web_acls
Creates, updates, deletes or gets a web_acl resource, or lists web_acls in a region.
Overview
Name | web_acls |
Type | Resource |
Description | Contains the rules that identify the requests you want to allow, block, or count. In a WebACL you also specify a default action (Allow or Block) for requests that match no rule, and the action for each rule you add, for example block requests from specified IP addresses or from specified referrers. You associate the WebACL with a CloudFront distribution or a regional resource (Application Load Balancer, API Gateway and others) to identify the requests you want AWS WAF to inspect. Rules are evaluated in priority order; a request needs to match only one rule to be allowed, blocked, or counted. |
Id | aws.wafv2.web_acls |
Fields
Name | Datatype | Description |
---|---|---|
arn | string | Amazon Resource Name of the WebACL. |
capacity | integer | Web ACL capacity units (WCUs) consumed by the rules in the WebACL, counted against the per-WebACL WCU quota. |
default_action | object | Action (Allow or Block) the WebACL takes on a request that no rule matches. |
description | string | Description of the entity. |
name | string | Name of the WebACL. |
id | string | Id of the WebACL, assigned by AWS WAF at creation. |
scope | string | Use CLOUDFRONT for a CloudFront WebACL, REGIONAL for regional resources (Application Load Balancer, API Gateway, AppSync, Cognito user pools, App Runner, Verified Access). CLOUDFRONT WebACLs exist only in us-east-1, so create and query them with region = 'us-east-1'. |
rules | array | Collection of Rules, evaluated in ascending Priority order. |
visibility_config | object | CloudWatch metrics and request sampling settings for the WebACL (SampledRequestsEnabled, CloudWatchMetricsEnabled, MetricName). |
tags | array | Key/Value tags attached to the WebACL. |
label_namespace | string | Namespace prefix for labels added by this WebACL's rules, of the form awswaf:<account-id>:webacl:<name>:. |
custom_response_bodies | object | Map of custom response bodies, keyed by name, that Block actions reference through CustomResponseBodyKey. |
captcha_config | object | Default CAPTCHA immunity time (ImmunityTimeProperty) for rules that use the Captcha action without their own CaptchaConfig. |
challenge_config | object | Default challenge immunity time (ImmunityTimeProperty) for rules that use the Challenge action without their own ChallengeConfig. |
token_domains | array | List of domains to accept in web request tokens, in addition to the domain of the protected resource. |
association_config | object | Request body inspection size limit (RequestBody) for associated resources; bodies larger than the limit are handled according to each rule's OversizeHandling setting. |
region | string | AWS region. |
Methods
Name | Accessible by | Required Params |
---|---|---|
create_resource | INSERT | DefaultAction, Scope, VisibilityConfig, region |
delete_resource | DELETE | data__Identifier, region |
update_resource | UPDATE | data__Identifier, data__PatchDocument, region |
list_resources | SELECT | region |
get_resource | SELECT | data__Identifier, region |
SELECT examples
Gets all web_acls in a region (region is a required parameter of list_resources).
SELECT
region,
arn,
capacity,
default_action,
description,
name,
id,
scope,
rules,
visibility_config,
tags,
label_namespace,
custom_response_bodies,
captcha_config,
challenge_config,
token_domains,
association_config
FROM aws.wafv2.web_acls
WHERE region = 'us-east-1';
Gets all properties from an individual web_acl. The identifier is the CloudFormation primary identifier, Name, Id and Scope joined with '|'.
SELECT
region,
arn,
capacity,
default_action,
description,
name,
id,
scope,
rules,
visibility_config,
tags,
label_namespace,
custom_response_bodies,
captcha_config,
challenge_config,
token_domains,
association_config
FROM aws.wafv2.web_acls
WHERE data__Identifier = '<Name>|<Id>|<Scope>'
AND region = 'us-east-1';
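The two queries above return raw objects; the posture questions a reviewer actually asks live inside the JSON columns. The queries below are an added example, not part of the original page or the StackQL project. They assume the default StackQL SQLite backend, where json_extract() and json_array_length() are available and JSON booleans come back as 1/0, and they use us-east-1 as a placeholder region.

```sql
-- Added example: posture checks over aws.wafv2.web_acls.
-- Assumes the SQLite backend (json_extract / json_array_length available,
-- JSON true/false surfaced as 1/0); 'us-east-1' is a placeholder region.

-- 1. Web ACLs that allow by default and carry no rules at all: they are
--    associated with a resource but filter nothing.
SELECT region, scope, name, id
FROM aws.wafv2.web_acls
WHERE region = 'us-east-1'
  AND json_extract(default_action, '$.Allow') IS NOT NULL
  AND COALESCE(json_array_length(rules), 0) = 0;

-- 2. Web ACLs with CloudWatch metrics or request sampling switched off:
--    without them there is no per-ACL view of what is counted or blocked,
--    so a Count-mode rollout cannot be evaluated before enforcing it.
SELECT region, scope, name,
       json_extract(visibility_config, '$.CloudWatchMetricsEnabled') AS metrics_enabled,
       json_extract(visibility_config, '$.SampledRequestsEnabled')   AS sampling_enabled
FROM aws.wafv2.web_acls
WHERE region = 'us-east-1'
  AND (json_extract(visibility_config, '$.CloudWatchMetricsEnabled') = 0
    OR json_extract(visibility_config, '$.SampledRequestsEnabled') = 0);

-- 3. Rules still in Count mode (managed rule groups deployed but not
--    enforcing), extracted from the first rule of each ACL. json_each()
--    walks the whole Rules array so every rule is reported, not only the first.
SELECT w.region, w.scope, w.name,
       json_extract(r.value, '$.Name')     AS rule_name,
       json_extract(r.value, '$.Priority') AS priority
FROM aws.wafv2.web_acls AS w, json_each(w.rules) AS r
WHERE w.region = 'us-east-1'
  AND json_extract(r.value, '$.OverrideAction.Count') IS NOT NULL;

-- 4. Capacity headroom: WCU usage is capped by the per-web-ACL quota, so an
--    ACL already near the limit leaves no room for additional rules.
SELECT region, scope, name, capacity
FROM aws.wafv2.web_acls
WHERE region = 'us-east-1'
ORDER BY capacity DESC;
```

Run the same queries with region = 'us-east-1' for CLOUDFRONT-scoped ACLs regardless of where the distributions serve traffic; they are only visible there.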
INSERT example
Use the following StackQL query and manifest file to create a new web_acl resource, using stack-deploy. The first statement passes only the required properties, the second passes all properties, and the manifest is the equivalent stack-deploy definition.
Required Properties
/*+ create */
INSERT INTO aws.wafv2.web_acls (
DefaultAction,
Scope,
VisibilityConfig,
region
)
SELECT
'{{ DefaultAction }}',
'{{ Scope }}',
'{{ VisibilityConfig }}',
'{{ region }}';
All Properties
/*+ create */
INSERT INTO aws.wafv2.web_acls (
DefaultAction,
Description,
Name,
Scope,
Rules,
VisibilityConfig,
Tags,
CustomResponseBodies,
CaptchaConfig,
ChallengeConfig,
TokenDomains,
AssociationConfig,
region
)
SELECT
'{{ DefaultAction }}',
'{{ Description }}',
'{{ Name }}',
'{{ Scope }}',
'{{ Rules }}',
'{{ VisibilityConfig }}',
'{{ Tags }}',
'{{ CustomResponseBodies }}',
'{{ CaptchaConfig }}',
'{{ ChallengeConfig }}',
'{{ TokenDomains }}',
'{{ AssociationConfig }}',
'{{ region }}';
Manifest
version: 1
name: stack name
description: stack description
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: web_acl
    props:
      - name: DefaultAction
        value:
          Allow:
            CustomRequestHandling:
              InsertHeaders:
                - Name: '{{ Name }}'
                  Value: '{{ Value }}'
          Block:
            CustomResponse:
              ResponseCode: '{{ ResponseCode }}'
              CustomResponseBodyKey: '{{ CustomResponseBodyKey }}'
              ResponseHeaders:
                - null
      - name: Description
        value: '{{ Description }}'
      - name: Name
        value: '{{ Name }}'
      - name: Scope
        value: '{{ Scope }}'
      - name: Rules
        value:
          - Name: null
            Priority: '{{ Priority }}'
            Statement:
              ByteMatchStatement:
                SearchString: '{{ SearchString }}'
                SearchStringBase64: '{{ SearchStringBase64 }}'
                FieldToMatch:
                  SingleHeader:
                    Name: '{{ Name }}'
                  SingleQueryArgument:
                    Name: '{{ Name }}'
                  AllQueryArguments: {}
                  UriPath: {}
                  QueryString: {}
                  Body:
                    OversizeHandling: '{{ OversizeHandling }}'
                  Method: {}
                  JsonBody:
                    MatchPattern:
                      All: {}
                      IncludedPaths:
                        - '{{ IncludedPaths[0] }}'
                    MatchScope: '{{ MatchScope }}'
                    InvalidFallbackBehavior: '{{ InvalidFallbackBehavior }}'
                    OversizeHandling: null
                  Headers:
                    MatchPattern:
                      All: {}
                      IncludedHeaders:
                        - '{{ IncludedHeaders[0] }}'
                      ExcludedHeaders:
                        - '{{ ExcludedHeaders[0] }}'
                    MatchScope: '{{ MatchScope }}'
                    OversizeHandling: null
                  Cookies:
                    MatchPattern:
                      All: {}
                      IncludedCookies:
                        - '{{ IncludedCookies[0] }}'
                      ExcludedCookies:
                        - '{{ ExcludedCookies[0] }}'
                    MatchScope: null
                    OversizeHandling: null
                  JA3Fingerprint:
                    FallbackBehavior: '{{ FallbackBehavior }}'
                TextTransformations:
                  - Priority: '{{ Priority }}'
                    Type: '{{ Type }}'
                PositionalConstraint: '{{ PositionalConstraint }}'
              SqliMatchStatement:
                FieldToMatch: null
                TextTransformations:
                  - null
                SensitivityLevel: '{{ SensitivityLevel }}'
              XssMatchStatement:
                FieldToMatch: null
                TextTransformations:
                  - null
              SizeConstraintStatement:
                FieldToMatch: null
                ComparisonOperator: '{{ ComparisonOperator }}'
                Size: null
                TextTransformations:
                  - null
              GeoMatchStatement:
                CountryCodes:
                  - '{{ CountryCodes[0] }}'
                ForwardedIPConfig:
                  HeaderName: '{{ HeaderName }}'
                  FallbackBehavior: '{{ FallbackBehavior }}'
              RuleGroupReferenceStatement:
                Arn: '{{ Arn }}'
                ExcludedRules:
                  - Name: null
                RuleActionOverrides:
                  - Name: null
                    ActionToUse:
                      Allow: null
                      Block: null
                      Count:
                        CustomRequestHandling: null
                      Captcha:
                        CustomRequestHandling: null
                      Challenge:
                        CustomRequestHandling: null
              IPSetReferenceStatement:
                Arn: null
                IPSetForwardedIPConfig:
                  HeaderName: '{{ HeaderName }}'
                  FallbackBehavior: '{{ FallbackBehavior }}'
                  Position: '{{ Position }}'
              RegexPatternSetReferenceStatement:
                Arn: null
                FieldToMatch: null
                TextTransformations:
                  - null
              ManagedRuleGroupStatement:
                Name: null
                VendorName: '{{ VendorName }}'
                Version: '{{ Version }}'
                ExcludedRules:
                  - null
                ScopeDownStatement: null
                ManagedRuleGroupConfigs:
                  - LoginPath: '{{ LoginPath }}'
                    PayloadType: '{{ PayloadType }}'
                    UsernameField:
                      Identifier: '{{ Identifier }}'
                    PasswordField: null
                    AWSManagedRulesBotControlRuleSet:
                      InspectionLevel: '{{ InspectionLevel }}'
                      EnableMachineLearning: '{{ EnableMachineLearning }}'
                    AWSManagedRulesATPRuleSet:
                      LoginPath: '{{ LoginPath }}'
                      EnableRegexInPath: '{{ EnableRegexInPath }}'
                      RequestInspection:
                        PayloadType: '{{ PayloadType }}'
                        UsernameField: null
                        PasswordField: null
                      ResponseInspection:
                        StatusCode:
                          SuccessCodes:
                            - '{{ SuccessCodes[0] }}'
                          FailureCodes:
                            - '{{ FailureCodes[0] }}'
                        Header:
                          Name: '{{ Name }}'
                          SuccessValues:
                            - '{{ SuccessValues[0] }}'
                          FailureValues:
                            - '{{ FailureValues[0] }}'
                        BodyContains:
                          SuccessStrings:
                            - '{{ SuccessStrings[0] }}'
                          FailureStrings:
                            - '{{ FailureStrings[0] }}'
                        Json:
                          Identifier: '{{ Identifier }}'
                          SuccessValues:
                            - '{{ SuccessValues[0] }}'
                          FailureValues:
                            - '{{ FailureValues[0] }}'
                    AWSManagedRulesACFPRuleSet:
                      CreationPath: '{{ CreationPath }}'
                      RegistrationPagePath: '{{ RegistrationPagePath }}'
                      RequestInspection:
                        PayloadType: '{{ PayloadType }}'
                        UsernameField: null
                        PasswordField: null
                        EmailField: null
                        PhoneNumberFields:
                          - null
                        AddressFields:
                          - null
                      ResponseInspection: null
                      EnableRegexInPath: '{{ EnableRegexInPath }}'
                RuleActionOverrides:
                  - null
              RateBasedStatement:
                Limit: '{{ Limit }}'
                EvaluationWindowSec: '{{ EvaluationWindowSec }}'
                AggregateKeyType: '{{ AggregateKeyType }}'
                CustomKeys:
                  - Cookie:
                      Name: '{{ Name }}'
                      TextTransformations:
                        - null
                    ForwardedIP: {}
                    Header:
                      Name: '{{ Name }}'
                      TextTransformations:
                        - null
                    HTTPMethod: {}
                    IP: {}
                    LabelNamespace:
                      Namespace: '{{ Namespace }}'
                    QueryArgument:
                      Name: '{{ Name }}'
                      TextTransformations:
                        - null
                    QueryString:
                      TextTransformations:
                        - null
                    UriPath:
                      TextTransformations:
                        - null
                ScopeDownStatement: null
                ForwardedIPConfig: null
              AndStatement:
                Statements:
                  - null
              OrStatement:
                Statements:
                  - null
              NotStatement:
                Statement: null
              LabelMatchStatement:
                Scope: '{{ Scope }}'
                Key: '{{ Key }}'
              RegexMatchStatement:
                RegexString: '{{ RegexString }}'
                FieldToMatch: null
                TextTransformations:
                  - null
            Action: null
            OverrideAction:
              Count: {}
              None: {}
            RuleLabels:
              - Name: '{{ Name }}'
            VisibilityConfig:
              SampledRequestsEnabled: '{{ SampledRequestsEnabled }}'
              CloudWatchMetricsEnabled: '{{ CloudWatchMetricsEnabled }}'
              MetricName: '{{ MetricName }}'
            CaptchaConfig:
              ImmunityTimeProperty:
                ImmunityTime: '{{ ImmunityTime }}'
            ChallengeConfig:
              ImmunityTimeProperty: null
      - name: VisibilityConfig
        value: null
      - name: Tags
        value:
          - Key: '{{ Key }}'
            Value: '{{ Value }}'
      - name: CustomResponseBodies
        value: {}
      - name: CaptchaConfig
        value: null
      - name: ChallengeConfig
        value: null
      - name: TokenDomains
        value:
          - '{{ TokenDomains[0] }}'
      - name: AssociationConfig
        value:
          RequestBody: {}
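The template manifest above enumerates every property the schema allows, including mutually exclusive ones (both Allow and Block under DefaultAction, both Action and OverrideAction on a rule), so it cannot be deployed as-is. The manifest below is an added example, not part of the original page or the StackQL project, showing one deployable shape: a REGIONAL web ACL for a public application that allows by default, runs the AWS Common Rule Set in Count mode for a staged rollout, and enforces a per-IP rate limit immediately. The stack name, resource name, metric names, rate limit and tag values are assumptions chosen here; AWS_REGION is a placeholder variable.

```yaml
# Added example manifest for stack-deploy (not from the page or the project).
# Assumptions: REGIONAL scope, AWS_REGION supplied as a variable, and the
# names, limits and tags below chosen for illustration.
version: 1
name: public-alb-waf
description: Web ACL for a public ALB, managed rules staged in Count mode
providers:
  - aws
globals:
  - name: region
    value: '{{ vars.AWS_REGION }}'
resources:
  - name: web_acl
    props:
      - name: Name
        value: public-alb-web-acl
      - name: Description
        value: Common Rule Set in Count mode, per-IP rate limit enforced
      - name: Scope
        value: REGIONAL
      # Allow by default: this fronts a public app, so the rules carry the
      # blocking. Use Block by default plus allow-list rules for closed audiences.
      - name: DefaultAction
        value:
          Allow: {}
      # Metrics and sampling on at the ACL level, otherwise the Count-mode
      # results below cannot be evaluated before enforcing.
      - name: VisibilityConfig
        value:
          SampledRequestsEnabled: true
          CloudWatchMetricsEnabled: true
          MetricName: PublicAlbWebAcl
      - name: Rules
        value:
          # Managed rule group: uses OverrideAction (Count now, None to enforce)
          # and must not carry an Action of its own.
          - Name: AWSManagedRulesCommonRuleSet
            Priority: 0
            Statement:
              ManagedRuleGroupStatement:
                VendorName: AWS
                Name: AWSManagedRulesCommonRuleSet
            OverrideAction:
              Count: {}
            VisibilityConfig:
              SampledRequestsEnabled: true
              CloudWatchMetricsEnabled: true
              MetricName: CommonRuleSet
          # Rate-based rule: a regular rule with its own Action, enforced from
          # day one. Limit is requests per source IP per evaluation window.
          - Name: RateLimitPerIp
            Priority: 1
            Statement:
              RateBasedStatement:
                Limit: 2000
                EvaluationWindowSec: 300
                AggregateKeyType: IP
            Action:
              Block: {}
            VisibilityConfig:
              SampledRequestsEnabled: true
              CloudWatchMetricsEnabled: true
              MetricName: RateLimitPerIp
      - name: Tags
        value:
          - Key: owner
            Value: appsec
```

Once the Count metrics and sampled requests show no false positives, the managed rule group is enforced by changing its OverrideAction from Count to None; the rate-based rule needs no change. If the protected resource sits behind a proxy or CDN, AggregateKeyType IP counts the proxy's address, and a ForwardedIPConfig keyed on the proxy's forwarded-for header is required instead.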
DELETE example
A web ACL that is still associated with a resource cannot be deleted; disassociate it first, otherwise the call fails with WAFAssociatedItemException.
/*+ delete */
DELETE FROM aws.wafv2.web_acls
WHERE data__Identifier = '<Name|Id|Scope>'
AND region = 'us-east-1';
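The page lists update_resource (data__Identifier, data__PatchDocument, region) but gives no example. The statement below is an added example, not from the original page or the StackQL project, and it makes two assumptions: that data__PatchDocument is the JSON Patch (RFC 6902) document the Cloud Control UpdateResource API expects, passed as a plain string literal in the same quoting style as the INSERT examples, and that rule index 0 of the target web ACL is a managed rule group currently deployed with OverrideAction Count. It switches that rule to enforcing and then reads the result back.

```sql
/*+ update */
-- Added example: promote rule 0 (a managed rule group in Count mode) to
-- enforcing by replacing its override with None. Assumes data__PatchDocument
-- carries an RFC 6902 JSON Patch as a plain string; '<Name>|<Id>|<Scope>' and
-- 'us-east-1' are placeholders in the page's own style.
UPDATE aws.wafv2.web_acls
SET data__PatchDocument = '[
  { "op": "replace", "path": "/Rules/0/OverrideAction", "value": { "None": {} } }
]'
WHERE data__Identifier = '<Name>|<Id>|<Scope>'
AND region = 'us-east-1';

-- Read back: the rule should now expose OverrideAction.None and no longer
-- OverrideAction.Count (json_extract assumes the SQLite backend).
SELECT name,
       json_extract(rules, '$[0].Name')                 AS rule_name,
       json_extract(rules, '$[0].OverrideAction.None')  AS enforced,
       json_extract(rules, '$[0].OverrideAction.Count') AS still_counting
FROM aws.wafv2.web_acls
WHERE data__Identifier = '<Name>|<Id>|<Scope>'
AND region = 'us-east-1';
```

Use a replace on the single rule rather than rewriting the whole Rules array: a full replace of /Rules silently drops any rule added out of band since the manifest was last applied.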
Permissions
To operate on the web_acls resource, the following permissions are required:
Create
wafv2:CreateWebACL,
wafv2:GetWebACL,
wafv2:ListTagsForResource
Delete
wafv2:DeleteWebACL,
wafv2:GetWebACL
Read
wafv2:GetWebACL,
wafv2:ListTagsForResource
Update
wafv2:UpdateWebACL,
wafv2:GetWebACL,
wafv2:ListTagsForResource
List
wafv2:ListWebACLs