diff --git a/clients/client-wafv2/README.md b/clients/client-wafv2/README.md index 1993433a35c0..bd329f40c888 100644 --- a/clients/client-wafv2/README.md +++ b/clients/client-wafv2/README.md @@ -25,16 +25,15 @@ have retained the prior names, endpoints, and namespaces.
see the WAF Developer Guide.WAF is a web application firewall that lets you monitor the HTTP and HTTPS -requests that are forwarded to Amazon CloudFront, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync -GraphQL API, or an Amazon Cognito user pool. WAF also lets you control access to your content. Based on conditions that +requests that are forwarded to an Amazon CloudFront distribution, Amazon API Gateway REST API, Application Load Balancer, AppSync +GraphQL API, or Amazon Cognito user pool. WAF also lets you control access to your content, +to protect the Amazon Web Services resource that WAF is monitoring. Based on conditions that you specify, such as the IP addresses that requests originate from or the values of query -strings, the Amazon API Gateway REST API, CloudFront distribution, the Application Load Balancer, the AppSync GraphQL -API, or the Amazon Cognito user pool responds to requests either with the requested content or with an HTTP 403 status code -(Forbidden). You also can configure CloudFront to return a custom error page when a request is -blocked.
+strings, the protected resource responds to requests with either the requested content, an HTTP 403 status code +(Forbidden), or with a custom response.This API guide is for developers who need detailed information about WAF API actions, -data types, and errors. For detailed information about WAF features and an overview of -how to use WAF, see the WAF Developer +data types, and errors. For detailed information about WAF features and guidance for configuring and using +WAF, see the WAF Developer Guide.
You can make calls using the endpoints listed in WAF endpoints and quotas.
WAF is a web application firewall that lets you monitor the HTTP and HTTPS - * requests that are forwarded to Amazon CloudFront, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync - * GraphQL API, or an Amazon Cognito user pool. WAF also lets you control access to your content. Based on conditions that + * requests that are forwarded to an Amazon CloudFront distribution, Amazon API Gateway REST API, Application Load Balancer, AppSync + * GraphQL API, or Amazon Cognito user pool. WAF also lets you control access to your content, + * to protect the Amazon Web Services resource that WAF is monitoring. Based on conditions that * you specify, such as the IP addresses that requests originate from or the values of query - * strings, the Amazon API Gateway REST API, CloudFront distribution, the Application Load Balancer, the AppSync GraphQL - * API, or the Amazon Cognito user pool responds to requests either with the requested content or with an HTTP 403 status code - * (Forbidden). You also can configure CloudFront to return a custom error page when a request is - * blocked.
+ * strings, the protected resource responds to requests with either the requested content, an HTTP 403 status code + * (Forbidden), or with a custom response. *This API guide is for developers who need detailed information about WAF API actions, - * data types, and errors. For detailed information about WAF features and an overview of - * how to use WAF, see the WAF Developer + * data types, and errors. For detailed information about WAF features and guidance for configuring and using + * WAF, see the WAF Developer * Guide.
*You can make calls using the endpoints listed in WAF endpoints and quotas.
*WAF is a web application firewall that lets you monitor the HTTP and HTTPS - * requests that are forwarded to Amazon CloudFront, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync - * GraphQL API, or an Amazon Cognito user pool. WAF also lets you control access to your content. Based on conditions that + * requests that are forwarded to an Amazon CloudFront distribution, Amazon API Gateway REST API, Application Load Balancer, AppSync + * GraphQL API, or Amazon Cognito user pool. WAF also lets you control access to your content, + * to protect the Amazon Web Services resource that WAF is monitoring. Based on conditions that * you specify, such as the IP addresses that requests originate from or the values of query - * strings, the Amazon API Gateway REST API, CloudFront distribution, the Application Load Balancer, the AppSync GraphQL - * API, or the Amazon Cognito user pool responds to requests either with the requested content or with an HTTP 403 status code - * (Forbidden). You also can configure CloudFront to return a custom error page when a request is - * blocked.
+ * strings, the protected resource responds to requests with either the requested content, an HTTP 403 status code + * (Forbidden), or with a custom response. *This API guide is for developers who need detailed information about WAF API actions, - * data types, and errors. For detailed information about WAF features and an overview of - * how to use WAF, see the WAF Developer + * data types, and errors. For detailed information about WAF features and guidance for configuring and using + * WAF, see the WAF Developer * Guide.
*You can make calls using the endpoints listed in WAF endpoints and quotas.
*A string value that you want WAF to search for. WAF searches only in the part of * web requests that you designate for inspection in FieldToMatch. The - * maximum length of the value is 50 bytes.
+ * maximum length of the value is 200 bytes. *Valid values depend on the component that you specify for inspection in
* FieldToMatch
:
Specify a base64-encoded version of the value. The maximum length of the value before - * you base64-encode it is 50 bytes.
+ * you base64-encode it is 200 bytes. *For example, suppose the value of Type
is HEADER
and the value
* of Data
is User-Agent
. If you want to search the
* User-Agent
header for the value BadBot
, you base64-encode
@@ -1372,26 +1372,10 @@ export interface ExcludedRule {
Name: string | undefined;
}
-export enum InspectionLevel {
- COMMON = "COMMON",
- TARGETED = "TARGETED",
-}
-
/**
- *
Details for your use of the Bot Control managed rule group, used in ManagedRuleGroupConfig
.
The inspection level to use for the Bot Control rule group. The common level is the least expensive. The - * targeted level includes all common level rules and adds rules with more advanced inspection criteria. For - * details, see WAF Bot Control rule group.
- */ - InspectionLevel: InspectionLevel | string | undefined; -} - -/** - *Details about your login page password field, used in a
- * ManagedRuleGroupConfig
.
Details about your login page password field for request inspection, used in the
+ * AWSManagedRulesATPRuleSet
+ * RequestInspection
configuration.
Details about your login page username field, used in a
- * ManagedRuleGroupConfig
.
Details about your login page username field for request inspection, used in the
+ * AWSManagedRulesATPRuleSet
+ * RequestInspection
configuration.
The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage.
+ *This is part of the AWSManagedRulesATPRuleSet
configuration in ManagedRuleGroupConfig
.
In these settings, you specify how your application accepts login attempts + * by providing the request payload type and the names of the fields + * within the request body where the username and password are provided.
+ */ +export interface RequestInspection { + /** + *The payload type for your login endpoint, either JSON or form encoded.
+ */ + PayloadType: PayloadType | string | undefined; + + /** + *Details about your login page username field.
+ *How you specify this depends on the payload type.
+ *For JSON payloads, specify the field name in JSON + * pointer syntax. For information about the JSON Pointer + * syntax, see the Internet Engineering Task Force (IETF) + * documentation JavaScript + * Object Notation (JSON) Pointer.
+ *For example, for the JSON payload { "login": { "username": "THE_USERNAME", "password": "THE_PASSWORD" } }
,
+ * the username field specification is
+ * /login/username
and the password field
+ * specification is /login/password
.
For form encoded payload types, use the HTML form names.
+ *For example, for an HTML form with input elements
+ * named username1
and password1
,
+ * the username field specification is
+ * username1
and the password field
+ * specification is password1
.
Details about your login page password field.
+ *How you specify this depends on the payload type.
+ *For JSON payloads, specify the field name in JSON + * pointer syntax. For information about the JSON Pointer + * syntax, see the Internet Engineering Task Force (IETF) + * documentation JavaScript + * Object Notation (JSON) Pointer.
+ *For example, for the JSON payload { "login": { "username": "THE_USERNAME", "password": "THE_PASSWORD" } }
,
+ * the username field specification is
+ * /login/username
and the password field
+ * specification is /login/password
.
For form encoded payload types, use the HTML form names.
+ *For example, for an HTML form with input elements
+ * named username1
and password1
,
+ * the username field specification is
+ * username1
and the password field
+ * specification is password1
.
Configures inspection of the response body. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet
.
Strings in the body of the response that indicate a successful login attempt. To be counted as a successful login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.
+ *JSON example: "SuccessStrings": [ "Login successful", "Welcome to our site!" ]
+ *
Strings in the body of the response that indicate a failed login attempt. To be counted as a failed login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.
+ *JSON example: "FailureStrings": [ "Login failed" ]
+ *
Configures inspection of the response header. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet
.
The name of the header to match against. The name must be an exact match, including case.
+ *JSON example: "Name": [ "LoginResult" ]
+ *
Values in the response header with the specified name that indicate a successful login attempt. To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values.
+ *JSON example: "SuccessValues": [ "LoginPassed", "Successful login" ]
+ *
Values in the response header with the specified name that indicate a failed login attempt. To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values.
+ *JSON example: "FailureValues": [ "LoginFailed", "Failed login" ]
+ *
Configures inspection of the response JSON. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet
.
The identifier for the value to match against in the JSON. The identifier must be an exact match, including case.
+ *JSON example: "Identifier": [ "/login/success" ]
+ *
Values for the specified identifier in the response JSON that indicate a successful login attempt. To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values.
+ *JSON example: "SuccessValues": [ "True", "Succeeded" ]
+ *
Values for the specified identifier in the response JSON that indicate a failed login attempt. To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values.
+ *JSON example: "FailureValues": [ "False", "Failed" ]
+ *
Configures inspection of the response status code. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet
.
Status codes in the response that indicate a successful login attempt. To be counted as a successful login, the response status code must match one of these. Each code must be unique among the success and failure status codes.
+ *JSON example: "SuccessCodes": [ 200, 201 ]
+ *
Status codes in the response that indicate a failed login attempt. To be counted as a failed login, the response status code must match one of these. Each code must be unique among the success and failure status codes.
+ *JSON example: "FailureCodes": [ 400, 404 ]
+ *
The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.
+ *The ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels + * and mitigates requests from client sessions and IP addresses that submit too many failed login attempts in a short amount of time.
+ *Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.
+ *This is part of the AWSManagedRulesATPRuleSet
configuration in ManagedRuleGroupConfig
.
Enable login response inspection by configuring exactly one component of the response to inspect. You can't configure more than one. If you don't configure any of the response inspection options, response inspection is disabled.
+ */ +export interface ResponseInspection { + /** + *Configures inspection of the response status code.
+ */ + StatusCode?: ResponseInspectionStatusCode; + + /** + *Configures inspection of the response header.
+ */ + Header?: ResponseInspectionHeader; + + /** + *Configures inspection of the response body.
+ */ + BodyContains?: ResponseInspectionBodyContains; + + /** + *Configures inspection of the response JSON.
+ */ + Json?: ResponseInspectionJson; +} + +/** + *Details for your use of the account takeover prevention managed rule group, AWSManagedRulesATPRuleSet
. This configuration is used in ManagedRuleGroupConfig
.
The path of the login endpoint for your application. For example, for the URL
+ * https://example.com/web/login
, you would provide the path
+ * /web/login
.
The rule group inspects only HTTP POST
requests to your specified login endpoint.
The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage.
+ */ + RequestInspection?: RequestInspection; + + /** + *The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.
+ *The ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels + * and mitigates requests from client sessions and IP addresses that submit too many failed login attempts in a short amount of time.
+ *Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.
+ *Details for your use of the Bot Control managed rule group, AWSManagedRulesBotControlRuleSet
. This configuration is used in ManagedRuleGroupConfig
.
The inspection level to use for the Bot Control rule group. The common level is the least expensive. The + * targeted level includes all common level rules and adds rules with more advanced inspection criteria. For + * details, see WAF Bot Control rule group.
+ */ + InspectionLevel: InspectionLevel | string | undefined; +} + /** *Additional information that's used by a managed rule group. Many managed rule groups don't require this.
+ *Use the AWSManagedRulesATPRuleSet
configuration object for the account takeover prevention managed rule group, to provide information such as the sign-in page of your application and the type of content to accept or reject from the client.
Use the AWSManagedRulesBotControlRuleSet
configuration object to configure the
* protection level that you want the Bot Control rule group to use.
For example specifications, see the examples section of CreateWebACL.
*/ export interface ManagedRuleGroupConfig { /** - *The path of the login endpoint for your application. For example, for the URL
- * https://example.com/web/login
, you would provide the path
- * /web/login
.
Instead of this setting, provide your configuration under AWSManagedRulesATPRuleSet
.
The payload type for your login endpoint, either JSON or form encoded.
+ * @deprecated + * + *Instead of this setting, provide your configuration under AWSManagedRulesATPRuleSet
+ * RequestInspection
.
Details about your login page username field.
+ * @deprecated + * + *Instead of this setting, provide your configuration under AWSManagedRulesATPRuleSet
+ * RequestInspection
.
Details about your login page password field.
+ * @deprecated + * + *Instead of this setting, provide your configuration under AWSManagedRulesATPRuleSet
+ * RequestInspection
.
Additional configuration for using the account takeover prevention (ATP) managed rule group, AWSManagedRulesATPRuleSet
.
+ * Use this to provide login request information to the rule group. For web ACLs that protect CloudFront distributions, use this to also provide
+ * the information about how your distribution responds to login requests. This configuration replaces the individual configuration fields in ManagedRuleGroupConfig
and provides additional feature configuration.
For information + * about using the ATP managed rule group, see WAF Fraud Control account takeover prevention (ATP) rule group + * and WAF Fraud Control account takeover prevention (ATP) + * in the WAF Developer Guide.
+ */ + AWSManagedRulesATPRuleSet?: AWSManagedRulesATPRuleSet; } /** @@ -1899,6 +2148,7 @@ export class WAFInvalidOperationException extends __BaseException { export enum ParameterExceptionField { AND_STATEMENT = "AND_STATEMENT", ASSOCIABLE_RESOURCE = "ASSOCIABLE_RESOURCE", + ATP_RULE_SET_RESPONSE_INSPECTION = "ATP_RULE_SET_RESPONSE_INSPECTION", BODY_PARSING_FALLBACK_BEHAVIOR = "BODY_PARSING_FALLBACK_BEHAVIOR", BYTE_MATCH_STATEMENT = "BYTE_MATCH_STATEMENT", CHALLENGE_CONFIG = "CHALLENGE_CONFIG", @@ -5276,7 +5526,7 @@ export interface Statement { *You can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements:
*An IP match statement with an IP set that specified the address 192.0.2.44.
+ *An IP match statement with an IP set that specifies the address 192.0.2.44.
*A string match statement that searches in the User-Agent header for the string BadBot.
@@ -5368,6 +5618,7 @@ export interface ManagedRuleGroupStatement { /** *Additional information that's used by a managed rule group. Many managed rule groups don't require this.
+ *Use the AWSManagedRulesATPRuleSet
configuration object for the account takeover prevention managed rule group, to provide information such as the sign-in page of your application and the type of content to accept or reject from the client.
Use the AWSManagedRulesBotControlRuleSet
configuration object to configure the
* protection level that you want the Bot Control rule group to use.
You can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements:
*An IP match statement with an IP set that specified the address 192.0.2.44.
+ *An IP match statement with an IP set that specifies the address 192.0.2.44.
*A string match statement that searches in the User-Agent header for the string BadBot.
@@ -6388,21 +6639,70 @@ export const ExcludedRuleFilterSensitiveLog = (obj: ExcludedRule): any => ({ /** * @internal */ -export const AWSManagedRulesBotControlRuleSetFilterSensitiveLog = (obj: AWSManagedRulesBotControlRuleSet): any => ({ +export const PasswordFieldFilterSensitiveLog = (obj: PasswordField): any => ({ ...obj, }); /** * @internal */ -export const PasswordFieldFilterSensitiveLog = (obj: PasswordField): any => ({ +export const UsernameFieldFilterSensitiveLog = (obj: UsernameField): any => ({ ...obj, }); /** * @internal */ -export const UsernameFieldFilterSensitiveLog = (obj: UsernameField): any => ({ +export const RequestInspectionFilterSensitiveLog = (obj: RequestInspection): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const ResponseInspectionBodyContainsFilterSensitiveLog = (obj: ResponseInspectionBodyContains): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const ResponseInspectionHeaderFilterSensitiveLog = (obj: ResponseInspectionHeader): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const ResponseInspectionJsonFilterSensitiveLog = (obj: ResponseInspectionJson): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const ResponseInspectionStatusCodeFilterSensitiveLog = (obj: ResponseInspectionStatusCode): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const ResponseInspectionFilterSensitiveLog = (obj: ResponseInspection): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const AWSManagedRulesATPRuleSetFilterSensitiveLog = (obj: AWSManagedRulesATPRuleSet): any => ({ + ...obj, +}); + +/** + * @internal + */ +export const AWSManagedRulesBotControlRuleSetFilterSensitiveLog = (obj: AWSManagedRulesBotControlRuleSet): any => ({ ...obj, }); diff --git a/clients/client-wafv2/src/protocols/Aws_json1_1.ts b/clients/client-wafv2/src/protocols/Aws_json1_1.ts index 11115ebc13a3..f9078a1d4b8f 100644 --- a/clients/client-wafv2/src/protocols/Aws_json1_1.ts 
+++ b/clients/client-wafv2/src/protocols/Aws_json1_1.ts @@ -149,6 +149,7 @@ import { AndStatement, AssociateWebACLRequest, AssociateWebACLResponse, + AWSManagedRulesATPRuleSet, AWSManagedRulesBotControlRuleSet, BlockAction, Body, @@ -296,6 +297,12 @@ import { RegexPatternSetReferenceStatement, RegexPatternSetSummary, ReleaseSummary, + RequestInspection, + ResponseInspection, + ResponseInspectionBodyContains, + ResponseInspectionHeader, + ResponseInspectionJson, + ResponseInspectionStatusCode, Rule, RuleAction, RuleActionOverride, @@ -3870,6 +3877,21 @@ const serializeAws_json1_1AssociateWebACLRequest = (input: AssociateWebACLReques }; }; +const serializeAws_json1_1AWSManagedRulesATPRuleSet = ( + input: AWSManagedRulesATPRuleSet, + context: __SerdeContext +): any => { + return { + ...(input.LoginPath != null && { LoginPath: input.LoginPath }), + ...(input.RequestInspection != null && { + RequestInspection: serializeAws_json1_1RequestInspection(input.RequestInspection, context), + }), + ...(input.ResponseInspection != null && { + ResponseInspection: serializeAws_json1_1ResponseInspection(input.ResponseInspection, context), + }), + }; +}; + const serializeAws_json1_1AWSManagedRulesBotControlRuleSet = ( input: AWSManagedRulesBotControlRuleSet, context: __SerdeContext @@ -4672,6 +4694,12 @@ const serializeAws_json1_1LoggingFilter = (input: LoggingFilter, context: __Serd const serializeAws_json1_1ManagedRuleGroupConfig = (input: ManagedRuleGroupConfig, context: __SerdeContext): any => { return { + ...(input.AWSManagedRulesATPRuleSet != null && { + AWSManagedRulesATPRuleSet: serializeAws_json1_1AWSManagedRulesATPRuleSet( + input.AWSManagedRulesATPRuleSet, + context + ), + }), ...(input.AWSManagedRulesBotControlRuleSet != null && { AWSManagedRulesBotControlRuleSet: serializeAws_json1_1AWSManagedRulesBotControlRuleSet( input.AWSManagedRulesBotControlRuleSet, 
@@ -4852,6 +4880,162 @@ const serializeAws_json1_1RegularExpressionList = (input: Regex[], context: __Se }); }; +const serializeAws_json1_1RequestInspection = (input: RequestInspection, context: __SerdeContext): any => { + return { + ...(input.PasswordField != null && { + PasswordField: serializeAws_json1_1PasswordField(input.PasswordField, context), + }), + ...(input.PayloadType != null && { PayloadType: input.PayloadType }), + ...(input.UsernameField != null && { + UsernameField: serializeAws_json1_1UsernameField(input.UsernameField, context), + }), + }; +}; + +const serializeAws_json1_1ResponseInspection = (input: ResponseInspection, context: __SerdeContext): any => { + return { + ...(input.BodyContains != null && { + BodyContains: serializeAws_json1_1ResponseInspectionBodyContains(input.BodyContains, context), + }), + ...(input.Header != null && { Header: serializeAws_json1_1ResponseInspectionHeader(input.Header, context) }), + ...(input.Json != null && { Json: serializeAws_json1_1ResponseInspectionJson(input.Json, context) }), + ...(input.StatusCode != null && { + StatusCode: serializeAws_json1_1ResponseInspectionStatusCode(input.StatusCode, context), + }), + }; +}; + +const serializeAws_json1_1ResponseInspectionBodyContains = ( + input: ResponseInspectionBodyContains, + context: __SerdeContext +): any => { + return { + ...(input.FailureStrings != null && { + FailureStrings: serializeAws_json1_1ResponseInspectionBodyContainsFailureStrings(input.FailureStrings, context), + }), + ...(input.SuccessStrings != null && { + SuccessStrings: serializeAws_json1_1ResponseInspectionBodyContainsSuccessStrings(input.SuccessStrings, context), + }), + }; +}; + +const serializeAws_json1_1ResponseInspectionBodyContainsFailureStrings = ( + input: string[], + context: __SerdeContext +): any => { + return input + .filter((e: any) => e != null) + .map((entry) => { + return entry; + }); +}; + +const serializeAws_json1_1ResponseInspectionBodyContainsSuccessStrings = ( + input: 
string[], + context: __SerdeContext +): any => { + return input + .filter((e: any) => e != null) + .map((entry) => { + return entry; + }); +}; + +const serializeAws_json1_1ResponseInspectionHeader = ( + input: ResponseInspectionHeader, + context: __SerdeContext +): any => { + return { + ...(input.FailureValues != null && { + FailureValues: serializeAws_json1_1ResponseInspectionHeaderFailureValues(input.FailureValues, context), + }), + ...(input.Name != null && { Name: input.Name }), + ...(input.SuccessValues != null && { + SuccessValues: serializeAws_json1_1ResponseInspectionHeaderSuccessValues(input.SuccessValues, context), + }), + }; +}; + +const serializeAws_json1_1ResponseInspectionHeaderFailureValues = (input: string[], context: __SerdeContext): any => { + return input + .filter((e: any) => e != null) + .map((entry) => { + return entry; + }); +}; + +const serializeAws_json1_1ResponseInspectionHeaderSuccessValues = (input: string[], context: __SerdeContext): any => { + return input + .filter((e: any) => e != null) + .map((entry) => { + return entry; + }); +}; + +const serializeAws_json1_1ResponseInspectionJson = (input: ResponseInspectionJson, context: __SerdeContext): any => { + return { + ...(input.FailureValues != null && { + FailureValues: serializeAws_json1_1ResponseInspectionJsonFailureValues(input.FailureValues, context), + }), + ...(input.Identifier != null && { Identifier: input.Identifier }), + ...(input.SuccessValues != null && { + SuccessValues: serializeAws_json1_1ResponseInspectionJsonSuccessValues(input.SuccessValues, context), + }), + }; +}; + +const serializeAws_json1_1ResponseInspectionJsonFailureValues = (input: string[], context: __SerdeContext): any => { + return input + .filter((e: any) => e != null) + .map((entry) => { + return entry; + }); +}; + +const serializeAws_json1_1ResponseInspectionJsonSuccessValues = (input: string[], context: __SerdeContext): any => { + return input + .filter((e: any) => e != null) + .map((entry) => { + return 
entry; + }); +}; + +const serializeAws_json1_1ResponseInspectionStatusCode = ( + input: ResponseInspectionStatusCode, + context: __SerdeContext +): any => { + return { + ...(input.FailureCodes != null && { + FailureCodes: serializeAws_json1_1ResponseInspectionStatusCodeFailureCodes(input.FailureCodes, context), + }), + ...(input.SuccessCodes != null && { + SuccessCodes: serializeAws_json1_1ResponseInspectionStatusCodeSuccessCodes(input.SuccessCodes, context), + }), + }; +}; + +const serializeAws_json1_1ResponseInspectionStatusCodeFailureCodes = ( + input: number[], + context: __SerdeContext +): any => { + return input + .filter((e: any) => e != null) + .map((entry) => { + return entry; + }); +}; + +const serializeAws_json1_1ResponseInspectionStatusCodeSuccessCodes = ( + input: number[], + context: __SerdeContext +): any => { + return input + .filter((e: any) => e != null) + .map((entry) => { + return entry; + }); +}; + const serializeAws_json1_1Rule = (input: Rule, context: __SerdeContext): any => { return { ...(input.Action != null && { Action: serializeAws_json1_1RuleAction(input.Action, context) }), @@ -5251,6 +5435,23 @@ const deserializeAws_json1_1AssociateWebACLResponse = ( return {} as any; }; +const deserializeAws_json1_1AWSManagedRulesATPRuleSet = ( + output: any, + context: __SerdeContext +): AWSManagedRulesATPRuleSet => { + return { + LoginPath: __expectString(output.LoginPath), + RequestInspection: + output.RequestInspection != null + ? deserializeAws_json1_1RequestInspection(output.RequestInspection, context) + : undefined, + ResponseInspection: + output.ResponseInspection != null + ? deserializeAws_json1_1ResponseInspection(output.ResponseInspection, context) + : undefined, + } as any; +}; + const deserializeAws_json1_1AWSManagedRulesBotControlRuleSet = ( output: any, context: __SerdeContext 
@@ -6225,6 +6426,10 @@ const deserializeAws_json1_1LoggingFilter = (output: any, context: __SerdeContex const deserializeAws_json1_1ManagedRuleGroupConfig = (output: any, context: __SerdeContext): ManagedRuleGroupConfig => { return { + AWSManagedRulesATPRuleSet: + output.AWSManagedRulesATPRuleSet != null + ? deserializeAws_json1_1AWSManagedRulesATPRuleSet(output.AWSManagedRulesATPRuleSet, context) + : undefined, AWSManagedRulesBotControlRuleSet: output.AWSManagedRulesBotControlRuleSet != null ? deserializeAws_json1_1AWSManagedRulesBotControlRuleSet(output.AWSManagedRulesBotControlRuleSet, context) @@ -6622,6 +6827,16 @@ const deserializeAws_json1_1ReleaseSummary = (output: any, context: __SerdeConte } as any; }; +const deserializeAws_json1_1RequestInspection = (output: any, context: __SerdeContext): RequestInspection => { + return { + PasswordField: + output.PasswordField != null ? deserializeAws_json1_1PasswordField(output.PasswordField, context) : undefined, + PayloadType: __expectString(output.PayloadType), + UsernameField: + output.UsernameField != null ? deserializeAws_json1_1UsernameField(output.UsernameField, context) : undefined, + } as any; +}; + const deserializeAws_json1_1ResourceArns = (output: any, context: __SerdeContext): string[] => { const retVal = (output || []) .filter((e: any) => e != null) 
@@ -6634,6 +6849,198 @@ const deserializeAws_json1_1ResourceArns = (output: any, context: __SerdeContext return retVal; }; +const deserializeAws_json1_1ResponseInspection = (output: any, context: __SerdeContext): ResponseInspection => { + return { + BodyContains: + output.BodyContains != null + ? deserializeAws_json1_1ResponseInspectionBodyContains(output.BodyContains, context) + : undefined, + Header: output.Header != null ? deserializeAws_json1_1ResponseInspectionHeader(output.Header, context) : undefined, + Json: output.Json != null ? deserializeAws_json1_1ResponseInspectionJson(output.Json, context) : undefined, + StatusCode: + output.StatusCode != null + ? deserializeAws_json1_1ResponseInspectionStatusCode(output.StatusCode, context) + : undefined, + } as any; +}; + +const deserializeAws_json1_1ResponseInspectionBodyContains = ( + output: any, + context: __SerdeContext +): ResponseInspectionBodyContains => { + return { + FailureStrings: + output.FailureStrings != null + ? deserializeAws_json1_1ResponseInspectionBodyContainsFailureStrings(output.FailureStrings, context) + : undefined, + SuccessStrings: + output.SuccessStrings != null + ? 
deserializeAws_json1_1ResponseInspectionBodyContainsSuccessStrings(output.SuccessStrings, context) + : undefined, + } as any; +}; + +const deserializeAws_json1_1ResponseInspectionBodyContainsFailureStrings = ( + output: any, + context: __SerdeContext +): string[] => { + const retVal = (output || []) + .filter((e: any) => e != null) + .map((entry: any) => { + if (entry === null) { + return null as any; + } + return __expectString(entry) as any; + }); + return retVal; +}; + +const deserializeAws_json1_1ResponseInspectionBodyContainsSuccessStrings = ( + output: any, + context: __SerdeContext +): string[] => { + const retVal = (output || []) + .filter((e: any) => e != null) + .map((entry: any) => { + if (entry === null) { + return null as any; + } + return __expectString(entry) as any; + }); + return retVal; +}; + +const deserializeAws_json1_1ResponseInspectionHeader = ( + output: any, + context: __SerdeContext +): ResponseInspectionHeader => { + return { + FailureValues: + output.FailureValues != null + ? deserializeAws_json1_1ResponseInspectionHeaderFailureValues(output.FailureValues, context) + : undefined, + Name: __expectString(output.Name), + SuccessValues: + output.SuccessValues != null + ? 
deserializeAws_json1_1ResponseInspectionHeaderSuccessValues(output.SuccessValues, context) + : undefined, + } as any; +}; + +const deserializeAws_json1_1ResponseInspectionHeaderFailureValues = ( + output: any, + context: __SerdeContext +): string[] => { + const retVal = (output || []) + .filter((e: any) => e != null) + .map((entry: any) => { + if (entry === null) { + return null as any; + } + return __expectString(entry) as any; + }); + return retVal; +}; + +const deserializeAws_json1_1ResponseInspectionHeaderSuccessValues = ( + output: any, + context: __SerdeContext +): string[] => { + const retVal = (output || []) + .filter((e: any) => e != null) + .map((entry: any) => { + if (entry === null) { + return null as any; + } + return __expectString(entry) as any; + }); + return retVal; +}; + +const deserializeAws_json1_1ResponseInspectionJson = (output: any, context: __SerdeContext): ResponseInspectionJson => { + return { + FailureValues: + output.FailureValues != null + ? deserializeAws_json1_1ResponseInspectionJsonFailureValues(output.FailureValues, context) + : undefined, + Identifier: __expectString(output.Identifier), + SuccessValues: + output.SuccessValues != null + ? 
deserializeAws_json1_1ResponseInspectionJsonSuccessValues(output.SuccessValues, context) + : undefined, + } as any; +}; + +const deserializeAws_json1_1ResponseInspectionJsonFailureValues = (output: any, context: __SerdeContext): string[] => { + const retVal = (output || []) + .filter((e: any) => e != null) + .map((entry: any) => { + if (entry === null) { + return null as any; + } + return __expectString(entry) as any; + }); + return retVal; +}; + +const deserializeAws_json1_1ResponseInspectionJsonSuccessValues = (output: any, context: __SerdeContext): string[] => { + const retVal = (output || []) + .filter((e: any) => e != null) + .map((entry: any) => { + if (entry === null) { + return null as any; + } + return __expectString(entry) as any; + }); + return retVal; +}; + +const deserializeAws_json1_1ResponseInspectionStatusCode = ( + output: any, + context: __SerdeContext +): ResponseInspectionStatusCode => { + return { + FailureCodes: + output.FailureCodes != null + ? deserializeAws_json1_1ResponseInspectionStatusCodeFailureCodes(output.FailureCodes, context) + : undefined, + SuccessCodes: + output.SuccessCodes != null + ? 
deserializeAws_json1_1ResponseInspectionStatusCodeSuccessCodes(output.SuccessCodes, context) + : undefined, + } as any; +}; + +const deserializeAws_json1_1ResponseInspectionStatusCodeFailureCodes = ( + output: any, + context: __SerdeContext +): number[] => { + const retVal = (output || []) + .filter((e: any) => e != null) + .map((entry: any) => { + if (entry === null) { + return null as any; + } + return __expectInt32(entry) as any; + }); + return retVal; +}; + +const deserializeAws_json1_1ResponseInspectionStatusCodeSuccessCodes = ( + output: any, + context: __SerdeContext +): number[] => { + const retVal = (output || []) + .filter((e: any) => e != null) + .map((entry: any) => { + if (entry === null) { + return null as any; + } + return __expectInt32(entry) as any; + }); + return retVal; +}; + const deserializeAws_json1_1Rule = (output: any, context: __SerdeContext): Rule => { return { Action: output.Action != null ? deserializeAws_json1_1RuleAction(output.Action, context) : undefined, diff --git a/codegen/sdk-codegen/aws-models/wafv2.json b/codegen/sdk-codegen/aws-models/wafv2.json index 5693e89661a3..82d59f96aa92 100644 --- a/codegen/sdk-codegen/aws-models/wafv2.json +++ b/codegen/sdk-codegen/aws-models/wafv2.json @@ -29,6 +29,33 @@ ] }, "shapes": { + "com.amazonaws.wafv2#AWSManagedRulesATPRuleSet": { + "type": "structure", + "members": { + "LoginPath": { + "target": "com.amazonaws.wafv2#String", + "traits": { + "smithy.api#documentation": "The path of the login endpoint for your application. For example, for the URL\n https://example.com/web/login
, you would provide the path\n /web/login
.
The rule group inspects only HTTP POST
requests to your specified login endpoint.
The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage.
" + } + }, + "ResponseInspection": { + "target": "com.amazonaws.wafv2#ResponseInspection", + "traits": { + "smithy.api#documentation": "The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.
\nThe ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels \n and mitigates requests from client sessions and IP addresses that submit too many failed login attempts in a short amount of time.
\nResponse inspection is available only in web ACLs that protect Amazon CloudFront distributions.
\nDetails for your use of the account takeover prevention managed rule group, AWSManagedRulesATPRuleSet
. This configuration is used in ManagedRuleGroupConfig
.
Details for your use of the Bot Control managed rule group, used in ManagedRuleGroupConfig
.
Details for your use of the Bot Control managed rule group, AWSManagedRulesBotControlRuleSet
. This configuration is used in ManagedRuleGroupConfig
.
This is the latest version of the WAF API,\n released in November, 2019. The names of the entities that you use to access this API,\n like endpoints and namespaces, all have the versioning information added, like \"V2\" or\n \"v2\", to distinguish from the prior version. We recommend migrating your resources to\n this version, because it has a number of significant improvements.
\nIf you used WAF prior to this release, you can't use this WAFV2 API to access any\n WAF resources that you created before. You can access your old rules, web ACLs, and\n other WAF resources only through the WAF Classic APIs. The WAF Classic APIs\n have retained the prior names, endpoints, and namespaces.
\nFor information, including how to migrate your WAF resources to this version,\n see the WAF Developer Guide.
\nWAF is a web application firewall that lets you monitor the HTTP and HTTPS\n requests that are forwarded to Amazon CloudFront, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync\n GraphQL API, or an Amazon Cognito user pool. WAF also lets you control access to your content. Based on conditions that\n you specify, such as the IP addresses that requests originate from or the values of query\n strings, the Amazon API Gateway REST API, CloudFront distribution, the Application Load Balancer, the AppSync GraphQL\n API, or the Amazon Cognito user pool responds to requests either with the requested content or with an HTTP 403 status code\n (Forbidden). You also can configure CloudFront to return a custom error page when a request is\n blocked.
\nThis API guide is for developers who need detailed information about WAF API actions,\n data types, and errors. For detailed information about WAF features and an overview of\n how to use WAF, see the WAF Developer\n Guide.
\nYou can make calls using the endpoints listed in WAF endpoints and quotas.
\nFor regional applications, you can use any of the endpoints in the list.\n A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.
\nFor Amazon CloudFront applications, you must use the API endpoint listed for\n US East (N. Virginia): us-east-1.
\nAlternatively, you can use one of the Amazon Web Services SDKs to access an API that's tailored to the\n programming language or platform that you're using. For more information, see Amazon Web Services SDKs.
\nWe currently provide two versions of the WAF API: this API and the prior versions,\n the classic WAF APIs. This new API provides the same functionality as the older versions,\n with the following major improvements:
\nYou use one API for both global and regional applications. Where you need to\n distinguish the scope, you specify a Scope
parameter and set it to\n CLOUDFRONT
or REGIONAL
.
You can define a web ACL or rule group with a single call, and update it with a\n single call. You define all rule specifications in JSON format, and pass them to your\n rule group or web ACL calls.
\nThe limits WAF places on the use of rules more closely reflects the cost of\n running each type of rule. Rule groups include capacity settings, so you know the\n maximum cost of a rule group when you use it.
\nThis is the latest version of the WAF API,\n released in November, 2019. The names of the entities that you use to access this API,\n like endpoints and namespaces, all have the versioning information added, like \"V2\" or\n \"v2\", to distinguish from the prior version. We recommend migrating your resources to\n this version, because it has a number of significant improvements.
\nIf you used WAF prior to this release, you can't use this WAFV2 API to access any\n WAF resources that you created before. You can access your old rules, web ACLs, and\n other WAF resources only through the WAF Classic APIs. The WAF Classic APIs\n have retained the prior names, endpoints, and namespaces.
\nFor information, including how to migrate your WAF resources to this version,\n see the WAF Developer Guide.
\nWAF is a web application firewall that lets you monitor the HTTP and HTTPS\n requests that are forwarded to an Amazon CloudFront distribution, Amazon API Gateway REST API, Application Load Balancer, AppSync\n GraphQL API, or Amazon Cognito user pool. WAF also lets you control access to your content,\n to protect the Amazon Web Services resource that WAF is monitoring. Based on conditions that\n you specify, such as the IP addresses that requests originate from or the values of query\n strings, the protected resource responds to requests with either the requested content, an HTTP 403 status code\n (Forbidden), or with a custom response.
\nThis API guide is for developers who need detailed information about WAF API actions,\n data types, and errors. For detailed information about WAF features and guidance for configuring and using \n WAF, see the WAF Developer\n Guide.
\nYou can make calls using the endpoints listed in WAF endpoints and quotas.
\nFor regional applications, you can use any of the endpoints in the list.\n A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.
\nFor Amazon CloudFront applications, you must use the API endpoint listed for\n US East (N. Virginia): us-east-1.
\nAlternatively, you can use one of the Amazon Web Services SDKs to access an API that's tailored to the\n programming language or platform that you're using. For more information, see Amazon Web Services SDKs.
\nWe currently provide two versions of the WAF API: this API and the prior versions,\n the classic WAF APIs. This new API provides the same functionality as the older versions,\n with the following major improvements:
\nYou use one API for both global and regional applications. Where you need to\n distinguish the scope, you specify a Scope
parameter and set it to\n CLOUDFRONT
or REGIONAL
.
You can define a web ACL or rule group with a single call, and update it with a\n single call. You define all rule specifications in JSON format, and pass them to your\n rule group or web ACL calls.
\nThe limits WAF places on the use of rules more closely reflects the cost of\n running each type of rule. Rule groups include capacity settings, so you know the\n maximum cost of a rule group when you use it.
\nA string value that you want WAF to search for. WAF searches only in the part of\n web requests that you designate for inspection in FieldToMatch. The\n maximum length of the value is 50 bytes.
\nValid values depend on the component that you specify for inspection in\n FieldToMatch
:
\n Method
: The HTTP method that you want WAF to search for. This\n indicates the type of operation specified in the request.
\n UriPath
: The value that you want WAF to search for in the URI path,\n for example, /images/daily-ad.jpg
.
If SearchString
includes alphabetic characters A-Z and a-z, note that the\n value is case sensitive.
\n If you're using the WAF API\n
\nSpecify a base64-encoded version of the value. The maximum length of the value before\n you base64-encode it is 50 bytes.
\nFor example, suppose the value of Type
is HEADER
and the value\n of Data
is User-Agent
. If you want to search the\n User-Agent
header for the value BadBot
, you base64-encode\n BadBot
using MIME base64-encoding and include the resulting value,\n QmFkQm90
, in the value of SearchString
.
\n If you're using the CLI or one of the Amazon Web Services SDKs\n
\nThe value that you want WAF to search for. The SDK automatically base64 encodes the\n value.
", + "smithy.api#documentation": "A string value that you want WAF to search for. WAF searches only in the part of\n web requests that you designate for inspection in FieldToMatch. The\n maximum length of the value is 200 bytes.
\nValid values depend on the component that you specify for inspection in\n FieldToMatch
:
\n Method
: The HTTP method that you want WAF to search for. This\n indicates the type of operation specified in the request.
\n UriPath
: The value that you want WAF to search for in the URI path,\n for example, /images/daily-ad.jpg
.
If SearchString
includes alphabetic characters A-Z and a-z, note that the\n value is case sensitive.
\n If you're using the WAF API\n
\nSpecify a base64-encoded version of the value. The maximum length of the value before\n you base64-encode it is 200 bytes.
\nFor example, suppose the value of Type
is HEADER
and the value\n of Data
is User-Agent
. If you want to search the\n User-Agent
header for the value BadBot
, you base64-encode\n BadBot
using MIME base64-encoding and include the resulting value,\n QmFkQm90
, in the value of SearchString
.
\n If you're using the CLI or one of the Amazon Web Services SDKs\n
\nThe value that you want WAF to search for. The SDK automatically base64 encodes the\n value.
", "smithy.api#required": {} } }, @@ -2387,6 +2373,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.wafv2#CheckCapacityResponse": { @@ -2399,6 +2388,9 @@ "smithy.api#documentation": "The capacity required by the rules and scope.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.wafv2#ComparisonOperator": { @@ -4163,6 +4155,9 @@ "smithy.api#documentation": "An array of key:value pairs to associate with the resource.
" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.wafv2#CreateIPSetResponse": { @@ -4174,6 +4169,9 @@ "smithy.api#documentation": "High-level information about an IPSet, returned by operations like create and list. This provides information like the ID, that you can use to retrieve and manage an IPSet
, and the ARN, that you provide to the IPSetReferenceStatement to use the address set in a Rule.
An array of key:value pairs to associate with the resource.
" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.wafv2#CreateRegexPatternSetResponse": { @@ -4261,6 +4262,9 @@ "smithy.api#documentation": "High-level information about a RegexPatternSet, returned by operations like create and list. This provides information like the ID, that you can use to retrieve and manage a RegexPatternSet
, and the ARN, that you provide to the RegexPatternSetReferenceStatement to use the pattern set in a Rule.
A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the rule group, and then use them in the rules that you define in the rule group.
\nFor information about customizing web requests and responses, see Customizing web requests and responses in WAF in the \n WAF Developer Guide.
\nFor information about the limits on count and size for custom request and response settings, see WAF quotas in the \n WAF Developer Guide.
" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.wafv2#CreateRuleGroupResponse": { @@ -4377,6 +4384,9 @@ "smithy.api#documentation": "High-level information about a RuleGroup, returned by operations like create and list. This provides information like the ID, that you can use to retrieve and manage a RuleGroup
, and the ARN, that you provide to the RuleGroupReferenceStatement to use the rule group in a Rule.
Specifies the domains that WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When WAF provides a token, it uses the domain of the Amazon Web Services resource that the web ACL is protecting. If you don't specify a list of token domains, WAF accepts tokens only for the domain of the protected resource. With a token domain list, WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains.
\nExample JSON: \"TokenDomains\": { \"mywebsite.com\", \"myotherwebsite.com\" }
\n
Public suffixes aren't allowed. For example, you can't use usa.gov
or co.uk
as token domains.
High-level information about a WebACL, returned by operations like create and list. This provides information like the ID, that you can use to retrieve and manage a WebACL
, and the ARN, that you provide to operations like AssociateWebACL.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
The version of the rule group. You can only use a version that is not scheduled for\n expiration. If you don't provide this, WAF uses the vendor's default version.
" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.wafv2#DescribeManagedRuleGroupResponse": { @@ -5225,6 +5286,9 @@ "smithy.api#documentation": "The labels that one or more rules in this rule group match against in label match statements. These labels are defined in a LabelMatchStatement
specification, in the Statement definition of a rule.
The presigned download URL for the specified SDK release.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.wafv2#GeoMatchStatement": { @@ -5794,6 +5890,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.wafv2#GetIPSetResponse": { @@ -5811,6 +5910,9 @@ "smithy.api#documentation": "A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
The LoggingConfiguration for the specified web ACL.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.wafv2#GetManagedRuleSet": { @@ -5912,6 +6020,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.wafv2#GetManagedRuleSetResponse": { @@ -5929,6 +6040,9 @@ "smithy.api#documentation": "A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
Information for a specified SDK release, including release notes and tags.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.wafv2#GetPermissionPolicy": { @@ -6020,6 +6140,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.wafv2#GetPermissionPolicyResponse": { @@ -6031,6 +6154,9 @@ "smithy.api#documentation": "The IAM policy that is attached to the specified rule group.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.wafv2#GetRateBasedStatementManagedKeys": { @@ -6096,6 +6222,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.wafv2#GetRateBasedStatementManagedKeysResponse": { @@ -6113,6 +6242,9 @@ "smithy.api#documentation": "The keys that are of Internet Protocol version 6 (IPv6).
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.wafv2#GetRegexPatternSet": { @@ -6165,6 +6297,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.wafv2#GetRegexPatternSetResponse": { @@ -6182,6 +6317,9 @@ "smithy.api#documentation": "A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
The Amazon Resource Name (ARN) of the entity.
" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.wafv2#GetRuleGroupResponse": { @@ -6254,6 +6395,9 @@ "smithy.api#documentation": "A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
Usually, TimeWindow
is the time range that you specified in the\n GetSampledRequests
request. However, if your Amazon Web Services resource received more\n than 5,000 requests during the time range that you specified in the request,\n GetSampledRequests
returns the time range for the first 5,000 requests.\n Times are in Coordinated Universal Time (UTC) format.
The web ACL that is associated with the resource. If there is no associated resource,\n WAF returns a null web ACL.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.wafv2#GetWebACLRequest": { @@ -6446,6 +6602,9 @@ "smithy.api#required": {} } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.wafv2#GetWebACLResponse": { @@ -6469,6 +6628,9 @@ "smithy.api#documentation": "The URL to use in SDK integrations with Amazon Web Services managed rule groups. For example, you can use the integration SDKs with the account takeover prevention managed rule group AWSManagedRulesATPRuleSet
. This is only populated if you are using a rule group in your web ACL that integrates with your applications in this way. For more information, see WAF client application integration in the WAF Developer Guide.
The maximum number of objects that you want WAF to return for this request. If more \n objects are available, in the response, WAF provides a \n NextMarker
value that you can use in a subsequent call to get the next batch of objects.
The name of the version that's currently set as the default.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.wafv2#ListAvailableManagedRuleGroups": { @@ -7176,6 +7344,9 @@ "smithy.api#documentation": "The maximum number of objects that you want WAF to return for this request. If more \n objects are available, in the response, WAF provides a \n NextMarker
value that you can use in a subsequent call to get the next batch of objects.
The maximum number of objects that you want WAF to return for this request. If more \n objects are available, in the response, WAF provides a \n NextMarker
value that you can use in a subsequent call to get the next batch of objects.
Array of IPSets. This may not be the full list of IPSets that you have defined. See the\n Limit
specification for this request.
The maximum number of objects that you want WAF to return for this request. If more \n objects are available, in the response, WAF provides a \n NextMarker
value that you can use in a subsequent call to get the next batch of objects.
When you request a list of objects with a Limit
setting, if the number of objects that are still available\n for retrieval exceeds the limit, WAF returns a NextMarker
\n value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.
The maximum number of objects that you want WAF to return for this request. If more \n objects are available, in the response, WAF provides a \n NextMarker
value that you can use in a subsequent call to get the next batch of objects.
Your managed rule sets.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.wafv2#ListMaxItems": { @@ -7442,6 +7634,9 @@ "smithy.api#documentation": "The maximum number of objects that you want WAF to return for this request. If more \n objects are available, in the response, WAF provides a \n NextMarker
value that you can use in a subsequent call to get the next batch of objects.
When you request a list of objects with a Limit
setting, if the number of objects that are still available\n for retrieval exceeds the limit, WAF returns a NextMarker
\n value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.
The maximum number of objects that you want WAF to return for this request. If more \n objects are available, in the response, WAF provides a \n NextMarker
value that you can use in a subsequent call to get the next batch of objects.
Used for web ACLs that are scoped for regional applications.\n A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, an AppSync GraphQL API, or an Amazon Cognito user pool.
\nIf you don't provide a resource type, the call uses the resource type APPLICATION_LOAD_BALANCER
.
Default: APPLICATION_LOAD_BALANCER
\n
The array of Amazon Resource Names (ARNs) of the associated resources.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.wafv2#ListRuleGroups": { @@ -7625,6 +7835,9 @@ "smithy.api#documentation": "The maximum number of objects that you want WAF to return for this request. If more \n objects are available, in the response, WAF provides a \n NextMarker
value that you can use in a subsequent call to get the next batch of objects.
The collection of tagging definitions for the resource.
" } } + }, + "traits": { + "smithy.api#output": {} } }, "com.amazonaws.wafv2#ListWebACLs": { @@ -7762,6 +7984,9 @@ "smithy.api#documentation": "The maximum number of objects that you want WAF to return for this request. If more \n objects are available, in the response, WAF provides a \n NextMarker
value that you can use in a subsequent call to get the next batch of objects.
The path of the login endpoint for your application. For example, for the URL\n https://example.com/web/login
, you would provide the path\n /web/login
.
Instead of this setting, provide your configuration under AWSManagedRulesATPRuleSet
.
The payload type for your login endpoint, either JSON or form encoded.
" + "smithy.api#deprecated": { + "message": "Deprecated. Use AWSManagedRulesATPRuleSet RequestInspection PayloadType" + }, + "smithy.api#documentation": "Instead of this setting, provide your configuration under AWSManagedRulesATPRuleSet
\n RequestInspection
.
Details about your login page username field.
" + "smithy.api#deprecated": { + "message": "Deprecated. Use AWSManagedRulesATPRuleSet RequestInspection UsernameField" + }, + "smithy.api#documentation": "Instead of this setting, provide your configuration under AWSManagedRulesATPRuleSet
\n RequestInspection
.
Details about your login page password field.
" + "smithy.api#deprecated": { + "message": "Deprecated. Use AWSManagedRulesATPRuleSet RequestInspection PasswordField" + }, + "smithy.api#documentation": "Instead of this setting, provide your configuration under AWSManagedRulesATPRuleSet
\n RequestInspection
.
Additional configuration for using the Bot Control managed rule group. Use this to specify the \n inspection level that you want to use. For information \n about using the Bot Control managed rule group, see WAF Bot Control rule group \n and WAF Bot Control\n in the WAF Developer Guide.
" } + }, + "AWSManagedRulesATPRuleSet": { + "target": "com.amazonaws.wafv2#AWSManagedRulesATPRuleSet", + "traits": { + "smithy.api#documentation": "Additional configuration for using the account takeover prevention (ATP) managed rule group, AWSManagedRulesATPRuleSet
. \n Use this to provide login request information to the rule group. For web ACLs that protect CloudFront distributions, use this to also provide\n the information about how your distribution responds to login requests. This configuration replaces the individual configuration fields in ManagedRuleGroupConfig
and provides additional feature configuration.
For information \n about using the ATP managed rule group, see WAF Fraud Control account takeover prevention (ATP) rule group \n and WAF Fraud Control account takeover prevention (ATP)\n in the WAF Developer Guide.
" + } } }, "traits": { - "smithy.api#documentation": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.
\nUse the AWSManagedRulesBotControlRuleSet
configuration object to configure the \n protection level that you want the Bot Control rule group to use.
For example specifications, see the examples section of CreateWebACL.
" + "smithy.api#documentation": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.
\nUse the AWSManagedRulesATPRuleSet
configuration object for the account takeover prevention managed rule group, to provide information such as the sign-in page of your application and the type of content to accept or reject from the client.
Use the AWSManagedRulesBotControlRuleSet
configuration object to configure the \n protection level that you want the Bot Control rule group to use.
For example specifications, see the examples section of CreateWebACL.
" } }, "com.amazonaws.wafv2#ManagedRuleGroupConfigs": { "type": "list", "member": { "target": "com.amazonaws.wafv2#ManagedRuleGroupConfig" - }, - "traits": { - "smithy.api#length": { - "min": 1 - } } }, "com.amazonaws.wafv2#ManagedRuleGroupStatement": { @@ -7969,7 +8210,7 @@ "ManagedRuleGroupConfigs": { "target": "com.amazonaws.wafv2#ManagedRuleGroupConfigs", "traits": { - "smithy.api#documentation": "Additional information that's used by a managed rule group. Many managed rule groups don't require this.
\nUse the AWSManagedRulesBotControlRuleSet
configuration object to configure the \n protection level that you want the Bot Control rule group to use.
Additional information that's used by a managed rule group. Many managed rule groups don't require this.
\nUse the AWSManagedRulesATPRuleSet
configuration object for the account takeover prevention managed rule group, to provide information such as the sign-in page of your application and the type of content to accept or reject from the client.
Use the AWSManagedRulesBotControlRuleSet
configuration object to configure the \n protection level that you want the Bot Control rule group to use.
Details about your login page password field, used in a\n ManagedRuleGroupConfig
.
Details about your login page password field for request inspection, used in the \n AWSManagedRulesATPRuleSet
\n RequestInspection
configuration.
The versions of the named managed rule group that you want to offer to your customers.\n
" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.wafv2#PutManagedRuleSetVersionsResponse": { @@ -9026,6 +9282,9 @@ "smithy.api#documentation": "A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests.
\nWAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by WAF. If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by WAF.
\nWhen the rule action triggers, WAF blocks additional requests from the IP address until the request rate falls below the limit.
\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements:
\nAn IP match statement with an IP set that specified the address 192.0.2.44.
\nA string match statement that searches in the User-Agent header for the string BadBot.
\nIn this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule.
\nYou cannot nest a RateBasedStatement
inside another statement, for example inside a NotStatement
or OrStatement
. You can define a RateBasedStatement
inside a web ACL and inside a rule group.
A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests.
\nWAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by WAF. If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by WAF.
\nWhen the rule action triggers, WAF blocks additional requests from the IP address until the request rate falls below the limit.
\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements:
\nAn IP match statement with an IP set that specifies the address 192.0.2.44.
\nA string match statement that searches in the User-Agent header for the string BadBot.
\nIn this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule.
\nYou cannot nest a RateBasedStatement
inside another statement, for example inside a NotStatement
or OrStatement
. You can define a RateBasedStatement
inside a web ACL and inside a rule group.
High level information for an SDK release.
" } }, + "com.amazonaws.wafv2#RequestInspection": { + "type": "structure", + "members": { + "PayloadType": { + "target": "com.amazonaws.wafv2#PayloadType", + "traits": { + "smithy.api#documentation": "The payload type for your login endpoint, either JSON or form encoded.
", + "smithy.api#required": {} + } + }, + "UsernameField": { + "target": "com.amazonaws.wafv2#UsernameField", + "traits": { + "smithy.api#documentation": "Details about your login page username field.
\nHow you specify this depends on the payload type.
\nFor JSON payloads, specify the field name in JSON\n pointer syntax. For information about the JSON Pointer\n syntax, see the Internet Engineering Task Force (IETF)\n documentation JavaScript\n \tObject Notation (JSON) Pointer.
\nFor example, for the JSON payload { \"login\": { \"username\": \"THE_USERNAME\", \"password\": \"THE_PASSWORD\" } }
, \n the username field specification is\n /login/username
and the password field\n specification is /login/password
.
For form encoded payload types, use the HTML form names.
\nFor example, for an HTML form with input elements\n named username1
and password1
,\n the username field specification is\n username1
and the password field\n specification is password1
.
Details about your login page password field.
\nHow you specify this depends on the payload type.
\nFor JSON payloads, specify the field name in JSON\n pointer syntax. For information about the JSON Pointer\n syntax, see the Internet Engineering Task Force (IETF)\n documentation JavaScript\n \tObject Notation (JSON) Pointer.
\nFor example, for the JSON payload { \"login\": { \"username\": \"THE_USERNAME\", \"password\": \"THE_PASSWORD\" } }
, \n the username field specification is\n /login/username
and the password field\n specification is /login/password
.
For form encoded payload types, use the HTML form names.
\nFor example, for an HTML form with input elements\n named username1
and password1
,\n the username field specification is\n username1
and the password field\n specification is password1
.
The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage.
\nThis is part of the AWSManagedRulesATPRuleSet
configuration in ManagedRuleGroupConfig
.
In these settings, you specify how your application accepts login attempts\n by providing the request payload type and the names of the fields \n within the request body where the username and password are provided.
" + } + }, "com.amazonaws.wafv2#ResourceArn": { "type": "string", "traits": { @@ -9458,6 +9752,246 @@ } } }, + "com.amazonaws.wafv2#ResponseInspection": { + "type": "structure", + "members": { + "StatusCode": { + "target": "com.amazonaws.wafv2#ResponseInspectionStatusCode", + "traits": { + "smithy.api#documentation": "Configures inspection of the response status code.
" + } + }, + "Header": { + "target": "com.amazonaws.wafv2#ResponseInspectionHeader", + "traits": { + "smithy.api#documentation": "Configures inspection of the response header.
" + } + }, + "BodyContains": { + "target": "com.amazonaws.wafv2#ResponseInspectionBodyContains", + "traits": { + "smithy.api#documentation": "Configures inspection of the response body.
" + } + }, + "Json": { + "target": "com.amazonaws.wafv2#ResponseInspectionJson", + "traits": { + "smithy.api#documentation": "Configures inspection of the response JSON.
" + } + } + }, + "traits": { + "smithy.api#documentation": "The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.
\nThe ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels \n and mitigates requests from client sessions and IP addresses that submit too many failed login attempts in a short amount of time.
\nResponse inspection is available only in web ACLs that protect Amazon CloudFront distributions.
\nThis is part of the AWSManagedRulesATPRuleSet
configuration in ManagedRuleGroupConfig
.
Enable login response inspection by configuring exactly one component of the response to inspect. You can't configure more than one. If you don't configure any of the response inspection options, response inspection is disabled.
" + } + }, + "com.amazonaws.wafv2#ResponseInspectionBodyContains": { + "type": "structure", + "members": { + "SuccessStrings": { + "target": "com.amazonaws.wafv2#ResponseInspectionBodyContainsSuccessStrings", + "traits": { + "smithy.api#documentation": "Strings in the body of the response that indicate a successful login attempt. To be counted as a successful login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.
\nJSON example: \"SuccessStrings\": [ \"Login successful\", \"Welcome to our site!\" ]
\n
Strings in the body of the response that indicate a failed login attempt. To be counted as a failed login, the string can be anywhere in the body and must be an exact match, including case. Each string must be unique among the success and failure strings.
\nJSON example: \"FailureStrings\": [ \"Login failed\" ]
\n
Configures inspection of the response body. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet
.
The name of the header to match against. The name must be an exact match, including case.
\nJSON example: \"Name\": [ \"LoginResult\" ]
\n
Values in the response header with the specified name that indicate a successful login attempt. To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values.
\nJSON example: \"SuccessValues\": [ \"LoginPassed\", \"Successful login\" ]
\n
Values in the response header with the specified name that indicate a failed login attempt. To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values.
\nJSON example: \"FailureValues\": [ \"LoginFailed\", \"Failed login\" ]
\n
Configures inspection of the response header. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet
.
The identifier for the value to match against in the JSON. The identifier must be an exact match, including case.
\nJSON example: \"Identifier\": [ \"/login/success\" ]
\n
Values for the specified identifier in the response JSON that indicate a successful login attempt. To be counted as a successful login, the value must be an exact match, including case. Each value must be unique among the success and failure values.
\nJSON example: \"SuccessValues\": [ \"True\", \"Succeeded\" ]
\n
Values for the specified identifier in the response JSON that indicate a failed login attempt. To be counted as a failed login, the value must be an exact match, including case. Each value must be unique among the success and failure values.
\nJSON example: \"FailureValues\": [ \"False\", \"Failed\" ]
\n
Configures inspection of the response JSON. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet
.
Status codes in the response that indicate a successful login attempt. To be counted as a successful login, the response status code must match one of these. Each code must be unique among the success and failure status codes.
\nJSON example: \"SuccessCodes\": [ 200, 201 ]
\n
Status codes in the response that indicate a failed login attempt. To be counted as a failed login, the response status code must match one of these. Each code must be unique among the success and failure status codes.
\nJSON example: \"FailureCodes\": [ 400, 404 ]
\n
Configures inspection of the response status code. This is part of the ResponseInspection
configuration for AWSManagedRulesATPRuleSet
.
A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests.
\nWAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by WAF. If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by WAF.
\nWhen the rule action triggers, WAF blocks additional requests from the IP address until the request rate falls below the limit.
\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements:
\nAn IP match statement with an IP set that specified the address 192.0.2.44.
\nA string match statement that searches in the User-Agent header for the string BadBot.
\nIn this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule.
\nYou cannot nest a RateBasedStatement
inside another statement, for example inside a NotStatement
or OrStatement
. You can define a RateBasedStatement
inside a web ACL and inside a rule group.
A rate-based rule tracks the rate of requests for each originating IP address, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any 5-minute time span. You can use this to put a temporary block on requests from an IP address that is sending excessive requests.
\nWAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by WAF. If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by WAF.
\nWhen the rule action triggers, WAF blocks additional requests from the IP address until the request rate falls below the limit.
\nYou can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts requests that match the nested statement. For example, based on recent requests that you have seen from an attacker, you might create a rate-based rule with a nested AND rule statement that contains the following nested statements:
\nAn IP match statement with an IP set that specifies the address 192.0.2.44.
\nA string match statement that searches in the User-Agent header for the string BadBot.
\nIn this rate-based rule, you also define a rate limit. For this example, the rate limit is 1,000. Requests that meet the criteria of both of the nested statements are counted. If the count exceeds 1,000 requests per five minutes, the rule action triggers. Requests that do not meet the criteria of both of the nested statements are not counted towards the rate limit and are not affected by this rule.
\nYou cannot nest a RateBasedStatement
inside another statement, for example inside a NotStatement
or OrStatement
. You can define a RateBasedStatement
inside a web ACL and inside a rule group.
A token used for optimistic locking. WAF returns this token to your update
requests. You use NextLockToken
in the same manner as you use LockToken
.
A token used for optimistic locking. WAF returns a token to your get
and list
requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update
and delete
. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException
. If this happens, perform another get
, and use the new token returned by that operation.
A token used for optimistic locking. WAF returns this token to your update
requests. You use NextLockToken
in the same manner as you use LockToken
.
A map of custom response keys and content bodies. When you create a rule with a block action, you can send a custom response to the web request. You define these for the rule group, and then use them in the rules that you define in the rule group.
\nFor information about customizing web requests and responses, see Customizing web requests and responses in WAF in the \n WAF Developer Guide.
\nFor information about the limits on count and size for custom request and response settings, see WAF quotas in the \n WAF Developer Guide.
" } } + }, + "traits": { + "smithy.api#input": {} } }, "com.amazonaws.wafv2#UpdateRuleGroupResponse": { @@ -10980,6 +11565,9 @@ "smithy.api#documentation": "A token used for optimistic locking. WAF returns this token to your update
requests. You use NextLockToken
in the same manner as you use LockToken
.
Specifies the domains that WAF should accept in a web request token. This enables the use of tokens across multiple protected websites. When WAF provides a token, it uses the domain of the Amazon Web Services resource that the web ACL is protecting. If you don't specify a list of token domains, WAF accepts tokens only for the domain of the protected resource. With a token domain list, WAF accepts the resource's host domain plus all domains in the token domain list, including their prefixed subdomains.
\nExample JSON: \"TokenDomains\": { \"mywebsite.com\", \"myotherwebsite.com\" }
\n
Public suffixes aren't allowed. For example, you can't use usa.gov
or co.uk
as token domains.
A token used for optimistic locking. WAF returns this token to your update
requests. You use NextLockToken
in the same manner as you use LockToken
.
Details about your login page username field, used in a\n ManagedRuleGroupConfig
.
Details about your login page username field for request inspection, used in the \n AWSManagedRulesATPRuleSet
\n RequestInspection
configuration.
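Review bot: In the `com.amazonaws.wafv2#ManagedRuleGroupConfigs` list shape, removing the `smithy.api#length` trait with `"min": 1` means the model no longer rejects an empty `ManagedRuleGroupConfigs` list, and none of the updated documentation strings say how an empty list is treated. If the relaxation is intentional, add a sentence to the `ManagedRuleGroupConfigs` member documentation in `ManagedRuleGroupStatement` stating what an empty list means. Otherwise, keep the constraint so that a misconfigured ATP or Bot Control rule group is caught client-side instead of being sent with no configuration.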
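Review bot: The `com.amazonaws.wafv2#ResponseInspection` documentation says to configure "exactly one component of the response to inspect", but the structure declares `StatusCode`, `Header`, `BodyContains` and `Json` as four independent optional members with only a documentation trait. The model therefore does not express the rule, and a caller can set two or more without any client-side error. Either model the choice so the constraint is enforced, or state in this documentation which error the service returns when more than one member is set. In the same hunk, the examples `"Name": [ "LoginResult" ]` and `"Identifier": [ "/login/success" ]` wrap the value in an array while the prose describes a single header name and a single identifier. Align each example with the member's actual type so that users do not copy a shape that fails to match login responses.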
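Review bot: The `TokenDomains` documentation example, `"TokenDomains": { "mywebsite.com", "myotherwebsite.com" }`, is not valid JSON: a list of domains needs square brackets, not braces. Change it to `"TokenDomains": [ "mywebsite.com", "myotherwebsite.com" ]` so the example can be pasted into a web ACL definition as written. The same string should also be corrected wherever else this documentation text is repeated in the model.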