aws_sdk_wafv2

Module types

Source
Expand description

Data structures used by operation inputs/outputs.

Modules§

  • builders
    Builders
  • error
    Error types that AWS WAFV2 can respond with.

Structs§

  • ActionCondition

    A single action condition for a Condition in a logging filter.

  • AddressField

    The name of a field in the request payload that contains part or all of your customer's primary physical address.

    This data type is used in the RequestInspectionACFP data type.

  • All

    Inspect all of the elements that WAF has parsed and extracted from the web request component that you've identified in your FieldToMatch specifications.

    This is used in the FieldToMatch specification for some web request component types.

    JSON specification: "All": {}

  • AllQueryArguments

    Inspect all query arguments of the web request.

    This is used in the FieldToMatch specification for some web request component types.

    JSON specification: "AllQueryArguments": {}

  • AllowAction

    Specifies that WAF should allow the request and optionally defines additional custom handling for the request.

    This is used in the context of other settings, for example to specify values for RuleAction and web ACL DefaultAction.

  • AndStatement

    A logical rule statement used to combine other rule statements with AND logic. You provide more than one Statement within the AndStatement.

  • ApiKeySummary

    Information for a single API key.

    API keys are required for the integration of the CAPTCHA API in your JavaScript client applications. The API lets you customize the placement and characteristics of the CAPTCHA puzzle for your end users. For more information about the CAPTCHA JavaScript integration, see WAF client application integration in the WAF Developer Guide.

  • AssociationConfig

    Specifies custom configurations for the associations between the web ACL and protected resources.

    Use this to customize the maximum size of the request body that your protected resources forward to WAF for inspection. You can customize this setting for CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources. The default setting is 16 KB (16,384 bytes).

    You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.

    For Application Load Balancer and AppSync, the limit is fixed at 8 KB (8,192 bytes).

  • AwsManagedRulesAcfpRuleSet

    Details for your use of the account creation fraud prevention managed rule group, AWSManagedRulesACFPRuleSet. This configuration is used in ManagedRuleGroupConfig.

  • AwsManagedRulesAtpRuleSet

    Details for your use of the account takeover prevention managed rule group, AWSManagedRulesATPRuleSet. This configuration is used in ManagedRuleGroupConfig.

  • AwsManagedRulesBotControlRuleSet

    Details for your use of the Bot Control managed rule group, AWSManagedRulesBotControlRuleSet. This configuration is used in ManagedRuleGroupConfig.

  • BlockAction

    Specifies that WAF should block the request and optionally defines additional custom handling for the response to the web request.

    This is used in the context of other settings, for example to specify values for RuleAction and web ACL DefaultAction.

  • Body

    Inspect the body of the web request. The body immediately follows the request headers.

    This is used to indicate the web request component to inspect, in the FieldToMatch specification.

  • ByteMatchStatement

    A rule statement that defines a string match search for WAF to apply to web requests. The byte match statement provides the bytes to search for, the location in requests that you want WAF to search, and other settings. The bytes to search for are typically a string that corresponds with ASCII characters. In the WAF console and the developer guide, this is called a string match statement.

  • CaptchaAction

    Specifies that WAF should run a CAPTCHA check against the request:

    • If the request includes a valid, unexpired CAPTCHA token, WAF applies any custom request handling and labels that you've configured and then allows the web request inspection to proceed to the next rule, similar to a CountAction.

    • If the request doesn't include a valid, unexpired token, WAF discontinues the web ACL evaluation of the request and blocks it from going to its intended destination.

      WAF generates a response that it sends back to the client, which includes the following:

      • The header x-amzn-waf-action with a value of captcha.

      • The HTTP status code 405 Method Not Allowed.

      • If the request contains an Accept header with a value of text/html, the response includes a CAPTCHA JavaScript page interstitial.

    You can configure the expiration time in the CaptchaConfig ImmunityTimeProperty setting at the rule and web ACL level. The rule setting overrides the web ACL setting.

    This action option is available for rules. It isn't available for web ACL default actions.

  • CaptchaConfig

    Specifies how WAF should handle CAPTCHA evaluations. This is available at the web ACL level and in each rule.

  • CaptchaResponse

    The result from the inspection of the web request for a valid CAPTCHA token.

  • ChallengeAction

    Specifies that WAF should run a Challenge check against the request to verify that the request is coming from a legitimate client session:

    • If the request includes a valid, unexpired challenge token, WAF applies any custom request handling and labels that you've configured and then allows the web request inspection to proceed to the next rule, similar to a CountAction.

    • If the request doesn't include a valid, unexpired challenge token, WAF discontinues the web ACL evaluation of the request and blocks it from going to its intended destination.

      WAF then generates a challenge response that it sends back to the client, which includes the following:

      • The header x-amzn-waf-action with a value of challenge.

      • The HTTP status code 202 Request Accepted.

      • If the request contains an Accept header with a value of text/html, the response includes a JavaScript page interstitial with a challenge script.

      Challenges run silent browser interrogations in the background, and don't generally affect the end user experience.

      A challenge enforces token acquisition using an interstitial JavaScript challenge that inspects the client session for legitimate behavior. The challenge blocks bots or at least increases the cost of operating sophisticated bots.

      After the client session successfully responds to the challenge, it receives a new token from WAF, which the challenge script uses to resubmit the original request.

    You can configure the expiration time in the ChallengeConfig ImmunityTimeProperty setting at the rule and web ACL level. The rule setting overrides the web ACL setting.

    This action option is available for rules. It isn't available for web ACL default actions.

  • ChallengeConfig

    Specifies how WAF should handle Challenge evaluations. This is available at the web ACL level and in each rule.

  • ChallengeResponse

    The result from the inspection of the web request for a valid challenge token.

  • Condition

    A single match condition for a Filter.

  • CookieMatchPattern

    The filter to use to identify the subset of cookies to inspect in a web request.

    You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies.

    Example JSON: "MatchPattern": { "IncludedCookies": \[ "session-id-time", "session-id" \] }

  • Cookies

    Inspect the cookies in the web request. You can specify the parts of the cookies to inspect and you can narrow the set of cookies to inspect by including or excluding specific keys.

    This is used to indicate the web request component to inspect, in the FieldToMatch specification.

    Example JSON: "Cookies": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", "OversizeHandling": "MATCH" }

  • CountAction

    Specifies that WAF should count the request. Optionally defines additional custom handling for the request.

    This is used in the context of other settings, for example to specify values for RuleAction and web ACL DefaultAction.

  • CustomHttpHeader

    A custom header for custom request and response handling. This is used in CustomResponse and CustomRequestHandling.

  • CustomRequestHandling

    Custom request handling behavior that inserts custom headers into a web request. You can add custom request handling for WAF to use when the rule action doesn't block the request. For example, CaptchaAction for requests with valid t okens, and AllowAction.

    For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the WAF Developer Guide.

  • CustomResponse

    A custom response to send to the client. You can define a custom response for rule actions and default web ACL actions that are set to BlockAction.

    For information about customizing web requests and responses, see Customizing web requests and responses in WAF in the WAF Developer Guide.

  • CustomResponseBody

    The response body to use in a custom response to a web request. This is referenced by key from CustomResponse CustomResponseBodyKey.

  • DefaultAction

    In a WebACL, this is the action that you want WAF to perform when a web request doesn't match any of the rules in the WebACL. The default action must be a terminating action.

  • EmailField

    The name of the field in the request payload that contains your customer's email.

    This data type is used in the RequestInspectionACFP data type.

  • ExcludedRule

    Specifies a single rule in a rule group whose action you want to override to Count.

    Instead of this option, use RuleActionOverrides. It accepts any valid action setting, including Count.

  • FieldToMatch

    Specifies a web request component to be used in a rule match statement or in a logging configuration.

    • In a rule statement, this is the part of the web request that you want WAF to inspect. Include the single FieldToMatch type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in FieldToMatch for each rule statement that requires it. To inspect more than one component of the web request, create a separate rule statement for each component.

      Example JSON for a QueryString field to match:

      "FieldToMatch": { "QueryString": {} }

      Example JSON for a Method field to match specification:

      "FieldToMatch": { "Method": { "Name": "DELETE" } }

    • In a logging configuration, this is used in the RedactedFields property to specify a field to redact from the logging records. For this use case, note the following:

      • Even though all FieldToMatch settings are available, the only valid settings for field redaction are UriPath, QueryString, SingleHeader, and Method.

      • In this documentation, the descriptions of the individual fields talk about specifying the web request component to inspect, but for field redaction, you are specifying the component type to redact from the logs.

      • If you have request sampling enabled, the redacted fields configuration for logging has no impact on sampling. The only way to exclude fields from request sampling is by disabling sampling in the web ACL visibility configuration.

  • Filter

    A single logging filter, used in LoggingFilter.

  • FirewallManagerRuleGroup

    A rule group that's defined for an Firewall Manager WAF policy.

  • FirewallManagerStatement

    The processing guidance for an Firewall Manager rule. This is like a regular rule Statement, but it can only contain a single rule group reference.

  • ForwardedIpConfig

    The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name.

    If the specified header isn't present in the request, WAF doesn't apply the rule to the web request at all.

    This configuration is used for GeoMatchStatement and RateBasedStatement. For IPSetReferenceStatement, use IPSetForwardedIPConfig instead.

    WAF only evaluates the first IP address found in the specified HTTP header.

  • GeoMatchStatement

    A rule statement that labels web requests by country and region and that matches against web requests based on country code. A geo match rule labels every request that it inspects regardless of whether it finds a match.

    • To manage requests only by country, you can use this statement by itself and specify the countries that you want to match against in the CountryCodes array.

    • Otherwise, configure your geo match rule with Count action so that it only labels requests. Then, add one or more label match rules to run after the geo match rule and configure them to match against the geographic labels and handle the requests as needed.

    WAF labels requests using the alpha-2 country and region codes from the International Organization for Standardization (ISO) 3166 standard. WAF determines the codes using either the IP address in the web request origin or, if you specify it, the address in the geo match ForwardedIPConfig.

    If you use the web request origin, the label formats are awswaf:clientip:geo:region: - and awswaf:clientip:geo:country:.

    If you use a forwarded IP address, the label formats are awswaf:forwardedip:geo:region: - and awswaf:forwardedip:geo:country:.

    For additional details, see Geographic match rule statement in the WAF Developer Guide.

  • HeaderMatchPattern

    The filter to use to identify the subset of headers to inspect in a web request.

    You must specify exactly one setting: either All, IncludedHeaders, or ExcludedHeaders.

    Example JSON: "MatchPattern": { "ExcludedHeaders": \[ "KeyToExclude1", "KeyToExclude2" \] }

  • HeaderOrder

    Inspect a string containing the list of the request's header names, ordered as they appear in the web request that WAF receives for inspection. WAF generates the string and then uses that as the field to match component in its inspection. WAF separates the header names in the string using colons and no added spaces, for example host:user-agent:accept:authorization:referer.

  • Headers

    Inspect all headers in the web request. You can specify the parts of the headers to inspect and you can narrow the set of headers to inspect by including or excluding specific keys.

    This is used to indicate the web request component to inspect, in the FieldToMatch specification.

    If you want to inspect just the value of a single header, use the SingleHeader FieldToMatch setting instead.

    Example JSON: "Headers": { "MatchPattern": { "All": {} }, "MatchScope": "KEY", "OversizeHandling": "MATCH" }

  • HttpHeader

    Part of the response from GetSampledRequests. This is a complex type that appears as Headers in the response syntax. HTTPHeader contains the names and values of all of the headers that appear in one of the web requests.

  • HttpRequest

    Part of the response from GetSampledRequests. This is a complex type that appears as Request in the response syntax. HTTPRequest contains information about one of the web requests.

  • ImmunityTimeProperty

    Used for CAPTCHA and challenge token settings. Determines how long a CAPTCHA or challenge timestamp remains valid after WAF updates it for a successful CAPTCHA or challenge response.

  • IpSet

    Contains zero or more IP addresses or blocks of IP addresses specified in Classless Inter-Domain Routing (CIDR) notation. WAF supports all IPv4 and IPv6 CIDR ranges except for /0. For information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.

    WAF assigns an ARN to each IPSet that you create. To use an IP set in a rule, you provide the ARN to the Rule statement IPSetReferenceStatement.

  • IpSetForwardedIpConfig

    The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. Commonly, this is the X-Forwarded-For (XFF) header, but you can specify any header name.

    If the specified header isn't present in the request, WAF doesn't apply the rule to the web request at all.

    This configuration is used only for IPSetReferenceStatement. For GeoMatchStatement and RateBasedStatement, use ForwardedIPConfig instead.

  • IpSetReferenceStatement

    A rule statement used to detect web requests coming from particular IP addresses or address ranges. To use this, create an IPSet that specifies the addresses you want to detect, then use the ARN of that set in this statement. To create an IP set, see CreateIPSet.

    Each IP set rule statement references an IP set. You create and maintain the set independent of your rules. This allows you to use the single set in multiple rules. When you update the referenced set, WAF automatically updates all rules that reference it.

  • IpSetSummary

    High-level information about an IPSet, returned by operations like create and list. This provides information like the ID, that you can use to retrieve and manage an IPSet, and the ARN, that you provide to the IPSetReferenceStatement to use the address set in a Rule.

  • Ja3Fingerprint

    Available for use with Amazon CloudFront distributions and Application Load Balancers. Match against the request's JA3 fingerprint. The JA3 fingerprint is a 32-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information.

    You can use this choice only with a string match ByteMatchStatement with the PositionalConstraint set to EXACTLY.

    You can obtain the JA3 fingerprint for client requests from the web ACL logs. If WAF is able to calculate the fingerprint, it includes it in the logs. For information about the logging fields, see Log fields in the WAF Developer Guide.

    Provide the JA3 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration.

  • JsonBody

    Inspect the body of the web request as JSON. The body immediately follows the request headers.

    This is used to indicate the web request component to inspect, in the FieldToMatch specification.

    Use the specifications in this object to indicate which parts of the JSON body to inspect using the rule's inspection criteria. WAF inspects only the parts of the JSON that result from the matches that you indicate.

    Example JSON: "JsonBody": { "MatchPattern": { "All": {} }, "MatchScope": "ALL" }

    For additional information about this request component option, see JSON body in the WAF Developer Guide.

  • JsonMatchPattern

    The patterns to look for in the JSON body. WAF inspects the results of these pattern matches against the rule inspection criteria. This is used with the FieldToMatch option JsonBody.

  • Label

    A single label container. This is used as an element of a label array in multiple contexts, for example, in RuleLabels inside a Rule and in Labels inside a SampledHTTPRequest.

  • LabelMatchStatement

    A rule statement to match against labels that have been added to the web request by rules that have already run in the web ACL.

    The label match statement provides the label or namespace string to search for. The label string can represent a part or all of the fully qualified label name that had been added to the web request. Fully qualified labels have a prefix, optional namespaces, and label name. The prefix identifies the rule group or web ACL context of the rule that added the label. If you do not provide the fully qualified name in your label match string, WAF performs the search for labels that were added in the same context as the label match statement.

  • LabelNameCondition

    A single label name condition for a Condition in a logging filter.

  • LabelSummary

    List of labels used by one or more of the rules of a RuleGroup. This summary object is used for the following rule group lists:

    • AvailableLabels - Labels that rules add to matching requests. These labels are defined in the RuleLabels for a Rule.

    • ConsumedLabels - Labels that rules match against. These labels are defined in a LabelMatchStatement specification, in the Statement definition of a rule.

  • LoggingConfiguration

    Defines an association between logging destinations and a web ACL resource, for logging from WAF. As part of the association, you can specify parts of the standard logging fields to keep out of the logs and you can specify filters so that you log only a subset of the logging records.

    You can define one logging destination per web ACL.

    You can access information about the traffic that WAF inspects using the following steps:

    1. Create your logging destination. You can use an Amazon CloudWatch Logs log group, an Amazon Simple Storage Service (Amazon S3) bucket, or an Amazon Kinesis Data Firehose.

      The name that you give the destination must start with aws-waf-logs-. Depending on the type of destination, you might need to configure additional settings or permissions.

      For configuration requirements and pricing information for each destination type, see Logging web ACL traffic in the WAF Developer Guide.

    2. Associate your logging destination to your web ACL using a PutLoggingConfiguration request.

    When you successfully enable logging using a PutLoggingConfiguration request, WAF creates an additional role or policy that is required to write logs to the logging destination. For an Amazon CloudWatch Logs log group, WAF creates a resource policy on the log group. For an Amazon S3 bucket, WAF creates a bucket policy. For an Amazon Kinesis Data Firehose, WAF creates a service-linked role.

    For additional information about web ACL logging, see Logging web ACL traffic information in the WAF Developer Guide.

  • LoggingFilter

    Filtering that specifies which web requests are kept in the logs and which are dropped, defined for a web ACL's LoggingConfiguration.

    You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation.

  • ManagedProductDescriptor

    The properties of a managed product, such as an Amazon Web Services Managed Rules rule group or an Amazon Web Services Marketplace managed rule group.

  • ManagedRuleGroupConfig

    Additional information that's used by a managed rule group. Many managed rule groups don't require this.

    The rule groups used for intelligent threat mitigation require additional configuration:

    • Use the AWSManagedRulesACFPRuleSet configuration object to configure the account creation fraud prevention managed rule group. The configuration includes the registration and sign-up pages of your application and the locations in the account creation request payload of data, such as the user email and phone number fields.

    • Use the AWSManagedRulesATPRuleSet configuration object to configure the account takeover prevention managed rule group. The configuration includes the sign-in page of your application and the locations in the login request payload of data such as the username and password.

    • Use the AWSManagedRulesBotControlRuleSet configuration object to configure the protection level that you want the Bot Control rule group to use.

    For example specifications, see the examples section of CreateWebACL.

  • ManagedRuleGroupStatement

    A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names by calling ListAvailableManagedRuleGroups.

    You cannot nest a ManagedRuleGroupStatement, for example for use inside a NotStatement or OrStatement. You cannot use a managed rule group inside another rule group. You can only reference a managed rule group as a top-level statement within a rule that you define in a web ACL.

    You are charged additional fees when you use the WAF Bot Control managed rule group AWSManagedRulesBotControlRuleSet, the WAF Fraud Control account takeover prevention (ATP) managed rule group AWSManagedRulesATPRuleSet, or the WAF Fraud Control account creation fraud prevention (ACFP) managed rule group AWSManagedRulesACFPRuleSet. For more information, see WAF Pricing.

  • ManagedRuleGroupSummary

    High-level information about a managed rule group, returned by ListAvailableManagedRuleGroups. This provides information like the name and vendor name, that you provide when you add a ManagedRuleGroupStatement to a web ACL. Managed rule groups include Amazon Web Services Managed Rules rule groups and Amazon Web Services Marketplace managed rule groups. To use any Amazon Web Services Marketplace managed rule group, first subscribe to the rule group through Amazon Web Services Marketplace.

  • ManagedRuleGroupVersion

    Describes a single version of a managed rule group.

  • ManagedRuleSet

    A set of rules that is managed by Amazon Web Services and Amazon Web Services Marketplace sellers to provide versioned managed rule groups for customers of WAF.

    This is intended for use only by vendors of managed rule sets. Vendors are Amazon Web Services and Amazon Web Services Marketplace sellers.

    Vendors, you can use the managed rule set APIs to provide controlled rollout of your versioned managed rule group offerings for your customers. The APIs are ListManagedRuleSets, GetManagedRuleSet, PutManagedRuleSetVersions, and UpdateManagedRuleSetVersionExpiryDate.

  • ManagedRuleSetSummary

    High-level information for a managed rule set.

    This is intended for use only by vendors of managed rule sets. Vendors are Amazon Web Services and Amazon Web Services Marketplace sellers.

    Vendors, you can use the managed rule set APIs to provide controlled rollout of your versioned managed rule group offerings for your customers. The APIs are ListManagedRuleSets, GetManagedRuleSet, PutManagedRuleSetVersions, and UpdateManagedRuleSetVersionExpiryDate.

  • ManagedRuleSetVersion

    Information for a single version of a managed rule set.

    This is intended for use only by vendors of managed rule sets. Vendors are Amazon Web Services and Amazon Web Services Marketplace sellers.

    Vendors, you can use the managed rule set APIs to provide controlled rollout of your versioned managed rule group offerings for your customers. The APIs are ListManagedRuleSets, GetManagedRuleSet, PutManagedRuleSetVersions, and UpdateManagedRuleSetVersionExpiryDate.

  • Method

    Inspect the HTTP method of the web request. The method indicates the type of operation that the request is asking the origin to perform.

    This is used in the FieldToMatch specification for some web request component types.

    JSON specification: "Method": {}

  • MobileSdkRelease

    Information for a release of the mobile SDK, including release notes and tags.

    The mobile SDK is not generally available. Customers who have access to the mobile SDK can use it to establish and manage WAF tokens for use in HTTP(S) requests from a mobile device to WAF. For more information, see WAF client application integration in the WAF Developer Guide.

  • NoneAction

    Specifies that WAF should do nothing. This is used for the OverrideAction setting on a Rule when the rule uses a rule group reference statement.

    This is used in the context of other settings, for example to specify values for RuleAction and web ACL DefaultAction.

    JSON specification: "None": {}

  • NotStatement

    A logical rule statement used to negate the results of another rule statement. You provide one Statement within the NotStatement.

  • OrStatement

    A logical rule statement used to combine other rule statements with OR logic. You provide more than one Statement within the OrStatement.

  • OverrideAction

    The action to use in the place of the action that results from the rule group evaluation. Set the override action to none to leave the result of the rule group alone. Set it to count to override the result to count only.

    You can only use this for rule statements that reference a rule group, like RuleGroupReferenceStatement and ManagedRuleGroupStatement.

    This option is usually set to none. It does not affect how the rules in the rule group are evaluated. If you want the rules in the rule group to only count matches, do not use this and instead use the rule action override option, with Count action, in your rule group reference statement settings.

  • PasswordField

    The name of the field in the request payload that contains your customer's password.

    This data type is used in the RequestInspection and RequestInspectionACFP data types.

  • PhoneNumberField

    The name of a field in the request payload that contains part or all of your customer's primary phone number.

    This data type is used in the RequestInspectionACFP data type.

  • QueryString

    Inspect the query string of the web request. This is the part of a URL that appears after a ? character, if any.

    This is used in the FieldToMatch specification for some web request component types.

    JSON specification: "QueryString": {}

  • RateBasedStatement

    A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance.

    If you change any of these settings in a rule that's currently in use, the change resets the rule's rate limiting counts. This can pause the rule's rate limiting activities for up to a minute.

    You can specify individual aggregation keys, like IP address or HTTP method. You can also specify aggregation key combinations, like IP address and HTTP method, or HTTP method, query argument, and cookie.

    Each unique set of values for the aggregation keys that you specify is a separate aggregation instance, with the value from each key contributing to the aggregation instance definition.

    For example, assume the rule evaluates web requests with the following IP address and HTTP method values:

    • IP address 10.1.1.1, HTTP method POST

    • IP address 10.1.1.1, HTTP method GET

    • IP address 127.0.0.0, HTTP method POST

    • IP address 10.1.1.1, HTTP method GET

    The rule would create different aggregation instances according to your aggregation criteria, for example:

    • If the aggregation criteria is just the IP address, then each individual address is an aggregation instance, and WAF counts requests separately for each. The aggregation instances and request counts for our example would be the following:

      • IP address 10.1.1.1: count 3

      • IP address 127.0.0.0: count 1

    • If the aggregation criteria is HTTP method, then each individual HTTP method is an aggregation instance. The aggregation instances and request counts for our example would be the following:

      • HTTP method POST: count 2

      • HTTP method GET: count 2

    • If the aggregation criteria is IP address and HTTP method, then each IP address and each HTTP method would contribute to the combined aggregation instance. The aggregation instances and request counts for our example would be the following:

      • IP address 10.1.1.1, HTTP method POST: count 1

      • IP address 10.1.1.1, HTTP method GET: count 2

      • IP address 127.0.0.0, HTTP method POST: count 1

    For any n-tuple of aggregation keys, each unique combination of values for the keys defines a separate aggregation instance, which WAF counts and rate-limits individually.

    You can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts and rate limits requests that match the nested statement. You can use this nested scope-down statement in conjunction with your aggregation key specifications or you can just count and rate limit all requests that match the scope-down statement, without additional aggregation. When you choose to just manage all requests that match a scope-down statement, the aggregation instance is singular for the rule.

    You cannot nest a RateBasedStatement inside another statement, for example inside a NotStatement or OrStatement. You can define a RateBasedStatement inside a web ACL and inside a rule group.

    For additional information about the options, see Rate limiting web requests using rate-based rules in the WAF Developer Guide.

    If you only aggregate on the individual IP address or forwarded IP address, you can retrieve the list of IP addresses that WAF is currently rate limiting for a rule through the API call GetRateBasedStatementManagedKeys. This option is not available for other aggregation configurations.

    WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by WAF. If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by WAF.

  • RateBasedStatementCustomKey

    Specifies a single custom aggregate key for a rate-base rule.

    Web requests that are missing any of the components specified in the aggregation keys are omitted from the rate-based rule evaluation and handling.

  • RateBasedStatementManagedKeysIpSet

    The set of IP addresses that are currently blocked for a RateBasedStatement. This is only available for rate-based rules that aggregate on just the IP address, with the AggregateKeyType set to IP or FORWARDED_IP.

    A rate-based rule applies its rule action to requests from IP addresses that are in the rule's managed keys list and that match the rule's scope-down statement. When a rule has no scope-down statement, it applies the action to all requests from the IP addresses that are in the list. The rule applies its rule action to rate limit the matching requests. The action is usually Block but it can be any valid rule action except for Allow.

    The maximum number of IP addresses that can be rate limited by a single rate-based rule instance is 10,000. If more than 10,000 addresses exceed the rate limit, WAF limits those with the highest rates.

  • RateLimitCookie

    Specifies a cookie as an aggregate key for a rate-based rule. Each distinct value in the cookie contributes to the aggregation instance. If you use a single cookie as your custom key, then each value fully defines an aggregation instance.

  • RateLimitForwardedIp

    Specifies the first IP address in an HTTP header as an aggregate key for a rate-based rule. Each distinct forwarded IP address contributes to the aggregation instance.

    This setting is used only in the RateBasedStatementCustomKey specification of a rate-based rule statement. When you specify an IP or forwarded IP in the custom key settings, you must also specify at least one other key to use. You can aggregate on only the forwarded IP address by specifying FORWARDED_IP in your rate-based statement's AggregateKeyType.

    This data type supports using the forwarded IP address in the web request aggregation for a rate-based rule, in RateBasedStatementCustomKey. The JSON specification for using the forwarded IP address doesn't explicitly use this data type.

    JSON specification: "ForwardedIP": {}

    When you use this specification, you must also configure the forwarded IP address in the rate-based statement's ForwardedIPConfig.

  • RateLimitHeader

    Specifies a header as an aggregate key for a rate-based rule. Each distinct value in the header contributes to the aggregation instance. If you use a single header as your custom key, then each value fully defines an aggregation instance.

  • RateLimitHttpMethod

    Specifies the request's HTTP method as an aggregate key for a rate-based rule. Each distinct HTTP method contributes to the aggregation instance. If you use just the HTTP method as your custom key, then each method fully defines an aggregation instance.

    JSON specification: "RateLimitHTTPMethod": {}

  • RateLimitIp

    Specifies the IP address in the web request as an aggregate key for a rate-based rule. Each distinct IP address contributes to the aggregation instance.

    This setting is used only in the RateBasedStatementCustomKey specification of a rate-based rule statement. To use this in the custom key settings, you must specify at least one other key to use, along with the IP address. To aggregate on only the IP address, in your rate-based statement's AggregateKeyType, specify IP.

    JSON specification: "RateLimitIP": {}

  • RateLimitLabelNamespace

    Specifies a label namespace to use as an aggregate key for a rate-based rule. Each distinct fully qualified label name that has the specified label namespace contributes to the aggregation instance. If you use just one label namespace as your custom key, then each label name fully defines an aggregation instance.

    This uses only labels that have been added to the request by rules that are evaluated before this rate-based rule in the web ACL.

    For information about label namespaces and names, see Label syntax and naming requirements in the WAF Developer Guide.

  • RateLimitQueryArgument

    Specifies a query argument in the request as an aggregate key for a rate-based rule. Each distinct value for the named query argument contributes to the aggregation instance. If you use a single query argument as your custom key, then each value fully defines an aggregation instance.

  • RateLimitQueryString

    Specifies the request's query string as an aggregate key for a rate-based rule. Each distinct string contributes to the aggregation instance. If you use just the query string as your custom key, then each string fully defines an aggregation instance.

  • RateLimitUriPath

    Specifies the request's URI path as an aggregate key for a rate-based rule. Each distinct URI path contributes to the aggregation instance. If you use just the URI path as your custom key, then each URI path fully defines an aggregation instance.

  • Regex

    A single regular expression. This is used in a RegexPatternSet.

  • RegexMatchStatement

    A rule statement used to search web request components for a match against a single regular expression.

  • RegexPatternSet

    Contains one or more regular expressions.

    WAF assigns an ARN to each RegexPatternSet that you create. To use a set in a rule, you provide the ARN to the Rule statement RegexPatternSetReferenceStatement.

  • RegexPatternSetReferenceStatement

    A rule statement used to search web request components for matches with regular expressions. To use this, create a RegexPatternSet that specifies the expressions that you want to detect, then use the ARN of that set in this statement. A web request matches the pattern set rule statement if the request component matches any of the patterns in the set. To create a regex pattern set, see CreateRegexPatternSet.

    Each regex pattern set rule statement references a regex pattern set. You create and maintain the set independent of your rules. This allows you to use the single set in multiple rules. When you update the referenced set, WAF automatically updates all rules that reference it.

  • RegexPatternSetSummary

    High-level information about a RegexPatternSet, returned by operations like create and list. This provides information like the ID, that you can use to retrieve and manage a RegexPatternSet, and the ARN, that you provide to the RegexPatternSetReferenceStatement to use the pattern set in a Rule.

  • ReleaseSummary

    High level information for an SDK release.

  • RequestBodyAssociatedResourceTypeConfig

    Customizes the maximum size of the request body that your protected CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access resources forward to WAF for inspection. The default size is 16 KB (16,384 bytes). You can change the setting for any of the available resource types.

    You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.

    Example JSON: { "API_GATEWAY": "KB_48", "APP_RUNNER_SERVICE": "KB_32" }

    For Application Load Balancer and AppSync, the limit is fixed at 8 KB (8,192 bytes).

    This is used in the AssociationConfig of the web ACL.

  • RequestInspection

    The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage.

    This is part of the AWSManagedRulesATPRuleSet configuration in ManagedRuleGroupConfig.

    In these settings, you specify how your application accepts login attempts by providing the request payload type and the names of the fields within the request body where the username and password are provided.

  • RequestInspectionAcfp

    The criteria for inspecting account creation requests, used by the ACFP rule group to validate and track account creation attempts.

    This is part of the AWSManagedRulesACFPRuleSet configuration in ManagedRuleGroupConfig.

    In these settings, you specify how your application accepts account creation attempts by providing the request payload type and the names of the fields within the request body where the username, password, email, and primary address and phone number fields are provided.

  • ResponseInspection

    The criteria for inspecting responses to login requests and account creation requests, used by the ATP and ACFP rule groups to track login and account creation success and failure rates.

    Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.

    The rule groups evaluates the responses that your protected resources send back to client login and account creation attempts, keeping count of successful and failed attempts from each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses with too much suspicious activity in a short amount of time.

    This is part of the AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet configurations in ManagedRuleGroupConfig.

    Enable response inspection by configuring exactly one component of the response to inspect, for example, Header or StatusCode. You can't configure more than one component for inspection. If you don't configure any of the response inspection options, response inspection is disabled.

  • ResponseInspectionBodyContains

    Configures inspection of the response body. WAF can inspect the first 65,536 bytes (64 KB) of the response body. This is part of the ResponseInspection configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.

    Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.

  • ResponseInspectionHeader

    Configures inspection of the response header. This is part of the ResponseInspection configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.

    Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.

  • ResponseInspectionJson

    Configures inspection of the response JSON. WAF can inspect the first 65,536 bytes (64 KB) of the response JSON. This is part of the ResponseInspection configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.

    Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.

  • ResponseInspectionStatusCode

    Configures inspection of the response status code. This is part of the ResponseInspection configuration for AWSManagedRulesATPRuleSet and AWSManagedRulesACFPRuleSet.

    Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.

  • Rule

    A single rule, which you can use in a WebACL or RuleGroup to identify web requests that you want to manage in some way. Each rule includes one top-level Statement that WAF uses to identify matching web requests, and parameters that govern how WAF handles them.

  • RuleAction

    The action that WAF should take on a web request when it matches a rule's statement. Settings at the web ACL level can override the rule action setting.

  • RuleActionOverride

    Action setting to use in the place of a rule action that is configured inside the rule group. You specify one override for each rule whose action you want to change.

    You can use overrides for testing, for example you can override all of rule actions to Count and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.

  • RuleGroup

    A rule group defines a collection of rules to inspect and control web requests that you can use in a WebACL. When you create a rule group, you define an immutable capacity limit. If you update a rule group, you must stay within the capacity. This allows others to reuse the rule group with confidence in its capacity requirements.

  • RuleGroupReferenceStatement

    A rule statement used to run the rules that are defined in a RuleGroup. To use this, create a rule group with your rules, then provide the ARN of the rule group in this statement.

    You cannot nest a RuleGroupReferenceStatement, for example for use inside a NotStatement or OrStatement. You cannot use a rule group reference statement inside another rule group. You can only reference a rule group as a top-level statement within a rule that you define in a web ACL.

  • RuleGroupSummary

    High-level information about a RuleGroup, returned by operations like create and list. This provides information like the ID, that you can use to retrieve and manage a RuleGroup, and the ARN, that you provide to the RuleGroupReferenceStatement to use the rule group in a Rule.

  • RuleSummary

    High-level information about a Rule, returned by operations like DescribeManagedRuleGroup. This provides information like the ID, that you can use to retrieve and manage a RuleGroup, and the ARN, that you provide to the RuleGroupReferenceStatement to use the rule group in a Rule.

  • SampledHttpRequest

    Represents a single sampled web request. The response from GetSampledRequests includes a SampledHTTPRequests complex type that appears as SampledRequests in the response syntax. SampledHTTPRequests contains an array of SampledHTTPRequest objects.

  • SingleHeader

    Inspect one of the headers in the web request, identified by name, for example, User-Agent or Referer. The name isn't case sensitive.

    You can filter and inspect all headers with the FieldToMatch setting Headers.

    This is used to indicate the web request component to inspect, in the FieldToMatch specification.

    Example JSON: "SingleHeader": { "Name": "haystack" }

  • SingleQueryArgument

    Inspect one query argument in the web request, identified by name, for example UserName or SalesRegion. The name isn't case sensitive.

    This is used to indicate the web request component to inspect, in the FieldToMatch specification.

    Example JSON: "SingleQueryArgument": { "Name": "myArgument" }

  • SizeConstraintStatement

    A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.

    If you configure WAF to inspect the request body, WAF inspects only the number of bytes in the body up to the limit for the web ACL and protected resource type. If you know that the request body for your web requests should never exceed the inspection limit, you can use a size constraint statement to block requests that have a larger request body size. For more information about the inspection limits, see Body and JsonBody settings for the FieldToMatch data type.

    If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI /logo.jpg is nine characters long.

  • SqliMatchStatement

    A rule statement that inspects for malicious SQL code. Attackers insert malicious SQL code into web requests to do things like modify your database or extract data from it.

  • Statement

    The processing guidance for a Rule, used by WAF to determine whether a web request matches the rule.

    For example specifications, see the examples section of CreateWebACL.

  • Tag

    A tag associated with an Amazon Web Services resource. Tags are key:value pairs that you can use to categorize and manage your resources, for purposes like billing or other management. Typically, the tag key represents a category, such as "environment", and the tag value represents a specific value within that category, such as "test," "development," or "production". Or you might set the tag key to "customer" and the value to the customer name or ID. You can specify one or more tags to add to each Amazon Web Services resource, up to 50 tags for a resource.

    You can tag the Amazon Web Services resources that you manage through WAF: web ACLs, rule groups, IP sets, and regex pattern sets. You can't manage or view tags through the WAF console.

  • TagInfoForResource

    The collection of tagging definitions for an Amazon Web Services resource. Tags are key:value pairs that you can use to categorize and manage your resources, for purposes like billing or other management. Typically, the tag key represents a category, such as "environment", and the tag value represents a specific value within that category, such as "test," "development," or "production". Or you might set the tag key to "customer" and the value to the customer name or ID. You can specify one or more tags to add to each Amazon Web Services resource, up to 50 tags for a resource.

    You can tag the Amazon Web Services resources that you manage through WAF: web ACLs, rule groups, IP sets, and regex pattern sets. You can't manage or view tags through the WAF console.

  • TextTransformation

    Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.

  • TimeWindow

    In a GetSampledRequests request, the StartTime and EndTime objects specify the time range for which you want WAF to return a sample of web requests.

    You must specify the times in Coordinated Universal Time (UTC) format. UTC format includes the special designator, Z. For example, "2016-09-27T14:50Z". You can specify any time range in the previous three hours.

    In a GetSampledRequests response, the StartTime and EndTime objects specify the time range for which WAF actually returned a sample of web requests. WAF gets the specified number of requests from among the first 5,000 requests that your Amazon Web Services resource receives during the specified time period. If your resource receives more than 5,000 requests during that period, WAF stops sampling after the 5,000th request. In that case, EndTime is the time that WAF received the 5,000th request.

  • UriPath

    Inspect the path component of the URI of the web request. This is the part of the web request that identifies a resource. For example, /images/daily-ad.jpg.

    This is used in the FieldToMatch specification for some web request component types.

    JSON specification: "UriPath": {}

  • UsernameField

    The name of the field in the request payload that contains your customer's username.

    This data type is used in the RequestInspection and RequestInspectionACFP data types.

  • VersionToPublish

    A version of the named managed rule group, that the rule group's vendor publishes for use by customers.

    This is intended for use only by vendors of managed rule sets. Vendors are Amazon Web Services and Amazon Web Services Marketplace sellers.

    Vendors, you can use the managed rule set APIs to provide controlled rollout of your versioned managed rule group offerings for your customers. The APIs are ListManagedRuleSets, GetManagedRuleSet, PutManagedRuleSetVersions, and UpdateManagedRuleSetVersionExpiryDate.

  • VisibilityConfig

    Defines and enables Amazon CloudWatch metrics and web request sample collection.

  • WebAcl

    A web ACL defines a collection of rules to use to inspect and control web requests. Each rule has a statement that defines what to look for in web requests and an action that WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that does not match any of the rules. The rules in a web ACL can be a combination of the types Rule, RuleGroup, and managed rule group. You can associate a web ACL with one or more Amazon Web Services resources to protect. The resources can be an Amazon CloudFront distribution, an Amazon API Gateway REST API, an Application Load Balancer, an AppSync GraphQL API, an Amazon Cognito user pool, an App Runner service, or an Amazon Web Services Verified Access instance.

  • WebAclSummary

    High-level information about a WebACL, returned by operations like create and list. This provides information like the ID, that you can use to retrieve and manage a WebACL, and the ARN, that you provide to operations like AssociateWebACL.

  • XssMatchStatement

    A rule statement that inspects for cross-site scripting (XSS) attacks. In XSS attacks, the attacker uses vulnerabilities in a benign website as a vehicle to inject malicious client-site scripts into other legitimate web browsers.

Enums§

  • ActionValue
    When writing a match expression against ActionValue, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • AssociatedResourceType
    When writing a match expression against AssociatedResourceType, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • BodyParsingFallbackBehavior
    When writing a match expression against BodyParsingFallbackBehavior, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • ComparisonOperator
    When writing a match expression against ComparisonOperator, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • CountryCode
    When writing a match expression against CountryCode, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • FailureReason
    When writing a match expression against FailureReason, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • FallbackBehavior
    When writing a match expression against FallbackBehavior, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • FilterBehavior
    When writing a match expression against FilterBehavior, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • FilterRequirement
    When writing a match expression against FilterRequirement, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • ForwardedIpPosition
    When writing a match expression against ForwardedIpPosition, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • InspectionLevel
    When writing a match expression against InspectionLevel, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • IpAddressVersion
    When writing a match expression against IpAddressVersion, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • JsonMatchScope
    When writing a match expression against JsonMatchScope, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • LabelMatchScope
    When writing a match expression against LabelMatchScope, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • LogScope
    When writing a match expression against LogScope, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • LogType
    When writing a match expression against LogType, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • MapMatchScope
    When writing a match expression against MapMatchScope, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • OversizeHandling
    When writing a match expression against OversizeHandling, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • ParameterExceptionField
    When writing a match expression against ParameterExceptionField, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • PayloadType
    When writing a match expression against PayloadType, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • Platform
    When writing a match expression against Platform, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • PositionalConstraint
    When writing a match expression against PositionalConstraint, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • RateBasedStatementAggregateKeyType
    When writing a match expression against RateBasedStatementAggregateKeyType, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • ResourceType
    When writing a match expression against ResourceType, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • ResponseContentType
    When writing a match expression against ResponseContentType, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • Scope
    When writing a match expression against Scope, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • SensitivityLevel
    When writing a match expression against SensitivityLevel, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • SizeInspectionLimit
    When writing a match expression against SizeInspectionLimit, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.
  • TextTransformationType
    When writing a match expression against TextTransformationType, it is important to ensure your code is forward-compatible. That is, if a match arm handles a case for a feature that is supported by the service but has not been represented as an enum variant in a current version of SDK, your code should continue to work when you upgrade SDK to a future version in which the enum does include a variant for that feature.