|
1890 | 1890 | }, |
1891 | 1891 | "DataProtectionConfig":{ |
1892 | 1892 | "shape":"DataProtectionConfig", |
1893 | | - "documentation":"<p>Specifies data protection to apply to the web request data that WAF stores for the web ACL. This is a web ACL level data protection option. </p> <p>The data protection that you configure for the web ACL alters the data that's available for any other data collection activity, including WAF logging, web ACL request sampling, Amazon Web Services Managed Rules, and Amazon Security Lake data collection and management. Your other option for data protection is in the logging configuration, which only affects logging. </p>" |
| 1893 | + "documentation":"<p>Specifies data protection to apply to the web request data for the web ACL. This is a web ACL level data protection option. </p> <p>The data protection that you configure for the web ACL alters the data that's available for any other data collection activity, including your WAF logging destinations, web ACL request sampling, and Amazon Security Lake data collection and management. Your other option for data protection is in the logging configuration, which only affects logging. </p>" |
1894 | 1894 | }, |
1895 | 1895 | "Tags":{ |
1896 | 1896 | "shape":"TagList", |
|
2039 | 2039 | }, |
2040 | 2040 | "ExcludeRuleMatchDetails":{ |
2041 | 2041 | "shape":"Boolean", |
2042 | | - "documentation":"<p>Specifies whether to also protect any rule match details from the web ACL logs when applying data protection this field type and keys. WAF logs these details for non-terminating matching rules and for the terminating matching rule. For additional information, see <a href=\"https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html\">Log fields for web ACL traffic</a> in the <i>WAF Developer Guide</i>.</p> <p>Default: <code>FALSE</code> </p>" |
| 2042 | + "documentation":"<p>Specifies whether to also exclude any rule match details from the data protection you have enabled for a given field. WAF logs these details for non-terminating matching rules and for the terminating matching rule. For additional information, see <a href=\"https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html\">Log fields for web ACL traffic</a> in the <i>WAF Developer Guide</i>.</p> <p>Default: <code>FALSE</code> </p>" |
2043 | 2043 | }, |
2044 | 2044 | "ExcludeRateBasedDetails":{ |
2045 | 2045 | "shape":"Boolean", |
2046 | | - "documentation":"<p>Specifies whether to also protect any rate-based rule details from the web ACL logs when applying data protection for this field type and keys. For additional information, see the log field <code>rateBasedRuleList</code> at <a href=\"https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html\">Log fields for web ACL traffic</a> in the <i>WAF Developer Guide</i>.</p> <p>Default: <code>FALSE</code> </p>" |
| 2046 | + "documentation":"<p>Specifies whether to also exclude any rate-based rule details from the data protection you have enabled for a given field. If you specify this exception, RateBasedDetails will show the value of the field. For additional information, see the log field <code>rateBasedRuleList</code> at <a href=\"https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html\">Log fields for web ACL traffic</a> in the <i>WAF Developer Guide</i>.</p> <p>Default: <code>FALSE</code> </p>" |
2047 | 2047 | } |
2048 | 2048 | }, |
2049 | 2049 | "documentation":"<p>Specifies the protection behavior for a field type. This is part of the data protection configuration for a web ACL. </p>" |
|
2064 | 2064 | "documentation":"<p>An array of data protection configurations for specific web request field types. This is defined for each web ACL. WAF applies the specified protection to all web requests that the web ACL inspects. </p>" |
2065 | 2065 | } |
2066 | 2066 | }, |
2067 | | - "documentation":"<p>Specifies data protection to apply to the web request data that WAF stores for the web ACL. This is a web ACL level data protection option. </p> <p>The data protection that you configure for the web ACL alters the data that's available for any other data collection activity, including WAF logging, web ACL request sampling, Amazon Web Services Managed Rules, and Amazon Security Lake data collection and management. Your other option for data protection is in the logging configuration, which only affects logging. </p> <p>This is part of the data protection configuration for a web ACL. </p>" |
| 2067 | + "documentation":"<p>Specifies data protection to apply to the web request data for the web ACL. This is a web ACL level data protection option. </p> <p>The data protection that you configure for the web ACL alters the data that's available for any other data collection activity, including your WAF logging destinations, web ACL request sampling, and Amazon Security Lake data collection and management. Your other option for data protection is in the logging configuration, which only affects logging. </p> <p>This is part of the data protection configuration for a web ACL. </p>" |
2068 | 2068 | }, |
2069 | 2069 | "DataProtections":{ |
2070 | 2070 | "type":"list", |
|
2552 | 2552 | "JA3Fingerprint":{ |
2553 | 2553 | "shape":"JA3Fingerprint", |
2554 | 2554 | "documentation":"<p>Available for use with Amazon CloudFront distributions and Application Load Balancers. Match against the request's JA3 fingerprint. The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information.</p> <note> <p>You can use this choice only with a string match <code>ByteMatchStatement</code> with the <code>PositionalConstraint</code> set to <code>EXACTLY</code>. </p> </note> <p>You can obtain the JA3 fingerprint for client requests from the web ACL logs. If WAF is able to calculate the fingerprint, it includes it in the logs. For information about the logging fields, see <a href=\"https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html\">Log fields</a> in the <i>WAF Developer Guide</i>. </p> <p>Provide the JA3 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration.</p>" |
| 2555 | + }, |
| 2556 | + "JA4Fingerprint":{ |
| 2557 | + "shape":"JA4Fingerprint", |
| 2558 | + "documentation":"<p>Available for use with Amazon CloudFront distributions and Application Load Balancers. Match against the request's JA4 fingerprint. The JA4 fingerprint is a 36-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information.</p> <note> <p>You can use this choice only with a string match <code>ByteMatchStatement</code> with the <code>PositionalConstraint</code> set to <code>EXACTLY</code>. </p> </note> <p>You can obtain the JA4 fingerprint for client requests from the web ACL logs. If WAF is able to calculate the fingerprint, it includes it in the logs. For information about the logging fields, see <a href=\"https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html\">Log fields</a> in the <i>WAF Developer Guide</i>. </p> <p>Provide the JA4 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration.</p>" |
2555 | 2559 | } |
2556 | 2560 | }, |
2557 | 2561 | "documentation":"<p>Specifies a web request component to be used in a rule match statement or in a logging configuration. </p> <ul> <li> <p>In a rule statement, this is the part of the web request that you want WAF to inspect. Include the single <code>FieldToMatch</code> type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in <code>FieldToMatch</code> for each rule statement that requires it. To inspect more than one component of the web request, create a separate rule statement for each component.</p> <p>Example JSON for a <code>QueryString</code> field to match: </p> <p> <code> \"FieldToMatch\": { \"QueryString\": {} }</code> </p> <p>Example JSON for a <code>Method</code> field to match specification:</p> <p> <code> \"FieldToMatch\": { \"Method\": { \"Name\": \"DELETE\" } }</code> </p> </li> <li> <p>In a logging configuration, this is used in the <code>RedactedFields</code> property to specify a field to redact from the logging records. For this use case, note the following: </p> <ul> <li> <p>Even though all <code>FieldToMatch</code> settings are available, the only valid settings for field redaction are <code>UriPath</code>, <code>QueryString</code>, <code>SingleHeader</code>, and <code>Method</code>.</p> </li> <li> <p>In this documentation, the descriptions of the individual fields talk about specifying the web request component to inspect, but for field redaction, you are specifying the component type to redact from the logs. </p> </li> <li> <p>If you have request sampling enabled, the redacted fields configuration for logging has no impact on sampling. You can only exclude fields from request sampling by disabling sampling in the web ACL visibility configuration or by configuring data protection for the web ACL.</p> </li> </ul> </li> </ul>" |
|
3417 | 3421 | }, |
3418 | 3422 | "documentation":"<p>Available for use with Amazon CloudFront distributions and Application Load Balancers. Match against the request's JA3 fingerprint. The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information.</p> <note> <p>You can use this choice only with a string match <code>ByteMatchStatement</code> with the <code>PositionalConstraint</code> set to <code>EXACTLY</code>. </p> </note> <p>You can obtain the JA3 fingerprint for client requests from the web ACL logs. If WAF is able to calculate the fingerprint, it includes it in the logs. For information about the logging fields, see <a href=\"https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html\">Log fields</a> in the <i>WAF Developer Guide</i>. </p> <p>Provide the JA3 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration.</p>" |
3419 | 3423 | }, |
| 3424 | + "JA4Fingerprint":{ |
| 3425 | + "type":"structure", |
| 3426 | + "required":["FallbackBehavior"], |
| 3427 | + "members":{ |
| 3428 | + "FallbackBehavior":{ |
| 3429 | + "shape":"FallbackBehavior", |
| 3430 | + "documentation":"<p>The match status to assign to the web request if the request doesn't have a JA4 fingerprint. </p> <p>You can specify the following fallback behaviors:</p> <ul> <li> <p> <code>MATCH</code> - Treat the web request as matching the rule statement. WAF applies the rule action to the request.</p> </li> <li> <p> <code>NO_MATCH</code> - Treat the web request as not matching the rule statement.</p> </li> </ul>" |
| 3431 | + } |
| 3432 | + }, |
| 3433 | + "documentation":"<p>Available for use with Amazon CloudFront distributions and Application Load Balancers. Match against the request's JA4 fingerprint. The JA4 fingerprint is a 36-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information.</p> <note> <p>You can use this choice only with a string match <code>ByteMatchStatement</code> with the <code>PositionalConstraint</code> set to <code>EXACTLY</code>. </p> </note> <p>You can obtain the JA4 fingerprint for client requests from the web ACL logs. If WAF is able to calculate the fingerprint, it includes it in the logs. For information about the logging fields, see <a href=\"https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html\">Log fields</a> in the <i>WAF Developer Guide</i>. </p> <p>Provide the JA4 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration.</p>" |
| 3434 | + }, |
3420 | 3435 | "JsonBody":{ |
3421 | 3436 | "type":"structure", |
3422 | 3437 | "required":[ |
|
4758 | 4773 | "UriPath":{ |
4759 | 4774 | "shape":"RateLimitUriPath", |
4760 | 4775 | "documentation":"<p>Use the request's URI path as an aggregate key. Each distinct URI path contributes to the aggregation instance. If you use just the URI path as your custom key, then each URI path fully defines an aggregation instance. </p>" |
| 4776 | + }, |
| 4777 | + "JA3Fingerprint":{ |
| 4778 | + "shape":"RateLimitJA3Fingerprint", |
| 4779 | + "documentation":"<p> Use the request's JA3 fingerprint as an aggregate key. If you use a single JA3 fingerprint as your custom key, then each value fully defines an aggregation instance. </p>" |
| 4780 | + }, |
| 4781 | + "JA4Fingerprint":{ |
| 4782 | + "shape":"RateLimitJA4Fingerprint", |
| 4783 | + "documentation":"<p>Use the request's JA4 fingerprint as an aggregate key. If you use a single JA4 fingerprint as your custom key, then each value fully defines an aggregation instance. </p>" |
4761 | 4784 | } |
4762 | 4785 | }, |
4763 | 4786 | "documentation":"<p>Specifies a single custom aggregate key for a rate-base rule. </p> <note> <p>Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling. </p> </note>" |
|
4840 | 4863 | }, |
4841 | 4864 | "documentation":"<p>Specifies the IP address in the web request as an aggregate key for a rate-based rule. Each distinct IP address contributes to the aggregation instance. </p> <p>This setting is used only in the <code>RateBasedStatementCustomKey</code> specification of a rate-based rule statement. To use this in the custom key settings, you must specify at least one other key to use, along with the IP address. To aggregate on only the IP address, in your rate-based statement's <code>AggregateKeyType</code>, specify <code>IP</code>.</p> <p>JSON specification: <code>\"RateLimitIP\": {}</code> </p>" |
4842 | 4865 | }, |
| 4866 | + "RateLimitJA3Fingerprint":{ |
| 4867 | + "type":"structure", |
| 4868 | + "required":["FallbackBehavior"], |
| 4869 | + "members":{ |
| 4870 | + "FallbackBehavior":{ |
| 4871 | + "shape":"FallbackBehavior", |
| 4872 | + "documentation":"<p>The match status to assign to the web request if there is insufficient TSL Client Hello information to compute the JA3 fingerprint.</p> <p>You can specify the following fallback behaviors:</p> <ul> <li> <p> <code>MATCH</code> - Treat the web request as matching the rule statement. WAF applies the rule action to the request.</p> </li> <li> <p> <code>NO_MATCH</code> - Treat the web request as not matching the rule statement.</p> </li> </ul>" |
| 4873 | + } |
| 4874 | + }, |
| 4875 | + "documentation":"<p> Use the request's JA3 fingerprint derived from the TLS Client Hello of an incoming request as an aggregate key. If you use a single JA3 fingerprint as your custom key, then each value fully defines an aggregation instance. </p>" |
| 4876 | + }, |
| 4877 | + "RateLimitJA4Fingerprint":{ |
| 4878 | + "type":"structure", |
| 4879 | + "required":["FallbackBehavior"], |
| 4880 | + "members":{ |
| 4881 | + "FallbackBehavior":{ |
| 4882 | + "shape":"FallbackBehavior", |
| 4883 | + "documentation":"<p>The match status to assign to the web request if there is insufficient TSL Client Hello information to compute the JA4 fingerprint.</p> <p>You can specify the following fallback behaviors:</p> <ul> <li> <p> <code>MATCH</code> - Treat the web request as matching the rule statement. WAF applies the rule action to the request.</p> </li> <li> <p> <code>NO_MATCH</code> - Treat the web request as not matching the rule statement.</p> </li> </ul>" |
| 4884 | + } |
| 4885 | + }, |
| 4886 | + "documentation":"<p>Use the request's JA4 fingerprint derived from the TLS Client Hello of an incoming request as an aggregate key. If you use a single JA4 fingerprint as your custom key, then each value fully defines an aggregation instance.</p>" |
| 4887 | + }, |
4843 | 4888 | "RateLimitLabelNamespace":{ |
4844 | 4889 | "type":"structure", |
4845 | 4890 | "required":["Namespace"], |
|
6222 | 6267 | }, |
6223 | 6268 | "DataProtectionConfig":{ |
6224 | 6269 | "shape":"DataProtectionConfig", |
6225 | | - "documentation":"<p>Specifies data protection to apply to the web request data that WAF stores for the web ACL. This is a web ACL level data protection option. </p> <p>The data protection that you configure for the web ACL alters the data that's available for any other data collection activity, including WAF logging, web ACL request sampling, Amazon Web Services Managed Rules, and Amazon Security Lake data collection and management. Your other option for data protection is in the logging configuration, which only affects logging. </p>" |
| 6270 | + "documentation":"<p>Specifies data protection to apply to the web request data for the web ACL. This is a web ACL level data protection option. </p> <p>The data protection that you configure for the web ACL alters the data that's available for any other data collection activity, including your WAF logging destinations, web ACL request sampling, and Amazon Security Lake data collection and management. Your other option for data protection is in the logging configuration, which only affects logging. </p>" |
6226 | 6271 | }, |
6227 | 6272 | "LockToken":{ |
6228 | 6273 | "shape":"LockToken", |
|
6540 | 6585 | }, |
6541 | 6586 | "DataProtectionConfig":{ |
6542 | 6587 | "shape":"DataProtectionConfig", |
6543 | | - "documentation":"<p>Specifies data protection to apply to the web request data that WAF stores for the web ACL. This is a web ACL level data protection option. </p> <p>The data protection that you configure for the web ACL alters the data that's available for any other data collection activity, including WAF logging, web ACL request sampling, Amazon Web Services Managed Rules, and Amazon Security Lake data collection and management. Your other option for data protection is in the logging configuration, which only affects logging. </p>" |
| 6588 | + "documentation":"<p>Specifies data protection to apply to the web request data for the web ACL. This is a web ACL level data protection option. </p> <p>The data protection that you configure for the web ACL alters the data that's available for any other data collection activity, including your WAF logging destinations, web ACL request sampling, and Amazon Security Lake data collection and management. Your other option for data protection is in the logging configuration, which only affects logging. </p>" |
6544 | 6589 | }, |
6545 | 6590 | "Capacity":{ |
6546 | 6591 | "shape":"ConsumedCapacity", |
|
0 commit comments