This documentation is for Version 1 of the Amazon CLI only. For documentation related to Version 2 of the Amazon CLI, see the Version 2 User Guide.
Amazon WAF Classic Regional examples using Amazon CLI
The following code examples show you how to perform actions and implement common scenarios by using the Amazon Command Line Interface with Amazon WAF Classic Regional.
Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.
Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context.
Actions
The following code example shows how to use associate-web-acl.

Amazon CLI

To associate a web ACL with a resource

The following associate-web-acl command associates a web ACL, specified by the web-acl-id, with a resource, specified by the resource-arn. The resource ARN can refer to either an Application Load Balancer or an API Gateway:

    aws waf-regional associate-web-acl \
        --web-acl-id a123fae4-b567-8e90-1234-5ab67ac8ca90 \
        --resource-arn 12cs345-67cd-890b-1cd2-c3a4567d89f1

For more information, see Working with Web ACLs in the Amazon WAF Developer Guide.

For API details, see AssociateWebAcl in Amazon CLI Command Reference.
The following code example shows how to use put-logging-configuration.

Amazon CLI

To create a logging configuration for the web ACL ARN with the specified Kinesis Firehose stream ARN

The following put-logging-configuration example creates a logging configuration for WAF with ALB/API Gateway in Region us-east-1.

    aws waf-regional put-logging-configuration \
        --logging-configuration ResourceArn=arn:aws:waf-regional:us-east-1:123456789012:webacl/3bffd3ed-fa2e-445e-869f-a6a7cf153fd3,LogDestinationConfigs=arn:aws:firehose:us-east-1:123456789012:deliverystream/aws-waf-logs-firehose-stream,RedactedFields=[] \
        --region us-east-1

Output:

    {
        "LoggingConfiguration": {
            "ResourceArn": "arn:aws:waf-regional:us-east-1:123456789012:webacl/3bffd3ed-fa2e-445e-869f-a6a7cf153fd3",
            "LogDestinationConfigs": [
                "arn:aws:firehose:us-east-1:123456789012:deliverystream/aws-waf-logs-firehose-stream"
            ]
        }
    }

For API details, see PutLoggingConfiguration in Amazon CLI Command Reference.
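The example above passes RedactedFields=[], so every logged request field, including credential-bearing headers, is delivered to the Firehose stream. The following added example (not part of the original documentation) builds the same logging configuration as JSON with selected headers redacted, and rejects a delivery stream whose name lacks the aws-waf-logs- prefix that WAF logging requires. The function name waf_logging_config and the header names in the usage comment are assumptions.

```bash
# Added example: build a --logging-configuration value with redacted headers.
# waf_logging_config WEB_ACL_ARN FIREHOSE_ARN [HEADER_NAME...]
# Prints JSON on stdout; returns 2 on invalid input.
waf_logging_config() {
    local acl_arn="$1" stream_arn="$2" fields="" h
    shift 2

    # Refuse characters that cannot appear in these ARNs, so the values
    # can be embedded in JSON without escaping.
    case "$acl_arn$stream_arn" in
        *[!A-Za-z0-9:/_.-]*) echo "unexpected character in ARN" >&2; return 2 ;;
    esac
    case "$acl_arn" in
        arn:aws*:waf-regional:*:webacl/*) ;;
        *) echo "not a waf-regional web ACL ARN" >&2; return 2 ;;
    esac
    # WAF only delivers logs to streams whose name starts with aws-waf-logs-.
    case "$stream_arn" in
        arn:aws*:firehose:*:deliverystream/aws-waf-logs-*) ;;
        *) echo "stream name must start with aws-waf-logs-" >&2; return 2 ;;
    esac

    # One FieldToMatch object of type HEADER per header to redact.
    for h in "$@"; do
        case "$h" in
            ""|*[!A-Za-z0-9-]*) echo "bad header name: $h" >&2; return 2 ;;
        esac
        fields="$fields${fields:+,}{\"Type\":\"HEADER\",\"Data\":\"$h\"}"
    done

    printf '{"ResourceArn":"%s","LogDestinationConfigs":["%s"],"RedactedFields":[%s]}\n' \
        "$acl_arn" "$stream_arn" "$fields"
}

# Usage (header names are illustrative):
#   cfg=$(waf_logging_config "$WEB_ACL_ARN" "$FIREHOSE_ARN" authorization cookie) &&
#   aws waf-regional put-logging-configuration --logging-configuration "$cfg"
```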
The following code example shows how to use update-byte-match-set.

Amazon CLI

To update a byte match set

The following update-byte-match-set command deletes a ByteMatchTuple object (filter) in a ByteMatchSet. Because the updates value has embedded double quotes, you must surround the value with single quotes.

    aws waf-regional update-byte-match-set \
        --byte-match-set-id a123fae4-b567-8e90-1234-5ab67ac8ca90 \
        --change-token 12cs345-67cd-890b-1cd2-c3a4567d89f1 \
        --updates 'Action="DELETE",ByteMatchTuple={FieldToMatch={Type="HEADER",Data="referer"},TargetString="badrefer1",TextTransformation="NONE",PositionalConstraint="CONTAINS"}'

For more information, see Working with String Match Conditions in the Amazon WAF Developer Guide.

For API details, see UpdateByteMatchSet in Amazon CLI Command Reference.
The following code example shows how to use update-ip-set.

Amazon CLI

To update an IP set

The following update-ip-set command updates an IPSet with an IPv4 address and deletes an IPv6 address. Get the value for change-token by running the get-change-token command. Because the value for updates includes embedded double quotes, you must surround the value with single quotes.

    aws waf-regional update-ip-set \
        --ip-set-id a123fae4-b567-8e90-1234-5ab67ac8ca90 \
        --change-token 12cs345-67cd-890b-1cd2-c3a4567d89f1 \
        --updates 'Action="INSERT",IPSetDescriptor={Type="IPV4",Value="12.34.56.78/16"},Action="DELETE",IPSetDescriptor={Type="IPV6",Value="1111:0000:0000:0000:0000:0000:0000:0111/128"}'

Alternatively, you can use a JSON file to specify the input. For example:

    aws waf-regional update-ip-set \
        --ip-set-id a123fae4-b567-8e90-1234-5ab67ac8ca90 \
        --change-token 12cs345-67cd-890b-1cd2-c3a4567d89f1 \
        --updates file://change.json

Content of the change.json file:

    [
        {
            "Action": "INSERT",
            "IPSetDescriptor": {
                "Type": "IPV4",
                "Value": "12.34.56.78/16"
            }
        },
        {
            "Action": "DELETE",
            "IPSetDescriptor": {
                "Type": "IPV6",
                "Value": "1111:0000:0000:0000:0000:0000:0000:0111/128"
            }
        }
    ]

For more information, see Working with IP Match Conditions in the Amazon WAF Developer Guide.

For API details, see UpdateIpSet in Amazon CLI Command Reference.
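The change-token flow described above, as an added example that is not part of the original documentation: a shell function that requests a token with get-change-token, submits a JSON update file with update-ip-set, and polls get-change-token-status until the change reports INSYNC. The function name waf_update_ip_set and its polling parameters are assumptions.

```bash
# Added example: change-token workflow for a WAF Classic Regional IP set.
# waf_update_ip_set IP_SET_ID UPDATES_JSON [MAX_POLLS] [SLEEP_SECONDS]
# Prints the change token once the change is INSYNC.
# Returns 2 if the file is unreadable, 3 if INSYNC is not reached in time.
waf_update_ip_set() {
    local ip_set_id="$1" updates_file="$2" max_polls="${3:-10}" delay="${4:-5}"
    local token status="" i=0

    [ -r "$updates_file" ] || { echo "cannot read $updates_file" >&2; return 2; }

    # 1. Each update call needs a token obtained from get-change-token.
    token=$(aws waf-regional get-change-token \
        --query ChangeToken --output text) || return 1

    # 2. Submit the change with that token.
    aws waf-regional update-ip-set \
        --ip-set-id "$ip_set_id" \
        --change-token "$token" \
        --updates "file://$updates_file" >/dev/null || return 1

    # 3. PENDING means the change is still propagating; INSYNC means
    #    propagation is complete.
    while [ "$i" -lt "$max_polls" ]; do
        status=$(aws waf-regional get-change-token-status \
            --change-token "$token" \
            --query ChangeTokenStatus --output text) || return 1
        if [ "$status" = "INSYNC" ]; then
            echo "$token"
            return 0
        fi
        i=$((i + 1))
        sleep "$delay"
    done

    echo "change $token still $status after $max_polls checks" >&2
    return 3
}
```

Treating a block-list change as effective only after the function returns 0 avoids acting on an update that is still PENDING.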
The following code example shows how to use update-rule.

Amazon CLI

To update a rule

The following update-rule command deletes a Predicate object in a rule. Because the updates value has embedded double quotes, you must surround the entire value with single quotes.

    aws waf-regional update-rule \
        --rule-id a123fae4-b567-8e90-1234-5ab67ac8ca90 \
        --change-token 12cs345-67cd-890b-1cd2-c3a4567d89f1 \
        --updates 'Action="DELETE",Predicate={Negated=false,Type="ByteMatch",DataId="MyByteMatchSetID"}'

For more information, see Working with Rules in the Amazon WAF Developer Guide.

For API details, see UpdateRule in Amazon CLI Command Reference.
The following code example shows how to use update-size-constraint-set.

Amazon CLI

To update a size constraint set

The following update-size-constraint-set command deletes a SizeConstraint object (filters) in a size constraint set. Because the updates value contains embedded double quotes, you must surround the entire value with single quotes.

    aws waf-regional update-size-constraint-set \
        --size-constraint-set-id a123fae4-b567-8e90-1234-5ab67ac8ca90 \
        --change-token 12cs345-67cd-890b-1cd2-c3a4567d89f1 \
        --updates 'Action="DELETE",SizeConstraint={FieldToMatch={Type="QUERY_STRING"},TextTransformation="NONE",ComparisonOperator="GT",Size=0}'

For more information, see Working with Size Constraint Conditions in the Amazon WAF Developer Guide.

For API details, see UpdateSizeConstraintSet in Amazon CLI Command Reference.
The following code example shows how to use update-sql-injection-match-set.

Amazon CLI

To update a SQL Injection Match Set

The following update-sql-injection-match-set command deletes a SqlInjectionMatchTuple object (filters) in a SQL injection match set. Because the updates value contains embedded double quotes, you must surround the entire value in single quotes.

    aws waf-regional update-sql-injection-match-set \
        --sql-injection-match-set-id a123fae4-b567-8e90-1234-5ab67ac8ca90 \
        --change-token 12cs345-67cd-890b-1cd2-c3a4567d89f1 \
        --updates 'Action="DELETE",SqlInjectionMatchTuple={FieldToMatch={Type="QUERY_STRING"},TextTransformation="URL_DECODE"}'

For more information, see Working with SQL Injection Match Conditions in the Amazon WAF Developer Guide.

For API details, see UpdateSqlInjectionMatchSet in Amazon CLI Command Reference.
The following code example shows how to use update-web-acl.

Amazon CLI

To update a web ACL

The following update-web-acl command deletes an ActivatedRule object in a WebACL. Because the updates value contains embedded double quotes, you must surround the entire value in single quotes.

    aws waf-regional update-web-acl \
        --web-acl-id a123fae4-b567-8e90-1234-5ab67ac8ca90 \
        --change-token 12cs345-67cd-890b-1cd2-c3a4567d89f1 \
        --updates 'Action="DELETE",ActivatedRule={Priority=1,RuleId="WAFRule-1-Example",Action={Type="ALLOW"},Type="ALLOW"}'

For more information, see Working with Web ACLs in the Amazon WAF Developer Guide.

For API details, see UpdateWebAcl in Amazon CLI Command Reference.
The following code example shows how to use update-xss-match-set.

Amazon CLI

To update an XSSMatchSet

The following update-xss-match-set command deletes an XssMatchTuple object (filters) in an XssMatchSet. Because the updates value contains embedded double quotes, you must surround the entire value with single quotes.

    aws waf-regional update-xss-match-set \
        --xss-match-set-id a123fae4-b567-8e90-1234-5ab67ac8ca90 \
        --change-token 12cs345-67cd-890b-1cd2-c3a4567d89f1 \
        --updates 'Action="DELETE",XssMatchTuple={FieldToMatch={Type="QUERY_STRING"},TextTransformation="URL_DECODE"}'

For more information, see Working with Cross-site Scripting Match Conditions in the Amazon WAF Developer Guide.

For API details, see UpdateXssMatchSet in Amazon CLI Command Reference.