Skip to main content

AWS-WAF

This Integration is part of the AWS WAF Pack.#

Supported versions

Supported Cortex XSOAR versions: 6.5.0 and later.

Amazon Web Services Web Application Firewall (WAF)

Configure AWS-WAF in Cortex#

ParameterDescriptionRequired
Role ArnFalse
Role Session NameFalse
AWS Default RegionTrue
Role Session DurationFalse
Access KeyFalse
Secret KeyFalse
TimeoutThe time in seconds until a timeout exception is reached. You can specify just the read timeout (for example 60) or also the connect timeout followed after a comma (for example 60,10). If a connect timeout is not specified, a default of 10 second will be used.False
RetriesThe maximum number of retry attempts when connection or throttling errors are encountered. Set to 0 to disable retries. The default value is 5 and the limit is 10. Note: Increasing the number of retries will increase the execution time.False
Trust any certificate (not secure)False
Use system proxy settingsFalse

Commands#

You can execute these commands from the CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

aws-waf-ip-set-create#


Create a new IP set.

Base Command#

aws-waf-ip-set-create

Input#

Argument NameDescriptionRequired
nameThe IP set name.Required
scopeThe IP set scope. Possible values are: Global, Regional. Default is Regional.Optional
addressesA comma-separated list of the IP set addresses in CIDR notation.Optional
descriptionThe IP set description.Optional
ip_versionThe IP set versions. Possible values are: IPV4, IPV6.Required
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional
tag_keyA comma-separated list of the keys of the tags to associate with the IP set.Optional
tag_valueA comma-separated list of the values of the tags to associate with the IP set.Optional

Context Output#

PathTypeDescription
AWS.Waf.IpSet.IdStringThe IP set ID.
AWS.Waf.IpSet.NameStringThe IP set name.
AWS.Waf.IpSet.DescriptionStringThe IP set description.
AWS.Waf.IpSet.LockTokenStringThe IP set lock token.
AWS.Waf.IpSet.ARNStringThe IP set Amazon Resource Name.

Command example#

!aws-waf-ip-set-create ip_version=IPV4 name=name addresses="1.1.1.1/32"

Context Example#

{
"AWS": {
"Waf": {
"IpSet": {
"ARN": "arn",
"Description": "",
"Id": "id",
"LockToken": "lockToken",
"Name": "name"
}
}
}
}

Human Readable Output#

AWS Waf ip set with id id was created successfully

aws-waf-ip-set-get#


Get a specific IP set.

Base Command#

aws-waf-ip-set-get

Input#

Argument NameDescriptionRequired
nameThe IP set name.Required
scopeThe IP set scope. Possible values are: Global, Regional. Default is Regional.Optional
idThe IP set ID.Required
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional

Context Output#

PathTypeDescription
AWS.Waf.IpSet.IdStringThe IP set ID.
AWS.Waf.IpSet.NameStringThe IP set name.
AWS.Waf.IpSet.DescriptionStringThe IP set description.
AWS.Waf.IpSet.IPAddressVersionStringThe IP set IP version.
AWS.Waf.IpSet.AddressesStringThe IP set IP addresses.
AWS.Waf.IpSet.ARNStringThe IP set Amazon Resource Name.

Command example#

!aws-waf-ip-set-get id=id name=name

Context Example#

{
"AWS": {
"Waf": {
"IpSet": {
"ARN": "arn",
"Addresses": [
"1.1.2.2/32"
],
"Description": "",
"IPAddressVersion": "IPV4",
"Id": "id",
"Name": "name"
}
}
}
}

Human Readable Output#

IP Set#

ARNAddressesDescriptionIPAddressVersionIdName
arn1.1.2.2/32IPV4idname

aws-waf-ip-set-update#


Update an IP set.

Base Command#

aws-waf-ip-set-update

Input#

Argument NameDescriptionRequired
nameThe IP set name.Required
scopeThe IP set scope. Possible values are: Global, Regional. Default is Regional.Optional
idThe IP set ID.Required
addressesA comma-separated list of the IP set addresses in CIDR notation.Required
descriptionThe IP set description.Optional
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional
is_overwriteWhether to overwrite the existing addresses. Possible values are: true, false. Default is false.Optional

Context Output#

There is no context output for this command.

aws-waf-ip-set-list#


Lists IP sets.

Base Command#

aws-waf-ip-set-list

Input#

Argument NameDescriptionRequired
scopeThe IP set scope. Possible values are: Global, Regional. Default is Regional.Optional
next_tokenThe token for the next page.Optional
limitThe maximum number of results to return. Default is 50.Optional
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional

Context Output#

PathTypeDescription
AWS.Waf.IpSet.IdStringThe IP set ID.
AWS.Waf.IpSet.NameStringThe IP set name.
AWS.Waf.IpSet.DescriptionStringThe IP set description.
AWS.Waf.IpSet.LockTokenStringThe IP set lock token.
AWS.Waf.IpSet.ARNunknownThe IP set Amazon Resource Name.
AWS.Waf.IpSetNextTokenStringThe token for the next page.

Command example#

!aws-waf-ip-set-list

Context Example#

{
"AWS": {
"Waf": {
"IpSet": [
{
"ARN": "arn",
"Description": "",
"Id": "id",
"LockToken": "lockToken",
"Name": "name"
},
{
"ARN": "arn",
"Description": "",
"Id": "id1",
"LockToken": "lockToken1",
"Name": "name1"
}
],
"IpSetNextToken": "sdf"
}
}
}

Human Readable Output#

List IP Sets#

NameIdARNDescription
nameidarn
name1id1arn

aws-waf-ip-set-delete#


Delete a specific IP set.

Base Command#

aws-waf-ip-set-delete

Input#

Argument NameDescriptionRequired
nameThe IP set name.Required
scopeThe IP set scope. Possible values are: Global, Regional. Default is Regional.Optional
idThe IP set ID.Required
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional

Context Output#

There is no context output for this command.

aws-waf-regex-set-create#


Create a new regex set.

Base Command#

aws-waf-regex-set-create

Input#

Argument NameDescriptionRequired
nameThe regex set name.Required
scopeThe regex set scope. Possible values are: Global, Regional. Default is Regional.Optional
regex_patternA comma-separated list of the regex patterns.Required
descriptionThe regex set description.Optional
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional
tag_keyA comma-separated list of the keys of the tags to associate with the regex set.Optional
tag_valueA comma-separated list of the values of the tags to associate with the regex set.Optional

Context Output#

PathTypeDescription
AWS.Waf.RegexSet.IdStringThe regex set ID.
AWS.Waf.RegexSet.NameStringThe regex set name.
AWS.Waf.RegexSet.DescriptionStringThe regex set description.
AWS.Waf.RegexSet.LockTokenStringThe regex set lock token.
AWS.Waf.RegexSet.ARNStringThe regex set Amazon Resource Name.

Command example#

!aws-waf-regex-set-create name=name regex_pattern="pattern"

Context Example#

{
"AWS": {
"Waf": {
"RegexSet": {
"ARN": "arn",
"Description": "",
"Id": "id",
"LockToken": "lockToken",
"Name": "name"
}
}
}
}

Human Readable Output#

AWS Waf regex set with id id was created successfully

aws-waf-regex-set-get#


Get a specific regex set.

Base Command#

aws-waf-regex-set-get

Input#

Argument NameDescriptionRequired
nameThe regex set name.Required
scopeThe regex set scope. Possible values are: Global, Regional. Default is Regional.Optional
idThe regex set ID.Required
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional

Context Output#

PathTypeDescription
AWS.Waf.RegexSet.IdStringThe regex set ID.
AWS.Waf.RegexSet.NameStringThe regex set name.
AWS.Waf.RegexSet.DescriptionStringThe regex set description.
AWS.Waf.RegexSet.RegularExpressionListStringThe regex set patterns list.
AWS.Waf.RegexSet.ARNStringThe regex set Amazon Resource Name.

Command example#

!aws-waf-regex-set-get id=id name=name

Context Example#

{
"AWS": {
"Waf": {
"RegexSet": {
"ARN": "arn",
"Description": "",
"Id": "id",
"Name": "name",
"RegularExpressionList": [
{
"RegexString": "^dog"
}
]
}
}
}
}

Human Readable Output#

Regex Set#

ARNDescriptionIdNameRegularExpressionList
arnidname{'RegexString': '^dog'}

aws-waf-regex-set-update#


Update a regex set.

Base Command#

aws-waf-regex-set-update

Input#

Argument NameDescriptionRequired
nameThe regex set name.Required
scopeThe regex set scope. Possible values are: Global, Regional. Default is Regional.Optional
idThe regex set ID.Required
regex_patternA comma-separated list of the regex patterns.Required
descriptionThe regex set description.Optional
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional
is_overwriteWhether to overwrite the existing regex patterns. Possible values are: true, false. Default is false.Optional

Context Output#

There is no context output for this command.

aws-waf-regex-set-list#


Lists regex sets.

Base Command#

aws-waf-regex-set-list

Input#

Argument NameDescriptionRequired
scopeThe regex set scope. Possible values are: Global, Regional. Default is Regional.Optional
next_tokenThe token for the next page.Optional
limitThe maximum number of results to return. Default is 50.Optional
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional

Context Output#

PathTypeDescription
AWS.Waf.RegexSet.IdStringThe regex set ID.
AWS.Waf.RegexSet.NameStringThe regex set name.
AWS.Waf.RegexSet.DescriptionStringThe regex set description.
AWS.Waf.RegexSet.LockTokenStringThe regex set lock token.
AWS.Waf.RegexSet.RegexPatternSets.ARNunknownThe regex set Amazon Resource Name.
AWS.Waf.RegexSetNextTokenStringThe token for the next page.

Command example#

!aws-waf-regex-set-list

Context Example#

{
"AWS": {
"Waf": {
"RegexSet": [
{
"ARN": "arn",
"Description": "",
"Id": "id",
"LockToken": "lockToken",
"Name": "name"
},
{
"ARN": "arn",
"Description": "",
"Id": "id1",
"LockToken": "lockToken1",
"Name": "name1"
}
],
"RegexSetNextToken": "name"
}
}
}

Human Readable Output#

List regex Sets#

NameIdARNDescription
nameidarn
name1id1arn

aws-waf-regex-set-delete#


Delete a specific regex set.

Base Command#

aws-waf-regex-set-delete

Input#

Argument NameDescriptionRequired
nameThe regex set name.Required
scopeThe regex set scope. Possible values are: Global, Regional. Default is Regional.Optional
idThe regex set ID.Required
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional

Context Output#

There is no context output for this command.

aws-waf-rule-group-list#


Lists rule groups.

Base Command#

aws-waf-rule-group-list

Input#

Argument NameDescriptionRequired
scopeThe rule group scope. Possible values are: Global, Regional. Default is Regional.Optional
next_tokenThe token for the next page.Optional
limitThe maximum number of results to return. Default is 50.Optional
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional

Context Output#

PathTypeDescription
AWS.Waf.RuleGroup.IdStringThe rule group ID.
AWS.Waf.RuleGroup.NameStringThe rule group name.
AWS.Waf.RuleGroup.DescriptionStringThe rule group description.
AWS.Waf.RuleGroup.LockTokenStringThe rule group lock token.
AWS.Waf.RuleGroup.ARNunknownThe rule group Amazon Resource Name.
AWS.Waf.RuleGroupNextTokenStringThe token for the next page.

Command example#

!aws-waf-rule-group-list

Context Example#

{
"AWS": {
"Waf": {
"RuleGroup": [
{
"ARN": "arn",
"Description": "",
"Id": "id",
"LockToken": "lockToken",
"Name": "name"
},
{
"ARN": "arn",
"Description": "",
"Id": "id1",
"LockToken": "lockToken1",
"Name": "name1"
}
],
"RuleGroupNextToken": "name"
}
}
}

Human Readable Output#

List rule groups#

NameIdARNDescription
nameidarn
name1id1arn

aws-waf-rule-group-get#


Get a specific rule group.

Base Command#

aws-waf-rule-group-get

Input#

Argument NameDescriptionRequired
nameThe rule group name.Required
scopeThe rule group scope. Possible values are: Global, Regional. Default is Regional.Optional
idThe rule group ID.Required
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional

Context Output#

PathTypeDescription
AWS.Waf.RuleGroup.IdStringThe rule group ID.
AWS.Waf.RuleGroup.NameStringThe rule group name.
AWS.Waf.RuleGroup.DescriptionStringThe rule group description.
AWS.Waf.RuleGroup.RulesStringThe rule group rules.
AWS.Waf.RuleGroup.ARNStringThe rule group Amazon Resource Name.

Command example#

!aws-waf-rule-group-get id=id name=name

Context Example#

{
"AWS": {
"Waf": {
"RuleGroup": {
"ARN": "arn",
"Capacity": 1500,
"Description": "",
"Id": "id",
"LabelNamespace": "LabelNamespace",
"Name": "name",
"Rules": [
{
"Action": {
"Allow": {}
},
"Name": "name",
"Priority": 1,
"Statement": {
"AndStatement": {
"Statements": [
{
"ByteMatchStatement": {
"FieldToMatch": {
"Body": {
"OversizeHandling": "CONTINUE"
}
},
"PositionalConstraint": "CONTAINS_WORD",
"SearchString": "ssss",
"TextTransformations": [
{
"Priority": 0,
"Type": "BASE64_DECODE_EXT"
}
]
}
},
{
"ByteMatchStatement": {
"FieldToMatch": {
"Body": {
"OversizeHandling": "CONTINUE"
}
},
"PositionalConstraint": "CONTAINS_WORD",
"SearchString": "fyfyu",
"TextTransformations": [
{
"Priority": 0,
"Type": "BASE64_DECODE_EXT"
}
]
}
}
]
}
},
"VisibilityConfig": {
"CloudWatchMetricsEnabled": true,
"MetricName": "Hey_Test",
"SampledRequestsEnabled": true
}
},
{
"Action": {
"Allow": {}
},
"Name": "name1",
"Priority": 2,
"Statement": {
"AndStatement": {
"Statements": [
{
"IPSetReferenceStatement": {
"ARN": "arn"
}
},
{
"IPSetReferenceStatement": {
"ARN": "arn"
}
},
{
"IPSetReferenceStatement": {
"ARN": "arn"
}
}
]
}
},
"VisibilityConfig": {
"CloudWatchMetricsEnabled": true,
"MetricName": "name",
"SampledRequestsEnabled": true
}
},
{
"Action": {
"Allow": {}
},
"Name": "Name1",
"Priority": 3,
"Statement": {
"ByteMatchStatement": {
"FieldToMatch": {
"UriPath": {}
},
"PositionalConstraint": "CONTAINS",
"SearchString": "sdf",
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
]
}
},
"VisibilityConfig": {
"CloudWatchMetricsEnabled": true,
"MetricName": "Name1",
"SampledRequestsEnabled": true
}
},
{
"Action": {
"Allow": {}
},
"Name": "Name11",
"Priority": 4,
"Statement": {
"RegexPatternSetReferenceStatement": {
"ARN": "arn",
"FieldToMatch": {
"UriPath": {}
},
"TextTransformations": [
{
"Priority": 0,
"Type": "NONE"
}
]
}
},
"VisibilityConfig": {
"CloudWatchMetricsEnabled": true,
"MetricName": "name",
"SampledRequestsEnabled": true
}
}
],
"VisibilityConfig": {
"CloudWatchMetricsEnabled": true,
"MetricName": "name",
"SampledRequestsEnabled": true
}
}
}
}
}

Human Readable Output#

Rule group#

IdNameDescription
Idname

aws-waf-rule-group-delete#


Delete a specific rule group.

Base Command#

aws-waf-rule-group-delete

Input#

Argument NameDescriptionRequired
nameThe rule group name.Required
scopeThe rule group scope. Possible values are: Global, Regional. Default is Regional.Optional
idThe rule group ID.Required
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional

Context Output#

There is no context output for this command.

aws-waf-rule-group-create#


Create a new rule group.

Base Command#

aws-waf-rule-group-create

Input#

Argument NameDescriptionRequired
nameThe rule group name.Required
scopeThe rule group scope. Possible values are: Global, Regional. Default is Regional.Optional
capacityThe rule group capacity.Required
descriptionThe rule group description.Optional
cloud_watch_metrics_enabledWhether the associated resource sends metrics to Amazon CloudWatch. Possible values are: true, false. Default is true.Optional
metric_nameThe name of the Amazon CloudWatch metric dimension. The name can contain only the alphanumeric characters, hyphen, and underscore. The name can be from one to 128 characters long. It can't contain whitespace or metric names that are reserved for AWS WAF. The default will be the same as the group name provided in the name argument.Optional
sampled_requests_enabledWhether to store a sampling of the web requests that match the rules. Possible values are: true, false. Default is true.Optional
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional
tag_keyA comma-separated list of the keys of the tags to associate with the rule group.Optional
tag_valueA comma-separated list of the values of the tags to associate with the rule group.Optional

Context Output#

PathTypeDescription
AWS.Waf.RuleGroup.IdStringThe rule group ID.
AWS.Waf.RuleGroup.NameStringThe rule group name.
AWS.Waf.RuleGroup.DescriptionStringThe rule group description.
AWS.Waf.RuleGroup.LockTokenStringThe rule group lock token.
AWS.Waf.RuleGroup.ARNStringThe rule group Amazon Resource Name.

Command example#

!aws-waf-rule-group-create capacity=1500 name=name

Context Example#

{
"AWS": {
"Waf": {
"RuleGroup": {
"ARN": "arn",
"Description": "",
"Id": "id",
"LockToken": "lockToken",
"Name": "name"
}
}
}
}

Human Readable Output#

AWS Waf rule group with id id was created successfully

aws-waf-ip-rule-create#


Create an IP rule.

Base Command#

aws-waf-ip-rule-create

Input#

Argument NameDescriptionRequired
group_idThe rule group ID to associate the rule to.Required
group_nameThe rule group name to associate the rule to.Required
rule_nameThe rule name.Required
scopeThe rule scope. Possible values are: Global, Regional. Default is Regional.Optional
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional
priorityThe rule priority.Required
actionThe rule action. Possible values are: Allow, Block, Count, Captcha, Challenge.Required
ip_set_arnA comma-separated list of the IP set ARN. You can get those values by running the aws-waf-ip-set-list command.Required
condition_operatorThe rule condition operator. If more than one value to the ip_set_arn argument is provided, a value must be provided. Possible values are: And, Or, Not.Optional

Context Output#

There is no context output for this command.

aws-waf-country-rule-create#


Create a country rule.

Base Command#

aws-waf-country-rule-create

Input#

Argument NameDescriptionRequired
group_idThe rule group ID to associate the rule to.Required
group_nameThe rule group name to associate the rule to.Required
rule_nameThe rule name.Required
scopeThe rule scope. Possible values are: Global, Regional. Default is Regional.Optional
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional
priorityThe rule priority.Required
actionThe rule action. Possible values are: Allow, Block, Count, Captcha, Challenge.Required
country_codesA comma-separated list of two-character country codes.Required

Context Output#

There is no context output for this command.

aws-waf-string-match-rule-create#


Create a string match rule.

Base Command#

aws-waf-string-match-rule-create

Input#

Argument NameDescriptionRequired
group_idThe rule group ID to associate the rule to.Required
group_nameThe rule group name to associate the rule to.Required
rule_nameThe rule name.Required
scopeThe rule scope. Possible values are: Global, Regional. Default is Regional.Optional
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional
priorityThe rule priority.Required
actionThe rule action. Possible values are: Allow, Block, Count, Captcha, Challenge.Required
match_typeThe string match type. Possible values are: Exactly Matches String, Starts With String, Ends With String, Contains String, Contains Words, Matches Regex Pattern Set.Required
string_to_matchThe string to match. If the match_type is Contains Words, a value must be provided.Optional
regex_set_arnThe regex set ARN. You can get those values by running the aws-waf-regex-set-list command. If the match_type is Matches Regex Pattern Set, a value must be provided.Optional
web_request_componentThe web component to inspect. Possible values are: Headers, Cookies, Query Parameters, Uri Path, Query String, Body, HTTP Method.Required
oversize_handlingAWS WAF applies oversize handling to web request contents that are larger than AWS WAF can inspect. If the web_request_component is Headers, Cookies or Body, a value must be provided. Possible values are: CONTINUE, MATCH, NO_MATCH.Optional
text_transformationThe text transformation to perform. Possible values are: NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI, UTF8_TO_UNICODE. Default is NONE.Optional

Context Output#

There is no context output for this command.

aws-waf-rule-delete#


Delete a specific rule from a rule group.

Base Command#

aws-waf-rule-delete

Input#

Argument NameDescriptionRequired
group_idThe rule group ID to delete the rule from.Required
group_nameThe rule group name to delete the rule from.Required
rule_nameThe rule name.Required
scopeThe rule scope. Possible values are: Global, Regional. Default is Regional.Optional
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional

Context Output#

There is no context output for this command.

aws-waf-ip-statement-add#


Adds an IP statement to an existing rule.

Base Command#

aws-waf-ip-statement-add

Input#

Argument NameDescriptionRequired
group_idThe rule group ID to associate the statement to.Required
group_nameThe rule group name to associate the statement to.Required
rule_nameThe rule name to associate the statement to.Required
scopeThe rule scope. Possible values are: Global, Regional. Default is Regional.Optional
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional
ip_set_arnThe IP set ARN. You can get this value by running the aws-waf-ip-set-list command.Required
condition_operatorThe rule condition operator. If the rule contains only one statement, a value must be provided. If the rule already contains multiple statements, this argument would be ignored. Possible values are: And, Or.Optional

Context Output#

There is no context output for this command.

aws-waf-country-statement-add#


Adds a country statement to an existing rule.

Base Command#

aws-waf-country-statement-add

Input#

Argument NameDescriptionRequired
group_idThe rule group ID to associate the statement to.Required
group_nameThe rule group name to associate the statement to.Required
rule_nameThe rule name to associate the statement to.Required
scopeThe rule scope. Possible values are: Global, Regional. Default is Regional.Optional
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional
country_codesA comma-separated list of two-character country codes.Required
condition_operatorThe rule condition operator. If the rule contains only one statement, a value must be provided. If the rule already contains multiple statements, this argument would be ignored. Possible values are: And, Or.Optional

Context Output#

There is no context output for this command.

aws-waf-string-match-statement-add#


Adds a string match statement to an existing rule.

Base Command#

aws-waf-string-match-statement-add

Input#

Argument NameDescriptionRequired
group_idThe rule group ID to associate the statement to.Required
group_nameThe rule group name to associate the statement to.Required
rule_nameThe rule name to associate the statement to.Required
scopeThe rule scope. Possible values are: Global, Regional. Default is Regional.Optional
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional
match_typeThe string match type. Possible values are: Exactly Matches String, Starts With String, Ends With String, Contains String, Contains Words, Matches Regex Pattern Set.Required
string_to_matchThe string to match. If the match_type is Contains Words, a value must be provided.Optional
regex_set_arnThe regex set ARN. You can get those values by running the aws-waf-regex-set-list command. If the match_type is Matches Regex Pattern Set, a value must be provided.Optional
web_request_componentThe web component to inspect. Possible values are: Headers, Cookies, Query Parameters, Uri Path, Query String, Body, HTTP Method.Required
oversize_handlingAWS WAF applies oversize handling to web request contents that are larger than AWS WAF can inspect. If the web_request_component is Headers, Cookies or Body, a value must be provided. Possible values are: CONTINUE, MATCH, NO_MATCH.Optional
text_transformationThe text transformation to perform. Possible values are: NONE, COMPRESS_WHITE_SPACE, HTML_ENTITY_DECODE, LOWERCASE, CMD_LINE, URL_DECODE, BASE64_DECODE, HEX_DECODE, MD5, REPLACE_COMMENTS, ESCAPE_SEQ_DECODE, SQL_HEX_DECODE, CSS_DECODE, JS_DECODE, NORMALIZE_PATH, NORMALIZE_PATH_WIN, REMOVE_NULLS, REPLACE_NULLS, BASE64_DECODE_EXT, URL_DECODE_UNI, UTF8_TO_UNICODE. Default is NONE.Optional
condition_operatorThe rule condition operator. If the rule contains only one statement, a value must be provided. If the rule already contains multiple statements, this argument would be ignored. Possible values are: And, Or.Optional

Context Output#

There is no context output for this command.

aws-waf-statement-json-add#


Adds a generic statement to an existing rule.

Base Command#

aws-waf-statement-json-add

Input#

Argument NameDescriptionRequired
group_idThe rule group ID to associate the statement to.Required
group_nameThe rule group name to associate the statement to.Required
rule_nameThe rule name to associate the statement to.Required
scopeThe rule scope. Possible values are: Global, Regional. Default is Regional.Optional
regionThe AWS Region. If not specified, the default region will be used. Possible values are: us-east-1, us-east-2, us-west-1, us-west-2, ca-central-1, eu-west-1, eu-central-1, eu-west-2, ap-northeast-1, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-south-1, sa-east-1, eu-north-1, eu-west-3, us-gov-east-1, us-gov-west-1.Optional
statement_jsonA generic JSON statement to add to the rule. You can get the templates by running the aws-waf-statement-json-template-get command.Required
condition_operatorThe rule condition operator. If the rule contains only one statement, a value must be provided. If the rule already contains multiple statements, this argument would be ignored. Possible values are: And, Or.Optional

Context Output#

There is no context output for this command.

aws-waf-statement-json-template-get#


Gets the statement template.

Base Command#

aws-waf-statement-json-template-get

Input#

Argument NameDescriptionRequired
statement_typeThe statement type. Possible values are: Ip Set, Country, String Match, Regex Pattern.Required
web_request_componentThe web component to inspect. Possible values are: Headers, Cookies, Query Parameters, Uri Path, Query String, Body, HTTP Method.Optional

Context Output#

There is no context output for this command.