This documentation is for Version 1 of the Amazon CLI only. For documentation related to Version 2 of the Amazon CLI, see the Version 2 User Guide.
Amazon WAFV2 examples using Amazon CLI
The following code examples show you how to perform actions and implement common scenarios by using the Amazon Command Line Interface with Amazon WAFV2.
Actions are code excerpts from larger programs and must be run in context. While actions show you how to call individual service functions, you can see actions in context in their related scenarios.
Each example includes a link to the complete source code, where you can find instructions on how to set up and run the code in context.
Topics
Actions
The following code example shows how to use `associate-web-acl`.

- Amazon CLI

To associate a web ACL with a regional Amazon resource

The following `associate-web-acl` example associates the specified web ACL with an Application Load Balancer.

```sh
aws wafv2 associate-web-acl \
    --web-acl-arn arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test-cli/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --resource-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/waf-cli-alb/1ea17125f8b25a2a \
    --region us-west-2
```

This command produces no output.

For more information, see Associating or Disassociating a Web ACL with an Amazon Resource in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see AssociateWebAcl in Amazon CLI Command Reference.
The following code example shows how to use `check-capacity`.

- Amazon CLI

To obtain the capacity used by a set of rules

The following `check-capacity` retrieves the capacity requirements for a rule set that contains a rate-based rule statement and an AND rule statement that contains nested rules.

```sh
aws wafv2 check-capacity \
    --scope REGIONAL \
    --rules file://waf-rule-list.json \
    --region us-west-2
```

Contents of `file://waf-rule-list.json`:

```json
[
    {
        "Name": "basic-rule",
        "Priority": 0,
        "Statement": {
            "AndStatement": {
                "Statements": [
                    {
                        "ByteMatchStatement": {
                            "SearchString": "example.com",
                            "FieldToMatch": { "SingleHeader": { "Name": "host" } },
                            "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ],
                            "PositionalConstraint": "EXACTLY"
                        }
                    },
                    {
                        "GeoMatchStatement": { "CountryCodes": [ "US", "IN" ] }
                    }
                ]
            }
        },
        "Action": { "Allow": {} },
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "basic-rule"
        }
    },
    {
        "Name": "rate-rule",
        "Priority": 1,
        "Statement": {
            "RateBasedStatement": { "Limit": 1000, "AggregateKeyType": "IP" }
        },
        "Action": { "Block": {} },
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "rate-rule"
        }
    }
]
```

Output:

```json
{
    "Capacity": 15
}
```

For more information, see Amazon WAF Web ACL Capacity Units (WCU) in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see CheckCapacity in Amazon CLI Command Reference.
The following code example shows how to use `create-ip-set`.

- Amazon CLI

To create an IP set for use in your web ACLs and rule groups

The following `create-ip-set` command creates an IP set with a single address range specification.

```sh
aws wafv2 create-ip-set \
    --name testip \
    --scope REGIONAL \
    --ip-address-version IPV4 \
    --addresses 198.51.100.0/16
```

Output:

```json
{
    "Summary": {
        "ARN": "arn:aws:wafv2:us-west-2:123456789012:regional/ipset/testip/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "Description": "",
        "Name": "testip",
        "LockToken": "447e55ac-0000-0000-0000-86b67c17f8b5",
        "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    }
}
```

For more information, see IP Sets and Regex Pattern Sets in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see CreateIpSet in Amazon CLI Command Reference.
The following code example shows how to use `create-regex-pattern-set`.

- Amazon CLI

To create a regex pattern set for use in your web ACLs and rule groups

The following `create-regex-pattern-set` command creates a regex pattern set with two regex patterns specified.

```sh
aws wafv2 create-regex-pattern-set \
    --name regexPatterSet01 \
    --scope REGIONAL \
    --description 'Test web-acl' \
    --regular-expression-list '[{"RegexString": "/[0-9]*/"},{"RegexString": "/[a-z]*/"}]'
```

Output:

```json
{
    "Summary": {
        "ARN": "arn:aws:wafv2:us-west-2:123456789012:regional/regexpatternset/regexPatterSet01/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "Description": "Test web-acl",
        "Name": "regexPatterSet01",
        "LockToken": "0bc01e21-03c9-4b98-9433-6229cbf1ef1c",
        "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    }
}
```

For more information, see IP Sets and Regex Pattern Sets in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see CreateRegexPatternSet in Amazon CLI Command Reference.
The following code example shows how to use `create-rule-group`.

- Amazon CLI

To create a custom rule group for use in your web ACLs

The following `create-rule-group` command creates a custom rule group for regional use. The rule statements for the group are provided in a JSON-formatted file.

```sh
aws wafv2 create-rule-group \
    --name "TestRuleGroup" \
    --scope REGIONAL \
    --capacity 250 \
    --rules file://waf-rule.json \
    --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=TestRuleGroupMetrics \
    --region us-west-2
```

Contents of `file://waf-rule.json`:

```json
[
    {
        "Name": "basic-rule",
        "Priority": 0,
        "Statement": {
            "AndStatement": {
                "Statements": [
                    {
                        "ByteMatchStatement": {
                            "SearchString": "example.com",
                            "FieldToMatch": { "SingleHeader": { "Name": "host" } },
                            "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ],
                            "PositionalConstraint": "EXACTLY"
                        }
                    },
                    {
                        "GeoMatchStatement": { "CountryCodes": [ "US", "IN" ] }
                    }
                ]
            }
        },
        "Action": { "Allow": {} },
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "basic-rule"
        }
    }
]
```

Output:

```json
{
    "Summary": {
        "ARN": "arn:aws:wafv2:us-west-2:123456789012:regional/rulegroup/TestRuleGroup/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "Description": "",
        "Name": "TestRuleGroup",
        "LockToken": "7b3bcec2-374e-4c5a-b2b9-563bf47249f0",
        "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    }
}
```

For more information, see Managing Your Own Rule Groups in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see CreateRuleGroup in Amazon CLI Command Reference.
The following code example shows how to use `create-web-acl`.

- Amazon CLI

To create a web ACL

The following `create-web-acl` command creates a web ACL for regional use. The rule statements for the web ACL are provided in a JSON-formatted file.

```sh
aws wafv2 create-web-acl \
    --name TestWebAcl \
    --scope REGIONAL \
    --default-action Allow={} \
    --visibility-config SampledRequestsEnabled=true,CloudWatchMetricsEnabled=true,MetricName=TestWebAclMetrics \
    --rules file://waf-rule.json \
    --region us-west-2
```

Contents of `file://waf-rule.json`:

```json
[
    {
        "Name": "basic-rule",
        "Priority": 0,
        "Statement": {
            "AndStatement": {
                "Statements": [
                    {
                        "ByteMatchStatement": {
                            "SearchString": "example.com",
                            "FieldToMatch": { "SingleHeader": { "Name": "host" } },
                            "TextTransformations": [ { "Priority": 0, "Type": "LOWERCASE" } ],
                            "PositionalConstraint": "EXACTLY"
                        }
                    },
                    {
                        "GeoMatchStatement": { "CountryCodes": [ "US", "IN" ] }
                    }
                ]
            }
        },
        "Action": { "Allow": {} },
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "basic-rule"
        }
    }
]
```

Output:

```json
{
    "Summary": {
        "ARN": "arn:aws:wafv2:us-west-2:123456789012:regional/webacl/TestWebAcl/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "Description": "",
        "Name": "TestWebAcl",
        "LockToken": "2294b3a1-eb60-4aa0-a86f-a3ae04329de9",
        "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    }
}
```

For more information, see Managing and Using a Web Access Control List (Web ACL) in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see CreateWebAcl in Amazon CLI Command Reference.
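The `check-capacity`, `create-rule-group` and `create-web-acl` examples above all take the same rule-list JSON through `--rules file://...`. The service rejects a malformed list at call time, but it is cheaper to catch the common mistakes (duplicate priorities, a rule with no `VisibilityConfig`, a match statement without `TextTransformations`) before the call, especially in a pipeline that regenerates the file. The following is an added example written for this page, not AWS code: it embeds an inline copy of the page's `waf-rule-list.json` (constructed here so the script runs offline) and walks every rule and nested statement. The key names it checks (`AndStatement`, `ByteMatchStatement`, `RateBasedStatement`, and so on) are the ones used on this page; the `FIELD_STATEMENTS` list is an assumption about which statement types need a `FieldToMatch`.

```python
"""Structural checks for an AWS WAFv2 rule list before it is handed to
check-capacity, create-rule-group or create-web-acl via --rules file://...
Added example for this page, not AWS code. SAMPLE_RULE_LIST is an inline
copy of the page's waf-rule-list.json, constructed here for offline use.
"""
import json

SAMPLE_RULE_LIST = """
[
  {"Name": "basic-rule", "Priority": 0,
   "Statement": {"AndStatement": {"Statements": [
     {"ByteMatchStatement": {"SearchString": "example.com",
        "FieldToMatch": {"SingleHeader": {"Name": "host"}},
        "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}],
        "PositionalConstraint": "EXACTLY"}},
     {"GeoMatchStatement": {"CountryCodes": ["US", "IN"]}}]}},
   "Action": {"Allow": {}},
   "VisibilityConfig": {"SampledRequestsEnabled": true,
                        "CloudWatchMetricsEnabled": true, "MetricName": "basic-rule"}},
  {"Name": "rate-rule", "Priority": 1,
   "Statement": {"RateBasedStatement": {"Limit": 1000, "AggregateKeyType": "IP"}},
   "Action": {"Block": {}},
   "VisibilityConfig": {"SampledRequestsEnabled": true,
                        "CloudWatchMetricsEnabled": true, "MetricName": "rate-rule"}}
]
"""

REQUIRED_RULE_KEYS = ("Name", "Priority", "Statement", "Action", "VisibilityConfig")
# Assumption: statements that inspect a request component need a FieldToMatch
# and at least one TextTransformation (the page's examples use LOWERCASE / NONE).
FIELD_STATEMENTS = ("ByteMatchStatement", "SizeConstraintStatement", "SqliMatchStatement",
                    "XssMatchStatement", "RegexPatternSetReferenceStatement")


def load_rule_list(text):
    """Parse the JSON text of a --rules file."""
    return json.loads(text)


def walk_statements(statement, path="Statement"):
    """Yield (path, type, body) for every statement, descending into And/Or/Not."""
    for stype, body in statement.items():
        yield path, stype, body
        if stype in ("AndStatement", "OrStatement"):
            for i, child in enumerate(body.get("Statements", [])):
                yield from walk_statements(child, f"{path}.{stype}.Statements[{i}]")
        elif stype == "NotStatement":
            yield from walk_statements(body.get("Statement", {}), f"{path}.NotStatement.Statement")


def validate_rule_list(rules):
    """Return a list of findings; an empty list means the structure looks sound."""
    findings = []
    if not isinstance(rules, list):
        return ["rule list must be a JSON array of rule objects"]
    priorities, names = {}, set()
    for idx, rule in enumerate(rules):
        where = f"rule[{idx}]"
        missing = [k for k in REQUIRED_RULE_KEYS if k not in rule]
        if missing:
            findings.append(f"{where}: missing keys {missing}")
            continue
        name, prio = rule["Name"], rule["Priority"]
        where = f"{where} {name!r}"
        if name in names:
            findings.append(f"{where}: duplicate rule name")
        names.add(name)
        if isinstance(prio, bool) or not isinstance(prio, int) or prio < 0:
            findings.append(f"{where}: Priority must be a non-negative integer")
        elif prio in priorities:  # rules are evaluated in priority order; priorities must be unique
            findings.append(f"{where}: Priority {prio} already used by {priorities[prio]!r}")
        else:
            priorities[prio] = name
        if len(rule["Action"]) != 1:
            findings.append(f"{where}: Action must hold exactly one action type")
        if not rule["VisibilityConfig"].get("MetricName"):
            findings.append(f"{where}: VisibilityConfig.MetricName is required")
        if not rule["Statement"]:
            findings.append(f"{where}: Statement is empty")
        for path, stype, body in walk_statements(rule["Statement"]):
            if stype in ("AndStatement", "OrStatement") and not body.get("Statements"):
                findings.append(f"{where}: {path}.{stype} has no nested statements")
            elif stype == "NotStatement" and not body.get("Statement"):
                findings.append(f"{where}: {path}.NotStatement has no nested statement")
            elif stype in FIELD_STATEMENTS:
                if "FieldToMatch" not in body:
                    findings.append(f"{where}: {path}.{stype} needs FieldToMatch")
                transforms = body.get("TextTransformations")
                if not transforms or any({"Priority", "Type"} - set(t) for t in transforms):
                    findings.append(f"{where}: {path}.{stype} needs TextTransformations "
                                    "entries with Priority and Type")
            elif stype == "RateBasedStatement":
                limit = body.get("Limit")
                if not isinstance(limit, int) or limit <= 0:
                    findings.append(f"{where}: {path}.RateBasedStatement.Limit must be a positive integer")
                if "AggregateKeyType" not in body:
                    findings.append(f"{where}: {path}.RateBasedStatement needs AggregateKeyType")
    return findings


if __name__ == "__main__":
    problems = validate_rule_list(load_rule_list(SAMPLE_RULE_LIST))
    print("\n".join(problems) if problems else "rule list OK")
```

Run it against the real file with `validate_rule_list(load_rule_list(open("waf-rule-list.json").read()))` before calling `check-capacity`; the findings carry the JSON path of the offending statement so the fix is easy to locate. The script checks structure only; whether the rules fit the capacity you request is still what `check-capacity` is for.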
The following code example shows how to use `delete-ip-set`.

- Amazon CLI

To delete an IP set

The following `delete-ip-set` deletes the specified IP set. This call requires an ID, which you can obtain from the call `list-ip-sets`, and a lock token, which you can obtain from the calls `list-ip-sets` and `get-ip-set`.

```sh
aws wafv2 delete-ip-set \
    --name test1 \
    --scope REGIONAL \
    --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --lock-token 46851772-db6f-459d-9385-49428812e357
```

This command produces no output.

For more information, see IP Sets and Regex Pattern Sets in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see DeleteIpSet in Amazon CLI Command Reference.
The following code example shows how to use `delete-logging-configuration`.

- Amazon CLI

To disable logging for a web ACL

The following `delete-logging-configuration` removes any logging configuration from the specified web ACL.

```sh
aws wafv2 delete-logging-configuration \
    --resource-arn arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222
```

This command produces no output.

For more information, see Logging Web ACL Traffic Information in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see DeleteLoggingConfiguration in Amazon CLI Command Reference.
The following code example shows how to use `delete-regex-pattern-set`.

- Amazon CLI

To delete a regex pattern set

The following `delete-regex-pattern-set` deletes the specified regex pattern set. This call requires an ID, which you can obtain from the call `list-regex-pattern-sets`, and a lock token, which you can obtain from the call `list-regex-pattern-sets` or the call `get-regex-pattern-set`.

```sh
aws wafv2 delete-regex-pattern-set \
    --name regexPatterSet01 \
    --scope REGIONAL \
    --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --lock-token 0bc01e21-03c9-4b98-9433-6229cbf1ef1c
```

This command produces no output.

For more information, see IP Sets and Regex Pattern Sets in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see DeleteRegexPatternSet in Amazon CLI Command Reference.
The following code example shows how to use `delete-rule-group`.

- Amazon CLI

To delete a custom rule group

The following `delete-rule-group` deletes the specified custom rule group. This call requires an ID, which you can obtain from the call `list-rule-groups`, and a lock token, which you can obtain from the call `list-rule-groups` or the call `get-rule-group`.

```sh
aws wafv2 delete-rule-group \
    --name TestRuleGroup \
    --scope REGIONAL \
    --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --lock-token 7b3bcec2-0000-0000-0000-563bf47249f0
```

This command produces no output.

For more information, see Managing Your Own Rule Groups in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see DeleteRuleGroup in Amazon CLI Command Reference.
The following code example shows how to use `delete-web-acl`.

- Amazon CLI

To delete a web ACL

The following `delete-web-acl` deletes the specified web ACL from your account. A web ACL can only be deleted when it's not associated with any resources. This call requires an ID, which you can obtain from the call `list-web-acls`, and a lock token, which you can obtain from the call `list-web-acls` or the call `get-web-acl`.

```sh
aws wafv2 delete-web-acl \
    --name test \
    --scope REGIONAL \
    --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --lock-token ebab4ed2-155e-4c9a-9efb-e4c45665b1f5
```

This command produces no output.

For more information, see Managing and Using a Web Access Control List (Web ACL) in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see DeleteWebAcl in Amazon CLI Command Reference.
The following code example shows how to use `describe-managed-rule-group`.

- Amazon CLI

To retrieve the description for a managed rule group

The following `describe-managed-rule-group` retrieves the description for an Amazon managed rule group.

```sh
aws wafv2 describe-managed-rule-group \
    --vendor-name AWS \
    --name AWSManagedRulesCommonRuleSet \
    --scope REGIONAL
```

Output:

```json
{
    "Capacity": 700,
    "Rules": [
        { "Name": "NoUserAgent_HEADER", "Action": { "Block": {} } },
        { "Name": "UserAgent_BadBots_HEADER", "Action": { "Block": {} } },
        { "Name": "SizeRestrictions_QUERYSTRING", "Action": { "Block": {} } },
        { "Name": "SizeRestrictions_Cookie_HEADER", "Action": { "Block": {} } },
        { "Name": "SizeRestrictions_BODY", "Action": { "Block": {} } },
        { "Name": "SizeRestrictions_URIPATH", "Action": { "Block": {} } },
        { "Name": "EC2MetaDataSSRF_BODY", "Action": { "Block": {} } },
        { "Name": "EC2MetaDataSSRF_COOKIE", "Action": { "Block": {} } },
        { "Name": "EC2MetaDataSSRF_URIPATH", "Action": { "Block": {} } },
        { "Name": "EC2MetaDataSSRF_QUERYARGUMENTS", "Action": { "Block": {} } },
        { "Name": "GenericLFI_QUERYARGUMENTS", "Action": { "Block": {} } },
        { "Name": "GenericLFI_URIPATH", "Action": { "Block": {} } },
        { "Name": "GenericLFI_BODY", "Action": { "Block": {} } },
        { "Name": "RestrictedExtensions_URIPATH", "Action": { "Block": {} } },
        { "Name": "RestrictedExtensions_QUERYARGUMENTS", "Action": { "Block": {} } },
        { "Name": "GenericRFI_QUERYARGUMENTS", "Action": { "Block": {} } },
        { "Name": "GenericRFI_BODY", "Action": { "Block": {} } },
        { "Name": "GenericRFI_URIPATH", "Action": { "Block": {} } },
        { "Name": "CrossSiteScripting_COOKIE", "Action": { "Block": {} } },
        { "Name": "CrossSiteScripting_QUERYARGUMENTS", "Action": { "Block": {} } },
        { "Name": "CrossSiteScripting_BODY", "Action": { "Block": {} } },
        { "Name": "CrossSiteScripting_URIPATH", "Action": { "Block": {} } }
    ]
}
```

For more information, see Managed Rule Groups in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see DescribeManagedRuleGroup in Amazon CLI Command Reference.
The following code example shows how to use `disassociate-web-acl`.

- Amazon CLI

To disassociate a web ACL from a regional Amazon resource

The following `disassociate-web-acl` example removes any existing web ACL association from the specified Application Load Balancer.

```sh
aws wafv2 disassociate-web-acl \
    --resource-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/waf-cli-alb/1ea17125f8b25a2a \
    --region us-west-2
```

This command produces no output.

For more information, see Associating or Disassociating a Web ACL with an Amazon Resource in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see DisassociateWebAcl in Amazon CLI Command Reference.
The following code example shows how to use `get-ip-set`.

- Amazon CLI

To retrieve a specific IP set

The following `get-ip-set` retrieves the IP set with the specified name, scope, and ID. You can get the ID for an IP set from the commands `create-ip-set` and `list-ip-sets`.

```sh
aws wafv2 get-ip-set \
    --name testip \
    --scope REGIONAL \
    --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
```

Output:

```json
{
    "IPSet": {
        "Description": "",
        "Name": "testip",
        "IPAddressVersion": "IPV4",
        "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE1111",
        "ARN": "arn:aws:wafv2:us-west-2:123456789012:regional/ipset/testip/a1b2c3d4-5678-90ab-cdef-EXAMPLE1111",
        "Addresses": [ "192.0.2.0/16" ]
    },
    "LockToken": "447e55ac-2396-4c6d-b9f9-86b67c17f8b5"
}
```

For more information, see IP Sets and Regex Pattern Sets in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see GetIpSet in Amazon CLI Command Reference.
The following code example shows how to use `get-logging-configuration`.

- Amazon CLI

To retrieve the logging configurations for a web ACL

The following `get-logging-configuration` retrieves the logging configuration for the specified web ACL.

```sh
aws wafv2 get-logging-configuration \
    --resource-arn arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222 \
    --region us-west-2
```

Output:

```json
{
    "LoggingConfiguration": {
        "ResourceArn": "arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
        "RedactedFields": [
            { "Method": {} }
        ],
        "LogDestinationConfigs": [
            "arn:aws:firehose:us-west-2:123456789012:deliverystream/aws-waf-logs-custom-transformation"
        ]
    }
}
```

For more information, see Logging Web ACL Traffic Information in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see GetLoggingConfiguration in Amazon CLI Command Reference.
The following code example shows how to use `get-rate-based-statement-managed-keys`.

- Amazon CLI

To retrieve a list of IP addresses that are blocked by a rate-based rule

The following `get-rate-based-statement-managed-keys` retrieves the IP addresses currently blocked by a rate-based rule that's being used for a regional application.

```sh
aws wafv2 get-rate-based-statement-managed-keys \
    --scope REGIONAL \
    --web-acl-name testwebacl2 \
    --web-acl-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --rule-name ratebasedtest
```

Output:

```json
{
    "ManagedKeysIPV4": {
        "IPAddressVersion": "IPV4",
        "Addresses": [ "198.51.100.0/32" ]
    },
    "ManagedKeysIPV6": {
        "IPAddressVersion": "IPV6",
        "Addresses": []
    }
}
```

For more information, see Rate-Based Rule Statement in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see GetRateBasedStatementManagedKeys in Amazon CLI Command Reference.
The following code example shows how to use `get-regex-pattern-set`.

- Amazon CLI

To retrieve a specific regex pattern set

The following `get-regex-pattern-set` retrieves the regex pattern set with the specified name, scope, region, and ID. You can get the ID for a regex pattern set from the commands `create-regex-pattern-set` and `list-regex-pattern-sets`.

```sh
aws wafv2 get-regex-pattern-set \
    --name regexPatterSet01 \
    --scope REGIONAL \
    --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --region us-west-2
```

Output:

```json
{
    "RegexPatternSet": {
        "Description": "Test web-acl",
        "RegularExpressionList": [
            { "RegexString": "/[0-9]*/" },
            { "RegexString": "/[a-z]*/" }
        ],
        "Name": "regexPatterSet01",
        "ARN": "arn:aws:wafv2:us-west-2:123456789012:regional/regexpatternset/regexPatterSet01/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
    },
    "LockToken": "c8abf33f-b6fc-46ae-846e-42f994d57b29"
}
```

For more information, see IP Sets and Regex Pattern Sets in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see GetRegexPatternSet in Amazon CLI Command Reference.
The following code example shows how to use `get-rule-group`.

- Amazon CLI

To retrieve a specific custom rule group

The following `get-rule-group` retrieves the custom rule group with the specified name, scope, and ID. You can get the ID for a rule group from the commands `create-rule-group` and `list-rule-groups`.

```sh
aws wafv2 get-rule-group \
    --name ff \
    --scope REGIONAL \
    --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
```

Output:

```json
{
    "RuleGroup": {
        "Capacity": 1,
        "Description": "",
        "Rules": [
            {
                "Priority": 0,
                "Action": { "Block": {} },
                "VisibilityConfig": {
                    "SampledRequestsEnabled": true,
                    "CloudWatchMetricsEnabled": true,
                    "MetricName": "jj"
                },
                "Name": "jj",
                "Statement": {
                    "SizeConstraintStatement": {
                        "ComparisonOperator": "LE",
                        "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ],
                        "FieldToMatch": { "UriPath": {} },
                        "Size": 7
                    }
                }
            }
        ],
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "ff"
        },
        "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "ARN": "arn:aws:wafv2:us-west-2:123456789012:regional/rulegroup/ff/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "Name": "ff"
    },
    "LockToken": "485458c9-1830-4234-af31-ec4d52ced1b3"
}
```

For more information, see Managing Your Own Rule Groups in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see GetRuleGroup in Amazon CLI Command Reference.
The following code example shows how to use `get-sampled-requests`.

- Amazon CLI

To retrieve a sample of web requests for a web ACL

The following `get-sampled-requests` retrieves the sampled web requests for the specified web ACL, rule metric, and time frame.

```sh
aws wafv2 get-sampled-requests \
    --web-acl-arn arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test-cli/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --rule-metric-name AWS-AWSManagedRulesSQLiRuleSet \
    --scope=REGIONAL \
    --time-window StartTime=2020-02-12T20:00Z,EndTime=2020-02-12T21:10Z \
    --max-items 100
```

Output:

```json
{
    "TimeWindow": {
        "EndTime": 1581541800.0,
        "StartTime": 1581537600.0
    },
    "SampledRequests": [
        {
            "Action": "BLOCK",
            "Timestamp": 1581541799.564,
            "RuleNameWithinRuleGroup": "AWS#AWSManagedRulesSQLiRuleSet#SQLi_BODY",
            "Request": {
                "Country": "US",
                "URI": "/",
                "Headers": [
                    { "Name": "Host", "Value": "alb-test-1EXAMPLE1.us-east-1.elb.amazonaws.com" },
                    { "Name": "Content-Length", "Value": "7456" },
                    { "Name": "User-Agent", "Value": "curl/7.53.1" },
                    { "Name": "Accept", "Value": "/" },
                    { "Name": "Content-Type", "Value": "application/x-www-form-urlencoded" }
                ],
                "ClientIP": "198.51.100.08",
                "Method": "POST",
                "HTTPVersion": "HTTP/1.1"
            },
            "Weight": 1
        },
        {
            "Action": "BLOCK",
            "Timestamp": 1581541799.988,
            "RuleNameWithinRuleGroup": "AWS#AWSManagedRulesSQLiRuleSet#SQLi_BODY",
            "Request": {
                "Country": "US",
                "URI": "/",
                "Headers": [
                    { "Name": "Host", "Value": "alb-test-1EXAMPLE1.us-east-1.elb.amazonaws.com" },
                    { "Name": "Content-Length", "Value": "7456" },
                    { "Name": "User-Agent", "Value": "curl/7.53.1" },
                    { "Name": "Accept", "Value": "/" },
                    { "Name": "Content-Type", "Value": "application/x-www-form-urlencoded" }
                ],
                "ClientIP": "198.51.100.08",
                "Method": "POST",
                "HTTPVersion": "HTTP/1.1"
            },
            "Weight": 3
        },
        {
            "Action": "BLOCK",
            "Timestamp": 1581541799.846,
            "RuleNameWithinRuleGroup": "AWS#AWSManagedRulesSQLiRuleSet#SQLi_BODY",
            "Request": {
                "Country": "US",
                "URI": "/",
                "Headers": [
                    { "Name": "Host", "Value": "alb-test-1EXAMPLE1.us-east-1.elb.amazonaws.com" },
                    { "Name": "Content-Length", "Value": "7456" },
                    { "Name": "User-Agent", "Value": "curl/7.53.1" },
                    { "Name": "Accept", "Value": "/" },
                    { "Name": "Content-Type", "Value": "application/x-www-form-urlencoded" }
                ],
                "ClientIP": "198.51.100.08",
                "Method": "POST",
                "HTTPVersion": "HTTP/1.1"
            },
            "Weight": 1
        },
        {
            "Action": "BLOCK",
            "Timestamp": 1581541799.4,
            "RuleNameWithinRuleGroup": "AWS#AWSManagedRulesSQLiRuleSet#SQLi_BODY",
            "Request": {
                "Country": "US",
                "URI": "/",
                "Headers": [
                    { "Name": "Host", "Value": "alb-test-1EXAMPLE1.us-east-1.elb.amazonaws.com" },
                    { "Name": "Content-Length", "Value": "7456" },
                    { "Name": "User-Agent", "Value": "curl/7.53.1" },
                    { "Name": "Accept", "Value": "/" },
                    { "Name": "Content-Type", "Value": "application/x-www-form-urlencoded" }
                ],
                "ClientIP": "198.51.100.08",
                "Method": "POST",
                "HTTPVersion": "HTTP/1.1"
            },
            "Weight": 1
        }
    ],
    "PopulationSize": 4
}
```

For more information, see Viewing a Sample of Web Requests in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see GetSampledRequests in Amazon CLI Command Reference.
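The `get-sampled-requests` output above is the raw material for a quick triage of what a rule is blocking: the `TimeWindow` comes back as epoch seconds rather than the ISO timestamps passed on the command line, and each sample carries a `Weight` that expresses its share of the traffic relative to the other samples, so simple row counts undercount. The following is an added example written for this page, not AWS code: it loads a constructed, header-abridged copy of the page's output and produces weighted totals per client IP, per rule and action, and per `User-Agent`, plus the time window in ISO-8601. The helper names (`aggregate`, `time_window`, `header`) are this example's own.

```python
"""Weighted triage of get-sampled-requests output. Added example for this
page, not AWS code. SAMPLE_OUTPUT is a constructed copy of the page's output
with the header list shortened to Host and User-Agent.
"""
import json
from collections import Counter
from datetime import datetime, timezone


def _sample(ts, weight):
    """Build one sampled request in the shape get-sampled-requests returns (constructed)."""
    return {"Action": "BLOCK", "Timestamp": ts,
            "RuleNameWithinRuleGroup": "AWS#AWSManagedRulesSQLiRuleSet#SQLi_BODY",
            "Request": {"Country": "US", "URI": "/", "Method": "POST", "HTTPVersion": "HTTP/1.1",
                        "ClientIP": "198.51.100.08",
                        "Headers": [{"Name": "Host", "Value": "alb-test-1EXAMPLE1.us-east-1.elb.amazonaws.com"},
                                    {"Name": "User-Agent", "Value": "curl/7.53.1"}]},
            "Weight": weight}


SAMPLE_OUTPUT = json.dumps({
    "TimeWindow": {"StartTime": 1581537600.0, "EndTime": 1581541800.0},
    "SampledRequests": [_sample(1581541799.564, 1), _sample(1581541799.988, 3),
                        _sample(1581541799.846, 1), _sample(1581541799.4, 1)],
    "PopulationSize": 4,
})


def load_sampled_requests(text):
    """Parse the JSON the CLI printed (e.g. read from a file or a pipe)."""
    return json.loads(text)


def header(request, name):
    """Case-insensitive header lookup; '-' when the header is absent."""
    return next((h["Value"] for h in request.get("Headers", [])
                 if h["Name"].lower() == name.lower()), "-")


def time_window(doc):
    """TimeWindow is returned as epoch seconds; render it as ISO-8601 UTC."""
    def fmt(ts):
        return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return fmt(doc["TimeWindow"]["StartTime"]), fmt(doc["TimeWindow"]["EndTime"])


def aggregate(doc):
    """Weighted counters: each sample contributes its Weight, not 1."""
    by_ip, by_rule, by_agent = Counter(), Counter(), Counter()
    for s in doc["SampledRequests"]:
        w, req = s["Weight"], s["Request"]
        by_ip[req["ClientIP"]] += w
        by_rule[(s["RuleNameWithinRuleGroup"], s["Action"])] += w
        by_agent[header(req, "user-agent")] += w
    return {"population": doc["PopulationSize"], "samples": len(doc["SampledRequests"]),
            "weighted_total": sum(by_ip.values()),
            "by_ip": by_ip, "by_rule": by_rule, "by_agent": by_agent}


if __name__ == "__main__":
    doc = load_sampled_requests(SAMPLE_OUTPUT)
    start, end = time_window(doc)
    agg = aggregate(doc)
    print(f"window {start} .. {end}: {agg['samples']} samples, population {agg['population']}")
    for ip, w in agg["by_ip"].most_common(5):
        print(f"  {ip:<16} weight {w}")
    for (rule, action), w in agg["by_rule"].most_common():
        print(f"  {action} by {rule}: weight {w}")
    for agent, w in agg["by_agent"].most_common(5):
        print(f"  {agent!r}: weight {w}")
```

On the page's data the four samples weigh 6 in total, all from one client and one rule, which is the kind of concentration that makes a single source worth an IP set or a rate-based rule rather than a broader change to the ACL. Feed real output in with `load_sampled_requests(open("samples.json").read())` after redirecting the CLI's stdout to that file.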
The following code example shows how to use `get-web-acl-for-resource`.

- Amazon CLI

To retrieve the web ACL that's associated with an Amazon resource

The following `get-web-acl-for-resource` retrieves the JSON for the web ACL that's associated with the specified resource.

```sh
aws wafv2 get-web-acl-for-resource \
    --resource-arn arn:aws:elasticloadbalancing:us-west-2:123456789012:loadbalancer/app/waf-cli-alb/1ea17125f8b25a2a
```

Output:

```json
{
    "WebACL": {
        "Capacity": 3,
        "Description": "",
        "Rules": [
            {
                "Priority": 1,
                "Action": { "Block": {} },
                "VisibilityConfig": {
                    "SampledRequestsEnabled": true,
                    "CloudWatchMetricsEnabled": true,
                    "MetricName": "testrule01"
                },
                "Name": "testrule01",
                "Statement": {
                    "AndStatement": {
                        "Statements": [
                            {
                                "ByteMatchStatement": {
                                    "PositionalConstraint": "EXACTLY",
                                    "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ],
                                    "SearchString": "dGVzdHN0cmluZw==",
                                    "FieldToMatch": { "UriPath": {} }
                                }
                            },
                            {
                                "SizeConstraintStatement": {
                                    "ComparisonOperator": "EQ",
                                    "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ],
                                    "FieldToMatch": { "QueryString": {} },
                                    "Size": 0
                                }
                            }
                        ]
                    }
                }
            }
        ],
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "test01"
        },
        "DefaultAction": { "Allow": {} },
        "Id": "9a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "ARN": "arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test01/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "Name": "test01"
    }
}
```

For more information, see Associating or Disassociating a Web ACL with an Amazon Resource in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see GetWebAclForResource in Amazon CLI Command Reference.
The following code example shows how to use `get-web-acl`.

- Amazon CLI

To retrieve a web ACL

The following `get-web-acl` retrieves the web ACL with the specified name, scope, and ID. You can get the ID for a web ACL from the commands `create-web-acl` and `list-web-acls`.

```sh
aws wafv2 get-web-acl \
    --name test01 \
    --scope REGIONAL \
    --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111
```

Output:

```json
{
    "WebACL": {
        "Capacity": 3,
        "Description": "",
        "Rules": [
            {
                "Priority": 1,
                "Action": { "Block": {} },
                "VisibilityConfig": {
                    "SampledRequestsEnabled": true,
                    "CloudWatchMetricsEnabled": true,
                    "MetricName": "testrule01"
                },
                "Name": "testrule01",
                "Statement": {
                    "AndStatement": {
                        "Statements": [
                            {
                                "ByteMatchStatement": {
                                    "PositionalConstraint": "EXACTLY",
                                    "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ],
                                    "SearchString": "dGVzdHN0cmluZw==",
                                    "FieldToMatch": { "UriPath": {} }
                                }
                            },
                            {
                                "SizeConstraintStatement": {
                                    "ComparisonOperator": "EQ",
                                    "TextTransformations": [ { "Priority": 0, "Type": "NONE" } ],
                                    "FieldToMatch": { "QueryString": {} },
                                    "Size": 0
                                }
                            }
                        ]
                    }
                }
            }
        ],
        "VisibilityConfig": {
            "SampledRequestsEnabled": true,
            "CloudWatchMetricsEnabled": true,
            "MetricName": "test01"
        },
        "DefaultAction": { "Allow": {} },
        "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "ARN": "arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test01/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "Name": "test01"
    },
    "LockToken": "e3db7e2c-d58b-4ee6-8346-6aec5511c6fb"
}
```

For more information, see Managing and Using a Web Access Control List (Web ACL) in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see GetWebAcl in Amazon CLI Command Reference.
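Reviewing a deployed ACL from `get-web-acl` or `get-web-acl-for-resource` output means reading nested `AndStatement`/`OrStatement` trees and, for `ByteMatchStatement`, a `SearchString` that the API returns base64-encoded (`dGVzdHN0cmluZw==` above, whereas the create-time rule file on this page carries plain text such as `example.com`). The following is an added example written for this page, not AWS code: it loads a constructed inline copy of the page's `get-web-acl` output, decodes the search string, and flattens each rule into a one-line condition with its action, sorted by priority. The rendering vocabulary (`header:host`, `len(QueryString) EQ 0`, `rate >`) is this example's own shorthand, and the handling of `OverrideAction` for rule-group references is an assumption about output shapes not shown on this page.

```python
"""Summarise a web ACL from get-web-acl output: rule order, condition, action.
Added example for this page, not AWS code. SAMPLE_GET_WEB_ACL is an inline,
constructed copy of the page's get-web-acl output.
"""
import base64
import json

SAMPLE_GET_WEB_ACL = """
{"WebACL": {"Capacity": 3, "Description": "", "Name": "test01",
  "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  "ARN": "arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test01/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
  "DefaultAction": {"Allow": {}},
  "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "test01"},
  "Rules": [{"Name": "testrule01", "Priority": 1, "Action": {"Block": {}},
    "VisibilityConfig": {"SampledRequestsEnabled": true, "CloudWatchMetricsEnabled": true, "MetricName": "testrule01"},
    "Statement": {"AndStatement": {"Statements": [
      {"ByteMatchStatement": {"PositionalConstraint": "EXACTLY",
         "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
         "SearchString": "dGVzdHN0cmluZw==", "FieldToMatch": {"UriPath": {}}}},
      {"SizeConstraintStatement": {"ComparisonOperator": "EQ",
         "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
         "FieldToMatch": {"QueryString": {}}, "Size": 0}}]}}}]},
 "LockToken": "e3db7e2c-d58b-4ee6-8346-6aec5511c6fb"}
"""


def load_web_acl(text):
    """Parse the JSON the CLI printed."""
    return json.loads(text)


def decode_search_string(value):
    """get-web-acl returns ByteMatchStatement.SearchString base64-encoded."""
    return base64.b64decode(value).decode("utf-8", errors="replace")


def field_name(field_to_match):
    """Render FieldToMatch as a short label, e.g. UriPath or header:host."""
    (kind, spec), = field_to_match.items()
    if kind in ("SingleHeader", "SingleQueryArgument"):
        return f"{'header' if kind == 'SingleHeader' else 'arg'}:{spec['Name']}"
    return kind


def describe(statement):
    """Render a (possibly nested) rule statement as one readable condition."""
    (stype, body), = statement.items()
    if stype in ("AndStatement", "OrStatement"):
        joiner = " AND " if stype == "AndStatement" else " OR "
        return "(" + joiner.join(describe(s) for s in body["Statements"]) + ")"
    if stype == "NotStatement":
        return "NOT " + describe(body["Statement"])
    if stype == "ByteMatchStatement":
        text = decode_search_string(body["SearchString"])
        return f"{field_name(body['FieldToMatch'])} {body['PositionalConstraint']} {text!r}"
    if stype == "SizeConstraintStatement":
        return f"len({field_name(body['FieldToMatch'])}) {body['ComparisonOperator']} {body['Size']}"
    if stype == "GeoMatchStatement":
        return "country IN " + ",".join(body["CountryCodes"])
    if stype == "RateBasedStatement":
        return f"rate > {body['Limit']} per {body['AggregateKeyType']}"
    if stype == "IPSetReferenceStatement":
        return "ip IN " + body["ARN"].rsplit("/", 2)[-2]   # IP set name from the ARN
    return stype   # managed rule groups, regex sets, etc.: just name the statement type


def summarize_web_acl(doc):
    """Return name, default action, capacity, lock token and the rules in evaluation order."""
    acl = doc["WebACL"]
    rules = []
    for rule in sorted(acl["Rules"], key=lambda r: r["Priority"]):
        # Assumption: rule-group references carry OverrideAction instead of Action.
        action_block = rule.get("Action") or rule.get("OverrideAction") or {}
        action = next(iter(action_block), "-")
        rules.append({"priority": rule["Priority"], "name": rule["Name"],
                      "action": action, "condition": describe(rule["Statement"])})
    return {"name": acl["Name"], "capacity": acl["Capacity"],
            "default_action": next(iter(acl["DefaultAction"])),
            "lock_token": doc.get("LockToken"), "rules": rules}


if __name__ == "__main__":
    summary = summarize_web_acl(load_web_acl(SAMPLE_GET_WEB_ACL))
    print(f"{summary['name']}: default {summary['default_action']}, {summary['capacity']} WCU")
    for r in summary["rules"]:
        print(f"  [{r['priority']}] {r['name']}: {r['action']} if {r['condition']}")
```

For the page's ACL this prints one rule: `[1] testrule01: Block if (UriPath EXACTLY 'teststring' AND len(QueryString) EQ 0)` under a default `Allow`. The returned `lock_token` is the value a following `update-web-acl` or `delete-web-acl` call must present, so keep the summary and the token from the same `get-web-acl` response.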
The following code example shows how to use `list-available-managed-rule-groups`.

- Amazon CLI

To retrieve the managed rule groups

The following `list-available-managed-rule-groups` returns the list of all managed rule groups that are currently available for use in your web ACLs.

```sh
aws wafv2 list-available-managed-rule-groups \
    --scope REGIONAL
```

Output:

```json
{
    "ManagedRuleGroups": [
        {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesCommonRuleSet",
            "Description": "Contains rules that are generally applicable to web applications. This provides protection against exploitation of a wide range of vulnerabilities, including those described in OWASP publications and common Common Vulnerabilities and Exposures (CVE)."
        },
        {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesAdminProtectionRuleSet",
            "Description": "Contains rules that allow you to block external access to exposed admin pages. This may be useful if you are running third-party software or would like to reduce the risk of a malicious actor gaining administrative access to your application."
        },
        {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesKnownBadInputsRuleSet",
            "Description": "Contains rules that allow you to block request patterns that are known to be invalid and are associated with exploitation or discovery of vulnerabilities. This can help reduce the risk of a malicious actor discovering a vulnerable application."
        },
        {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesSQLiRuleSet",
            "Description": "Contains rules that allow you to block request patterns associated with exploitation of SQL databases, like SQL injection attacks. This can help prevent remote injection of unauthorized queries."
        },
        {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesLinuxRuleSet",
            "Description": "Contains rules that block request patterns associated with exploitation of vulnerabilities specific to Linux, including LFI attacks. This can help prevent attacks that expose file contents or execute code for which the attacker should not have had access."
        },
        {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesUnixRuleSet",
            "Description": "Contains rules that block request patterns associated with exploiting vulnerabilities specific to POSIX/POSIX-like OS, including LFI attacks. This can help prevent attacks that expose file contents or execute code for which access should not been allowed."
        },
        {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesWindowsRuleSet",
            "Description": "Contains rules that block request patterns associated with exploiting vulnerabilities specific to Windows, (e.g., PowerShell commands). This can help prevent exploits that allow attacker to run unauthorized commands or execute malicious code."
        },
        {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesPHPRuleSet",
            "Description": "Contains rules that block request patterns associated with exploiting vulnerabilities specific to the use of the PHP, including injection of unsafe PHP functions. This can help prevent exploits that allow an attacker to remotely execute code or commands."
        },
        {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesWordPressRuleSet",
            "Description": "The WordPress Applications group contains rules that block request patterns associated with the exploitation of vulnerabilities specific to WordPress sites."
        },
        {
            "VendorName": "AWS",
            "Name": "AWSManagedRulesAmazonIpReputationList",
            "Description": "This group contains rules that are based on Amazon threat intelligence. This is useful if you would like to block sources associated with bots or other threats."
        }
    ]
}
```

For more information, see Managed Rule Groups in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see ListAvailableManagedRuleGroups in Amazon CLI Command Reference.
The following code example shows how to use `list-ip-sets`.

- Amazon CLI

To retrieve a list of IP sets

The following `list-ip-sets` retrieves all IP sets for the account that have regional scope.

```sh
aws wafv2 list-ip-sets \
    --scope REGIONAL
```

Output:

```json
{
    "IPSets": [
        {
            "ARN": "arn:aws:wafv2:us-west-2:123456789012:regional/ipset/testip/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "Description": "",
            "Name": "testip",
            "LockToken": "0674c84b-0304-47fe-8728-c6bff46af8fc",
            "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
        }
    ],
    "NextMarker": "testip"
}
```

For more information, see IP Sets and Regex Pattern Sets in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see ListIpSets in Amazon CLI Command Reference.
The following code example shows how to use `list-logging-configurations`.

- Amazon CLI

To retrieve a list of all logging configurations for a region

The following `list-logging-configurations` retrieves all logging configurations for web ACLs that are scoped for regional use in the `us-west-2` region.

```sh
aws wafv2 list-logging-configurations \
    --scope REGIONAL \
    --region us-west-2
```

Output:

```json
{
    "LoggingConfigurations": [
        {
            "ResourceArn": "arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test-2/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "RedactedFields": [
                { "QueryString": {} }
            ],
            "LogDestinationConfigs": [
                "arn:aws:firehose:us-west-2:123456789012:deliverystream/aws-waf-logs-test"
            ]
        },
        {
            "ResourceArn": "arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "RedactedFields": [
                { "Method": {} }
            ],
            "LogDestinationConfigs": [
                "arn:aws:firehose:us-west-2:123456789012:deliverystream/aws-waf-logs-custom-transformation"
            ]
        }
    ]
}
```

For more information, see Logging Web ACL Traffic Information in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see ListLoggingConfigurations in Amazon CLI Command Reference.
The following code example shows how to use `list-regex-pattern-sets`.

- Amazon CLI

To retrieve a list of regex pattern sets

The following `list-regex-pattern-sets` retrieves all regex pattern sets for the account that are defined in the region `us-west-2`.

```sh
aws wafv2 list-regex-pattern-sets \
    --scope REGIONAL \
    --region us-west-2
```

Output:

```json
{
    "NextMarker": "regexPatterSet01",
    "RegexPatternSets": [
        {
            "ARN": "arn:aws:wafv2:us-west-2:123456789012:regional/regexpatternset/regexPatterSet01/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "Description": "Test web-acl",
            "Name": "regexPatterSet01",
            "LockToken": "f17743f7-0000-0000-0000-19a8b93bfb01",
            "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
        }
    ]
}
```

For more information, see IP Sets and Regex Pattern Sets in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see ListRegexPatternSets in Amazon CLI Command Reference.
The following code example shows how to use list-resources-for-web-acl.

- Amazon CLI

To retrieve the resources associated with a web ACL

The following list-resources-for-web-acl retrieves the API Gateway REST API resources that are currently associated with the specified web ACL in the region us-west-2.

aws wafv2 list-resources-for-web-acl \
    --web-acl-arn arn:aws:wafv2:us-west-2:123456789012:regional/webacl/TestWebAcl/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --resource-type API_GATEWAY \
    --region us-west-2

Output:

{
    "ResourceArns": [
        "arn:aws:apigateway:us-west-2::/restapis/EXAMPLE111/stages/testing"
    ]
}

For more information, see Associating or Disassociating a Web ACL with an Amazon Resource in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see ListResourcesForWebAcl in Amazon CLI Command Reference.
The following code example shows how to use list-rule-groups.

- Amazon CLI

To retrieve a list of custom rule groups

The following list-rule-groups retrieves all custom rule groups that are defined for the account for the specified scope and region location.

aws wafv2 list-rule-groups \
    --scope REGIONAL \
    --region us-west-2

Output:

{
    "RuleGroups": [
        {
            "ARN": "arn:aws:wafv2:us-west-2:123456789012:regional/rulegroup/TestRuleGroup/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "Description": "",
            "Name": "TestRuleGroup",
            "LockToken": "1eb5ec48-0000-0000-0000-ee9b906c541e",
            "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
        },
        {
            "ARN": "arn:aws:wafv2:us-west-2:123456789012:regional/rulegroup/test/a1b2c3d4-5678-90ab-cdef-EXAMPLE22222",
            "Description": "",
            "Name": "test",
            "LockToken": "b0f4583e-998b-4880-9069-3fbe45738b43",
            "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE22222"
        }
    ],
    "NextMarker": "test"
}

For more information, see Managing Your Own Rule Groups in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see ListRuleGroups in Amazon CLI Command Reference.
The following code example shows how to use list-tags-for-resource.

- Amazon CLI

To retrieve all tags for an Amazon WAF resource

The following list-tags-for-resource retrieves the list of all tag key-value pairs for the specified web ACL.

aws wafv2 list-tags-for-resource \
    --resource-arn arn:aws:wafv2:us-west-2:123456789012:regional/webacl/testwebacl2/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111

Output:

{
    "NextMarker": "",
    "TagInfoForResource": {
        "ResourceARN": "arn:aws:wafv2:us-west-2:123456789012:regional/webacl/testwebacl2/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "TagList": []
    }
}

For more information, see Getting Started with Amazon WAF in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see ListTagsForResource in Amazon CLI Command Reference.
The following code example shows how to use list-web-acls.

- Amazon CLI

To retrieve the web ACLs for a scope

The following list-web-acls retrieves all web ACLs that are defined for the account for the specified scope.

aws wafv2 list-web-acls \
    --scope REGIONAL

Output:

{
    "NextMarker": "Testt",
    "WebACLs": [
        {
            "ARN": "arn:aws:wafv2:us-west-2:123456789012:regional/webacl/Testt/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
            "Description": "sssss",
            "Name": "Testt",
            "LockToken": "7f36cb30-74ef-4cff-8cd4-a77e1aba1746",
            "Id": "a1b2c3d4-5678-90ab-cdef-EXAMPLE11111"
        }
    ]
}

For more information, see Managing and Using a Web Access Control List (Web ACL) in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see ListWebAcls in Amazon CLI Command Reference.
The following code example shows how to use put-logging-configuration.

- Amazon CLI

To add a logging configuration to a web ACL

The following put-logging-configuration adds the Amazon Kinesis Data Firehose logging configuration aws-waf-logs-custom-transformation to the specified web ACL, with no fields redacted from the logs.

aws wafv2 put-logging-configuration \
    --logging-configuration ResourceArn=arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test-cli/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111,LogDestinationConfigs=arn:aws:firehose:us-west-2:123456789012:deliverystream/aws-waf-logs-custom-transformation \
    --region us-west-2

Output:

{
    "LoggingConfiguration": {
        "ResourceArn": "arn:aws:wafv2:us-west-2:123456789012:regional/webacl/test-cli/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111",
        "LogDestinationConfigs": [
            "arn:aws:firehose:us-west-2:123456789012:deliverystream/aws-waf-logs-custom-transformation"
        ]
    }
}

For more information, see Logging Web ACL Traffic Information in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see PutLoggingConfiguration in Amazon CLI Command Reference.
The following code example shows how to use tag-resource.

- Amazon CLI

To add tags to an Amazon WAF resource

The following tag-resource example adds a tag with a key of Name and value set to AWSWAF to the specified web ACL.

aws wafv2 tag-resource \
    --resource-arn arn:aws:wafv2:us-west-2:123456789012:regional/webacl/apiGatewayWebAcl/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --tags Key=Name,Value=AWSWAF

This command produces no output.

For more information, see Getting Started with Amazon WAF in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see TagResource in Amazon CLI Command Reference.
The following code example shows how to use untag-resource.

- Amazon CLI

To remove tags from an Amazon WAF resource

The following untag-resource example removes the tag with the key KeyName from the specified web ACL.

aws wafv2 untag-resource \
    --resource-arn arn:aws:wafv2:us-west-2:123456789012:regional/webacl/apiGatewayWebAcl/a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --tag-keys "KeyName"

This command produces no output.

For more information, see Getting Started with Amazon WAF in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see UntagResource in Amazon CLI Command Reference.
The following code example shows how to use update-ip-set.

- Amazon CLI

To modify the settings for an existing IP set

The following update-ip-set updates the settings for the specified IP set. This call requires an ID, which you can obtain from list-ip-sets, and a lock token, which you can obtain from list-ip-sets or get-ip-set. This call also returns a lock token that you can use for a subsequent update.

aws wafv2 update-ip-set \
    --name testip \
    --scope REGIONAL \
    --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --addresses 198.51.100.0/16 \
    --lock-token 447e55ac-2396-4c6d-b9f9-86b67c17f8b5

Output:

{
    "NextLockToken": "0674c84b-0304-47fe-8728-c6bff46af8fc"
}

For more information, see IP Sets and Regex Pattern Sets in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see UpdateIpSet in Amazon CLI Command Reference.
The following code example shows how to use update-regex-pattern-set.

- Amazon CLI

To modify the settings for an existing regex pattern set

The following update-regex-pattern-set updates the settings for the specified regex pattern set. This call requires an ID, which you can obtain from list-regex-pattern-sets, and a lock token, which you can obtain from list-regex-pattern-sets or get-regex-pattern-set. This call also returns a lock token that you can use for a subsequent update.

aws wafv2 update-regex-pattern-set \
    --name ExampleRegex \
    --scope REGIONAL \
    --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --regular-expression-list RegexString="^.+$" \
    --lock-token ed207e9c-82e9-4a77-aadd-81e6173ab7eb

Output:

{
    "NextLockToken": "12ebc73e-fa68-417d-a9b8-2bdd761a4fa5"
}

For more information, see IP Sets and Regex Pattern Sets in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see UpdateRegexPatternSet in Amazon CLI Command Reference.
The following code example shows how to use update-rule-group.

- Amazon CLI

To update a custom rule group

The following update-rule-group changes the visibility configuration for an existing custom rule group. This call requires an ID, which you can obtain from list-rule-groups, and a lock token, which you can obtain from list-rule-groups or get-rule-group. This call also returns a lock token that you can use for a subsequent update.

aws wafv2 update-rule-group \
    --name TestRuleGroup \
    --scope REGIONAL \
    --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --lock-token 7b3bcec2-0000-0000-0000-563bf47249f0 \
    --visibility-config SampledRequestsEnabled=false,CloudWatchMetricsEnabled=false,MetricName=TestMetricsForRuleGroup \
    --region us-west-2

Output:

{
    "NextLockToken": "1eb5ec48-0000-0000-0000-ee9b906c541e"
}

For more information, see Managing Your Own Rule Groups in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see UpdateRuleGroup in Amazon CLI Command Reference.
The following code example shows how to use update-web-acl.

- Amazon CLI

To update a web ACL

The following update-web-acl changes settings for an existing web ACL. This call requires an ID, which you can obtain from list-web-acls, and a lock token and other settings, which you can obtain from get-web-acl. This call also returns a lock token that you can use for a subsequent update.

aws wafv2 update-web-acl \
    --name TestWebAcl \
    --scope REGIONAL \
    --id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --lock-token 2294b3a1-0000-0000-0000-a3ae04329de9 \
    --default-action Block={} \
    --visibility-config SampledRequestsEnabled=false,CloudWatchMetricsEnabled=false,MetricName=NewMetricTestWebAcl \
    --rules file://waf-rule.json \
    --region us-west-2

Output:

{
    "NextLockToken": "714a0cfb-0000-0000-0000-2959c8b9a684"
}

For more information, see Managing and Using a Web Access Control List (Web ACL) in the Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced Developer Guide.

For API details, see UpdateWebAcl in Amazon CLI Command Reference.
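The four update examples above (update-ip-set, update-regex-pattern-set, update-rule-group and update-web-acl) share one read-modify-write handshake: read the current lock token, send it with the update, and keep the returned NextLockToken for the next write, so that two operators editing the same resource cannot silently overwrite each other. The Python block below is an added example, not part of the AWS documentation or the CLI; update_ip_set_addresses uses the method names and keyword arguments of the boto3 wafv2 client (get_ip_set, update_ip_set), while FakeWafv2 is a constructed in-memory stand-in for that client that enforces the token contract so the flow can run offline.

```python
import ipaddress
import uuid


class StaleLockToken(Exception):
    """A write carried a lock token that a later write has already superseded.

    With the real boto3 client the equivalent error is
    client.exceptions.WAFOptimisticLockException.
    """


class FakeWafv2:
    """Constructed stand-in for the two boto3 wafv2 calls used below (not boto3)."""

    def __init__(self, name, scope, ip_set_id, addresses):
        self._key = (name, scope, ip_set_id)
        self._addresses = list(addresses)
        self._lock_token = str(uuid.uuid4())

    def get_ip_set(self, Name, Scope, Id):
        # Same shape as the documented get-ip-set output: the set plus LockToken.
        assert (Name, Scope, Id) == self._key
        return {"IPSet": {"Addresses": list(self._addresses)},
                "LockToken": self._lock_token}

    def update_ip_set(self, Name, Scope, Id, Addresses, LockToken):
        assert (Name, Scope, Id) == self._key
        if LockToken != self._lock_token:
            raise StaleLockToken(LockToken)   # another writer got there first
        self._addresses = list(Addresses)
        self._lock_token = str(uuid.uuid4())  # each successful write mints a new token
        return {"NextLockToken": self._lock_token}


def update_ip_set_addresses(client, name, scope, ip_set_id, addresses):
    """Read the current lock token, validate the CIDRs, write, return NextLockToken."""
    # Fail fast on malformed CIDRs before touching the WAF; ip_network is strict
    # by default, so a prefix with host bits set raises ValueError.
    for cidr in addresses:
        ipaddress.ip_network(cidr)
    current = client.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    result = client.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                                  Addresses=list(addresses),
                                  LockToken=current["LockToken"])
    return result["NextLockToken"]
```

Swapping FakeWafv2 for boto3.client("wafv2") leaves update_ip_set_addresses unchanged; a StaleLockToken (or WAFOptimisticLockException) means the set was modified between your read and your write, and the correct response is to re-read and reapply, never to retry with the old token.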