Amazon WAFV2 examples using Amazon CLI
The following code examples show you how to perform actions and implement common scenarios by using the Amazon Command Line Interface with Amazon WAFV2.
Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios and cross-service examples.
Scenarios are code examples that show you how to accomplish a specific task by calling multiple functions within the same service.
Each example includes a link to GitHub, where you can find instructions on how to set up and run the code in context.
Topics
Actions
The following code example shows how to use associate-web-acl.
- Amazon CLI
-
To associate a web ACL with a regional Amazon resource
The following
associate-web-aclexample associates the specified web ACL with an Application Load Balancer.aws wafv2 associate-web-acl \ --web-acl-arnarn:aws:wafv2:us-west-2:123456789012:regional/webacl/test-cli/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111\ --resource-arnarn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/waf-cli-alb/1ea17125f8b25a2a\ --regionus-west-2This command produces no output.
For more information, see Associating or Disassociating a Web ACL with an Amazon Resource
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see AssociateWebAcl
in Amazon CLI Command Reference.
-
The following code example shows how to use check-capacity.
- Amazon CLI
-
To obtain the capacity used by a set of rules
The following
check-capacityretrieves the capacity requirements for a rule set that contains a rate-based rule statement, and an AND rule statement that contains nested rules.aws wafv2 check-capacity \ --scopeREGIONAL\ --rulesfile://waf-rule-list.json\ --regionus-west-2Contents of file://waf-rule-list.json:
[ { "Name":"basic-rule", "Priority":0, "Statement":{ "AndStatement":{ "Statements":[ { "ByteMatchStatement":{ "SearchString":"example.com", "FieldToMatch":{ "SingleHeader":{ "Name":"host" } }, "TextTransformations":[ { "Priority":0, "Type":"LOWERCASE" } ], "PositionalConstraint":"EXACTLY" } }, { "GeoMatchStatement":{ "CountryCodes":[ "US", "IN" ] } } ] } }, "Action":{ "Allow":{ } }, "VisibilityConfig":{ "SampledRequestsEnabled":true, "CloudWatchMetricsEnabled":true, "MetricName":"basic-rule" } }, { "Name":"rate-rule", "Priority":1, "Statement":{ "RateBasedStatement":{ "Limit":1000, "AggregateKeyType":"IP" } }, "Action":{ "Block":{ } }, "VisibilityConfig":{ "SampledRequestsEnabled":true, "CloudWatchMetricsEnabled":true, "MetricName":"rate-rule" } } ]Output:
{ "Capacity":15 }For more information, see Amazon WAF Web ACL Capacity Units (WCU)
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see CheckCapacity
in Amazon CLI Command Reference.
-
The following code example shows how to use create-ip-set.
- Amazon CLI
-
To create an IP set for use in your web ACLs and rule groups
The following
create-ip-setcommand creates an IP set with a single address range specification.aws wafv2 create-ip-set \ --nametestip\ --scopeREGIONAL\ --ip-address-versionIPV4\ --addresses198.51.100.0/16Output:
{ "Summary":{ "ARN":"arn:aws:wafv2:us-west-2:123456789012:regional/ipset/testip/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Description":"", "Name":"testip", "LockToken":"447e55ac-0000-0000-0000-86b67c17f8b5", "Id":"a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } }For more information, see IP Sets and Regex Pattern Sets
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see CreateIpSet
in Amazon CLI Command Reference.
-
The following code example shows how to use create-regex-pattern-set.
- Amazon CLI
-
To create a regex pattern set for use in your web ACLs and rule groups
The following
create-regex-pattern-setcommand creates a regex pattern set with two regex patterns specified.aws wafv2 create-regex-pattern-set \ --nameregexPatterSet01\ --scopeREGIONAL\ --description 'Test web-acl' \ --regular-expression-list '[{"RegexString": "/[0-9]*/"},{"RegexString": "/[a-z]*/"}]'Output:
{ "Summary":{ "ARN":"arn:aws:wafv2:us-west-2:123456789012:regional/regexpatternset/regexPatterSet01/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Description":"Test web-acl", "Name":"regexPatterSet01", "LockToken":"0bc01e21-03c9-4b98-9433-6229cbf1ef1c", "Id":"a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } }For more information, see IP Sets and Regex Pattern Sets
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see CreateRegexPatternSet
in Amazon CLI Command Reference.
-
The following code example shows how to use create-rule-group.
- Amazon CLI
-
To create a custom rule group for use in your web ACLs
The following
create-rule-groupcommand creates a custom rule group for regional use. The rule statements for the group are provided in a JSON-formatted file.aws wafv2 create-rule-group \ --name"TestRuleGroup"\ --scopeREGIONAL\ --capacity250\ --rulesfile://waf-rule.json\ --visibility-configSampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=TestRuleGroupMetrics\ --regionus-west-2Contents of file://waf-rule.json:
[ { "Name":"basic-rule", "Priority":0, "Statement":{ "AndStatement":{ "Statements":[ { "ByteMatchStatement":{ "SearchString":"example.com", "FieldToMatch":{ "SingleHeader":{ "Name":"host" } }, "TextTransformations":[ { "Priority":0, "Type":"LOWERCASE" } ], "PositionalConstraint":"EXACTLY" } }, { "GeoMatchStatement":{ "CountryCodes":[ "US", "IN" ] } } ] } }, "Action":{ "Allow":{ } }, "VisibilityConfig":{ "SampledRequestsEnabled":true, "CloudWatchMetricsEnabled":true, "MetricName":"basic-rule" } } ]Output:
{ "Summary":{ "ARN":"arn:aws:wafv2:us-west-2:123456789012:regional/rulegroup/TestRuleGroup/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Description":"", "Name":"TestRuleGroup", "LockToken":"7b3bcec2-374e-4c5a-b2b9-563bf47249f0", "Id":"a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } }For more information, see Managing Your Own Rule Groups
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see CreateRuleGroup
in Amazon CLI Command Reference.
-
The following code example shows how to use create-web-acl.
- Amazon CLI
-
To create a web ACL
The following
create-web-aclcommand creates a web ACL for regional use. The rule statements for the web ACL are provided in a JSON-formatted file.aws wafv2 create-web-acl \ --nameTestWebAcl\ --scopeREGIONAL\ --default-actionAllow={}\ --visibility-configSampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=TestWebAclMetrics\ --rulesfile://waf-rule.json\ --regionus-west-2Contents of file://waf-rule.json:
[ { "Name":"basic-rule", "Priority":0, "Statement":{ "AndStatement":{ "Statements":[ { "ByteMatchStatement":{ "SearchString":"example.com", "FieldToMatch":{ "SingleHeader":{ "Name":"host" } }, "TextTransformations":[ { "Priority":0, "Type":"LOWERCASE" } ], "PositionalConstraint":"EXACTLY" } }, { "GeoMatchStatement":{ "CountryCodes":[ "US", "IN" ] } } ] } }, "Action":{ "Allow":{ } }, "VisibilityConfig":{ "SampledRequestsEnabled":true, "CloudWatchMetricsEnabled":true, "MetricName":"basic-rule" } } ]Output:
{ "Summary":{ "ARN":"arn:aws:wafv2:us-west-2:123456789012:regional/webacl/TestWebAcl/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Description":"", "Name":"TestWebAcl", "LockToken":"2294b3a1-eb60-4aa0-a86f-a3ae04329de9", "Id":"a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } }For more information, see Managing and Using a Web Access Control List (Web ACL)
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see CreateWebAcl
in Amazon CLI Command Reference.
-
The following code example shows how to use delete-ip-set.
- Amazon CLI
-
To delete an IP set
The following
delete-ip-setdeletes the specified IP set. This call requires an ID, which you can obtain from the call,list-ip-sets, and a lock token, which you can obtain from the calls,list-ip-setsandget-ip-set.aws wafv2 delete-ip-set \ --nametest1\ --scopeREGIONAL\ --ida1b2c3d4-5678-90ab-cdef-EXAMPLE11111\ --lock-token46851772-db6f-459d-9385-49428812e357This command produces no output.
For more information, see IP Sets and Regex Pattern Sets
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see DeleteIpSet
in Amazon CLI Command Reference.
-
The following code example shows how to use delete-logging-configuration.
- Amazon CLI
-
To disable logging for a web ACL
The following
delete-logging-configurationremoves any logging configuration from the specified web ACL.aws wafv2 delete-logging-configuration \ --resource-arnarn:aws:wafv2:us-west-2:123456789012:regional/webacl/test/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222This command produces no output.
For more information, see Logging Web ACL Traffic Information
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see DeleteLoggingConfiguration
in Amazon CLI Command Reference.
-
The following code example shows how to use delete-regex-pattern-set.
- Amazon CLI
-
To delete a regex pattern set
The following
delete-regex-pattern-setupdates the settings for the specified regex pattern set. This call requires an ID, which you can obtain from the call,list-regex-pattern-sets, and a lock token, which you can obtain from the calllist-regex-pattern-setsor the callget-regex-pattern-set.aws wafv2 delete-regex-pattern-set \ --nameregexPatterSet01\ --scopeREGIONAL\ --ida1b2c3d4-5678-90ab-cdef-EXAMPLE11111\ --lock-token0bc01e21-03c9-4b98-9433-6229cbf1ef1cThis command produces no output.
For more information, see IP Sets and Regex Pattern Sets
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see DeleteRegexPatternSet
in Amazon CLI Command Reference.
-
The following code example shows how to use delete-rule-group.
- Amazon CLI
-
To delete a custom rule group
The following
delete-rule-groupdeletes the specified custom rule group. This call requires an ID, which you can obtain from the call,list-rule-groups, and a lock token, which you can obtain from the calllist-rule-groupsor the callget-rule-group.aws wafv2 delete-rule-group \ --nameTestRuleGroup\ --scopeREGIONAL\ --ida1b2c3d4-5678-90ab-cdef-EXAMPLE11111\ --lock-token7b3bcec2-0000-0000-0000-563bf47249f0This command produces no output.
For more information, see Managing Your Own Rule Groups
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see DeleteRuleGroup
in Amazon CLI Command Reference.
-
The following code example shows how to use delete-web-acl.
- Amazon CLI
-
To delete a web ACL
The following
delete-web-acldeletes the specified web ACL from your account. A web ACL can only be deleted when it's not associated with any resources. This call requires an ID, which you can obtain from the call,list-web-acls, and a lock token, which you can obtain from the calllist-web-aclsor the callget-web-acl.aws wafv2 delete-web-acl \ --nametest\ --scopeREGIONAL\ --ida1b2c3d4-5678-90ab-cdef-EXAMPLE11111\ --lock-tokenebab4ed2-155e-4c9a-9efb-e4c45665b1f5This command produces no output.
For more information, see Managing and Using a Web Access Control List (Web ACL)
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see DeleteWebAcl
in Amazon CLI Command Reference.
-
The following code example shows how to use describe-managed-rule-group.
- Amazon CLI
-
To retrieve the description for a managed rule group
The following
describe-managed-rule-groupretrieves the description for an Amazon managed rule group.aws wafv2 describe-managed-rule-group \ --vendor-nameAWS\ --nameAWSManagedRulesCommonRuleSet\ --scopeREGIONALOutput:
{ "Capacity": 700, "Rules": [ { "Name": "NoUserAgent_HEADER", "Action": { "Block": {} } }, { "Name": "UserAgent_BadBots_HEADER", "Action": { "Block": {} } }, { "Name": "SizeRestrictions_QUERYSTRING", "Action": { "Block": {} } }, { "Name": "SizeRestrictions_Cookie_HEADER", "Action": { "Block": {} } }, { "Name": "SizeRestrictions_BODY", "Action": { "Block": {} } }, { "Name": "SizeRestrictions_URIPATH", "Action": { "Block": {} } }, { "Name": "EC2MetaDataSSRF_BODY", "Action": { "Block": {} } }, { "Name": "EC2MetaDataSSRF_COOKIE", "Action": { "Block": {} } }, { "Name": "EC2MetaDataSSRF_URIPATH", "Action": { "Block": {} } }, { "Name": "EC2MetaDataSSRF_QUERYARGUMENTS", "Action": { "Block": {} } }, { "Name": "GenericLFI_QUERYARGUMENTS", "Action": { "Block": {} } }, { } "Name": "GenericLFI_URIPATH", "Action": { "Block": {} } }, { "Name": "GenericLFI_BODY", "Action": { "Block": {} } }, { "Name": "RestrictedExtensions_URIPATH", "Action": { "Block": {} } }, { "Name": "RestrictedExtensions_QUERYARGUMENTS", "Action": { "Block": {} } }, { "Name": "GenericRFI_QUERYARGUMENTS", "Action": { "Block": {} } }, { "Name": "GenericRFI_BODY", "Action": { "Block": {} } }, { "Name": "GenericRFI_URIPATH", "Action": { "Block": {} } }, { "Name": "CrossSiteScripting_COOKIE", "Action": { "Block": {} } }, { "Name": "CrossSiteScripting_QUERYARGUMENTS", "Action": { "Block": {} } }, { "Name": "CrossSiteScripting_BODY", "Action": { "Block": {} } }, { "Name": "CrossSiteScripting_URIPATH", "Action": { "Block": {} } } ] }For more information, see Managed Rule Groups
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see DescribeManagedRuleGroup
in Amazon CLI Command Reference.
-
The following code example shows how to use disassociate-web-acl.
- Amazon CLI
-
To disassociate a web ACL from a regional Amazon resource
The following
disassociate-web-aclexample removes any existing web ACL association from the specified Application Load Balancer.aws wafv2 disassociate-web-acl \ --resource-arnarn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/waf-cli-alb/1ea17125f8b25a2a\ --regionus-west-2This command produces no output.
For more information, see Associating or Disassociating a Web ACL with an Amazon Resource
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see DisassociateWebAcl
in Amazon CLI Command Reference.
-
The following code example shows how to use get-ip-set.
- Amazon CLI
-
To retrieve a specific IP set
The following
get-ip-setretrieves the IP set with the specified name, scope, and ID. You can get the ID for an IP set from the commandscreate-ip-setandlist-ip-sets.aws wafv2 get-ip-set \ --nametestip\ --scopeREGIONAL\ --ida1b2c3d4-5678-90ab-cdef-EXAMPLE11111Output:
{ "IPSet":{ "Description":"", "Name":"testip", "IPAddressVersion":"IPV4", "Id":"a1b2c3d4-5678-90ab-cdef-EXAMPLE1111", "ARN":"arn:aws:wafv2:us-west-2:123456789012:regional/ipset/testip/a1b2c3d4-5678-90ab-cdef-EXAMPLE1111", "Addresses":[ "192.0.2.0/16" ] }, "LockToken":"447e55ac-2396-4c6d-b9f9-86b67c17f8b5" }For more information, see IP Sets and Regex Pattern Sets
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see GetIpSet
in Amazon CLI Command Reference.
-
The following code example shows how to use get-logging-configuration.
- Amazon CLI
-
To retrieve the logging configurations for a web ACL
The following
get-logging-configurationretrieves the logging configuration for the specified web ACL.aws wafv2 get-logging-configuration \ --resource-arnarn:aws:wafv2:us-west-2:123456789012:regional/webacl/test/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222\ --regionus-west-2Output:
{ "LoggingConfiguration":{ "ResourceArn":"arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "RedactedFields":[ { "Method":{ } } ], "LogDestinationConfigs":[ "arn:aws:firehose:us-west-2:123456789012:deliverystream/aws-waf-logs-custom-transformation" ] } }For more information, see Logging Web ACL Traffic Information
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see GetLoggingConfiguration
in Amazon CLI Command Reference.
-
The following code example shows how to use get-rate-based-statement-managed-keys.
- Amazon CLI
-
To retrieve a list of IP addresses that are blocked by a rate-based rule
The following
get-rate-based-statement-managed-keysretrieves the IP addresses currently blocked by a rate-based rule that's being used for a regional application.aws wafv2 get-rate-based-statement-managed-keys \ --scopeREGIONAL\ --web-acl-nametestwebacl2\ --web-acl-ida1b2c3d4-5678-90ab-cdef-EXAMPLE11111\ --rule-nameratebasedtestOutput:
{ "ManagedKeysIPV4":{ "IPAddressVersion":"IPV4", "Addresses":[ "198.51.100.0/32" ] }, "ManagedKeysIPV6":{ "IPAddressVersion":"IPV6", "Addresses":[ ] } }For more information, see Rate-Based Rule Statement
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see GetRateBasedStatementManagedKeys
in Amazon CLI Command Reference.
-
The following code example shows how to use get-regex-pattern-set.
- Amazon CLI
-
To retrieve a specific regex pattern set
The following
get-regex-pattern-setretrieves the regex pattern set with the specified name, scope, region, and ID. You can get the ID for a regex pattern set from the commandscreate-regex-pattern-setandlist-regex-pattern-sets.aws wafv2 get-regex-pattern-set \ --nameregexPatterSet01\ --scopeREGIONAL\ --ida1b2c3d4-5678-90ab-cdef-EXAMPLE11111\ --regionus-west-2Output:
{ "RegexPatternSet":{ "Description":"Test web-acl", "RegularExpressionList":[ { "RegexString":"/[0-9]*/" }, { "RegexString":"/[a-z]*/" } ], "Name":"regexPatterSet01", "ARN":"arn:aws:wafv2:us-west-2:123456789012:regional/regexpatternset/regexPatterSet01/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Id":"a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, "LockToken":"c8abf33f-b6fc-46ae-846e-42f994d57b29" }For more information, see IP Sets and Regex Pattern Sets
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see GetRegexPatternSet
in Amazon CLI Command Reference.
-
The following code example shows how to use get-rule-group.
- Amazon CLI
-
To retrieve a specific custom rule group
The following
get-rule-groupretrieves the custom rule group with the specified name, scope, and ID. You can get the ID for a rule group from the commandscreate-rule-groupandlist-rule-groups.aws wafv2 get-rule-group \ --nameff\ --scopeREGIONAL\ --ida1b2c3d4-5678-90ab-cdef-EXAMPLE11111Output:
{ "RuleGroup":{ "Capacity":1, "Description":"", "Rules":[ { "Priority":0, "Action":{ "Block":{ } }, "VisibilityConfig":{ "SampledRequestsEnabled":true, "CloudWatchMetricsEnabled":true, "MetricName":"jj" }, "Name":"jj", "Statement":{ "SizeConstraintStatement":{ "ComparisonOperator":"LE", "TextTransformations":[ { "Priority":0, "Type":"NONE" } ], "FieldToMatch":{ "UriPath":{ } }, "Size":7 } } } ], "VisibilityConfig":{ "SampledRequestsEnabled":true, "CloudWatchMetricsEnabled":true, "MetricName":"ff" }, "Id":"a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ARN":"arn:aws:wafv2:us-west-2:123456789012:regional/rulegroup/ff/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Name":"ff" }, "LockToken":"485458c9-1830-4234-af31-ec4d52ced1b3" }For more information, see Managing Your Own Rule Groups
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see GetRuleGroup
in Amazon CLI Command Reference.
-
The following code example shows how to use get-sampled-requests.
- Amazon CLI
-
To retrieve a sample of web requests for a web ACL
The following
get-sampled-requestsretrieves the sampled web requests for the specified web ACL, rule metric, and time frame.aws wafv2 get-sampled-requests \ --web-acl-arnarn:aws:wafv2:us-west-2:123456789012:regional/webacl/test-cli/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111\ --rule-metric-nameAWS-AWSManagedRulesSQLiRuleSet\ --scope=REGIONAL \ --time-windowStartTime=2020-02-12T20:00Z,EndTime=2020-02-12T21:10Z\ --max-items100Output:
{ "TimeWindow": { "EndTime": 1581541800.0, "StartTime": 1581537600.0 }, "SampledRequests": [ { "Action": "BLOCK", "Timestamp": 1581541799.564, "RuleNameWithinRuleGroup": "AWS#AWSManagedRulesSQLiRuleSet#SQLi_BODY", "Request": { "Country": "US", "URI": "/", "Headers": [ { "Name": "Host", "Value": "alb-test-1EXAMPLE1.us-east-1.elb.amazonaws.com" }, { "Name": "Content-Length", "Value": "7456" }, { "Name": "User-Agent", "Value": "curl/7.53.1" }, { "Name": "Accept", "Value": "/" }, { "Name": "Content-Type", "Value": "application/x-www-form-urlencoded" } ], "ClientIP": "198.51.100.08", "Method": "POST", "HTTPVersion": "HTTP/1.1" }, "Weight": 1 }, { "Action": "BLOCK", "Timestamp": 1581541799.988, "RuleNameWithinRuleGroup": "AWS#AWSManagedRulesSQLiRuleSet#SQLi_BODY", "Request": { "Country": "US", "URI": "/", "Headers": [ { "Name": "Host", "Value": "alb-test-1EXAMPLE1.us-east-1.elb.amazonaws.com" }, { "Name": "Content-Length", "Value": "7456" }, { "Name": "User-Agent", "Value": "curl/7.53.1" }, { "Name": "Accept", "Value": "/" }, { "Name": "Content-Type", "Value": "application/x-www-form-urlencoded" } ], "ClientIP": "198.51.100.08", "Method": "POST", "HTTPVersion": "HTTP/1.1" }, "Weight": 3 }, { "Action": "BLOCK", "Timestamp": 1581541799.846, "RuleNameWithinRuleGroup": "AWS#AWSManagedRulesSQLiRuleSet#SQLi_BODY", "Request": { "Country": "US", "URI": "/", "Headers": [ { "Name": "Host", "Value": "alb-test-1EXAMPLE1.us-east-1.elb.amazonaws.com" }, { "Name": "Content-Length", "Value": "7456" }, { "Name": "User-Agent", "Value": "curl/7.53.1" }, { "Name": "Accept", "Value": "/" }, { "Name": "Content-Type", "Value": "application/x-www-form-urlencoded" } ], "ClientIP": "198.51.100.08", "Method": "POST", "HTTPVersion": "HTTP/1.1" }, "Weight": 1 }, { "Action": "BLOCK", "Timestamp": 1581541799.4, "RuleNameWithinRuleGroup": "AWS#AWSManagedRulesSQLiRuleSet#SQLi_BODY", "Request": { "Country": "US", "URI": "/", "Headers": [ { "Name": "Host", "Value": "alb-test-1EXAMPLE1.us-east-1.elb.amazonaws.com" }, { "Name": "Content-Length", "Value": "7456" }, { "Name": "User-Agent", "Value": "curl/7.53.1" }, { "Name": "Accept", "Value": "/" }, { "Name": "Content-Type", "Value": "application/x-www-form-urlencoded" } ], "ClientIP": "198.51.100.08", "Method": "POST", "HTTPVersion": "HTTP/1.1" }, "Weight": 1 } ], "PopulationSize": 4 }For more information, see Viewing a Sample of Web Requests
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see GetSampledRequests
in Amazon CLI Command Reference.
-
The following code example shows how to use get-web-acl-for-resource.
- Amazon CLI
-
To retrieve the web ACL that's associated with an Amazon resource
The following
get-web-acl-for-resourceretrieves the JSON for the web ACL that's associated with the specified resource.aws wafv2 get-web-acl-for-resource \ --resource-arnarn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/waf-cli-alb/1ea17125f8b25a2aOutput:
{ "WebACL":{ "Capacity":3, "Description":"", "Rules":[ { "Priority":1, "Action":{ "Block":{ } }, "VisibilityConfig":{ "SampledRequestsEnabled":true, "CloudWatchMetricsEnabled":true, "MetricName":"testrule01" }, "Name":"testrule01", "Statement":{ "AndStatement":{ "Statements":[ { "ByteMatchStatement":{ "PositionalConstraint":"EXACTLY", "TextTransformations":[ { "Priority":0, "Type":"NONE" } ], "SearchString":"dGVzdHN0cmluZw==", "FieldToMatch":{ "UriPath":{ } } } }, { "SizeConstraintStatement":{ "ComparisonOperator":"EQ", "TextTransformations":[ { "Priority":0, "Type":"NONE" } ], "FieldToMatch":{ "QueryString":{ } }, "Size":0 } } ] } } } ], "VisibilityConfig":{ "SampledRequestsEnabled":true, "CloudWatchMetricsEnabled":true, "MetricName":"test01" }, "DefaultAction":{ "Allow":{ } }, "Id":"9a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 ", "ARN":"arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test01/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 ", "Name":"test01" } }For more information, see Associating or Disassociating a Web ACL with an Amazon Resource
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see GetWebAclForResource
in Amazon CLI Command Reference.
-
The following code example shows how to use get-web-acl.
- Amazon CLI
-
To retrieve a web ACL
The following
get-web-aclretrieves the web ACL with the specified name, scope, and ID. You can get the ID for a web ACL from the commandscreate-web-aclandlist-web-acls.aws wafv2 get-web-acl \ --nametest01\ --scopeREGIONAL\ --ida1b2c3d4-5678-90ab-cdef-EXAMPLE11111Output:
{ "WebACL":{ "Capacity":3, "Description":"", "Rules":[ { "Priority":1, "Action":{ "Block":{ } }, "VisibilityConfig":{ "SampledRequestsEnabled":true, "CloudWatchMetricsEnabled":true, "MetricName":"testrule01" }, "Name":"testrule01", "Statement":{ "AndStatement":{ "Statements":[ { "ByteMatchStatement":{ "PositionalConstraint":"EXACTLY", "TextTransformations":[ { "Priority":0, "Type":"NONE" } ], "SearchString":"dGVzdHN0cmluZw==", "FieldToMatch":{ "UriPath":{ } } } }, { "SizeConstraintStatement":{ "ComparisonOperator":"EQ", "TextTransformations":[ { "Priority":0, "Type":"NONE" } ], "FieldToMatch":{ "QueryString":{ } }, "Size":0 } } ] } } } ], "VisibilityConfig":{ "SampledRequestsEnabled":true, "CloudWatchMetricsEnabled":true, "MetricName":"test01" }, "DefaultAction":{ "Allow":{ } }, "Id":"a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "ARN":"arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test01/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Name":"test01" }, "LockToken":"e3db7e2c-d58b-4ee6-8346-6aec5511c6fb" }For more information, see Managing and Using a Web Access Control List (Web ACL)
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see GetWebAcl
in Amazon CLI Command Reference.
-
The following code example shows how to use list-available-managed-rule-groups.
- Amazon CLI
-
To retrieve the managed rule groups
The following
list-available-managed-rule-groupsreturns the list of all managed rule groups that are currently available for use in your web ACLs.aws wafv2 list-available-managed-rule-groups \ --scopeREGIONALOutput:
{ "ManagedRuleGroups": [ { "VendorName": "AWS", "Name": "AWSManagedRulesCommonRuleSet", "Description": "Contains rules that are generally applicable to web applications. This provides protection against exploitation of a wide range of vulnerabilities, including those described in OWASP publications and common Common Vulnerabilities and Exposures (CVE)." }, { "VendorName": "AWS", "Name": "AWSManagedRulesAdminProtectionRuleSet", "Description": "Contains rules that allow you to block external access to exposed admin pages. This may be useful if you are running third-party software or would like to reduce the risk of a malicious actor gaining administrative access to your application." }, { "VendorName": "AWS", "Name": "AWSManagedRulesKnownBadInputsRuleSet", "Description": "Contains rules that allow you to block request patterns that are known to be invalid and are associated with exploitation or discovery of vulnerabilities. This can help reduce the risk of a malicious actor discovering a vulnerable application." }, { "VendorName": "AWS", "Name": "AWSManagedRulesSQLiRuleSet", "Description": "Contains rules that allow you to block request patterns associated with exploitation of SQL databases, like SQL injection attacks. This can help prevent remote injection of unauthorized queries." }, { "VendorName": "AWS", "Name": "AWSManagedRulesLinuxRuleSet", "Description": "Contains rules that block request patterns associated with exploitation of vulnerabilities specific to Linux, including LFI attacks. This can help prevent attacks that expose file contents or execute code for which the attacker should not have had access." }, { "VendorName": "AWS", "Name": "AWSManagedRulesUnixRuleSet", "Description": "Contains rules that block request patterns associated with exploiting vulnerabilities specific to POSIX/POSIX-like OS, including LFI attacks. This can help prevent attacks that expose file contents or execute code for which access should not been allowed." }, { "VendorName": "AWS", "Name": "AWSManagedRulesWindowsRuleSet", "Description": "Contains rules that block request patterns associated with exploiting vulnerabilities specific to Windows, (e.g., PowerShell commands). This can help prevent exploits that allow attacker to run unauthorized commands or execute malicious code." }, { "VendorName": "AWS", "Name": "AWSManagedRulesPHPRuleSet", "Description": "Contains rules that block request patterns associated with exploiting vulnerabilities specific to the use of the PHP, including injection of unsafe PHP functions. This can help prevent exploits that allow an attacker to remotely execute code or commands." }, { "VendorName": "AWS", "Name": "AWSManagedRulesWordPressRuleSet", "Description": "The WordPress Applications group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to WordPress sites." }, { "VendorName": "AWS", "Name": "AWSManagedRulesAmazonIpReputationList", "Description": "This group contains rules that are based on Amazon threat intelligence. This is useful if you would like to block sources associated with bots or other threats." } ] }For more information, see Managed Rule Groups
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see ListAvailableManagedRuleGroups
in Amazon CLI Command Reference.
-
The following code example shows how to use list-ip-sets.
- Amazon CLI
-
To retrieve a list of IP sets
The following
list-ip-setsretrieves all IP sets for the account that have regional scope.aws wafv2 list-ip-sets \ --scopeREGIONALOutput:
{ "IPSets":[ { "ARN":"arn:aws:wafv2:us-west-2:123456789012:regional/ipset/testip/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Description":"", "Name":"testip", "LockToken":"0674c84b-0304-47fe-8728-c6bff46af8fc", "Id":"a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 " } ], "NextMarker":"testip" }For more information, see IP Sets and Regex Pattern Sets
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see ListIpSets
in Amazon CLI Command Reference.
-
The following code example shows how to use list-logging-configurations.
- Amazon CLI
-
To retrieve a list of all logging configurations for a region
The following
list-logging-configurationsretrieves the all logging configurations for web ACLs that are scoped for regional use in theus-west-2region.aws wafv2 list-logging-configurations \ --scopeREGIONAL\ --regionus-west-2Output:
{ "LoggingConfigurations":[ { "ResourceArn":"arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test-2/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "RedactedFields":[ { "QueryString":{ } } ], "LogDestinationConfigs":[ "arn:aws:firehose:us-west-2:123456789012:deliverystream/aws-waf-logs-test" ] }, { "ResourceArn":"arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "RedactedFields":[ { "Method":{ } } ], "LogDestinationConfigs":[ "arn:aws:firehose:us-west-2:123456789012:deliverystream/aws-waf-logs-custom-transformation" ] } ] }For more information, see Logging Web ACL Traffic Information
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see ListLoggingConfigurations
in Amazon CLI Command Reference.
-
The following code example shows how to use list-regex-pattern-sets.
- Amazon CLI
-
To retrieve a list of regex pattern sets
The following
list-regex-pattern-setsretrieves all regex pattern sets for the account that are defined in the regionus-west-2.aws wafv2 list-regex-pattern-sets \ --scopeREGIONAL\ --regionus-west-2Output:
{ "NextMarker":"regexPatterSet01", "RegexPatternSets":[ { "ARN":"arn:aws:wafv2:us-west-2:123456789012:regional/regexpatternset/regexPatterSet01/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Description":"Test web-acl", "Name":"regexPatterSet01", "LockToken":"f17743f7-0000-0000-0000-19a8b93bfb01", "Id":"a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } ] }For more information, see IP Sets and Regex Pattern Sets
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see ListRegexPatternSets
in Amazon CLI Command Reference.
-
The following code example shows how to use list-resources-for-web-acl.
- Amazon CLI
-
To retrieve the resources associated with a web ACL
The following
list-resources-for-web-aclretrieves the API Gateway REST API resources that are currently associated with the specified web ACL in the regionus-west-2.aws wafv2 list-resources-for-web-acl \ --web-acl-arnarn:aws:wafv2:us-west-2:123456789012:regional/webacl/TestWebAcl/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111\ --resource-typeAPI_GATEWAY\ --regionus-west-2Output:
{ "ResourceArns": [ "arn:aws:apigateway:us-west-2::/restapis/EXAMPLE111/stages/testing" ] }For more information, see Associating or Disassociating a Web ACL with an Amazon Resource
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see ListResourcesForWebAcl
in Amazon CLI Command Reference.
-
The following code example shows how to use list-rule-groups.
- Amazon CLI
-
To retrieve a list of custom rule groups
The following
list-rule-groupsretrieves all custom rule groups that are defined for the account for the specified scope and region location.aws wafv2 list-rule-groups \ --scopeREGIONAL\ --regionus-west-2Output:
{ "RuleGroups":[ { "ARN":"arn:aws:wafv2:us-west-2:123456789012:regional/rulegroup/TestRuleGroup/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Description":"", "Name":"TestRuleGroup", "LockToken":"1eb5ec48-0000-0000-0000-ee9b906c541e", "Id":"a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" }, { "ARN":"arn:aws:wafv2:us-west-2:123456789012:regional/rulegroup/test/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222", "Description":"", "Name":"test", "LockToken":"b0f4583e-998b-4880-9069-3fbe45738b43", "Id":"a1b2c3d4-5678-90ab-cdef-EXAMPLE22222" } ], "NextMarker":"test" }For more information, see Managing Your Own Rule Groups
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see ListRuleGroups
in Amazon CLI Command Reference.
-
The following code example shows how to use list-tags-for-resource.
- Amazon CLI
-
To retrieve all tags for an Amazon WAF resource
The following
list-tags-for-resourceretrieves the list of all tag key, value pairs for the specified web ACL.aws wafv2 list-tags-for-resource \ --resource-arnarn:aws:wafv2:us-west-2:123456789012:regional/webacl/testwebacl2/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111Output:
{ "NextMarker":"", "TagInfoForResource":{ "ResourceARN":"arn:aws:wafv2:us-west-2:123456789012:regional/webacl/testwebacl2/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "TagList":[ ] } }For more information, see Getting Started with Amazon WAF
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see ListTagsForResource
in Amazon CLI Command Reference.
-
The following code example shows how to use list-web-acls.
- Amazon CLI
-
To retrieve the web ACLs for a scope
The following
list-web-aclsretrieves all web ACLs that are defined for the account for the specified scope.aws wafv2 list-web-acls \ --scopeREGIONALOutput:
{ "NextMarker":"Testt", "WebACLs":[ { "ARN":"arn:aws:wafv2:us-west-2:123456789012:regional/webacl/Testt/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "Description":"sssss", "Name":"Testt", "LockToken":"7f36cb30-74ef-4cff-8cd4-a77e1aba1746", "Id":"a1b2c3d4-5678-90ab-cdef-EXAMPLE11111" } ] }For more information, see Managing and Using a Web Access Control List (Web ACL)
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see ListWebAcls
in Amazon CLI Command Reference.
-
The following code example shows how to use put-logging-configuration.
- Amazon CLI
-
To add a logging configuration to a web ACL
The following
put-logging-configurationadds the Amazon Kinesis Data Firehose logging configurationaws-waf-logs-custom-transformationto the specified web ACL, with no fields redacted from the logs.aws wafv2 put-logging-configuration \ --logging-configurationResourceArn=arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test-cli/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111,LogDestinationConfigs=arn:aws:firehose:us-west-2:123456789012:deliverystream/aws-waf-logs-custom-transformation\ --regionus-west-2Output:
{ "LoggingConfiguration":{ "ResourceArn":"arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test-cli/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111", "LogDestinationConfigs":[ "arn:aws:firehose:us-west-2:123456789012:deliverystream/aws-waf-logs-custom-transformation" ] } }For more information, see Logging Web ACL Traffic Information
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see PutLoggingConfiguration
in Amazon CLI Command Reference.
-
The following code example shows how to use tag-resource.
- Amazon CLI
-
To add tags to an Amazon WAF resource
The following
tag-resourceexample adds a tag with a key ofNameand value set toAWSWAFto the specified web ACL.aws wafv2 tag-resource \ --resource-arnarn:aws:wafv2:us-west-2:123456789012:regional/webacl/apiGatewayWebAcl/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111\ --tagsKey=Name,Value=AWSWAFThis command produces no output.
For more information, see Getting Started with Amazon WAF
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see TagResource
in Amazon CLI Command Reference.
-
The following code example shows how to use untag-resource.
- Amazon CLI
-
To remove tags from an Amazon WAF resource
The following
untag-resourceexample removes the tag with the keyKeyNamefrom the specified web ACL.aws wafv2 untag-resource \ --resource-arnarn:aws:wafv2:us-west-2:123456789012:regional/webacl/apiGatewayWebAcl/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111\ --tag-keys"KeyName"This command produces no output.
For more information, see Getting Started with Amazon WAF
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see UntagResource
in Amazon CLI Command Reference.
-
The following code example shows how to use update-ip-set.
- Amazon CLI
-
To modify the settings for an existing IP set
The following
update-ip-setupdates the settings for the specified IP set. This call requires an ID, which you can obtain from the call,list-ip-sets, and a lock token which you can obtain from the calls,list-ip-setsandget-ip-set. This call also returns a lock token that you can use for a subsequent update.aws wafv2 update-ip-set \ --nametestip\ --scopeREGIONAL\ --ida1b2c3d4-5678-90ab-cdef-EXAMPLE11111\ --addresses198.51.100.0/16\ --lock-token447e55ac-2396-4c6d-b9f9-86b67c17f8b5Output:
{ "NextLockToken": "0674c84b-0304-47fe-8728-c6bff46af8fc" }For more information, see IP Sets and Regex Pattern Sets
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see UpdateIpSet
in Amazon CLI Command Reference.
-
The following code example shows how to use update-regex-pattern-set.
- Amazon CLI
-
To modify the settings for an existing regex pattern set
The following
update-regex-pattern-setupdates the settings for the specified regex pattern set. This call requires an ID, which you can obtain from the call,list-regex-pattern-sets, and a lock token which you can obtain from the calls,list-regex-pattern-setsandget-regex-pattern-set. This call also returns a lock token that you can use for a subsequent update.aws wafv2 update-regex-pattern-set \ --nameExampleRegex\ --scopeREGIONAL\ --ida1b2c3d4-5678-90ab-cdef-EXAMPLE11111\ --regular-expression-list RegexString="^.+$" \ --lock-tokened207e9c-82e9-4a77-aadd-81e6173ab7ebOutput:
{ "NextLockToken": "12ebc73e-fa68-417d-a9b8-2bdd761a4fa5" }For more information, see IP Sets and Regex Pattern Sets
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see UpdateRegexPatternSet
in Amazon CLI Command Reference.
-
The following code example shows how to use update-rule-group.
- Amazon CLI
-
To update a custom rule group
The following
update-rule-groupchanges the visibility configuration for an existing custom rule group. This call requires an ID, which you can obtain from the call,list-rule-groups, and a lock token which you can obtain from the calls,list-rule-groupsandget-rule-group. This call also returns a lock token that you can use for a subsequent update.aws wafv2 update-rule-group \ --nameTestRuleGroup\ --scopeREGIONAL\ --ida1b2c3d4-5678-90ab-cdef-EXAMPLE11111\ --lock-token7b3bcec2-0000-0000-0000-563bf47249f0\ --visibility-configSampledRequestsEnabled=false,CloudWatchMetricsEnabled=false,MetricName=TestMetricsForRuleGroup\ --regionus-west-2Output:
{ "NextLockToken": "1eb5ec48-0000-0000-0000-ee9b906c541e" }For more information, see Managing Your Own Rule Groups
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see UpdateRuleGroup
in Amazon CLI Command Reference.
-
The following code example shows how to use update-web-acl.
- Amazon CLI
-
To update a web ACL
The following
update-web-aclchanges settings for an existing web ACL. This call requires an ID, which you can obtain from the call,list-web-acls, and a lock token and other settings, which you can obtain from the callget-web-acl. This call also returns a lock token that you can use for a subsequent update.aws wafv2 update-web-acl \ --nameTestWebAcl\ --scopeREGIONAL\ --ida1b2c3d4-5678-90ab-cdef-EXAMPLE11111\ --lock-token2294b3a1-0000-0000-0000-a3ae04329de9\ --default-actionBlock={}\ --visibility-configSampledRequestsEnabled=false,CloudWatchMetricsEnabled=false,MetricName=NewMetricTestWebAcl\ --rulesfile://waf-rule.json\ --regionus-west-2Output:
{ "NextLockToken": "714a0cfb-0000-0000-0000-2959c8b9a684" }For more information, see Managing and Using a Web Access Control List (Web ACL)
in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide. -
For API details, see UpdateWebAcl
in Amazon CLI Command Reference.
-