API version '2015-08-24' of the Amazon WAF SDK configuration.

The operation failed because you tried to create, update, or delete an object by using an invalid account identifier.

The operation failed because you tried to delete an object that is still in use. For example:

• You tried to delete a ByteMatchSet that is still referenced by a Rule.
• You tried to delete a Rule that is still referenced by a WebACL.

The operation failed because there was nothing to do. For example:

• You tried to remove a Rule from a WebACL, but the Rule isn't in the specified WebACL.
• You tried to remove an IP address from an IPSet, but the IP address isn't in the specified IPSet.
• You tried to remove a ByteMatchTuple from a ByteMatchSet, but the ByteMatchTuple isn't in the specified WebACL.
• You tried to add a Rule to a WebACL, but the Rule already exists in the specified WebACL.
• You tried to add an IP address to an IPSet, but the IP address already exists in the specified IPSet.
• You tried to add a ByteMatchTuple to a ByteMatchSet, but the ByteMatchTuple already exists in the specified WebACL.

The operation failed because the referenced object doesn't exist.

The operation failed because AWS WAF didn't recognize a parameter in the request. For example:

• You specified an invalid parameter name.
• You specified an invalid value.
• You tried to update an object (ByteMatchSet, IPSet, Rule, or WebACL) using an action other than INSERT or DELETE.
• You tried to create a WebACL with a DefaultAction Type other than ALLOW, BLOCK, or COUNT.
• You tried to update a WebACL with a WafAction Type other than ALLOW, BLOCK, or COUNT.
• You tried to update a ByteMatchSet with a FieldToMatch Type other than HEADER, QUERY_STRING, or URI.
• You tried to update a ByteMatchSet with a Field of HEADER but no value for Data.

The operation exceeds a resource limit, for example, the maximum number of WebACL objects that you can create for an AWS account. For more information, see Limits in the AWS WAF Developer Guide.

The operation failed because you tried to create, update, or delete an object by using a change token that has already been used.

The operation failed because of a system problem, even though the request was valid. Retry your request.

The operation failed because you tried to add an object to or delete an object from another object that doesn't exist. For example:

• You tried to add a Rule to or delete a Rule from a WebACL that doesn't exist.
• You tried to add a ByteMatchSet to or delete a ByteMatchSet from a Rule that doesn't exist.
• You tried to add an IP address to or delete an IP address from an IPSet that doesn't exist.
• You tried to add a ByteMatchTuple to or delete a ByteMatchTuple from a ByteMatchSet that doesn't exist.

The name specified is invalid.

The operation failed because you tried to delete an object that isn't empty. For example:

• You tried to delete a WebACL that still contains one or more Rule objects.
• You tried to delete a Rule that still contains one or more ByteMatchSet objects or other predicates.
• You tried to delete a ByteMatchSet that contains one or more ByteMatchTuple objects.
• You tried to delete an IPSet that references one or more IP addresses.

The ActivatedRule object in an UpdateWebACL request specifies a Rule that you want to insert or delete, the priority of the Rule in the WebACL, and the action that you want AWS WAF to take when a web request matches the Rule (ALLOW, BLOCK, or COUNT).

To specify whether to insert or delete a Rule, use the Action parameter in the WebACLUpdate data type.

See: activatedRule smart constructor.

Creates a value of ActivatedRule with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• arPriority
• arRuleId
• arAction

Specifies the order in which the Rules in a WebACL are evaluated. Rules with a lower value for Priority are evaluated before Rules with a higher value. The value must be a unique integer. If you add multiple Rules to a WebACL, the values don't need to be consecutive.

The RuleId for a Rule. You use RuleId to get more information about a Rule (see GetRule), update a Rule (see UpdateRule), insert a Rule into a WebACL or delete a one from a WebACL (see UpdateWebACL), or delete a Rule from AWS WAF (see DeleteRule).

RuleId is returned by CreateRule and by ListRules.

Specifies the action that CloudFront or AWS WAF takes when a web request matches the conditions in the Rule. Valid values for Action include the following:

• ALLOW: CloudFront responds with the requested object.
• BLOCK: CloudFront responds with an HTTP 403 (Forbidden) status code.
• COUNT: AWS WAF increments a counter of requests that match the conditions in the rule and then continues to inspect the web request based on the remaining rules in the web ACL.

In a GetByteMatchSet request, ByteMatchSet is a complex type that contains the ByteMatchSetId and Name of a ByteMatchSet, and the values that you specified when you updated the ByteMatchSet.

A complex type that contains ByteMatchTuple objects, which specify the parts of web requests that you want AWS WAF to inspect and the values that you want AWS WAF to search for. If a ByteMatchSet contains more than one ByteMatchTuple object, a request needs to match the settings in only one ByteMatchTuple to be considered a match.

See: byteMatchSet smart constructor.

Creates a value of ByteMatchSet with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• bmsName
• bmsByteMatchSetId
• bmsByteMatchTuples

A friendly name or description of the ByteMatchSet. You can't change Name after you create a ByteMatchSet.

The ByteMatchSetId for a ByteMatchSet. You use ByteMatchSetId to get information about a ByteMatchSet (see GetByteMatchSet), update a ByteMatchSet (see UpdateByteMatchSet, insert a ByteMatchSet into a Rule or delete one from a Rule (see UpdateRule), and delete a ByteMatchSet from AWS WAF (see DeleteByteMatchSet).

ByteMatchSetId is returned by CreateByteMatchSet and by ListByteMatchSets.

Specifies the bytes (typically a string that corresponds with ASCII characters) that you want AWS WAF to search for in web requests, the location in requests that you want AWS WAF to search, and other settings.

Returned by ListByteMatchSets. Each ByteMatchSetSummary object includes the Name and ByteMatchSetId for one ByteMatchSet.

See: byteMatchSetSummary smart constructor.

Creates a value of ByteMatchSetSummary with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• bmssByteMatchSetId
• bmssName

The ByteMatchSetId for a ByteMatchSet. You use ByteMatchSetId to get information about a ByteMatchSet, update a ByteMatchSet, remove a ByteMatchSet from a Rule, and delete a ByteMatchSet from AWS WAF.

ByteMatchSetId is returned by CreateByteMatchSet and by ListByteMatchSets.

A friendly name or description of the ByteMatchSet. You can't change Name after you create a ByteMatchSet.

In an UpdateByteMatchSet request, ByteMatchSetUpdate specifies whether to insert or delete a ByteMatchTuple and includes the settings for the ByteMatchTuple.

See: byteMatchSetUpdate smart constructor.

Creates a value of ByteMatchSetUpdate with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• bmsuAction
• bmsuByteMatchTuple

Specifies whether to insert or delete a ByteMatchTuple.

Information about the part of a web request that you want AWS WAF to inspect and the value that you want AWS WAF to search for. If you specify DELETE for the value of Action, the ByteMatchTuple values must exactly match the values in the ByteMatchTuple that you want to delete from the ByteMatchSet.

The bytes (typically a string that corresponds with ASCII characters) that you want AWS WAF to search for in web requests, the location in requests that you want AWS WAF to search, and other settings.

See: byteMatchTuple smart constructor.

Creates a value of ByteMatchTuple with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• bmtFieldToMatch
• bmtTargetString
• bmtTextTransformation
• bmtPositionalConstraint

The part of a web request that you want AWS WAF to search, such as a specified header or a query string. For more information, see FieldToMatch.

The value that you want AWS WAF to search for. AWS WAF searches for the specified string in the part of web requests that you specified in FieldToMatch. The maximum length of the value is 50 bytes.

Valid values depend on the values that you specified for FieldToMatch:

• HEADER: The value that you want AWS WAF to search for in the request header that you specified in FieldToMatch, for example, the value of the 'User-Agent' or Referer header.
• METHOD: The HTTP method, which indicates the type of operation specified in the request. CloudFront supports the following methods: DELETE, GET, HEAD, OPTIONS, PATCH, POST, and PUT.
• QUERY_STRING: The value that you want AWS WAF to search for in the query string, which is the part of a URL that appears after a ? character.
• URI: The value that you want AWS WAF to search for in the part of a URL that identifies a resource, for example, '\/images\/daily-ad.jpg'.

If TargetString includes alphabetic characters A-Z and a-z, note that the value is case sensitive.

If you're using the AWS WAF API

Specify a base64-encoded version of the value. The maximum length of the value before you base64-encode it is 50 bytes.

For example, suppose the value of Type is HEADER and the value of Data is 'User-Agent'. If you want to search the 'User-Agent' header for the value BadBot, you base64-encode BadBot using MIME base64 encoding and include the resulting value, QmFkQm90, in the value of TargetString.

If you're using the AWS CLI or one of the AWS SDKs

The value that you want AWS WAF to search for. The SDK automatically base64 encodes the value.

Note: This Lens automatically encodes and decodes Base64 data, despite what the AWS documentation might say. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This Lens accepts and returns only raw unencoded data.

Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on TargetString before inspecting a request for a match.

CMD_LINE

When you're concerned that attackers are injecting an operating system commandline command and using unusual formatting to disguise some or all of the command, use this option to perform the following transformations:

• Delete the following characters: \ " ' ^
• Delete spaces before the following characters: / (
• Replace the following characters with a space: , ;
• Replace multiple spaces with one space
• Convert uppercase letters (A-Z) to lowercase (a-z)

COMPRESS_WHITE_SPACE

Use this option to replace the following characters with a space character (decimal 32):

• \f, formfeed, decimal 12
• \t, tab, decimal 9
• \n, newline, decimal 10
• \r, carriage return, decimal 13
• \v, vertical tab, decimal 11
• non-breaking space, decimal 160

COMPRESS_WHITE_SPACE also replaces multiple spaces with one space.

HTML_ENTITY_DECODE

Use this option to replace HTML-encoded characters with unencoded characters. HTML_ENTITY_DECODE performs the following operations:

• Replaces '(ampersand)quot;' with '"'
• Replaces '(ampersand)nbsp;' with a non-breaking space, decimal 160
• Replaces '(ampersand)lt;' with a "less than" symbol
• Replaces '(ampersand)gt;' with >
• Replaces characters that are represented in hexadecimal format, '(ampersand)#xhhhh;', with the corresponding characters
• Replaces characters that are represented in decimal format, '(ampersand)#nnnn;', with the corresponding characters

LOWERCASE

Use this option to convert uppercase letters (A-Z) to lowercase (a-z).

URL_DECODE

Use this option to decode a URL-encoded value.

NONE

Specify NONE if you don't want to perform any text transformations.

Within the portion of a web request that you want to search (for example, in the query string, if any), specify where you want AWS WAF to search. Valid values include the following:

CONTAINS

The specified part of the web request must include the value of TargetString, but the location doesn't matter.

CONTAINS_WORD

The specified part of the web request must include the value of TargetString, and TargetString must contain only alphanumeric characters or underscore (A-Z, a-z, 0-9, or _). In addition, TargetString must be a word, which means one of the following:

• TargetString exactly matches the value of the specified part of the web request, such as the value of a header.
• TargetString is at the beginning of the specified part of the web request and is followed by a character other than an alphanumeric character or underscore (_), for example, 'BadBot;'.
• TargetString is at the end of the specified part of the web request and is preceded by a character other than an alphanumeric character or underscore (_), for example, ';BadBot'.
• TargetString is in the middle of the specified part of the web request and is preceded and followed by characters other than alphanumeric characters or underscore (_), for example, '-BadBot;'.

EXACTLY

The value of the specified part of the web request must exactly match the value of TargetString.

STARTS_WITH

The value of TargetString must appear at the beginning of the specified part of the web request.

ENDS_WITH

The value of TargetString must appear at the end of the specified part of the web request.

Specifies where in a web request to look for TargetString.

See: fieldToMatch smart constructor.

Creates a value of FieldToMatch with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• ftmData
• ftmType

When the value of Type is HEADER, enter the name of the header that you want AWS WAF to search, for example, 'User-Agent' or Referer. If the value of Type is any other value, omit Data.

The name of the header is not case sensitive.

The part of the web request that you want AWS WAF to search for a specified string. Parts of a request that you can search include the following:

• HEADER: A specified request header, for example, the value of the 'User-Agent' or Referer header. If you choose HEADER for the type, specify the name of the header in Data.
• METHOD: The HTTP method, which indicated the type of operation that the request is asking the origin to perform. Amazon CloudFront supports the following methods: DELETE, GET, HEAD, OPTIONS, PATCH, POST, and PUT.
• QUERY_STRING: A query string, which is the part of a URL that appears after a ? character, if any.
• URI: The part of a web request that identifies a resource, for example, '\/images\/daily-ad.jpg'.

The response from a GetSampledRequests request includes an HTTPHeader complex type that appears as Headers in the response syntax. HTTPHeader contains the names and values of all of the headers that appear in one of the web requests that were returned by GetSampledRequests.

See: hTTPHeader smart constructor.

Creates a value of HTTPHeader with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• httphValue
• httphName

The value of one of the headers in the sampled web request.

The name of one of the headers in the sampled web request.

The response from a GetSampledRequests request includes an HTTPRequest complex type that appears as Request in the response syntax. HTTPRequest contains information about one of the web requests that were returned by GetSampledRequests.

See: hTTPRequest smart constructor.

Creates a value of HTTPRequest with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• httprHTTPVersion
• httprCountry
• httprURI
• httprHeaders
• httprMethod
• httprClientIP

The HTTP version specified in the sampled web request, for example, 'HTTP\/1.1'.

The two-letter country code for the country that the request originated from. For a current list of country codes, see the Wikipedia entry ISO 3166-1 alpha-2.

The part of a web request that identifies the resource, for example, '\/images\/daily-ad.jpg'.

A complex type that contains two values for each header in the sampled web request: the name of the header and the value of the header.

The HTTP method specified in the sampled web request. CloudFront supports the following methods: DELETE, GET, HEAD, OPTIONS, PATCH, POST, and PUT.

The IP address that the request originated from. If the WebACL is associated with a CloudFront distribution, this is the value of one of the following fields in CloudFront access logs:

• 'c-ip', if the viewer did not use an HTTP proxy or a load balancer to send the request
• 'x-forwarded-for', if the viewer did use an HTTP proxy or a load balancer to send the request

Contains one or more IP addresses or blocks of IP addresses specified in Classless Inter-Domain Routing (CIDR) notation. To specify an individual IP address, you specify the four-part IP address followed by a '\/32', for example, 192.0.2.0/31. To block a range of IP addresses, you can specify a '\/24', a '\/16', or a '\/8' CIDR. For more information about CIDR notation, perform an Internet search on 'cidr notation'.

See: ipSet smart constructor.

Creates a value of IPSet with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• isName
• isIPSetId
• isIPSetDescriptors

A friendly name or description of the IPSet. You can't change the name of an IPSet after you create it.

The IPSetId for an IPSet. You use IPSetId to get information about an IPSet (see GetIPSet), update an IPSet (see UpdateIPSet), insert an IPSet into a Rule or delete one from a Rule (see UpdateRule), and delete an IPSet from AWS WAF (see DeleteIPSet).

IPSetId is returned by CreateIPSet and by ListIPSets.

The IP address type (IPV4) and the IP address range (in CIDR notation) that web requests originate from. If the WebACL is associated with a CloudFront distribution, this is the value of one of the following fields in CloudFront access logs:

• 'c-ip', if the viewer did not use an HTTP proxy or a load balancer to send the request
• 'x-forwarded-for', if the viewer did use an HTTP proxy or a load balancer to send the request

Specifies the IP address type (IPV4) and the IP address range (in CIDR format) that web requests originate from.

See: ipSetDescriptor smart constructor.

Creates a value of IPSetDescriptor with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• isdType
• isdValue

Specify IPV4.

Specify an IPv4 address by using CIDR notation. For example:

• To configure AWS WAF to allow, block, or count requests that originated from the IP address 192.0.2.44, specify '192.0.2.44\/32'.
• To configure AWS WAF to allow, block, or count requests that originated from IP addresses from 192.0.2.0 to 192.0.2.255, specify '192.0.2.0\/24'.

AWS WAF supports only /8, /16, /24, and /32 IP addresses.

For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

Contains the identifier and the name of the IPSet.

See: ipSetSummary smart constructor.

Creates a value of IPSetSummary with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• issIPSetId
• issName

The IPSetId for an IPSet. You can use IPSetId in a GetIPSet request to get detailed information about an IPSet.

A friendly name or description of the IPSet. You can't change the name of an IPSet after you create it.

Specifies the type of update to perform to an IPSet with UpdateIPSet.

See: ipSetUpdate smart constructor.

Creates a value of IPSetUpdate with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• isuAction
• isuIPSetDescriptor

Specifies whether to insert or delete an IP address with UpdateIPSet.

The IP address type (IPV4) and the IP address range (in CIDR notation) that web requests originate from.

Specifies the ByteMatchSet, IPSet, and SqlInjectionMatchSet objects that you want to add to a Rule and, for each object, indicates whether you want to negate the settings, for example, requests that do NOT originate from the IP address 192.0.2.44.

See: predicate smart constructor.

Creates a value of Predicate with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• pNegated
• pType
• pDataId

Set Negated to False if you want AWS WAF to allow, block, or count requests based on the settings in the specified ByteMatchSet, IPSet, or SqlInjectionMatchSet. For example, if an IPSet includes the IP address '192.0.2.44', AWS WAF will allow or block requests based on that IP address.

Set Negated to True if you want AWS WAF to allow or block a request based on the negation of the settings in the ByteMatchSet, IPSet, or SqlInjectionMatchSet. For example, if an IPSet includes the IP address '192.0.2.44', AWS WAF will allow, block, or count requests based on all IP addresses except '192.0.2.44'.

The type of predicate in a Rule, such as ByteMatchSet or IPSet.

A unique identifier for a predicate in a Rule, such as ByteMatchSetId or IPSetId. The ID is returned by the corresponding Create or List command.

A combination of ByteMatchSet, IPSet, and/or SqlInjectionMatchSet objects that identify the web requests that you want to allow, block, or count. For example, you might create a Rule that includes the following predicates:

• An IPSet that causes AWS WAF to search for web requests that originate from the IP address '192.0.2.44'
• A ByteMatchSet that causes AWS WAF to search for web requests for which the value of the 'User-Agent' header is BadBot.

To match the settings in this Rule, a request must originate from '192.0.2.44' AND include a 'User-Agent' header for which the value is BadBot.

See: rule smart constructor.

Creates a value of Rule with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• rMetricName
• rName
• rRuleId
• rPredicates

Undocumented member.

The friendly name or description for the Rule. You can't change the name of a Rule after you create it.

A unique identifier for a Rule. You use RuleId to get more information about a Rule (see GetRule), update a Rule (see UpdateRule), insert a Rule into a WebACL or delete a one from a WebACL (see UpdateWebACL), or delete a Rule from AWS WAF (see DeleteRule).

RuleId is returned by CreateRule and by ListRules.

The Predicates object contains one Predicate element for each ByteMatchSet, IPSet, or SqlInjectionMatchSet object that you want to include in a Rule.

Contains the identifier and the friendly name or description of the Rule.

See: ruleSummary smart constructor.

Creates a value of RuleSummary with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• rsRuleId
• rsName

A unique identifier for a Rule. You use RuleId to get more information about a Rule (see GetRule), update a Rule (see UpdateRule), insert a Rule into a WebACL or delete one from a WebACL (see UpdateWebACL), or delete a Rule from AWS WAF (see DeleteRule).

RuleId is returned by CreateRule and by ListRules.

A friendly name or description of the Rule. You can't change the name of a Rule after you create it.

Specifies a Predicate (such as an IPSet) and indicates whether you want to add it to a Rule or delete it from a Rule.

See: ruleUpdate smart constructor.

Creates a value of RuleUpdate with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• ruAction
• ruPredicate

Specify INSERT to add a Predicate to a Rule. Use DELETE to remove a Predicate from a Rule.

The ID of the Predicate (such as an IPSet) that you want to add to a Rule.

The response from a GetSampledRequests request includes a SampledHTTPRequests complex type that appears as SampledRequests in the response syntax. SampledHTTPRequests contains one SampledHTTPRequest object for each web request that is returned by GetSampledRequests.

See: sampledHTTPRequest smart constructor.

Creates a value of SampledHTTPRequest with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• shttprAction
• shttprTimestamp
• shttprRequest
• shttprWeight

The action for the Rule that the request matched: ALLOW, BLOCK, or COUNT.

The time at which AWS WAF received the request from your AWS resource, in Unix time format (in seconds).

A complex type that contains detailed information about the request.

A value that indicates how one result in the response relates proportionally to other results in the response. A result that has a weight of '2' represents roughly twice as many CloudFront web requests as a result that has a weight of '1'.

A complex type that contains SqlInjectionMatchTuple objects, which specify the parts of web requests that you want AWS WAF to inspect for snippets of malicious SQL code and, if you want AWS WAF to inspect a header, the name of the header. If a SqlInjectionMatchSet contains more than one SqlInjectionMatchTuple object, a request needs to include snippets of SQL code in only one of the specified parts of the request to be considered a match.

See: sqlInjectionMatchSet smart constructor.

Creates a value of SqlInjectionMatchSet with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• simsName
• simsSqlInjectionMatchSetId
• simsSqlInjectionMatchTuples

The name, if any, of the SqlInjectionMatchSet.

A unique identifier for a SqlInjectionMatchSet. You use SqlInjectionMatchSetId to get information about a SqlInjectionMatchSet (see GetSqlInjectionMatchSet), update a SqlInjectionMatchSet (see UpdateSqlInjectionMatchSet, insert a SqlInjectionMatchSet into a Rule or delete one from a Rule (see UpdateRule), and delete a SqlInjectionMatchSet from AWS WAF (see DeleteByteMatchSet).

SqlInjectionMatchSetId is returned by CreateSqlInjectionMatchSet and by ListSqlInjectionMatchSets.

Specifies the parts of web requests that you want to inspect for snippets of malicious SQL code.

The Id and Name of a SqlInjectionMatchSet.

See: sqlInjectionMatchSetSummary smart constructor.

Creates a value of SqlInjectionMatchSetSummary with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• simssSqlInjectionMatchSetId
• simssName

A unique identifier for a SqlInjectionMatchSet. You use SqlInjectionMatchSetId to get information about a SqlInjectionMatchSet (see GetSqlInjectionMatchSet), update a SqlInjectionMatchSet (see UpdateSqlInjectionMatchSet, insert a SqlInjectionMatchSet into a Rule or delete one from a Rule (see UpdateRule), and delete a SqlInjectionMatchSet from AWS WAF (see DeleteByteMatchSet).

SqlInjectionMatchSetId is returned by CreateSqlInjectionMatchSet and by ListSqlInjectionMatchSets.

The name of the SqlInjectionMatchSet, if any, specified by Id.

Specifies the part of a web request that you want to inspect for snippets of malicious SQL code and indicates whether you want to add the specification to a SqlInjectionMatchSet or delete it from a SqlInjectionMatchSet.

See: sqlInjectionMatchSetUpdate smart constructor.

Creates a value of SqlInjectionMatchSetUpdate with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• simsuAction
• simsuSqlInjectionMatchTuple

Specify INSERT to add a SqlInjectionMatchSetUpdate to a SqlInjectionMatchSet. Use DELETE to remove a SqlInjectionMatchSetUpdate from a SqlInjectionMatchSet.

Specifies the part of a web request that you want AWS WAF to inspect for snippets of malicious SQL code and, if you want AWS WAF to inspect a header, the name of the header.

Specifies the part of a web request that you want AWS WAF to inspect for snippets of malicious SQL code and, if you want AWS WAF to inspect a header, the name of the header.

See: sqlInjectionMatchTuple smart constructor.

Creates a value of SqlInjectionMatchTuple with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• simtFieldToMatch
• simtTextTransformation

Undocumented member.

Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. If you specify a transformation, AWS WAF performs the transformation on TargetString before inspecting a request for a match.

CMD_LINE

When you're concerned that attackers are injecting an operating system commandline command and using unusual formatting to disguise some or all of the command, use this option to perform the following transformations:

• Delete the following characters: \ " ' ^
• Delete spaces before the following characters: / (
• Replace the following characters with a space: , ;
• Replace multiple spaces with one space
• Convert uppercase letters (A-Z) to lowercase (a-z)

COMPRESS_WHITE_SPACE

Use this option to replace the following characters with a space character (decimal 32):

• \f, formfeed, decimal 12
• \t, tab, decimal 9
• \n, newline, decimal 10
• \r, carriage return, decimal 13
• \v, vertical tab, decimal 11
• non-breaking space, decimal 160

COMPRESS_WHITE_SPACE also replaces multiple spaces with one space.

HTML_ENTITY_DECODE

Use this option to replace HTML-encoded characters with unencoded characters. HTML_ENTITY_DECODE performs the following operations:

• Replaces '(ampersand)quot;' with '"'
• Replaces '(ampersand)nbsp;' with a non-breaking space, decimal 160
• Replaces '(ampersand)lt;' with a "less than" symbol
• Replaces '(ampersand)gt;' with >
• Replaces characters that are represented in hexadecimal format, '(ampersand)#xhhhh;', with the corresponding characters
• Replaces characters that are represented in decimal format, '(ampersand)#nnnn;', with the corresponding characters

LOWERCASE

Use this option to convert uppercase letters (A-Z) to lowercase (a-z).

URL_DECODE

Use this option to decode a URL-encoded value.

NONE

Specify NONE if you don't want to perform any text transformations.

In a GetSampledRequests request, the StartTime and EndTime objects specify the time range for which you want AWS WAF to return a sample of web requests.

In a GetSampledRequests response, the StartTime and EndTime objects specify the time range for which AWS WAF actually returned a sample of web requests. AWS WAF gets the specified number of requests from among the first 5,000 requests that your AWS resource receives during the specified time period. If your resource receives more than 5,000 requests during that period, AWS WAF stops sampling after the 5,000th request. In that case, EndTime is the time that AWS WAF received the 5,000th request.

See: timeWindow smart constructor.

Creates a value of TimeWindow with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• twStartTime
• twEndTime

The beginning of the time range from which you want GetSampledRequests to return a sample of the requests that your AWS resource received. You can specify any time range in the previous three hours.

The end of the time range from which you want GetSampledRequests to return a sample of the requests that your AWS resource received. You can specify any time range in the previous three hours.

For the action that is associated with a rule in a WebACL, specifies the action that you want AWS WAF to perform when a web request matches all of the conditions in a rule. For the default action in a WebACL, specifies the action that you want AWS WAF to take when a web request doesn't match all of the conditions in any of the rules in a WebACL.

See: wafAction smart constructor.

Creates a value of WafAction with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• waType

Specifies how you want AWS WAF to respond to requests that match the settings in a Rule. Valid settings include the following:

• ALLOW: AWS WAF allows requests
• BLOCK: AWS WAF blocks requests
• COUNT: AWS WAF increments a counter of the requests that match all of the conditions in the rule. AWS WAF then continues to inspect the web request based on the remaining rules in the web ACL. You can't specify COUNT for the default action for a WebACL.

Contains the Rules that identify the requests that you want to allow, block, or count. In a WebACL, you also specify a default action (ALLOW or BLOCK), and the action for each Rule that you add to a WebACL, for example, block requests from specified IP addresses or block requests from specified referrers. You also associate the WebACL with a CloudFront distribution to identify the requests that you want AWS WAF to filter. If you add more than one Rule to a WebACL, a request needs to match only one of the specifications to be allowed, blocked, or counted. For more information, see UpdateWebACL.

See: webACL smart constructor.

Creates a value of WebACL with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• waMetricName
• waName
• waWebACLId
• waDefaultAction
• waRules

Undocumented member.

A friendly name or description of the WebACL. You can't change the name of a WebACL after you create it.

A unique identifier for a WebACL. You use WebACLId to get information about a WebACL (see GetWebACL), update a WebACL (see UpdateWebACL, and delete a WebACL from AWS WAF (see DeleteWebACL).

WebACLId is returned by CreateWebACL and by ListWebACLs.

The action to perform if none of the Rules contained in the WebACL match. The action is specified by the WafAction object.

An array that contains the action for each Rule in a WebACL, the priority of the Rule, and the ID of the Rule.

Contains the identifier and the name or description of the WebACL.

See: webACLSummary smart constructor.

Creates a value of WebACLSummary with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• wasWebACLId
• wasName

A unique identifier for a WebACL. You use WebACLId to get information about a WebACL (see GetWebACL), update a WebACL (see UpdateWebACL, and delete a WebACL from AWS WAF (see DeleteWebACL).

WebACLId is returned by CreateWebACL and by ListWebACLs.

A friendly name or description of the WebACL. You can't change the name of a WebACL after you create it.

Specifies whether to insert a Rule into or delete a Rule from a WebACL.

See: webACLUpdate smart constructor.

Creates a value of WebACLUpdate with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• wauAction
• wauActivatedRule

Specifies whether to insert a Rule into or delete a Rule from a WebACL.

Undocumented member.