Interface CfnWebACL.IManagedRuleGroupStatementProperty
A rule statement used to run the rules that are defined in a managed rule group.
Namespace: Amazon.CDK.AWS.WAFv2
Assembly: Amazon.CDK.Lib.dll
Syntax (csharp)
public interface CfnWebACL.IManagedRuleGroupStatementPropertySyntax (vb)
Public Interface CfnWebACL.IManagedRuleGroupStatementPropertyRemarks
To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names through the API call ListAvailableManagedRuleGroups .
You cannot nest a ManagedRuleGroupStatement , for example for use inside a NotStatement or OrStatement . You cannot use a managed rule group statement inside another rule group. You can only use a managed rule group statement as a top-level statement in a rule that you define in a web ACL.
You are charged additional fees when you use the AWS WAF Bot Control managed rule group <code>AWSManagedRulesBotControlRuleSet</code> , the AWS WAF Fraud Control account takeover prevention (ATP) managed rule group <code>AWSManagedRulesATPRuleSet</code> , or the AWS WAF Fraud Control account creation fraud prevention (ACFP) managed rule group <code>AWSManagedRulesACFPRuleSet</code> . For more information, see <a href="https://docs.aws.amazon.com/waf/pricing/">AWS WAF Pricing</a> .
ExampleMetadata: fixture=_generated
Synopsis
Properties
| ExcludedRules | Rules in the referenced rule group whose actions are set to |
| ManagedRuleGroupConfigs | Additional information that's used by a managed rule group. Many managed rule groups don't require this. |
| Name | The name of the managed rule group. |
| RuleActionOverrides | Action settings to use in the place of the rule actions that are configured inside the rule group. |
| ScopeDownStatement | An optional nested statement that narrows the scope of the web requests that are evaluated by the managed rule group. |
| VendorName | The name of the managed rule group vendor. |
| Version | The version of the managed rule group to use. |
Properties
ExcludedRules
Rules in the referenced rule group whose actions are set to Count .
object? ExcludedRules { get; }Property Value
Remarks
Instead of this option, use <code>RuleActionOverrides</code> . It accepts any valid action setting, including <code>Count</code> .
Type union: either IResolvable or (either IResolvable or CfnWebACL.IExcludedRuleProperty)[]
ManagedRuleGroupConfigs
Additional information that's used by a managed rule group. Many managed rule groups don't require this.
object? ManagedRuleGroupConfigs { get; }Property Value
Remarks
The rule groups used for intelligent threat mitigation require additional configuration:
Type union: either IResolvable or (either IResolvable or CfnWebACL.IManagedRuleGroupConfigProperty)[]
Name
The name of the managed rule group.
string Name { get; }Property Value
Remarks
You use this, along with the vendor name, to identify the rule group.
RuleActionOverrides
Action settings to use in the place of the rule actions that are configured inside the rule group.
object? RuleActionOverrides { get; }Property Value
Remarks
You specify one override for each rule whose action you want to change.
Verify the rule names in your overrides carefully. With managed rule groups, AWS WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn't exactly match the case-sensitive name of an existing rule in the rule group.
You can use overrides for testing, for example you can override all of rule actions to Count and then monitor the resulting count metrics to understand how the rule group would handle your web traffic. You can also permanently override some or all actions, to modify how the rule group manages your web traffic.
Type union: either IResolvable or (either IResolvable or CfnWebACL.IRuleActionOverrideProperty)[]
ScopeDownStatement
An optional nested statement that narrows the scope of the web requests that are evaluated by the managed rule group.
object? ScopeDownStatement { get; }Property Value
Remarks
Requests are only evaluated by the rule group if they match the scope-down statement. You can use any nestable Statement in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.
Type union: either IResolvable or CfnWebACL.IStatementProperty
VendorName
The name of the managed rule group vendor.
string VendorName { get; }Property Value
Remarks
You use this, along with the rule group name, to identify a rule group.
Version
The version of the managed rule group to use.
string? Version { get; }Property Value
Remarks
If you specify this, the version setting is fixed until you change it. If you don't specify this, AWS WAF uses the vendor's default version, and then keeps the version at the vendor's default when the vendor updates the managed rule group settings.