web_acls
Creates, updates, deletes or gets a web_acl resource or lists web_acls in a region
Overview
| Name | web_acls |
| Type | Resource |
| Description | Contains the Rules that identify the requests that you want to allow, block, or count. In a WebACL, you also specify a default action (ALLOW or BLOCK) that applies when no Rule matches, and the action for each Rule that you add to a WebACL, for example, block requests from specified IP addresses or block requests from specified referrers. You then associate the WebACL with a CloudFront distribution (CLOUDFRONT scope) or with a regional resource such as an Application Load Balancer or API Gateway (REGIONAL scope) to identify the requests that you want AWS WAF to filter. If you add more than one Rule to a WebACL, Rules are evaluated in Priority order and a request needs to match only one of the specifications to be allowed, blocked, or counted. |
| Id | awscc.wafv2.web_acls |
Fields
- get (all properties)

| Name | Datatype | Description |
|---|---|---|
| arn | string | ARN of the WebACL. |
| capacity | integer | Web ACL capacity units (WCUs) consumed by the Rules in this WebACL. |
| default_action | object | Default action (Allow or Block) the WebACL takes against ingress traffic when no Rule matches. |
| description | string | Description of the entity. |
| name | string | Name of the WebACL. |
| id | string | Id of the WebACL. |
| scope | string | Use CLOUDFRONT for a CloudFront WebACL (managed in us-east-1); use REGIONAL for Application Load Balancer and API Gateway. |
| rules | array | Collection of Rules, each with a priority, a statement, an action or override_action, and its own visibility_config. |
| visibility_config | object | Sampled-request and CloudWatch metric settings for the WebACL (sampled_requests_enabled, cloud_watch_metrics_enabled, metric_name). |
| data_protection_config | object | Collection of data protections: request fields whose values are substituted or hashed before they reach AWS WAF logs. |
| tags | array | Key/value tags on the WebACL. |
| label_namespace | string | Label namespace prefix that AWS WAF prepends to labels generated by this WebACL's Rules. |
| custom_response_bodies | object | Map of custom response body keys to bodies, referenced from Block actions by custom_response_body_key. |
| captcha_config | object | WebACL-level CAPTCHA settings (immunity time). |
| challenge_config | object | WebACL-level challenge settings (immunity time). |
| token_domains | array | List of domains to accept in web request tokens, in addition to the domain of the protected resource. |
| association_config | object | Association settings for protected resources, including request body inspection limits. |
| on_source_ddo_sprotection_config | object | Configures the options for on-source DDoS protection provided by supported resource types. |
| region | string | AWS region. |

- list (identifiers only)

| Name | Datatype | Description |
|---|---|---|
| name | string | Name of the WebACL. |
| id | string | Id of the WebACL. |
| scope | string | Use CLOUDFRONT for a CloudFront WebACL; use REGIONAL for Application Load Balancer and API Gateway. |
| region | string | AWS region. |
For more information, see AWS::WAFv2::WebACL.
Methods
| Name | Resource | Accessible by | Required Params |
|---|---|---|---|
create_resource | web_acls | INSERT | DefaultAction, Scope, VisibilityConfig, region |
delete_resource | web_acls | DELETE | Identifier, region |
update_resource | web_acls | UPDATE | Identifier, PatchDocument, region |
list_resources | web_acls_list_only | SELECT | region |
get_resource | web_acls | SELECT | Identifier, region |
SELECT examples
- get (all properties)
- list (identifiers only)
Gets all properties from an individual web_acl. The Identifier is the WebACL's name, id and scope joined with `|`, which are the three columns the list query returns.

```sql
SELECT
  region,
  arn,
  capacity,
  default_action,
  description,
  name,
  id,
  scope,
  rules,
  visibility_config,
  data_protection_config,
  tags,
  label_namespace,
  custom_response_bodies,
  captcha_config,
  challenge_config,
  token_domains,
  association_config,
  on_source_ddo_sprotection_config
FROM awscc.wafv2.web_acls
WHERE
  region = 'us-east-1' AND
  Identifier = '{{ name }}|{{ id }}|{{ scope }}';
```
Lists all web_acls in a region.

```sql
SELECT
  region,
  name,
  id,
  scope
FROM awscc.wafv2.web_acls_list_only
WHERE
  region = 'us-east-1';
```
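The properties that the get query returns are enough to judge whether a WebACL actually enforces anything or merely observes. The following Python, added here as an example and not part of the StackQL page or project, runs a posture check over a dict shaped like that row (the PascalCase property names of AWS::WAFv2::WebACL): it flags a default Allow with no Rule that can block, disabled CloudWatch metrics or sampled requests, managed rule groups left in Count mode, duplicate Rule priorities, and the absence of a rate-based Rule. The finding codes, function names and the two sample WebACLs are constructed for illustration.

```python
"""Posture check over an AWS WAFv2 WebACL's properties.

Added example (not part of the StackQL docs or project). Input is a dict
shaped like the row the get query returns, using the PascalCase property
names of AWS::WAFv2::WebACL; finding codes and sample WebACLs are constructed.
"""
from __future__ import annotations


def _can_block(rule: dict) -> bool:
    """True if this rule is able to block on its own.

    A plain rule blocks when its Action is Block. A rule group reference
    (managed or customer-owned) blocks with the group's own actions unless
    the OverrideAction turns every match into Count.
    """
    if "Block" in rule.get("Action", {}):
        return True
    stmt = rule.get("Statement", {})
    if "ManagedRuleGroupStatement" in stmt or "RuleGroupReferenceStatement" in stmt:
        return "Count" not in rule.get("OverrideAction", {})
    return False


def audit_web_acl(acl: dict) -> list[str]:
    """Return finding codes for one WebACL in a fixed order (empty list = clean)."""
    findings: list[str] = []
    rules = acl.get("Rules", [])

    # 1. DefaultAction Allow plus nothing that can block: traffic is observed, never filtered.
    if "Allow" in acl.get("DefaultAction", {}) and not any(_can_block(r) for r in rules):
        findings.append("DEFAULT_ALLOW_NO_BLOCKING_RULE")

    # 2. Without CloudWatch metrics and sampled requests there is nothing to alert on or triage.
    vis = acl.get("VisibilityConfig", {})
    if not vis.get("CloudWatchMetricsEnabled", False):
        findings.append("CLOUDWATCH_METRICS_DISABLED")
    if not vis.get("SampledRequestsEnabled", False):
        findings.append("SAMPLED_REQUESTS_DISABLED")

    # 3. A managed rule group in Count mode is a tuning state, not protection.
    for r in rules:
        if "ManagedRuleGroupStatement" in r.get("Statement", {}) and "Count" in r.get("OverrideAction", {}):
            findings.append(f"MANAGED_GROUP_IN_COUNT_MODE:{r['Name']}")

    # 4. Priority drives evaluation order and must be unique; duplicates are rejected by AWS WAF.
    priorities = [r.get("Priority") for r in rules]
    if len(priorities) != len(set(priorities)):
        findings.append("DUPLICATE_RULE_PRIORITY")

    # 5. No rate-based rule: no throttle against volumetric abuse or credential stuffing.
    if not any("RateBasedStatement" in r.get("Statement", {}) for r in rules):
        findings.append("NO_RATE_BASED_RULE")

    return findings


def _vis(metric: str, on: bool = True) -> dict:
    """VisibilityConfig helper for the constructed samples."""
    return {"SampledRequestsEnabled": on, "CloudWatchMetricsEnabled": on, "MetricName": metric}


COMMON_RULE_SET = {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}}

# Constructed sample: everything in monitor mode and no evidence collected.
WEAK_ACL = {
    "Name": "weak-acl",
    "Scope": "REGIONAL",
    "DefaultAction": {"Allow": {}},
    "VisibilityConfig": _vis("weakAcl", on=False),
    "Rules": [
        {"Name": "common", "Priority": 0, "Statement": COMMON_RULE_SET,
         "OverrideAction": {"Count": {}}, "VisibilityConfig": _vis("common")},
        {"Name": "geo-count", "Priority": 0,  # duplicate of the priority above
         "Statement": {"GeoMatchStatement": {"CountryCodes": ["AQ"]}},
         "Action": {"Count": {}}, "VisibilityConfig": _vis("geoCount")},
    ],
}

# Constructed sample: managed group enforcing, a rate limit that blocks, metrics on.
HARDENED_ACL = {
    "Name": "hardened-acl",
    "Scope": "REGIONAL",
    "DefaultAction": {"Allow": {}},
    "VisibilityConfig": _vis("hardenedAcl"),
    "Rules": [
        {"Name": "common", "Priority": 0, "Statement": COMMON_RULE_SET,
         "OverrideAction": {"None": {}}, "VisibilityConfig": _vis("common")},
        {"Name": "rate-limit", "Priority": 10,
         "Statement": {"RateBasedStatement": {"Limit": 1000, "EvaluationWindowSec": 300, "AggregateKeyType": "IP"}},
         "Action": {"Block": {}}, "VisibilityConfig": _vis("rateLimit")},
    ],
}

if __name__ == "__main__":
    for sample in (WEAK_ACL, HARDENED_ACL):
        print(sample["Name"], audit_web_acl(sample) or "clean")
```

Feed it the JSON-decoded row from the get query and treat a non-empty list as a reason to fail the pipeline; a WebACL whose only Rules are in Count mode passes a "has a WAF" checkbox while blocking nothing.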
INSERT example
Use the following StackQL query and manifest file to create a new web_acl resource, using stack-deploy.
- Required Properties
- All Properties
- Manifest
```sql
/*+ create */
INSERT INTO awscc.wafv2.web_acls (
  DefaultAction,
  Scope,
  VisibilityConfig,
  region
)
SELECT
  '{{ default_action }}',
  '{{ scope }}',
  '{{ visibility_config }}',
  '{{ region }}';
```
```sql
/*+ create */
INSERT INTO awscc.wafv2.web_acls (
  DefaultAction,
  Description,
  Name,
  Scope,
  Rules,
  VisibilityConfig,
  DataProtectionConfig,
  Tags,
  CustomResponseBodies,
  CaptchaConfig,
  ChallengeConfig,
  TokenDomains,
  AssociationConfig,
  OnSourceDDoSProtectionConfig,
  region
)
SELECT
  '{{ default_action }}',
  '{{ description }}',
  '{{ name }}',
  '{{ scope }}',
  '{{ rules }}',
  '{{ visibility_config }}',
  '{{ data_protection_config }}',
  '{{ tags }}',
  '{{ custom_response_bodies }}',
  '{{ captcha_config }}',
  '{{ challenge_config }}',
  '{{ token_domains }}',
  '{{ association_config }}',
  '{{ on_source_ddo_sprotection_config }}',
  '{{ region }}';
```
```yaml
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: web_acl
    props:
      - name: default_action
        value:
          allow:
            custom_request_handling:
              insert_headers:
                - name: '{{ name }}'
                  value: '{{ value }}'
          block:
            custom_response:
              response_code: '{{ response_code }}'
              custom_response_body_key: '{{ custom_response_body_key }}'
              response_headers:
                - null
      - name: description
        value: '{{ description }}'
      - name: name
        value: '{{ name }}'
      - name: scope
        value: '{{ scope }}'
      - name: rules
        value:
          - name: null
            priority: '{{ priority }}'
            statement:
              byte_match_statement:
                search_string: '{{ search_string }}'
                search_string_base64: '{{ search_string_base64 }}'
                field_to_match:
                  single_header:
                    name: '{{ name }}'
                  single_query_argument:
                    name: '{{ name }}'
                  all_query_arguments: {}
                  uri_path: {}
                  query_string: {}
                  body:
                    oversize_handling: '{{ oversize_handling }}'
                  method: {}
                  json_body:
                    match_pattern:
                      all: {}
                      included_paths:
                        - '{{ included_paths[0] }}'
                    match_scope: '{{ match_scope }}'
                    invalid_fallback_behavior: '{{ invalid_fallback_behavior }}'
                    oversize_handling: null
                  headers:
                    match_pattern:
                      all: {}
                      included_headers:
                        - '{{ included_headers[0] }}'
                      excluded_headers:
                        - '{{ excluded_headers[0] }}'
                    match_scope: '{{ match_scope }}'
                    oversize_handling: null
                  cookies:
                    match_pattern:
                      all: {}
                      included_cookies:
                        - '{{ included_cookies[0] }}'
                      excluded_cookies:
                        - '{{ excluded_cookies[0] }}'
                    match_scope: null
                    oversize_handling: null
                  j_a3_fingerprint:
                    fallback_behavior: '{{ fallback_behavior }}'
                  j_a4_fingerprint:
                    fallback_behavior: '{{ fallback_behavior }}'
                  uri_fragment:
                    fallback_behavior: '{{ fallback_behavior }}'
                text_transformations:
                  - priority: '{{ priority }}'
                    type: '{{ type }}'
                positional_constraint: '{{ positional_constraint }}'
              sqli_match_statement:
                field_to_match: null
                text_transformations:
                  - null
                sensitivity_level: '{{ sensitivity_level }}'
              xss_match_statement:
                field_to_match: null
                text_transformations:
                  - null
              size_constraint_statement:
                field_to_match: null
                comparison_operator: '{{ comparison_operator }}'
                size: null
                text_transformations:
                  - null
              geo_match_statement:
                country_codes:
                  - '{{ country_codes[0] }}'
                forwarded_ip_config:
                  header_name: '{{ header_name }}'
                  fallback_behavior: '{{ fallback_behavior }}'
              rule_group_reference_statement:
                arn: '{{ arn }}'
                excluded_rules:
                  - name: null
                rule_action_overrides:
                  - name: null
                    action_to_use:
                      allow: null
                      block: null
                      count:
                        custom_request_handling: null
                      captcha:
                        custom_request_handling: null
                      challenge:
                        custom_request_handling: null
              ip_set_reference_statement:
                arn: null
                ip_set_forwarded_ip_config:
                  header_name: '{{ header_name }}'
                  fallback_behavior: '{{ fallback_behavior }}'
                  position: '{{ position }}'
              regex_pattern_set_reference_statement:
                arn: null
                field_to_match: null
                text_transformations:
                  - null
              managed_rule_group_statement:
                name: null
                vendor_name: '{{ vendor_name }}'
                version: '{{ version }}'
                excluded_rules:
                  - null
                scope_down_statement: null
                managed_rule_group_configs:
                  - login_path: '{{ login_path }}'
                    payload_type: '{{ payload_type }}'
                    username_field:
                      identifier: '{{ identifier }}'
                    password_field: null
                    aws_managed_rules_bot_control_rule_set:
                      inspection_level: '{{ inspection_level }}'
                      enable_machine_learning: '{{ enable_machine_learning }}'
                    aws_managed_rules_at_prule_set:
                      login_path: '{{ login_path }}'
                      enable_regex_in_path: '{{ enable_regex_in_path }}'
                      request_inspection:
                        payload_type: '{{ payload_type }}'
                        username_field: null
                        password_field: null
                      response_inspection:
                        status_code:
                          success_codes:
                            - '{{ success_codes[0] }}'
                          failure_codes:
                            - '{{ failure_codes[0] }}'
                        header:
                          name: '{{ name }}'
                          success_values:
                            - '{{ success_values[0] }}'
                          failure_values:
                            - '{{ failure_values[0] }}'
                        body_contains:
                          success_strings:
                            - '{{ success_strings[0] }}'
                          failure_strings:
                            - '{{ failure_strings[0] }}'
                        json:
                          identifier: '{{ identifier }}'
                          success_values:
                            - '{{ success_values[0] }}'
                          failure_values:
                            - '{{ failure_values[0] }}'
                    aws_managed_rules_ac_fp_rule_set:
                      creation_path: '{{ creation_path }}'
                      registration_page_path: '{{ registration_page_path }}'
                      request_inspection:
                        payload_type: '{{ payload_type }}'
                        username_field: null
                        password_field: null
                        email_field: null
                        phone_number_fields:
                          - null
                        address_fields:
                          - null
                      response_inspection: null
                      enable_regex_in_path: '{{ enable_regex_in_path }}'
                    aws_managed_rules_anti_ddo_srule_set:
                      client_side_action_config:
                        challenge:
                          usage_of_action: '{{ usage_of_action }}'
                          sensitivity: '{{ sensitivity }}'
                          exempt_uri_regular_expressions:
                            - regex_string: '{{ regex_string }}'
                      sensitivity_to_block: null
                rule_action_overrides:
                  - null
              rate_based_statement:
                limit: '{{ limit }}'
                evaluation_window_sec: '{{ evaluation_window_sec }}'
                aggregate_key_type: '{{ aggregate_key_type }}'
                custom_keys:
                  - cookie:
                      name: '{{ name }}'
                      text_transformations:
                        - null
                    forwarded_ip: {}
                    header:
                      name: '{{ name }}'
                      text_transformations:
                        - null
                    h_tt_pmethod: {}
                    ip: {}
                    label_namespace:
                      namespace: '{{ namespace }}'
                    query_argument:
                      name: '{{ name }}'
                      text_transformations:
                        - null
                    query_string:
                      text_transformations:
                        - null
                    uri_path:
                      text_transformations:
                        - null
                    j_a3_fingerprint:
                      fallback_behavior: '{{ fallback_behavior }}'
                    j_a4_fingerprint:
                      fallback_behavior: '{{ fallback_behavior }}'
                    a_sn: {}
                scope_down_statement: null
                forwarded_ip_config: null
              and_statement:
                statements:
                  - null
              or_statement:
                statements:
                  - null
              not_statement:
                statement: null
              label_match_statement:
                scope: '{{ scope }}'
                key: '{{ key }}'
              regex_match_statement:
                regex_string: '{{ regex_string }}'
                field_to_match: null
                text_transformations:
                  - null
              asn_match_statement:
                asn_list:
                  - '{{ asn_list[0] }}'
                forwarded_ip_config: null
            action: null
            override_action:
              count: {}
              none: {}
            rule_labels:
              - name: '{{ name }}'
            visibility_config:
              sampled_requests_enabled: '{{ sampled_requests_enabled }}'
              cloud_watch_metrics_enabled: '{{ cloud_watch_metrics_enabled }}'
              metric_name: '{{ metric_name }}'
            captcha_config:
              immunity_time_property:
                immunity_time: '{{ immunity_time }}'
            challenge_config:
              immunity_time_property: null
      - name: visibility_config
        value: null
      - name: data_protection_config
        value:
          data_protections:
            - field:
                field_type: '{{ field_type }}'
                field_keys:
                  - '{{ field_keys[0] }}'
              action: '{{ action }}'
              exclude_rule_match_details: '{{ exclude_rule_match_details }}'
              exclude_rate_based_details: '{{ exclude_rate_based_details }}'
      - name: tags
        value:
          - key: '{{ key }}'
            value: '{{ value }}'
      - name: custom_response_bodies
        value: {}
      - name: captcha_config
        value: null
      - name: challenge_config
        value: null
      - name: token_domains
        value:
          - '{{ token_domains[0] }}'
      - name: association_config
        value:
          request_body: {}
      - name: on_source_ddo_sprotection_config
        value:
          a_lb_low_reputation_mode: '{{ a_lb_low_reputation_mode }}'
```
UPDATE example
Use the following StackQL query and manifest file to update a web_acl resource, using stack-deploy.
```sql
/*+ update */
UPDATE awscc.wafv2.web_acls
SET PatchDocument = string('{{ {
  "DefaultAction": default_action,
  "Description": description,
  "Rules": rules,
  "VisibilityConfig": visibility_config,
  "DataProtectionConfig": data_protection_config,
  "Tags": tags,
  "CustomResponseBodies": custom_response_bodies,
  "CaptchaConfig": captcha_config,
  "ChallengeConfig": challenge_config,
  "TokenDomains": token_domains,
  "AssociationConfig": association_config,
  "OnSourceDDoSProtectionConfig": on_source_ddo_sprotection_config
} | generate_patch_document }}')
WHERE
  region = '{{ region }}' AND
  Identifier = '{{ name }}|{{ id }}|{{ scope }}';
```
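The PatchDocument in the SET clause is what makes an awscc update different from re-deploying a template: the Cloud Control API behind the awscc provider applies an RFC 6902 JSON Patch to the resource's current properties. The Python below, added as an example and not StackQL's own generate_patch_document implementation, builds such a patch one property deep (the level Cloud Control addresses with paths like /DefaultAction), leaves the read-only properties alone, and applies the patch back to the current state so the document can be checked before it is sent. The two property sets and all function names are constructed; only the PascalCase property names come from AWS::WAFv2::WebACL.

```python
"""Build and check the PatchDocument that an awscc UPDATE carries.

Added example, not StackQL's generate_patch_document implementation. Cloud
Control API applies an RFC 6902 JSON Patch to a resource's current
properties; property names come from AWS::WAFv2::WebACL, everything else
here (function names, the two property sets, the account id) is constructed.
"""
from __future__ import annotations

import copy
import json

# Properties the WebACL handler reports but never accepts in a patch.
READ_ONLY = {"Arn", "Id", "Capacity", "LabelNamespace"}


def build_patch_document(current: dict, desired: dict) -> list[dict]:
    """Diff current vs. desired properties one level deep.

    Cloud Control addresses properties by name (path "/Rules", not
    "/Rules/0/Action"), so a changed property is replaced wholesale. Pass the
    complete desired state: a writable property missing from `desired`
    becomes a remove operation.
    """
    ops: list[dict] = []
    for key in sorted((set(current) | set(desired)) - READ_ONLY):
        if key not in current:
            ops.append({"op": "add", "path": f"/{key}", "value": desired[key]})
        elif key not in desired:
            ops.append({"op": "remove", "path": f"/{key}"})
        elif current[key] != desired[key]:
            ops.append({"op": "replace", "path": f"/{key}", "value": desired[key]})
    return ops


def apply_patch_document(current: dict, ops: list[dict]) -> dict:
    """Apply a top-level patch locally to confirm it yields the intended state."""
    out = copy.deepcopy(current)
    for op in ops:
        key = op["path"].lstrip("/")
        if op["op"] == "remove":
            del out[key]
        elif op["op"] in ("add", "replace"):
            out[key] = op["value"]
        else:
            raise ValueError(f"unsupported op {op['op']!r}")
    return out


def patch_document_string(ops: list[dict]) -> str:
    """Serialise the operations for the SET PatchDocument = '...' clause."""
    return json.dumps(ops, separators=(",", ":"))


COMMON = {"ManagedRuleGroupStatement": {"VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet"}}
VIS = {"SampledRequestsEnabled": True, "CloudWatchMetricsEnabled": True, "MetricName": "apiAcl"}

# Constructed: what get_resource returns today (managed group only counting).
CURRENT_PROPS = {
    "Arn": "arn:aws:wafv2:us-east-1:123456789012:regional/webacl/api-acl/00000000-0000-0000-0000-000000000000",
    "Id": "00000000-0000-0000-0000-000000000000",
    "Capacity": 700,
    "LabelNamespace": "awswaf:123456789012:webacl:api-acl:",
    "Name": "api-acl",
    "Scope": "REGIONAL",
    "Description": "tuning",
    "DefaultAction": {"Allow": {}},
    "VisibilityConfig": VIS,
    "Rules": [
        {"Name": "common", "Priority": 0, "Statement": COMMON,
         "OverrideAction": {"Count": {}}, "VisibilityConfig": VIS},
    ],
}

# Constructed: the intended state (enforce the managed group, add a rate limit).
DESIRED_PROPS = {
    "Name": "api-acl",
    "Scope": "REGIONAL",
    "Description": "enforcing",
    "DefaultAction": {"Allow": {}},
    "VisibilityConfig": VIS,
    "Rules": [
        {"Name": "common", "Priority": 0, "Statement": COMMON,
         "OverrideAction": {"None": {}}, "VisibilityConfig": VIS},
        {"Name": "rate-limit", "Priority": 10,
         "Statement": {"RateBasedStatement": {"Limit": 1000, "EvaluationWindowSec": 300, "AggregateKeyType": "IP"}},
         "Action": {"Block": {}}, "VisibilityConfig": VIS},
    ],
}

if __name__ == "__main__":
    ops = build_patch_document(CURRENT_PROPS, DESIRED_PROPS)
    print(patch_document_string(ops))
```

Because a changed Rules array is replaced as a whole, a patch that drops a Rule by accident looks identical to one that renames it; diffing the applied result against the desired state, as the check function does, is the cheap way to catch that before UpdateResource runs.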
DELETE example
```sql
/*+ delete */
DELETE FROM awscc.wafv2.web_acls
WHERE
  Identifier = '{{ name }}|{{ id }}|{{ scope }}' AND
  region = 'us-east-1';
```
Permissions
To operate on the web_acls resource, the following permissions are required for each operation:

- Create: wafv2:CreateWebACL, wafv2:GetWebACL, wafv2:ListTagsForResource, wafv2:TagResource, wafv2:UntagResource
- Delete: wafv2:DeleteWebACL, wafv2:GetWebACL
- Read: wafv2:GetWebACL, wafv2:ListTagsForResource
- Update: wafv2:UpdateWebACL, wafv2:GetWebACL, wafv2:ListTagsForResource, wafv2:TagResource, wafv2:UntagResource
- List: wafv2:ListWebACLs