Class CfnRuleGroup
java.lang.Object
software.amazon.jsii.JsiiObject
software.constructs.Construct
software.amazon.awscdk.CfnElement
software.amazon.awscdk.CfnRefElement
software.amazon.awscdk.CfnResource
software.amazon.awscdk.services.wafv2.CfnRuleGroup
- All Implemented Interfaces:
IInspectable,ITaggable,IRuleGroupRef,software.amazon.jsii.JsiiSerializable,software.constructs.IConstruct,software.constructs.IDependable
@Generated(value="jsii-pacmak/1.116.0 (build 0eddcff)",
date="2025-10-29T11:15:50.366Z")
@Stability(Stable)
public class CfnRuleGroup
extends CfnResource
implements IInspectable, IRuleGroupRef, ITaggable
This is the latest version of AWS WAF , named AWS WAF V2, released in November, 2019.
For information, including how to migrate your AWS WAF resources from the prior release, see the AWS WAF developer guide .
Use an RuleGroup to define a collection of rules for inspecting and controlling web requests. You use a rule group in an WebACL by providing its Amazon Resource Name (ARN) to the rule statement RuleGroupReferenceStatement , when you add rules to the web ACL.
When you create a rule group, you define an immutable capacity limit. If you update a rule group, you must stay within the capacity. This allows others to reuse the rule group with confidence in its capacity requirements.
Example:
- See Also:
-
Nested Class Summary
Nested ClassesModifier and TypeClassDescriptionstatic interfaceAllow traffic towards application.static interfaceA logical rule statement used to combine other rule statements with AND logic.static interfaceA rule statement that inspects web traffic based on the Autonomous System Number (ASN) associated with the request's IP address.static interfaceBlock traffic towards application.static interfaceInspect the body of the web request.static final classA fluent builder forCfnRuleGroup.static interfaceA rule statement that defines a string match search for AWS WAF to apply to web requests.static interfaceSpecifies how AWS WAF should handleCAPTCHAevaluations.static interfaceChecks valid token exists with request.static interfaceSpecifies how AWS WAF should handleChallengeevaluations.static interfaceChecks that the request has a valid token with an unexpired challenge timestamp and, if not, returns a browser challenge to the client.static interfaceThe filter to use to identify the subset of cookies to inspect in a web request.static interfaceInspect the cookies in the web request.static interfaceCount traffic towards application.static interfaceA custom header for custom request and response handling.static interfaceCustom request handling behavior that inserts custom headers into a web request.static interfaceThe response body to use in a custom response to a web request.static interfaceA custom response to send to the client.static interfaceSpecifies a web request component to be used in a rule match statement or in a logging configuration.static interfaceThe configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin.static interfaceA rule statement that labels web requests by country and region and that matches against web requests based on country code.static interfaceThe filter to use to identify the subset of headers to inspect in a web request.static interfaceInspect all headers in the web request.static interfaceUsed for CAPTCHA and challenge token settings.static interfaceThe configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin.static interfaceA rule statement used to detect web requests coming from particular IP addresses or address ranges.static interfaceAvailable for use with Amazon CloudFront distributions and Application Load Balancers.static interfaceAvailable for use with Amazon CloudFront distributions and Application Load Balancers.static interfaceInspect the body of the web request as JSON.static interfaceThe patterns to look for in the JSON body.static interfaceA rule statement to match against labels that have been added to the web request by rules that have already run in the web ACL.static interfaceA single label container.static interfaceList of labels used by one or more of the rules of aRuleGroup.static interfaceA logical rule statement used to negate the results of another rule statement.static interfaceA logical rule statement used to combine other rule statements with OR logic.static interfaceSpecifies a single custom aggregate key for a rate-base rule.static interfaceA rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate.static interfaceSpecifies a cookie as an aggregate key for a rate-based rule.static interfaceSpecifies a header as an aggregate key for a rate-based rule.static interfaceUse the request's JA3 fingerprint derived from the TLS Client Hello of an incoming request as an aggregate key.static interfaceUse the request's JA4 fingerprint derived from the TLS Client Hello of an incoming request as an aggregate key.static interfaceSpecifies a label namespace to use as an aggregate key for a rate-based rule.static interfaceSpecifies a query argument in the request as an aggregate key for a rate-based rule.static interfaceSpecifies the request's query string as an aggregate key for a rate-based rule.static interfaceSpecifies the request's URI path as an aggregate key for a rate-based rule.static interfaceA rule statement used to search web request components for a match against a single regular expression.static interfaceA rule statement used to search web request components for matches with regular expressions.static interfaceThe action that AWS WAF should take on a web request when it matches a rule's statement.static interfaceA single rule, which you can use in aWebACLorRuleGroupto identify web requests that you want to manage in some way.static interfaceInspect one of the headers in the web request, identified by name, for example,User-AgentorReferer.static interfaceInspect one query argument in the web request, identified by name, for example UserName or SalesRegion .static interfaceA rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<).static interfaceA rule statement that inspects for malicious SQL code.static interfaceThe processing guidance for a rule, used by AWS WAF to determine whether a web request matches the rule.static interfaceText transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.static interfaceInspect fragments of the request URI.static interfaceDefines and enables Amazon CloudWatch metrics and web request sample collection.static interfaceA rule statement that inspects for cross-site scripting (XSS) attacks.Nested classes/interfaces inherited from class software.amazon.jsii.JsiiObject
software.amazon.jsii.JsiiObject.InitializationModeNested classes/interfaces inherited from interface software.constructs.IConstruct
software.constructs.IConstruct.Jsii$DefaultNested classes/interfaces inherited from interface software.amazon.awscdk.IInspectable
IInspectable.Jsii$Default, IInspectable.Jsii$ProxyNested classes/interfaces inherited from interface software.amazon.awscdk.services.wafv2.IRuleGroupRef
IRuleGroupRef.Jsii$Default, IRuleGroupRef.Jsii$ProxyNested classes/interfaces inherited from interface software.amazon.awscdk.ITaggable
ITaggable.Jsii$Default, ITaggable.Jsii$Proxy -
Field Summary
FieldsModifier and TypeFieldDescriptionstatic final StringThe CloudFormation resource type name for this resource class. -
Constructor Summary
ConstructorsModifierConstructorDescriptionprotectedCfnRuleGroup(software.amazon.jsii.JsiiObject.InitializationMode initializationMode) protectedCfnRuleGroup(software.amazon.jsii.JsiiObjectRef objRef) CfnRuleGroup(software.constructs.Construct scope, String id, CfnRuleGroupProps props) -
Method Summary
Modifier and TypeMethodDescriptionThe Amazon Resource Name (ARN) of the rule group.The ID of the rule group.The label namespace prefix for this rule group.The labels that one or more rules in this rule group add to matching web requests.The web ACL capacity units (WCUs) required for this rule group.The labels that one or more rules in this rule group match against in label match statements.A map of custom response keys and content bodies.A description of the rule group that helps with identification.getName()The name of the rule group.A reference to a RuleGroup resource.getRules()The rule statements used to identify the web requests that you want to allow, block, or count.getScope()Specifies whether this is for an Amazon CloudFront distribution or for a regional application.getTags()Tag Manager which manages the tags for this resource.Key:value pairs associated with an AWS resource.Defines and enables Amazon CloudWatch metrics and web request sample collection.voidinspect(TreeInspector inspector) Examines the CloudFormation resource and discloses attributes.renderProperties(Map<String, Object> props) voidsetAvailableLabels(List<Object> value) The labels that one or more rules in this rule group add to matching web requests.voidsetAvailableLabels(IResolvable value) The labels that one or more rules in this rule group add to matching web requests.voidsetCapacity(Number value) The web ACL capacity units (WCUs) required for this rule group.voidsetConsumedLabels(List<Object> value) The labels that one or more rules in this rule group match against in label match statements.voidsetConsumedLabels(IResolvable value) The labels that one or more rules in this rule group match against in label match statements.voidsetCustomResponseBodies(Map<String, Object> value) A map of custom response keys and content bodies.voidA map of custom response keys and content bodies.voidsetDescription(String value) A description of the rule group that helps with identification.voidThe name of the rule group.voidThe rule statements used to identify the web requests that you want to allow, block, or count.voidsetRules(IResolvable value) The rule statements used to identify the web requests that you want to allow, block, or count.voidSpecifies whether this is for an Amazon CloudFront distribution or for a regional application.voidsetTagsRaw(List<CfnTag> value) Key:value pairs associated with an AWS resource.voidsetVisibilityConfig(IResolvable value) Defines and enables Amazon CloudWatch metrics and web request sample collection.voidDefines and enables Amazon CloudWatch metrics and web request sample collection.Methods inherited from class software.amazon.awscdk.CfnResource
addDeletionOverride, addDependency, addDependsOn, addMetadata, addOverride, addPropertyDeletionOverride, addPropertyOverride, applyRemovalPolicy, applyRemovalPolicy, applyRemovalPolicy, getAtt, getAtt, getCfnOptions, getCfnResourceType, getMetadata, getUpdatedProperites, getUpdatedProperties, isCfnResource, obtainDependencies, obtainResourceDependencies, removeDependency, replaceDependency, shouldSynthesize, toString, validatePropertiesMethods inherited from class software.amazon.awscdk.CfnRefElement
getRefMethods inherited from class software.amazon.awscdk.CfnElement
getCreationStack, getLogicalId, getStack, isCfnElement, overrideLogicalIdMethods inherited from class software.constructs.Construct
getNode, isConstructMethods inherited from class software.amazon.jsii.JsiiObject
jsiiAsyncCall, jsiiAsyncCall, jsiiCall, jsiiCall, jsiiGet, jsiiGet, jsiiSet, jsiiStaticCall, jsiiStaticCall, jsiiStaticGet, jsiiStaticGet, jsiiStaticSet, jsiiStaticSetMethods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, wait, wait, waitMethods inherited from interface software.constructs.IConstruct
getNodeMethods inherited from interface software.amazon.jsii.JsiiSerializable
$jsii$toJson
-
Field Details
-
CFN_RESOURCE_TYPE_NAME
The CloudFormation resource type name for this resource class.
-
-
Constructor Details
-
CfnRuleGroup
protected CfnRuleGroup(software.amazon.jsii.JsiiObjectRef objRef) -
CfnRuleGroup
protected CfnRuleGroup(software.amazon.jsii.JsiiObject.InitializationMode initializationMode) -
CfnRuleGroup
@Stability(Stable) public CfnRuleGroup(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull CfnRuleGroupProps props) - Parameters:
scope- Scope in which this resource is defined. This parameter is required.id- Construct identifier for this resource (unique in its scope). This parameter is required.props- Resource properties. This parameter is required.
-
-
Method Details
-
inspect
Examines the CloudFormation resource and discloses attributes.- Specified by:
inspectin interfaceIInspectable- Parameters:
inspector- tree inspector to collect and process attributes. This parameter is required.
-
renderProperties
@Stability(Stable) @NotNull protected Map<String,Object> renderProperties(@NotNull Map<String, Object> props) - Overrides:
renderPropertiesin classCfnResource- Parameters:
props- This parameter is required.
-
getAttrArn
The Amazon Resource Name (ARN) of the rule group. -
getAttrId
The ID of the rule group. -
getAttrLabelNamespace
The label namespace prefix for this rule group.All labels added by rules in this rule group have this prefix.
The syntax for the label namespace prefix for a rule group is the following:
awswaf:<account ID>:rule group:<rule group name>:When a rule with a label matches a web request, AWS WAF adds the fully qualified label to the request. A fully qualified label is made up of the label namespace from the rule group or web ACL where the rule is defined and the label from the rule, separated by a colon.
-
getCfnProperties
- Overrides:
getCfnPropertiesin classCfnResource
-
getRuleGroupRef
A reference to a RuleGroup resource.- Specified by:
getRuleGroupRefin interfaceIRuleGroupRef
-
getTags
Tag Manager which manages the tags for this resource. -
getCapacity
The web ACL capacity units (WCUs) required for this rule group. -
setCapacity
The web ACL capacity units (WCUs) required for this rule group. -
getScope
Specifies whether this is for an Amazon CloudFront distribution or for a regional application. -
setScope
Specifies whether this is for an Amazon CloudFront distribution or for a regional application. -
getVisibilityConfig
Defines and enables Amazon CloudWatch metrics and web request sample collection.Returns union: either
IResolvableorCfnRuleGroup.VisibilityConfigProperty -
setVisibilityConfig
Defines and enables Amazon CloudWatch metrics and web request sample collection. -
setVisibilityConfig
@Stability(Stable) public void setVisibilityConfig(@NotNull CfnRuleGroup.VisibilityConfigProperty value) Defines and enables Amazon CloudWatch metrics and web request sample collection. -
getAvailableLabels
The labels that one or more rules in this rule group add to matching web requests.Returns union: either
IResolvableor Listinvalid input: '<'eitherIResolvableorCfnRuleGroup.LabelSummaryProperty> -
setAvailableLabels
The labels that one or more rules in this rule group add to matching web requests. -
setAvailableLabels
The labels that one or more rules in this rule group add to matching web requests. -
getConsumedLabels
The labels that one or more rules in this rule group match against in label match statements.Returns union: either
IResolvableor Listinvalid input: '<'eitherIResolvableorCfnRuleGroup.LabelSummaryProperty> -
setConsumedLabels
The labels that one or more rules in this rule group match against in label match statements. -
setConsumedLabels
The labels that one or more rules in this rule group match against in label match statements. -
getCustomResponseBodies
A map of custom response keys and content bodies.Returns union: either
IResolvableor Mapinvalid input: '<'String, eitherIResolvableorCfnRuleGroup.CustomResponseBodyProperty> -
setCustomResponseBodies
A map of custom response keys and content bodies. -
setCustomResponseBodies
A map of custom response keys and content bodies. -
getDescription
A description of the rule group that helps with identification. -
setDescription
A description of the rule group that helps with identification. -
getName
The name of the rule group. -
setName
The name of the rule group. -
getRules
The rule statements used to identify the web requests that you want to allow, block, or count.Returns union: either
IResolvableor Listinvalid input: '<'eitherIResolvableorCfnRuleGroup.RuleProperty> -
setRules
The rule statements used to identify the web requests that you want to allow, block, or count. -
setRules
The rule statements used to identify the web requests that you want to allow, block, or count. -
getTagsRaw
Key:value pairs associated with an AWS resource. -
setTagsRaw
Key:value pairs associated with an AWS resource.
-