Inserts or deletes ActivatedRule objects in a WebACL. Each Rule identifies web requests that you want to allow, block, or count. When you update a WebACL, you specify the following values:
waf_update_web_acl(WebACLId, ChangeToken, Updates, DefaultAction)
[required] The WebACLId of the WebACL that you want to update. WebACLId is returned by CreateWebACL and by ListWebACLs.
[required] The value returned by the most recent call to GetChangeToken. A change token is tied to the request that consumes it, so fetch a fresh one immediately before each update rather than caching it.
An array of updates to make to the WebACL.
An array of WebACLUpdate objects that you want to insert into or delete from a WebACL. For more information, see the applicable data types:
- WebACLUpdate: Contains Action and ActivatedRule
- ActivatedRule: Contains Action, OverrideAction, Priority, RuleId, and Type. ActivatedRule|OverrideAction applies only when updating or adding a RuleGroup to a WebACL. In this case, you do not use ActivatedRule|Action. For all other update requests, ActivatedRule|Action is used instead of ActivatedRule|OverrideAction.
- WafAction: Contains Type
A default action for the web ACL, either ALLOW or BLOCK. AWS WAF performs the default action if a request doesn't match the criteria in any of the rules in a web ACL.
svc$update_web_acl(
  WebACLId = "string",
  ChangeToken = "string",
  Updates = list(
    list(
      Action = "INSERT"|"DELETE",
      ActivatedRule = list(
        Priority = 123,
        RuleId = "string",
        Action = list(
          Type = "BLOCK"|"ALLOW"|"COUNT"
        ),
        OverrideAction = list(
          Type = "NONE"|"COUNT"
        ),
        Type = "REGULAR"|"RATE_BASED"|"GROUP",
        ExcludedRules = list(
          list(
            RuleId = "string"
          )
        )
      )
    )
  ),
  DefaultAction = list(
    Type = "BLOCK"|"ALLOW"|"COUNT"
  )
)
A default action for the WebACL, either ALLOW or BLOCK. AWS WAF performs the default action if a request doesn't match the criteria in any of the Rules in a WebACL. Only ALLOW and BLOCK are valid here, even though the WafAction Type in the request syntax also lists COUNT. A default of ALLOW makes the WebACL a deny list (only requests matched by a BLOCK rule are stopped); a default of BLOCK makes it an allow list (only requests matched by an ALLOW rule get through). Take care when including DefaultAction in a rule-only update: the value you send replaces the existing default.
The Rules that you want to add or delete. If you want to replace one Rule with another, you delete the existing Rule and add the new one; both updates can be sent in the same Updates array.
For each Rule, whether you want AWS WAF to allow requests, block requests, or count requests that match the conditions in the Rule.
The order in which you want AWS WAF to evaluate the Rules in a WebACL. If you add more than one Rule to a WebACL, AWS WAF evaluates each request against the Rules in order based on the value of Priority. (The Rule that has the lowest value for Priority is evaluated first.) When a web request matches all the predicates (such as ByteMatchSets and IPSets) in a Rule, AWS WAF immediately takes the corresponding action, allow or block, and doesn't evaluate the request against the remaining Rules in the WebACL, if any. A COUNT rule is the exception: the match is recorded and evaluation continues with the next Rule. Priorities therefore matter for security: an ALLOW rule with a lower Priority value short-circuits every BLOCK rule that follows it.
To create and configure a WebACL, perform the following steps:
1. Create and update the predicates that you want to include in Rules. For more information, see CreateByteMatchSet, UpdateByteMatchSet, CreateIPSet, UpdateIPSet, CreateSqlInjectionMatchSet, and UpdateSqlInjectionMatchSet.
2. Create and update the Rules that you want to include in the WebACL. For more information, see CreateRule and UpdateRule.
3. Create a WebACL. See CreateWebACL.
4. Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of an UpdateWebACL request.
5. Submit an UpdateWebACL request to specify the Rules that you want to include in the WebACL and to specify the default action. The association of the WebACL with a CloudFront distribution is then configured on the distribution itself (its WebACLId setting), not by UpdateWebACL.
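The procedure above ends with steps 4 and 5; the following added example (not code from the paws documentation or the paws project) carries them out in R with paws: it fetches a change token and then, in a single UpdateWebACL request, replaces one rule with another and restates the default action. The WebACL ID is the one used in the page's own example; the rule IDs, the assumption that the old rule is a REGULAR rule running in COUNT mode, and the choice of a RATE_BASED replacement are all hypothetical.

```r
# Added example, not part of the paws documentation or the paws project.
# Implements steps 4 and 5 of the procedure: get a change token, then
# replace one rule with another in one request. All IDs are placeholders
# (the WebACL ID is the one used in the page's own example).
library(paws)

svc <- paws::waf()   # WAF Classic, global (CloudFront) scope

web_acl_id  <- "webacl-1472061481310"   # placeholder
old_rule_id <- "WAFRule-1-Example"      # hypothetical REGULAR rule, currently in COUNT mode
new_rule_id <- "RateRule-2-Example"     # hypothetical RATE_BASED rule

# A change token is tied to the request that consumes it, so request it
# immediately before the update rather than caching it.
token <- svc$get_change_token()$ChangeToken

resp <- svc$update_web_acl(
  WebACLId    = web_acl_id,
  ChangeToken = token,
  Updates = list(
    # DELETE must describe the ActivatedRule as it currently exists in the
    # WebACL (same Priority, RuleId, Action and Type), or nothing matches.
    list(
      Action = "DELETE",
      ActivatedRule = list(
        Priority = 1L,
        RuleId   = old_rule_id,
        Action   = list(Type = "COUNT"),
        Type     = "REGULAR"
      )
    ),
    # INSERT the replacement at the same Priority. Type must match how the
    # rule was created: leaving it out for a rate-based rule makes AWS WAF
    # look for a REGULAR rule with this ID, which does not exist, and the
    # whole request fails.
    list(
      Action = "INSERT",
      ActivatedRule = list(
        Priority = 1L,
        RuleId   = new_rule_id,
        Action   = list(Type = "BLOCK"),
        Type     = "RATE_BASED"
      )
    )
  ),
  # DefaultAction is optional on an update but replaces the existing value
  # when present, so state the intended posture explicitly. ALLOW here means
  # any request the rate-based rule does not catch is passed through.
  DefaultAction = list(Type = "ALLOW")
)

# The call returns the change token it consumed. A reused or stale token is
# rejected, which is what stops two concurrent updaters from silently
# overwriting each other's rule set.
resp$ChangeToken
```

Both the DELETE and the INSERT travel in one Updates array, so the WebACL never runs without a rule at Priority 1. If the script is re-run after a partial failure, re-check the current rule set with GetWebACL first: the DELETE will not match once the old rule is gone.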
The ActivatedRule can be a rule group. If you specify a rule group as your ActivatedRule, you can exclude specific rules from that rule group.
If you already have a rule group associated with a web ACL and want to submit an UpdateWebACL request to exclude certain rules from that rule group, you must first remove the rule group from the web ACL, then re-insert it, specifying the excluded rules. For details, see ActivatedRule$ExcludedRules.
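The remove-then-re-insert sequence described above, as an added example in R with paws (not code from the paws documentation or the paws project). It sends two UpdateWebACL requests, each with its own change token, and builds the GROUP entry with OverrideAction rather than Action. The rule group ID, the rule ID inside it, the Priority of 10 and the BLOCK default are all hypothetical; the WebACL ID is the one from the page's example.

```r
# Added example, not part of the paws documentation or the paws project.
# Excludes one rule from a rule group that is already attached to a WebACL.
# All IDs are placeholders (the WebACL ID is the page's own example value).
library(paws)

svc <- paws::waf()

web_acl_id    <- "webacl-1472061481310"   # placeholder
rule_group_id <- "rulegroup-example"      # hypothetical rule group ID
noisy_rule_id <- "rule-in-group-example"  # hypothetical rule inside that group

# Builds the ActivatedRule for the rule group. A rule group uses
# OverrideAction instead of Action: NONE keeps each rule's own action,
# COUNT would downgrade every rule in the group to counting only.
group_entry <- function(excluded_ids = NULL) {
  entry <- list(
    Priority       = 10L,
    RuleId         = rule_group_id,
    OverrideAction = list(Type = "NONE"),
    Type           = "GROUP"
  )
  if (length(excluded_ids) > 0) {
    entry$ExcludedRules <- lapply(excluded_ids, function(id) list(RuleId = id))
  }
  entry
}

# Request 1: remove the rule group as it is currently configured. The
# DELETE entry must match the existing ActivatedRule, so it carries no
# ExcludedRules here (the group was attached without any).
svc$update_web_acl(
  WebACLId      = web_acl_id,
  ChangeToken   = svc$get_change_token()$ChangeToken,
  Updates       = list(list(Action = "DELETE", ActivatedRule = group_entry())),
  DefaultAction = list(Type = "BLOCK")
)

# Request 2: re-insert the group with the exclusion. Each request needs a
# fresh token. Between the two requests the WebACL runs without the group,
# so do this in a maintenance window if the group carries blocking rules.
svc$update_web_acl(
  WebACLId      = web_acl_id,
  ChangeToken   = svc$get_change_token()$ChangeToken,
  Updates       = list(list(
    Action        = "INSERT",
    ActivatedRule = group_entry(excluded_ids = list(noisy_rule_id))
  )),
  DefaultAction = list(Type = "BLOCK")
)
```

Excluding a rule does not remove it from the rule group; AWS WAF changes that rule's action to COUNT, so its matches still appear in sampled requests and metrics, which is useful for confirming that the exclusion targeted the right rule.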
Be aware that if you try to add a RATE_BASED rule to a web ACL without setting the rule type in the ActivatedRule, the UpdateWebACL request will fail because the request tries to add a REGULAR rule (the default rule type) with the specified ID, which does not exist. Always set Type to match how the rule was created.
For more information about how to use the AWS WAF API to allow or block HTTP requests, see the AWS WAF Developer Guide.
# The following example deletes an ActivatedRule object in a WebACL with
# the ID webacl-1472061481310.
# svc is a WAF client created with paws::waf().
svc$update_web_acl(
  ChangeToken = "abcd12f2-46da-4fdb-b8d5-fbd4c466928f",
  DefaultAction = list(
    Type = "ALLOW"
  ),
  Updates = list(
    list(
      Action = "DELETE",
      ActivatedRule = list(
        Action = list(
          Type = "ALLOW"
        ),
        Priority = 1L,
        RuleId = "WAFRule-1-Example"
      )
    )
  ),
  WebACLId = "webacl-1472061481310"
)