection level to use for the Bot Control rule group. The common level is the least expensive. The \n targeted level includes all common level rules and adds rules with more advanced inspection criteria. For \n details, see WAF Bot Control rule group\n in the WAF Developer Guide.
", "smithy.api#required": {} } } @@ -232,7 +232,7 @@ "name": "wafv2" }, "aws.protocols#awsJson1_1": {}, - "smithy.api#documentation": "This is the latest version of the WAF API,\n released in November, 2019. The names of the entities that you use to access this API,\n like endpoints and namespaces, all have the versioning information added, like \"V2\" or\n \"v2\", to distinguish from the prior version. We recommend migrating your resources to\n this version, because it has a number of significant improvements.
\nIf you used WAF prior to this release, you can't use this WAFV2 API to access any\n WAF resources that you created before. You can access your old rules, web ACLs, and\n other WAF resources only through the WAF Classic APIs. The WAF Classic APIs\n have retained the prior names, endpoints, and namespaces.
\nFor information, including how to migrate your WAF resources to this version,\n see the WAF Developer Guide.
\nWAF is a web application firewall that lets you monitor the HTTP and HTTPS\n requests that are forwarded to an Amazon CloudFront distribution, Amazon API Gateway REST API, Application Load Balancer, AppSync\n GraphQL API, Amazon Cognito user pool, or App Runner service. WAF also lets you control access to your content,\n to protect the Amazon Web Services resource that WAF is monitoring. Based on conditions that\n you specify, such as the IP addresses that requests originate from or the values of query\n strings, the protected resource responds to requests with either the requested content, an HTTP 403 status code\n (Forbidden), or with a custom response.
\nThis API guide is for developers who need detailed information about WAF API actions,\n data types, and errors. For detailed information about WAF features and guidance for configuring and using \n WAF, see the WAF Developer\n Guide.
\nYou can make calls using the endpoints listed in WAF endpoints and quotas.
\nFor regional applications, you can use any of the endpoints in the list.\n A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nFor Amazon CloudFront applications, you must use the API endpoint listed for\n US East (N. Virginia): us-east-1.
\nAlternatively, you can use one of the Amazon Web Services SDKs to access an API that's tailored to the\n programming language or platform that you're using. For more information, see Amazon Web Services SDKs.
\nWe currently provide two versions of the WAF API: this API and the prior versions,\n the classic WAF APIs. This new API provides the same functionality as the older versions,\n with the following major improvements:
\nYou use one API for both global and regional applications. Where you need to\n distinguish the scope, you specify a Scope parameter and set it to\n CLOUDFRONT or REGIONAL.
You can define a web ACL or rule group with a single call, and update it with a\n single call. You define all rule specifications in JSON format, and pass them to your\n rule group or web ACL calls.
\nThe limits WAF places on the use of rules more closely reflects the cost of\n running each type of rule. Rule groups include capacity settings, so you know the\n maximum cost of a rule group when you use it.
\nThis is the latest version of the WAF API,\n released in November, 2019. The names of the entities that you use to access this API,\n like endpoints and namespaces, all have the versioning information added, like \"V2\" or\n \"v2\", to distinguish from the prior version. We recommend migrating your resources to\n this version, because it has a number of significant improvements.
\nIf you used WAF prior to this release, you can't use this WAFV2 API to access any\n WAF resources that you created before. You can access your old rules, web ACLs, and\n other WAF resources only through the WAF Classic APIs. The WAF Classic APIs\n have retained the prior names, endpoints, and namespaces.
\nFor information, including how to migrate your WAF resources to this version,\n see the WAF Developer Guide.
\nWAF is a web application firewall that lets you monitor the HTTP and HTTPS\n requests that are forwarded to an Amazon CloudFront distribution, Amazon API Gateway REST API, Application Load Balancer, AppSync\n GraphQL API, Amazon Cognito user pool, or App Runner service. WAF also lets you control access to your content,\n to protect the Amazon Web Services resource that WAF is monitoring. Based on conditions that\n you specify, such as the IP addresses that requests originate from or the values of query\n strings, the protected resource responds to requests with either the requested content, an HTTP 403 status code\n (Forbidden), or with a custom response.
\nThis API guide is for developers who need detailed information about WAF API actions,\n data types, and errors. For detailed information about WAF features and guidance for configuring and using \n WAF, see the WAF Developer\n Guide.
\nYou can make calls using the endpoints listed in WAF endpoints and quotas.
\nFor regional applications, you can use any of the endpoints in the list.\n A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nFor Amazon CloudFront applications, you must use the API endpoint listed for\n US East (N. Virginia): us-east-1.
\nAlternatively, you can use one of the Amazon Web Services SDKs to access an API that's tailored to the\n programming language or platform that you're using. For more information, see Amazon Web Services SDKs.
\nWe currently provide two versions of the WAF API: this API and the prior versions,\n the classic WAF APIs. This new API provides the same functionality as the older versions,\n with the following major improvements:
\nYou use one API for both global and regional applications. Where you need to\n distinguish the scope, you specify a Scope parameter and set it to\n CLOUDFRONT or REGIONAL.
You can define a web ACL or rule group with a single call, and update it with a\n single call. You define all rule specifications in JSON format, and pass them to your\n rule group or web ACL calls.
\nThe limits WAF places on the use of rules more closely reflects the cost of\n running each type of rule. Rule groups include capacity settings, so you know the\n maximum cost of a rule group when you use it.
\nDefines custom handling for the web request.
\nFor information about customizing web requests and responses, see Customizing web requests and responses in WAF in the \n WAF Developer Guide.
" + "smithy.api#documentation": "Defines custom handling for the web request.
\nFor information about customizing web requests and responses, \n see Customizing web requests and responses in WAF \n in the WAF Developer Guide.
" } } }, @@ -2073,7 +1629,7 @@ } ], "traits": { - "smithy.api#documentation": "Associates a web ACL with a regional application resource, to protect the resource.\n A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nFor Amazon CloudFront, don't use this call. Instead, use your CloudFront distribution configuration. To\n associate a web ACL, in the CloudFront call UpdateDistribution, set the web ACL ID\n to the Amazon Resource Name (ARN) of the web ACL. For information, see UpdateDistribution.
When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.
" + "smithy.api#documentation": "Associates a web ACL with a regional application resource, to protect the resource.\n A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nFor Amazon CloudFront, don't use this call. Instead, use your CloudFront distribution configuration. To\n associate a web ACL, in the CloudFront call UpdateDistribution, set the web ACL ID\n to the Amazon Resource Name (ARN) of the web ACL. For information, see UpdateDistribution in the Amazon CloudFront Developer Guide.
When you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.
" } }, "com.amazonaws.wafv2#AssociateWebACLRequest": { @@ -2089,7 +1645,7 @@ "ResourceArn": { "target": "com.amazonaws.wafv2#ResourceArn", "traits": { - "smithy.api#documentation": "The Amazon Resource Name (ARN) of the resource to associate with the web ACL.
\nThe ARN must be in one of the following formats:
\nFor an Application Load Balancer: arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id\n \n
For an Amazon API Gateway REST API: arn:aws:apigateway:region::/restapis/api-id/stages/stage-name\n \n
For an AppSync GraphQL API: arn:aws:appsync:region:account-id:apis/GraphQLApiId\n \n
For an Amazon Cognito user pool: arn:aws:cognito-idp:region:account-id:userpool/user-pool-id\n \n
For an App Runner service: arn:aws:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id\n \n
The Amazon Resource Name (ARN) of the resource to associate with the web ACL.
\nThe ARN must be in one of the following formats:
\nFor an Application Load Balancer: arn:partition:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id\n \n
For an Amazon API Gateway REST API: arn:partition:apigateway:region::/restapis/api-id/stages/stage-name\n \n
For an AppSync GraphQL API: arn:partition:appsync:region:account-id:apis/GraphQLApiId\n \n
For an Amazon Cognito user pool: arn:partition:cognito-idp:region:account-id:userpool/user-pool-id\n \n
For an App Runner service: arn:partition:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id\n \n
Customizes the maximum size of the request body that your protected CloudFront distributions forward to WAF for inspection. The default size is 16 KB (16,384 kilobytes).
\nYou are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.
\nSpecifies custom configurations for the associations between the web ACL and protected resources.
\nUse this to customize the maximum size of the request body that your protected CloudFront distributions forward to WAF for inspection. The default is 16 KB (16,384 kilobytes).
\nYou are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.
\nDefines a custom response for the web request.
\nFor information about customizing web requests and responses, see Customizing web requests and responses in WAF in the \n WAF Developer Guide.
" + "smithy.api#documentation": "Defines a custom response for the web request.
\nFor information about customizing web requests and responses, \n see Customizing web requests and responses in WAF \n in the WAF Developer Guide.
" } } }, @@ -2125,7 +1706,7 @@ "OversizeHandling": { "target": "com.amazonaws.wafv2#OversizeHandling", "traits": { - "smithy.api#documentation": "What WAF should do if the body is larger than WAF can inspect. \n WAF does not support inspecting the entire contents of the body of a web request\n when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to\n WAF by the underlying host service.
\nThe options for oversize handling are the following:
\n\n CONTINUE - Inspect the body normally, according to the rule inspection criteria.
\n MATCH - Treat the web request as matching the rule statement. WAF\n applies the rule action to the request.
\n NO_MATCH - Treat the web request as not matching the rule\n statement.
You can combine the MATCH or NO_MATCH\n settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over 8 KB.
Default: CONTINUE\n
What WAF should do if the body is larger than WAF can inspect. \n WAF does not support inspecting the entire contents of the web request body if the body \n exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service \n only forwards the contents that are below the limit to WAF for inspection.
\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, \n you can increase the limit in the web ACL AssociationConfig, for additional processing fees.
The options for oversize handling are the following:
\n\n CONTINUE - Inspect the body normally, according to the rule inspection criteria.
\n MATCH - Treat the web request as matching the rule statement. WAF\n applies the rule action to the request.
\n NO_MATCH - Treat the web request as not matching the rule\n statement.
You can combine the MATCH or NO_MATCH\n settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.
Default: CONTINUE\n
Defines custom handling for the web request, used when the CAPTCHA inspection determines that the request's token is valid and unexpired.
For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the \n WAF Developer Guide.
" + "smithy.api#documentation": "Defines custom handling for the web request, used when the CAPTCHA inspection determines that the request's token is valid and unexpired.
For information about customizing web requests and responses, \n see Customizing web requests and responses in WAF \n in the WAF Developer Guide.
" } } }, @@ -2267,7 +1848,7 @@ "CustomRequestHandling": { "target": "com.amazonaws.wafv2#CustomRequestHandling", "traits": { - "smithy.api#documentation": "Defines custom handling for the web request, used when the challenge inspection determines that the request's token is valid and unexpired.
\nFor information about customizing web requests and responses, see Customizing web requests and responses in WAF in the \n WAF Developer Guide.
" + "smithy.api#documentation": "Defines custom handling for the web request, used when the challenge inspection determines that the request's token is valid and unexpired.
\nFor information about customizing web requests and responses, \n see Customizing web requests and responses in WAF \n in the WAF Developer Guide.
" } } }, @@ -2353,7 +1934,7 @@ } ], "traits": { - "smithy.api#documentation": "Returns the web ACL capacity unit (WCU) requirements for a specified scope and set of rules. \n You can use this to check the capacity requirements for the rules you want to use in a \n RuleGroup or WebACL. \n
\nWAF uses WCUs to calculate and control the operating\n resources that are used to run your rules, rule groups, and web ACLs. WAF\n calculates capacity differently for each rule type, to reflect the relative cost of each rule. \n Simple rules that cost little to run use fewer WCUs than more complex rules\n\t\t\t\tthat use more processing power. \n\t\t\t\tRule group capacity is fixed at creation, which helps users plan their \n web ACL WCU usage when they use a rule group. \n The WCU limit for web ACLs is 1,500.
" + "smithy.api#documentation": "Returns the web ACL capacity unit (WCU) requirements for a specified scope and set of rules. \n You can use this to check the capacity requirements for the rules you want to use in a \n RuleGroup or WebACL. \n
\nWAF uses WCUs to calculate and control the operating\n resources that are used to run your rules, rule groups, and web ACLs. WAF\n calculates capacity differently for each rule type, to reflect the relative cost of each rule. \n Simple rules that cost little to run use fewer WCUs than more complex rules\n\t\t\t\tthat use more processing power. \n\t\t\t\tRule group capacity is fixed at creation, which helps users plan their \n web ACL WCU usage when they use a rule group. For more information, see WAF web ACL capacity units (WCU) \n in the WAF Developer Guide.
" } }, "com.amazonaws.wafv2#CheckCapacityRequest": { @@ -2362,7 +1943,7 @@ "Scope": { "target": "com.amazonaws.wafv2#Scope", "traits": { - "smithy.api#documentation": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nDefines custom handling for the web request.
\nFor information about customizing web requests and responses, see Customizing web requests and responses in WAF in the \n WAF Developer Guide.
" + "smithy.api#documentation": "Defines custom handling for the web request.
\nFor information about customizing web requests and responses, \n see Customizing web requests and responses in WAF \n in the WAF Developer Guide.
" } } }, @@ -4125,7 +3706,7 @@ "Scope": { "target": "com.amazonaws.wafv2#Scope", "traits": { - "smithy.api#documentation": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nThe web ACL capacity units (WCUs) required for this rule group.
\nWhen you create your own rule group, you define this, and you cannot change it after creation. \n When you add or modify the rules in a rule group, WAF enforces this limit. You can check the capacity \n for a set of rules using CheckCapacity.
\nWAF uses WCUs to calculate and control the operating\n resources that are used to run your rules, rule groups, and web ACLs. WAF\n calculates capacity differently for each rule type, to reflect the relative cost of each rule. \n Simple rules that cost little to run use fewer WCUs than more complex rules\n\t\t\t\tthat use more processing power. \n\t\t\t\tRule group capacity is fixed at creation, which helps users plan their \n web ACL WCU usage when they use a rule group. \n The WCU limit for web ACLs is 1,500.
", + "smithy.api#documentation": "The web ACL capacity units (WCUs) required for this rule group.
\nWhen you create your own rule group, you define this, and you cannot change it after creation. \n When you add or modify the rules in a rule group, WAF enforces this limit. You can check the capacity \n for a set of rules using CheckCapacity.
\nWAF uses WCUs to calculate and control the operating\n resources that are used to run your rules, rule groups, and web ACLs. WAF\n calculates capacity differently for each rule type, to reflect the relative cost of each rule. \n Simple rules that cost little to run use fewer WCUs than more complex rules\n\t\t\t\tthat use more processing power. \n\t\t\t\tRule group capacity is fixed at creation, which helps users plan their \n web ACL WCU usage when they use a rule group. For more information, see WAF web ACL capacity units (WCU) \n in the WAF Developer Guide.
", "smithy.api#required": {} } }, @@ -4367,7 +3948,7 @@ "CustomResponseBodies": { "target": "com.amazonaws.wafv2#CustomResponseBodies", "traits": { - "smithy.api#documentation": "A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the rule group, and then use them in the rules that you define in the rule group.
\nFor information about customizing web requests and responses, see Customizing web requests and responses in WAF in the \n WAF Developer Guide.
\nFor information about the limits on count and size for custom request and response settings, see WAF quotas in the \n WAF Developer Guide.
" + "smithy.api#documentation": "A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the rule group, and then use them in the rules that you define in the rule group.
\nFor information about customizing web requests and responses, \n see Customizing web requests and responses in WAF \n in the WAF Developer Guide.
\nFor information about the limits on count and size for custom request and response settings, see WAF quotas \n in the WAF Developer Guide.
" } } }, @@ -4442,7 +4023,7 @@ } ], "traits": { - "smithy.api#documentation": "Creates a WebACL per the specifications provided.
\nA web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, Amazon Cognito user pool, or an App Runner service.
" + "smithy.api#documentation": "Creates a WebACL per the specifications provided.
\nA web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
" } }, "com.amazonaws.wafv2#CreateWebACLRequest": { @@ -4458,7 +4039,7 @@ "Scope": { "target": "com.amazonaws.wafv2#Scope", "traits": { - "smithy.api#documentation": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nA map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the web ACL, and then use them in the rules and default actions that you define in the web ACL.
\nFor information about customizing web requests and responses, see Customizing web requests and responses in WAF in the \n WAF Developer Guide.
\nFor information about the limits on count and size for custom request and response settings, see WAF quotas in the \n WAF Developer Guide.
" + "smithy.api#documentation": "A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the web ACL, and then use them in the rules and default actions that you define in the web ACL.
\nFor information about customizing web requests and responses, \n see Customizing web requests and responses in WAF \n in the WAF Developer Guide.
\nFor information about the limits on count and size for custom request and response settings, see WAF quotas \n in the WAF Developer Guide.
" } }, "CaptchaConfig": { @@ -4517,6 +4098,12 @@ "traits": { "smithy.api#documentation": "Specifies the domains that WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When WAF provides a token, it uses the domain of the Amazon Web Services resource that the web ACL is protecting. If you don't specify a list of token domains, WAF accepts tokens only for the domain of the protected resource. With a token domain list, WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains.
\nExample JSON: \"TokenDomains\": { \"mywebsite.com\", \"myotherwebsite.com\" }\n
Public suffixes aren't allowed. For example, you can't use usa.gov or co.uk as token domains.
Specifies custom configurations for the associations between the web ACL and protected resources.
\nUse this to customize the maximum size of the request body that your protected CloudFront distributions forward to WAF for inspection. The default is 16 KB (16,384 kilobytes).
\nYou are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.
\nThe HTTP headers to insert into the request. Duplicate header names are not allowed.
\nFor information about the limits on count and size for custom request and response settings, see WAF quotas in the \n WAF Developer Guide.
", + "smithy.api#documentation": "The HTTP headers to insert into the request. Duplicate header names are not allowed.
\nFor information about the limits on count and size for custom request and response settings, see WAF quotas \n in the WAF Developer Guide.
", "smithy.api#required": {} } } }, "traits": { - "smithy.api#documentation": "Custom request handling behavior that inserts custom headers into a web request. You can\n add custom request handling for WAF to use when the rule action doesn't block the request. \n For example, CaptchaAction for requests with valid t okens, and AllowAction.
For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the \n WAF Developer Guide.
" + "smithy.api#documentation": "Custom request handling behavior that inserts custom headers into a web request. You can\n add custom request handling for WAF to use when the rule action doesn't block the request. \n For example, CaptchaAction for requests with valid t okens, and AllowAction.
For information about customizing web requests and responses, \n see Customizing web requests and responses in WAF \n in the WAF Developer Guide.
" } }, "com.amazonaws.wafv2#CustomResponse": { @@ -4611,7 +4198,7 @@ "ResponseCode": { "target": "com.amazonaws.wafv2#ResponseStatusCode", "traits": { - "smithy.api#documentation": "The HTTP status code to return to the client.
\nFor a list of status codes that you can use in your custom responses, see Supported status codes for custom response in the \n WAF Developer Guide.
", + "smithy.api#documentation": "The HTTP status code to return to the client.
\nFor a list of status codes that you can use in your custom responses, see Supported status codes for custom response \n in the WAF Developer Guide.
", "smithy.api#required": {} } }, @@ -4624,12 +4211,12 @@ "ResponseHeaders": { "target": "com.amazonaws.wafv2#CustomHTTPHeaders", "traits": { - "smithy.api#documentation": "The HTTP headers to use in the response. Duplicate header names are not allowed.
\nFor information about the limits on count and size for custom request and response settings, see WAF quotas in the \n WAF Developer Guide.
" + "smithy.api#documentation": "The HTTP headers to use in the response. Duplicate header names are not allowed.
\nFor information about the limits on count and size for custom request and response settings, see WAF quotas \n in the WAF Developer Guide.
" } } }, "traits": { - "smithy.api#documentation": "A custom response to send to the client. You can define a custom response for rule\n actions and default web ACL actions that are set to BlockAction.
\nFor information about customizing web requests and responses, see Customizing web requests and responses in WAF in the \n WAF Developer Guide.
" + "smithy.api#documentation": "A custom response to send to the client. You can define a custom response for rule\n actions and default web ACL actions that are set to BlockAction.
\nFor information about customizing web requests and responses, \n see Customizing web requests and responses in WAF \n in the WAF Developer Guide.
" } }, "com.amazonaws.wafv2#CustomResponseBodies": { @@ -4659,7 +4246,7 @@ "Content": { "target": "com.amazonaws.wafv2#ResponseContent", "traits": { - "smithy.api#documentation": "The payload of the custom response.
\nYou can use JSON escape strings in JSON content. To do this, you must specify JSON\n content in the ContentType setting.
For information about the limits on count and size for custom request and response settings, see WAF quotas in the \n WAF Developer Guide.
", + "smithy.api#documentation": "The payload of the custom response.
\nYou can use JSON escape strings in JSON content. To do this, you must specify JSON\n content in the ContentType setting.
For information about the limits on count and size for custom request and response settings, see WAF quotas \n in the WAF Developer Guide.
", "smithy.api#required": {} } } @@ -4804,7 +4391,7 @@ "Scope": { "target": "com.amazonaws.wafv2#Scope", "traits": { - "smithy.api#documentation": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nDeletes the specified WebACL.
\nYou can only use this if ManagedByFirewallManager is false in the specified\n WebACL.
Before deleting any web ACL, first disassociate it from all resources.
\nTo retrieve a list of the resources that are associated with a web ACL, use the\n following calls:
\nFor regional resources, call ListResourcesForWebACL.
\nFor Amazon CloudFront distributions, use the CloudFront call\n ListDistributionsByWebACLId. For information, see ListDistributionsByWebACLId.
To disassociate a resource from a web ACL, use the following calls:
\nFor regional resources, call DisassociateWebACL.
\nFor Amazon CloudFront distributions, provide an empty web ACL ID in the CloudFront call\n UpdateDistribution. For information, see UpdateDistribution.
Deletes the specified WebACL.
\nYou can only use this if ManagedByFirewallManager is false in the specified\n WebACL.
Before deleting any web ACL, first disassociate it from all resources.
\nTo retrieve a list of the resources that are associated with a web ACL, use the\n following calls:
\nFor regional resources, call ListResourcesForWebACL.
\nFor Amazon CloudFront distributions, use the CloudFront call\n ListDistributionsByWebACLId. For information, see ListDistributionsByWebACLId \n in the Amazon CloudFront API Reference.
To disassociate a resource from a web ACL, use the following calls:
\nFor regional resources, call DisassociateWebACL.
\nFor Amazon CloudFront distributions, provide an empty web ACL ID in the CloudFront call\n UpdateDistribution. For information, see UpdateDistribution\n in the Amazon CloudFront API Reference.
Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nThe web ACL capacity units (WCUs) required for this rule group. WAF uses web ACL\n capacity units (WCU) to calculate and control the operating resources that are used to run\n your rules, rule groups, and web ACLs. WAF calculates capacity differently for each rule\n type, to reflect each rule's relative cost. Rule group capacity is fixed at creation, so\n users can plan their web ACL WCU usage when they use a rule group. The WCU limit for web\n ACLs is 1,500.
" + "smithy.api#documentation": "The web ACL capacity units (WCUs) required for this rule group.
\nWAF uses WCUs to calculate and control the operating\n resources that are used to run your rules, rule groups, and web ACLs. WAF\n calculates capacity differently for each rule type, to reflect the relative cost of each rule. \n Simple rules that cost little to run use fewer WCUs than more complex rules\n\t\t\t\tthat use more processing power. \n\t\t\t\tRule group capacity is fixed at creation, which helps users plan their \n web ACL WCU usage when they use a rule group. For more information, see WAF web ACL capacity units (WCU) \n in the WAF Developer Guide.
" } }, "Rules": { @@ -5314,7 +4901,7 @@ } ], "traits": { - "smithy.api#documentation": "Disassociates the specified regional application resource from any existing web ACL\n association. A resource can have at most one web ACL association. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nFor Amazon CloudFront, don't use this call. Instead, use your CloudFront distribution configuration. To\n disassociate a web ACL, provide an empty web ACL ID in the CloudFront call\n UpdateDistribution. For information, see UpdateDistribution.
Disassociates the specified regional application resource from any existing web ACL\n association. A resource can have at most one web ACL association. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nFor Amazon CloudFront, don't use this call. Instead, use your CloudFront distribution configuration. To\n disassociate a web ACL, provide an empty web ACL ID in the CloudFront call\n UpdateDistribution. For information, see UpdateDistribution in the Amazon CloudFront API Reference.
The Amazon Resource Name (ARN) of the resource to disassociate from the web ACL.
\nThe ARN must be in one of the following formats:
\nFor an Application Load Balancer: arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id\n \n
For an Amazon API Gateway REST API: arn:aws:apigateway:region::/restapis/api-id/stages/stage-name\n \n
For an AppSync GraphQL API: arn:aws:appsync:region:account-id:apis/GraphQLApiId\n \n
For an Amazon Cognito user pool: arn:aws:cognito-idp:region:account-id:userpool/user-pool-id\n \n
For an App Runner service: arn:aws:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id\n \n
The Amazon Resource Name (ARN) of the resource to disassociate from the web ACL.
\nThe ARN must be in one of the following formats:
\nFor an Application Load Balancer: arn:partition:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id\n \n
For an Amazon API Gateway REST API: arn:partition:apigateway:region::/restapis/api-id/stages/stage-name\n \n
For an AppSync GraphQL API: arn:partition:appsync:region:account-id:apis/GraphQLApiId\n \n
For an Amazon Cognito user pool: arn:partition:cognito-idp:region:account-id:userpool/user-pool-id\n \n
For an App Runner service: arn:partition:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id\n \n
Inspect the request body as plain text. The request body immediately follows the request\n headers. This is the part of a request that contains any additional data that you want to\n send to your web server as the HTTP request body, such as data from a form.
\nOnly the first 8 KB (8192 bytes) of the request body are forwarded to WAF for\n inspection by the underlying host service. For information about how to handle oversized\n request bodies, see the Body object configuration.
Inspect the request body as plain text. The request body immediately follows the request\n headers. This is the part of a request that contains any additional data that you want to\n send to your web server as the HTTP request body, such as data from a form.
\nA limited amount of the request body is forwarded to WAF for\n inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions,\n you can increase the limit in the web ACL's AssociationConfig, for additional processing fees.
For information about how to handle oversized\n request bodies, see the Body object configuration.
Inspect the request body as JSON. The request body immediately follows the request\n headers. This is the part of a request that contains any additional data that you want to\n send to your web server as the HTTP request body, such as data from a form.
\nOnly the first 8 KB (8192 bytes) of the request body are forwarded to WAF for\n inspection by the underlying host service. For information about how to handle oversized\n request bodies, see the JsonBody object configuration.
Inspect the request body as JSON. The request body immediately follows the request\n headers. This is the part of a request that contains any additional data that you want to\n send to your web server as the HTTP request body, such as data from a form.
\nA limited amount of the request body is forwarded to WAF for\n inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 kilobytes) and for CloudFront distributions, the limit is 16 KB (16,384 kilobytes). For CloudFront distributions,\n you can increase the limit in the web ACL's AssociationConfig, for additional processing fees.
For information about how to handle oversized\n request bodies, see the JsonBody object configuration.
A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names by calling ListAvailableManagedRuleGroups.
\nYou cannot nest a ManagedRuleGroupStatement, for example for use inside a NotStatement or OrStatement. It can only be referenced as a top-level statement within a rule.
You are charged additional fees when you use the WAF Bot Control managed rule group AWSManagedRulesBotControlRuleSet or the WAF Fraud Control account takeover prevention (ATP) managed rule group AWSManagedRulesATPRuleSet. For more information, see WAF Pricing.
A statement used by Firewall Manager to run the rules that are defined in a managed rule group. This is managed by Firewall Manager for an Firewall Manager WAF policy.
" } }, "RuleGroupReferenceStatement": { "target": "com.amazonaws.wafv2#RuleGroupReferenceStatement", "traits": { - "smithy.api#documentation": "A rule statement used to run the rules that are defined in a RuleGroup. To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.
\nYou cannot nest a RuleGroupReferenceStatement, for example for use inside a NotStatement or OrStatement. You \n can only use a rule group reference statement at the top level inside a web ACL.
A statement used by Firewall Manager to run the rules that are defined in a rule group. This is managed by Firewall Manager for an Firewall Manager WAF policy.
" } } }, "traits": { - "smithy.api#documentation": "The processing guidance for an Firewall Manager rule. This is like a regular rule Statement, but it can only contain a rule group reference.
" + "smithy.api#documentation": "The processing guidance for an Firewall Manager rule. This is like a regular rule Statement, but it can only contain a single rule group reference.
" } }, "com.amazonaws.wafv2#ForwardedIPConfig": { @@ -5879,7 +5466,7 @@ "Scope": { "target": "com.amazonaws.wafv2#Scope", "traits": { - "smithy.api#documentation": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nThe Amazon Resource Name (ARN) of the resource whose web ACL you want to retrieve.
\nThe ARN must be in one of the following formats:
\nFor an Application Load Balancer: arn:aws:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id\n \n
For an Amazon API Gateway REST API: arn:aws:apigateway:region::/restapis/api-id/stages/stage-name\n \n
For an AppSync GraphQL API: arn:aws:appsync:region:account-id:apis/GraphQLApiId\n \n
For an Amazon Cognito user pool: arn:aws:cognito-idp:region:account-id:userpool/user-pool-id\n \n
For an App Runner service: arn:aws:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id\n \n
The Amazon Resource Name (ARN) of the resource whose web ACL you want to retrieve.
\nThe ARN must be in one of the following formats:
\nFor an Application Load Balancer: arn:partition:elasticloadbalancing:region:account-id:loadbalancer/app/load-balancer-name/load-balancer-id\n \n
For an Amazon API Gateway REST API: arn:partition:apigateway:region::/restapis/api-id/stages/stage-name\n \n
For an AppSync GraphQL API: arn:partition:appsync:region:account-id:apis/GraphQLApiId\n \n
For an Amazon Cognito user pool: arn:partition:cognito-idp:region:account-id:userpool/user-pool-id\n \n
For an App Runner service: arn:partition:apprunner:region:account-id:service/apprunner-service-name/apprunner-service-id\n \n
Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nThe URL to use in SDK integrations with Amazon Web Services managed rule groups. For example, you can use the integration SDKs with the account takeover prevention managed rule group AWSManagedRulesATPRuleSet. This is only populated if you are using a rule group in your web ACL that integrates with your applications in this way. For more information, see WAF client application integration in the WAF Developer Guide.
The URL to use in SDK integrations with Amazon Web Services managed rule groups. For example, you can use the integration SDKs with the account takeover prevention managed rule group AWSManagedRulesATPRuleSet. This is only populated if you are using a rule group in your web ACL that integrates with your applications in this way. For more information, see WAF client application integration \nin the WAF Developer Guide.
What WAF should do if the body is larger than WAF can inspect. \n WAF does not support inspecting the entire contents of the body of a web request\n when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to\n WAF by the underlying host service.
\nThe options for oversize handling are the following:
\n\n CONTINUE - Inspect the body normally, according to the rule inspection criteria.
\n MATCH - Treat the web request as matching the rule statement. WAF\n applies the rule action to the request.
\n NO_MATCH - Treat the web request as not matching the rule\n statement.
You can combine the MATCH or NO_MATCH\n settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over 8 KB.
Default: CONTINUE\n
What WAF should do if the body is larger than WAF can inspect. \n WAF does not support inspecting the entire contents of the web request body if the body \n exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service \n only forwards the contents that are below the limit to WAF for inspection.
\nThe default limit is 8 KB (8,192 kilobytes) for regional resources and 16 KB (16,384 kilobytes) for CloudFront distributions. For CloudFront distributions, \n you can increase the limit in the web ACL AssociationConfig, for additional processing fees.
The options for oversize handling are the following:
\n\n CONTINUE - Inspect the body normally, according to the rule inspection criteria.
\n MATCH - Treat the web request as matching the rule statement. WAF\n applies the rule action to the request.
\n NO_MATCH - Treat the web request as not matching the rule\n statement.
You can combine the MATCH or NO_MATCH\n settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.
Default: CONTINUE\n
Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nUsed for web ACLs that are scoped for regional applications.\n A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nIf you don't provide a resource type, the call uses the resource type APPLICATION_LOAD_BALANCER.
Default: APPLICATION_LOAD_BALANCER\n
Used for web ACLs that are scoped for regional applications.\n A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nIf you don't provide a resource type, the call uses the resource type APPLICATION_LOAD_BALANCER.
Default: APPLICATION_LOAD_BALANCER\n
Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nThe web ACL capacity units (WCUs) required for this rule group.
\nWAF uses WCUs to calculate and control the operating\n resources that are used to run your rules, rule groups, and web ACLs. WAF\n calculates capacity differently for each rule type, to reflect the relative cost of each rule. \n Simple rules that cost little to run use fewer WCUs than more complex rules\n\t\t\t\tthat use more processing power. \n\t\t\t\tRule group capacity is fixed at creation, which helps users plan their \n web ACL WCU usage when they use a rule group. \n The WCU limit for web ACLs is 1,500.
" + "smithy.api#documentation": "The web ACL capacity units (WCUs) required for this rule group.
\nWAF uses WCUs to calculate and control the operating\n resources that are used to run your rules, rule groups, and web ACLs. WAF\n calculates capacity differently for each rule type, to reflect the relative cost of each rule. \n Simple rules that cost little to run use fewer WCUs than more complex rules\n\t\t\t\tthat use more processing power. \n\t\t\t\tRule group capacity is fixed at creation, which helps users plan their \n web ACL WCU usage when they use a rule group. For more information, see WAF web ACL capacity units (WCU) \n in the WAF Developer Guide.
" } }, "ForecastedLifetime": { @@ -9009,6 +8596,12 @@ "traits": { "smithy.api#enumValue": "ATP_RULE_SET_RESPONSE_INSPECTION" } + }, + "ASSOCIATED_RESOURCE_TYPE": { + "target": "smithy.api#Unit", + "traits": { + "smithy.api#enumValue": "ASSOCIATED_RESOURCE_TYPE" + } } } }, @@ -9238,7 +8831,7 @@ "Scope": { "target": "com.amazonaws.wafv2#Scope", "traits": { - "smithy.api#documentation": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nThe policy to attach to the specified rule group.
\nThe policy specifications must conform to the following:
\nThe policy must be composed using IAM Policy version 2012-10-17 or version 2015-01-01.
\nThe policy must include specifications for Effect, Action, and Principal.
\n Effect must specify Allow.
\n Action must specify wafv2:CreateWebACL, wafv2:UpdateWebACL, and \n wafv2:PutFirewallManagerRuleGroups and may optionally specify wafv2:GetRuleGroup. \n WAF rejects any extra actions or wildcard actions in the policy.
The policy must not include a Resource parameter.
For more information, see IAM Policies.
", + "smithy.api#documentation": "The policy to attach to the specified rule group.
\nThe policy specifications must conform to the following:
\nThe policy must be composed using IAM Policy version 2012-10-17.
\nThe policy must include specifications for Effect, Action, and Principal.
\n Effect must specify Allow.
\n Action must specify wafv2:CreateWebACL, wafv2:UpdateWebACL, and \n wafv2:PutFirewallManagerRuleGroups and may optionally specify wafv2:GetRuleGroup. \n WAF rejects any extra actions or wildcard actions in the policy.
The policy must not include a Resource parameter.
For more information, see IAM Policies.
", "smithy.api#required": {} } } @@ -9642,6 +9235,30 @@ "smithy.api#documentation": "High level information for an SDK release.
" } }, + "com.amazonaws.wafv2#RequestBody": { + "type": "map", + "key": { + "target": "com.amazonaws.wafv2#AssociatedResourceType" + }, + "value": { + "target": "com.amazonaws.wafv2#RequestBodyAssociatedResourceTypeConfig" + } + }, + "com.amazonaws.wafv2#RequestBodyAssociatedResourceTypeConfig": { + "type": "structure", + "members": { + "DefaultSizeInspectionLimit": { + "target": "com.amazonaws.wafv2#SizeInspectionLimit", + "traits": { + "smithy.api#documentation": "Specifies the maximum size of the web request body component that an associated CloudFront distribution should send to WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body.
\nDefault: 16 KB (16,384 kilobytes)\n
Customizes the maximum size of the request body that your protected CloudFront distributions forward to WAF for inspection. The default size is 16 KB (16,384 kilobytes).
\nYou are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.
\nThis is used in the AssociationConfig of the web ACL.
The web ACL capacity units (WCUs) required for this rule group.
\nWhen you create your own rule group, you define this, and you cannot change it after creation. \n When you add or modify the rules in a rule group, WAF enforces this limit. You can check the capacity \n for a set of rules using CheckCapacity.
\nWAF uses WCUs to calculate and control the operating\n resources that are used to run your rules, rule groups, and web ACLs. WAF\n calculates capacity differently for each rule type, to reflect the relative cost of each rule. \n Simple rules that cost little to run use fewer WCUs than more complex rules\n\t\t\t\tthat use more processing power. \n\t\t\t\tRule group capacity is fixed at creation, which helps users plan their \n web ACL WCU usage when they use a rule group. \n The WCU limit for web ACLs is 1,500.
", + "smithy.api#documentation": "The web ACL capacity units (WCUs) required for this rule group.
\nWhen you create your own rule group, you define this, and you cannot change it after creation. \n When you add or modify the rules in a rule group, WAF enforces this limit. You can check the capacity \n for a set of rules using CheckCapacity.
\nWAF uses WCUs to calculate and control the operating\n resources that are used to run your rules, rule groups, and web ACLs. WAF\n calculates capacity differently for each rule type, to reflect the relative cost of each rule. \n Simple rules that cost little to run use fewer WCUs than more complex rules\n\t\t\t\tthat use more processing power. \n\t\t\t\tRule group capacity is fixed at creation, which helps users plan their \n web ACL WCU usage when they use a rule group. For more information, see WAF web ACL capacity units (WCU) \n in the WAF Developer Guide.
", "smithy.api#required": {} } }, @@ -10206,7 +9823,7 @@ "CustomResponseBodies": { "target": "com.amazonaws.wafv2#CustomResponseBodies", "traits": { - "smithy.api#documentation": "A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the rule group, and then use them in the rules that you define in the rule group.
\nFor information about customizing web requests and responses, see Customizing web requests and responses in WAF in the \n WAF Developer Guide.
\nFor information about the limits on count and size for custom request and response settings, see WAF quotas in the \n WAF Developer Guide.
" + "smithy.api#documentation": "A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the rule group, and then use them in the rules that you define in the rule group.
\nFor information about customizing web requests and responses, \n see Customizing web requests and responses in WAF \n in the WAF Developer Guide.
\nFor information about the limits on count and size for custom request and response settings, see WAF quotas \n in the WAF Developer Guide.
" } }, "AvailableLabels": { @@ -10551,7 +10168,36 @@ } }, "traits": { - "smithy.api#documentation": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.
\nIf you configure WAF to inspect the request body, WAF inspects only the first 8192 bytes (8 KB). If the request body for your web requests never exceeds 8192 bytes, you could use a size constraint statement to block requests that have a request body greater than 8192 bytes.
\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI /logo.jpg is nine characters long.
A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.
\nIf you configure WAF to inspect the request body, WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL AssociationConfig, for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.
If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI /logo.jpg is nine characters long.
A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.
\nIf you configure WAF to inspect the request body, WAF inspects only the first 8192 bytes (8 KB). If the request body for your web requests never exceeds 8192 bytes, you could use a size constraint statement to block requests that have a request body greater than 8192 bytes.
\nIf you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI /logo.jpg is nine characters long.
A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.
\nIf you configure WAF to inspect the request body, WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 kilobytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 kilobytes). For CloudFront web ACLs, you can increase the limit in the web ACL AssociationConfig, for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.
If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI /logo.jpg is nine characters long.
Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nA map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the rule group, and then use them in the rules that you define in the rule group.
\nFor information about customizing web requests and responses, see Customizing web requests and responses in WAF in the \n WAF Developer Guide.
\nFor information about the limits on count and size for custom request and response settings, see WAF quotas in the \n WAF Developer Guide.
" + "smithy.api#documentation": "A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the rule group, and then use them in the rules that you define in the rule group.
\nFor information about customizing web requests and responses, \n see Customizing web requests and responses in WAF \n in the WAF Developer Guide.
\nFor information about the limits on count and size for custom request and response settings, see WAF quotas \n in the WAF Developer Guide.
" } } }, @@ -11623,7 +11269,7 @@ } ], "traits": { - "smithy.api#documentation": "Updates the specified WebACL. While updating a web ACL, WAF provides\n continuous coverage to the resources that you have associated with the web ACL.
\nThis operation completely replaces the mutable specifications that you already have for the web ACL with the ones that you provide to this call.
\nTo modify a web ACL, do the following:
\nRetrieve it by calling GetWebACL\n
\nUpdate its settings as needed
\nProvide the complete web ACL specification to this call
\nWhen you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.
\nA web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, Amazon Cognito user pool, or an App Runner service.
" + "smithy.api#documentation": "Updates the specified WebACL. While updating a web ACL, WAF provides\n continuous coverage to the resources that you have associated with the web ACL.
\nThis operation completely replaces the mutable specifications that you already have for the web ACL with the ones that you provide to this call.
\nTo modify a web ACL, do the following:
\nRetrieve it by calling GetWebACL\n
\nUpdate its settings as needed
\nProvide the complete web ACL specification to this call
\nWhen you make changes to web ACLs or web ACL components, like rules and rule groups, WAF propagates the changes everywhere that the web ACL and its components are stored and used. Your changes are applied within seconds, but there might be a brief period of inconsistency when the changes have arrived in some places and not in others. So, for example, if you change a rule action setting, the action might be the old action in one area and the new action in another area. Or if you add an IP address to an IP set used in a blocking rule, the new address might briefly be blocked in one area while still allowed in another. This temporary inconsistency can occur when you first associate a web ACL with an Amazon Web Services resource and when you change a web ACL that is already associated with a resource. Generally, any inconsistencies of this type last only a few seconds.
\nA web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
" } }, "com.amazonaws.wafv2#UpdateWebACLRequest": { @@ -11639,7 +11285,7 @@ "Scope": { "target": "com.amazonaws.wafv2#Scope", "traits": { - "smithy.api#documentation": "Specifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, a Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nSpecifies whether this is for an Amazon CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
\nTo work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
\nCLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
\nA map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the web ACL, and then use them in the rules and default actions that you define in the web ACL.
\nFor information about customizing web requests and responses, see Customizing web requests and responses in WAF in the \n WAF Developer Guide.
\nFor information about the limits on count and size for custom request and response settings, see WAF quotas in the \n WAF Developer Guide.
" + "smithy.api#documentation": "A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the web ACL, and then use them in the rules and default actions that you define in the web ACL.
\nFor information about customizing web requests and responses, \n see Customizing web requests and responses in WAF \n in the WAF Developer Guide.
\nFor information about the limits on count and size for custom request and response settings, see WAF quotas \n in the WAF Developer Guide.
" } }, "CaptchaConfig": { @@ -11706,6 +11352,12 @@ "traits": { "smithy.api#documentation": "Specifies the domains that WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When WAF provides a token, it uses the domain of the Amazon Web Services resource that the web ACL is protecting. If you don't specify a list of token domains, WAF accepts tokens only for the domain of the protected resource. With a token domain list, WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains.
\nExample JSON: \"TokenDomains\": { \"mywebsite.com\", \"myotherwebsite.com\" }\n
Public suffixes aren't allowed. For example, you can't use usa.gov or co.uk as token domains.
Specifies custom configurations for the associations between the web ACL and protected resources.
\nUse this to customize the maximum size of the request body that your protected CloudFront distributions forward to WAF for inspection. The default is 16 KB (16,384 kilobytes).
\nYou are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.
\nA boolean indicating whether the associated resource sends metrics to Amazon CloudWatch. For the\n list of available metrics, see WAF\n Metrics.
", + "smithy.api#documentation": "A boolean indicating whether the associated resource sends metrics to Amazon CloudWatch. For the\n list of available metrics, see WAF\n Metrics in the WAF Developer Guide.
", "smithy.api#required": {} } }, @@ -11938,7 +11590,7 @@ } }, "traits": { - "smithy.api#documentation": "The operation failed because the specified policy isn't in the proper format.
\nThe policy specifications must conform to the following:
\nThe policy must be composed using IAM Policy version 2012-10-17 or version 2015-01-01.
\nThe policy must include specifications for Effect, Action, and Principal.
\n Effect must specify Allow.
\n Action must specify wafv2:CreateWebACL, wafv2:UpdateWebACL, and \n wafv2:PutFirewallManagerRuleGroups and may optionally specify wafv2:GetRuleGroup. \n WAF rejects any extra actions or wildcard actions in the policy.
The policy must not include a Resource parameter.
For more information, see IAM Policies.
", + "smithy.api#documentation": "The operation failed because the specified policy isn't in the proper format.
\nThe policy specifications must conform to the following:
\nThe policy must be composed using IAM Policy version 2012-10-17.
\nThe policy must include specifications for Effect, Action, and Principal.
\n Effect must specify Allow.
\n Action must specify wafv2:CreateWebACL, wafv2:UpdateWebACL, and \n wafv2:PutFirewallManagerRuleGroups and may optionally specify wafv2:GetRuleGroup. \n WAF rejects any extra actions or wildcard actions in the policy.
The policy must not include a Resource parameter.
For more information, see IAM Policies.
", "smithy.api#error": "client" } }, @@ -12116,7 +11768,7 @@ "target": "com.amazonaws.wafv2#ConsumedCapacity", "traits": { "smithy.api#default": 0, - "smithy.api#documentation": "The web ACL capacity units (WCUs) currently being used by this web ACL.
\nWAF uses WCUs to calculate and control the operating\n resources that are used to run your rules, rule groups, and web ACLs. WAF\n calculates capacity differently for each rule type, to reflect the relative cost of each rule. \n Simple rules that cost little to run use fewer WCUs than more complex rules\n\t\t\t\tthat use more processing power. \n\t\t\t\tRule group capacity is fixed at creation, which helps users plan their \n web ACL WCU usage when they use a rule group. \n The WCU limit for web ACLs is 1,500.
" + "smithy.api#documentation": "The web ACL capacity units (WCUs) currently being used by this web ACL.
\nWAF uses WCUs to calculate and control the operating\n resources that are used to run your rules, rule groups, and web ACLs. WAF\n calculates capacity differently for each rule type, to reflect the relative cost of each rule. \n Simple rules that cost little to run use fewer WCUs than more complex rules\n\t\t\t\tthat use more processing power. \n\t\t\t\tRule group capacity is fixed at creation, which helps users plan their \n web ACL WCU usage when they use a rule group. For more information, see WAF web ACL capacity units (WCU) \n in the WAF Developer Guide.
" } }, "PreProcessFirewallManagerRuleGroups": { @@ -12147,7 +11799,7 @@ "CustomResponseBodies": { "target": "com.amazonaws.wafv2#CustomResponseBodies", "traits": { - "smithy.api#documentation": "A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the web ACL, and then use them in the rules and default actions that you define in the web ACL.
\nFor information about customizing web requests and responses, see Customizing web requests and responses in WAF in the \n WAF Developer Guide.
\nFor information about the limits on count and size for custom request and response settings, see WAF quotas in the \n WAF Developer Guide.
" + "smithy.api#documentation": "A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the web ACL, and then use them in the rules and default actions that you define in the web ACL.
\nFor information about customizing web requests and responses, \n see Customizing web requests and responses in WAF \n in the WAF Developer Guide.
\nFor information about the limits on count and size for custom request and response settings, see WAF quotas \n in the WAF Developer Guide.
" } }, "CaptchaConfig": { @@ -12167,10 +11819,16 @@ "traits": { "smithy.api#documentation": "Specifies the domains that WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When WAF provides a token, it uses the domain of the Amazon Web Services resource that the web ACL is protecting. If you don't specify a list of token domains, WAF accepts tokens only for the domain of the protected resource. With a token domain list, WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains.
" } + }, + "AssociationConfig": { + "target": "com.amazonaws.wafv2#AssociationConfig", + "traits": { + "smithy.api#documentation": "Specifies custom configurations for the associations between the web ACL and protected resources.
\nUse this to customize the maximum size of the request body that your protected CloudFront distributions forward to WAF for inspection. The default is 16 KB (16,384 kilobytes).
\nYou are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.
\nA web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, Amazon Cognito user pool, or an App Runner service.
" + "smithy.api#documentation": "A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has an action defined (allow, block, or count) for requests that match the statement of the rule. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, or an App Runner service.
" } }, "com.amazonaws.wafv2#WebACLSummaries": {