Inserts or deletes ActivatedRule objects in a WebACL. Each Rule identifies web requests that you want to allow, block, or count. When you update a WebACL, you specify the following values:
- A default action for the WebACL, either ALLOW or BLOCK. AWS WAF performs the default action if a request doesn't match the criteria in any of the Rules in a WebACL.
- The Rules that you want to add and/or delete. If you want to replace one Rule with another, you delete the existing Rule and add the new one.
- For each Rule, whether you want AWS WAF to allow requests, block requests, or count requests that match the conditions in the Rule.
- The order in which you want AWS WAF to evaluate the Rules in a WebACL. If you add more than one Rule to a WebACL, AWS WAF evaluates each request against the Rules in order based on the value of Priority. (The Rule that has the lowest value for Priority is evaluated first.) When a web request matches all of the predicates (such as ByteMatchSets and IPSets) in a Rule, AWS WAF immediately takes the corresponding action, allow or block, and doesn't evaluate the request against the remaining Rules in the WebACL, if any.
- The CloudFront distribution that you want to associate with the WebACL.
To create and configure a WebACL, perform the following steps:
- Create and update the predicates that you want to include in Rules. For more information, see CreateByteMatchSet, UpdateByteMatchSet, CreateIPSet, UpdateIPSet, CreateSqlInjectionMatchSet, and UpdateSqlInjectionMatchSet.
- Create and update the Rules that you want to include in the WebACL. For more information, see CreateRule and UpdateRule.
- Create a WebACL. See CreateWebACL.
- Use GetChangeToken to get the change token that you provide in the ChangeToken parameter of an UpdateWebACL request.
- Submit an UpdateWebACL request to specify the Rules that you want to include in the WebACL, to specify the default action, and to associate the WebACL with a CloudFront distribution.
For more information about how to use the AWS WAF API to allow or block HTTP requests, see the AWS WAF Developer Guide.
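The following is an added example, not code from AWS or from this SDK. It is a small in-memory model of the two things described above: the UpdateWebACL batch (INSERT/DELETE of ActivatedRule objects under a single change token, with a replace expressed as DELETE plus INSERT) and the Priority-ordered evaluation in which the first matching ALLOW or BLOCK Rule ends evaluation while a COUNT Rule is recorded and evaluation continues. The rejections it raises mirror the error categories listed further down (stale change token, nonexistent WebACL, invalid Action or WafAction Type, nothing to do). The LocalWAF class, the rule IDs, and the "token-N" change tokens are assumptions made for the example; CloudFront association and predicate matching are not modeled, so the caller passes in the set of Rule IDs whose predicates all matched.

```python
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Value sets taken from the operation description and error list on this page.
VALID_UPDATE_ACTIONS = {"INSERT", "DELETE"}      # UpdateWebACL 'Action' per update
VALID_WAF_ACTIONS = {"ALLOW", "BLOCK", "COUNT"}  # ActivatedRule WafAction 'Type'
VALID_DEFAULT_ACTIONS = {"ALLOW", "BLOCK"}       # WebACL DefaultAction (no COUNT)


class WAFError(Exception):
    """Message prefix names the error category described on this page."""


@dataclass(frozen=True)
class ActivatedRule:
    rule_id: str
    priority: int   # lower value is evaluated first
    action: str     # ALLOW, BLOCK, or COUNT when all of the Rule's predicates match


@dataclass
class WebACL:
    web_acl_id: str
    default_action: str
    rules: Dict[str, ActivatedRule] = field(default_factory=dict)


class LocalWAF:
    """Hypothetical in-memory stand-in for the service (an assumption, not AWS code)."""

    def __init__(self) -> None:
        self.web_acls: Dict[str, WebACL] = {}
        self._counter = itertools.count(1)
        self._unused_tokens: Set[str] = set()

    def get_change_token(self) -> str:
        token = f"token-{next(self._counter)}"   # made-up token format
        self._unused_tokens.add(token)
        return token

    def create_web_acl(self, web_acl_id: str, default_action: str) -> WebACL:
        if default_action not in VALID_DEFAULT_ACTIONS:
            raise WAFError(f"InvalidParameter: DefaultAction {default_action!r}")
        self.web_acls[web_acl_id] = WebACL(web_acl_id, default_action)
        return self.web_acls[web_acl_id]

    def update_web_acl(self, web_acl_id: str, change_token: str,
                       updates: List[Tuple[str, ActivatedRule]],
                       default_action: Optional[str] = None) -> WebACL:
        if change_token not in self._unused_tokens:
            raise WAFError("StaleData: change token already used or never issued")
        acl = self.web_acls.get(web_acl_id)
        if acl is None:
            raise WAFError(f"NonexistentContainer: WebACL {web_acl_id!r}")
        if default_action is not None and default_action not in VALID_DEFAULT_ACTIONS:
            raise WAFError(f"InvalidParameter: DefaultAction {default_action!r}")
        # Validate the whole batch against a staged copy so a rejected request
        # leaves the WebACL untouched; a replace is DELETE then INSERT in one batch.
        staged = dict(acl.rules)
        for action, rule in updates:
            if action not in VALID_UPDATE_ACTIONS:
                raise WAFError(f"InvalidParameter: Action {action!r}")
            if rule.action not in VALID_WAF_ACTIONS:
                raise WAFError(f"InvalidParameter: WafAction Type {rule.action!r}")
            if action == "INSERT" and rule.rule_id in staged:
                raise WAFError(f"InvalidOperation: Rule {rule.rule_id!r} already in WebACL")
            if action == "DELETE" and rule.rule_id not in staged:
                raise WAFError(f"InvalidOperation: Rule {rule.rule_id!r} not in WebACL")
            if action == "INSERT":
                staged[rule.rule_id] = rule
            else:
                del staged[rule.rule_id]
        acl.rules = staged
        if default_action is not None:
            acl.default_action = default_action
        self._unused_tokens.discard(change_token)  # consumed: any reuse is stale
        return acl


def evaluate(acl: WebACL, matched_rule_ids: Set[str]) -> Tuple[str, List[str]]:
    """Return (final action, Rules counted). matched_rule_ids holds the Rules
    whose predicates all match the request; predicate matching is not modeled."""
    counted: List[str] = []
    for rule in sorted(acl.rules.values(), key=lambda r: r.priority):
        if rule.rule_id not in matched_rule_ids:
            continue
        if rule.action == "COUNT":
            counted.append(rule.rule_id)   # recorded, evaluation continues
            continue
        return rule.action, counted        # ALLOW or BLOCK stops evaluation here
    return acl.default_action, counted


def try_update(waf: LocalWAF, *args, **kwargs) -> str:
    # '' on success, else the error text: keeps the outcome checkable without raising.
    try:
        waf.update_web_acl(*args, **kwargs)
        return ""
    except WAFError as exc:
        return str(exc)


def build_example_acl(waf: LocalWAF) -> WebACL:
    """The documented sequence: CreateWebACL, GetChangeToken, then one UpdateWebACL
    that inserts the Rules and sets the default action. Rule IDs are made up."""
    waf.create_web_acl("acl-example", "ALLOW")
    token = waf.get_change_token()
    return waf.update_web_acl("acl-example", token, [
        ("INSERT", ActivatedRule("rule-bad-ips", 1, "BLOCK")),
        ("INSERT", ActivatedRule("rule-sqli", 2, "BLOCK")),
        ("INSERT", ActivatedRule("rule-new-signature", 3, "COUNT")),
    ], default_action="ALLOW")
```

The staged-copy validation is the point worth keeping when scripting the real API: validate the whole batch client-side before spending a change token, because a token is single-use and a rejected request still forces a new GetChangeToken round trip. A COUNT Rule placed at a low Priority is also a reminder that counting does not shadow later BLOCK Rules, whereas a BLOCK at a low Priority does shadow everything after it.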
/// The operation failed because of a system problem, even though the request was valid.
/// Retry your request.
///
/// The operation failed because you tried to create, update, or delete an object by using
/// an invalid account identifier.
///
/// The operation failed because there was nothing to do. For example:
///
/// - You tried to remove a Rule from a WebACL, but the Rule isn't in the specified WebACL.
/// - You tried to remove an IP address from an IPSet, but the IP address isn't in the specified IPSet.
/// - You tried to remove a ByteMatchTuple from a ByteMatchSet, but the ByteMatchTuple isn't in the specified ByteMatchSet.
/// - You tried to add a Rule to a WebACL, but the Rule already exists in the specified WebACL.
/// - You tried to add an IP address to an IPSet, but the IP address already exists in the specified IPSet.
/// - You tried to add a ByteMatchTuple to a ByteMatchSet, but the ByteMatchTuple already exists in the specified ByteMatchSet.
///
/// The operation failed because AWS WAF didn't recognize a parameter in the request.
/// For example:
///
/// - You specified an invalid parameter name.
/// - You specified an invalid value.
/// - You tried to update an object (ByteMatchSet, IPSet, Rule, or WebACL) using an action other than INSERT or DELETE.
/// - You tried to create a WebACL with a DefaultAction Type other than ALLOW, BLOCK, or COUNT.
/// - You tried to update a WebACL with a WafAction Type other than ALLOW, BLOCK, or COUNT.
/// - You tried to update a ByteMatchSet with a FieldToMatch Type other than HEADER, QUERY_STRING, or URI.
/// - You tried to update a ByteMatchSet with a Field of HEADER but no value for Data.
/// - Your request references an ARN that is malformed, or corresponds to a resource with which a web ACL cannot be associated.
///
/// The operation exceeds a resource limit, for example, the maximum number of WebACL
/// objects that you can create for an AWS account. For more information, see Limits
/// in the AWS WAF Developer Guide.
///
/// The operation failed because you tried to add an object to or delete an object from
/// another object that doesn't exist. For example:
///
/// - You tried to add a Rule to or delete a Rule from a WebACL that doesn't exist.
/// - You tried to add a ByteMatchSet to or delete a ByteMatchSet from a Rule that doesn't exist.
/// - You tried to add an IP address to or delete an IP address from an IPSet that doesn't exist.
/// - You tried to add a ByteMatchTuple to or delete a ByteMatchTuple from a ByteMatchSet that doesn't exist.
///
/// The operation failed because the referenced object doesn't exist.
///
/// The operation failed because you tried to delete an object that is still in use. For
/// example:
///
/// - You tried to delete a ByteMatchSet that is still referenced by a Rule.
/// - You tried to delete a Rule that is still referenced by a WebACL.
///
/// The operation failed because you tried to create, update, or delete an object by using
/// a change token that has already been used.
///