Package software.amazon.awscdk.services.wafv2

Class CfnWebACL

java.lang.Object
software.amazon.jsii.JsiiObject
software.constructs.Construct
software.amazon.awscdk.CfnElement
software.amazon.awscdk.CfnRefElement
software.amazon.awscdk.CfnResource
software.amazon.awscdk.services.wafv2.CfnWebACL
All Implemented Interfaces:
IInspectable, IEnvironmentAware, IWebACLRef, ITaggable, software.amazon.jsii.JsiiSerializable, software.constructs.IConstruct, software.constructs.IDependable
@Generated(value="jsii-pacmak/1.120.0 (build 192dc88)", date="2025-12-05T22:26:47.335Z") @Stability(Stable) public class CfnWebACL extends CfnResource implements IInspectable, IWebACLRef, ITaggable

This is the latest version of AWS WAF , named AWS WAF V2, released in November, 2019.

For information, including how to migrate your AWS WAF resources from the prior release, see the AWS WAF developer guide .

Use an WebACL to define a collection of rules to use to inspect and control web requests. Each rule in a web ACL has a statement that defines what to look for in web requests and an action that AWS WAF applies to requests that match the statement. In the web ACL, you assign a default action to take (allow, block) for any request that doesn't match any of the rules.

The rules in a web ACL can be a combination of explicitly defined rules and rule groups that you reference from the web ACL. The rule groups can be rule groups that you manage or rule groups that are managed by others.

You can associate a web ACL with one or more AWS resources to protect. The resources can be an Amazon CloudFront distribution, an REST API, an Application Load Balancer , an AWS AppSync GraphQL API , an Amazon Cognito user pool, an AWS App Runner service, an AWS Amplify application, or an AWS Verified Access instance.

For more information, see Web access control lists (web ACLs) in the AWS WAF developer guide .

Web ACLs used in AWS Shield Advanced automatic application layer DDoS mitigation

If you use Shield Advanced automatic application layer DDoS mitigation, the web ACLs that you use with automatic mitigation have a rule group rule whose name starts with ShieldMitigationRuleGroup . This rule is used for automatic mitigations and it's managed for you in the web ACL by Shield Advanced and AWS WAF . You'll see the rule listed among the web ACL rules when you view the web ACL through the AWS WAF interfaces.

When you manage the web ACL through CloudFormation interfaces, you won't see the Shield Advanced rule. CloudFormation doesn't include this type of rule in the stack drift status between the actual configuration of the web ACL and your web ACL template.

Don't add the Shield Advanced rule group rule to your web ACL template. The rule shouldn't be in your template. When you update the web ACL template in a stack, the Shield Advanced rule is maintained for you by AWS WAF in the resulting web ACL.

For more information, see Shield Advanced automatic application layer DDoS mitigation in the AWS Shield Advanced developer guide .

Example:

See Also:

  • Field Details

    • CFN_RESOURCE_TYPE_NAME

      @Stability(Stable) public static final String CFN_RESOURCE_TYPE_NAME
      The CloudFormation resource type name for this resource class.

  • Constructor Details

    • CfnWebACL

      protected CfnWebACL(software.amazon.jsii.JsiiObjectRef objRef)

    • CfnWebACL

      protected CfnWebACL(software.amazon.jsii.JsiiObject.InitializationMode initializationMode)

    • CfnWebACL

      @Stability(Stable) public CfnWebACL(@NotNull software.constructs.Construct scope, @NotNull String id, @NotNull CfnWebACLProps props)
      Create a new AWS::WAFv2::WebACL.

      Parameters:
      scope - Scope in which this resource is defined. This parameter is required.
      id - Construct identifier for this resource (unique in its scope). This parameter is required.
      props - Resource properties. This parameter is required.

  • Method Details

    • arnForWebACL

      @Stability(Stable) @NotNull public static String arnForWebACL(@NotNull IWebACLRef resource)
      Parameters:
      resource - This parameter is required.

    • isCfnWebACL

      @Stability(Stable) @NotNull public static Boolean isCfnWebACL(@NotNull Object x)
      Checks whether the given object is a CfnWebACL.

      Parameters:
      x - This parameter is required.

    • inspect

      @Stability(Stable) public void inspect(@NotNull TreeInspector inspector)
      Examines the CloudFormation resource and discloses attributes.

      Specified by:
      inspect in interface IInspectable
      Parameters:
      inspector - tree inspector to collect and process attributes. This parameter is required.

    • renderProperties

      @Stability(Stable) @NotNull protected Map<String,Object> renderProperties(@NotNull Map<String,Object> props)
      Overrides:
      renderProperties in class CfnResource
      Parameters:
      props - This parameter is required.

    • getAttrArn

      @Stability(Stable) @NotNull public String getAttrArn()
      The Amazon Resource Name (ARN) of the web ACL.

    • getAttrCapacity

      @Stability(Stable) @NotNull public Number getAttrCapacity()
      The web ACL capacity units (WCUs) currently being used by this web ACL.

      AWS WAF uses WCUs to calculate and control the operating resources that are used to run your rules, rule groups, and web ACLs. AWS WAF calculates capacity differently for each rule type, to reflect the relative cost of each rule. Simple rules that cost little to run use fewer WCUs than more complex rules that use more processing power. Rule group capacity is fixed at creation, which helps users plan their web ACL WCU usage when they use a rule group. The WCU limit for web ACLs is 1,500.

    • getAttrId

      @Stability(Stable) @NotNull public String getAttrId()
      The ID of the web ACL.

    • getAttrLabelNamespace

      @Stability(Stable) @NotNull public String getAttrLabelNamespace()
      The label namespace prefix for this web ACL.

      All labels added by rules in this web ACL have this prefix.

      The syntax for the label namespace prefix for a web ACL is the following: awswaf:<account ID>:webacl:<web ACL name>:

      When a rule with a label matches a web request, AWS WAF adds the fully qualified label to the request. A fully qualified label is made up of the label namespace from the rule group or web ACL where the rule is defined and the label from the rule, separated by a colon.

    • getCfnProperties

      @Stability(Stable) @NotNull protected Map<String,Object> getCfnProperties()
      Overrides:
      getCfnProperties in class CfnResource

    • getTags

      @Stability(Stable) @NotNull public TagManager getTags()
      Tag Manager which manages the tags for this resource.
      Specified by:
      getTags in interface ITaggable

    • getWebAclRef

      @Stability(Stable) @NotNull public WebACLReference getWebAclRef()
      A reference to a WebACL resource.
      Specified by:
      getWebAclRef in interface IWebACLRef

    • getDefaultAction

      @Stability(Stable) @NotNull public Object getDefaultAction()
      The action to perform if none of the Rules contained in the WebACL match.

      Returns union: either IResolvable or CfnWebACL.DefaultActionProperty

    • setDefaultAction

      @Stability(Stable) public void setDefaultAction(@NotNull IResolvable value)
      The action to perform if none of the Rules contained in the WebACL match.

    • setDefaultAction

      @Stability(Stable) public void setDefaultAction(@NotNull CfnWebACL.DefaultActionProperty value)
      The action to perform if none of the Rules contained in the WebACL match.

    • getScope

      @Stability(Stable) @NotNull public String getScope()
      Specifies whether this is for an Amazon CloudFront distribution or for a regional application.

    • setScope

      @Stability(Stable) public void setScope(@NotNull String value)
      Specifies whether this is for an Amazon CloudFront distribution or for a regional application.

    • getVisibilityConfig

      @Stability(Stable) @NotNull public Object getVisibilityConfig()
      Defines and enables Amazon CloudWatch metrics and web request sample collection.

      Returns union: either IResolvable or CfnWebACL.VisibilityConfigProperty

    • setVisibilityConfig

      @Stability(Stable) public void setVisibilityConfig(@NotNull IResolvable value)
      Defines and enables Amazon CloudWatch metrics and web request sample collection.

    • setVisibilityConfig

      @Stability(Stable) public void setVisibilityConfig(@NotNull CfnWebACL.VisibilityConfigProperty value)
      Defines and enables Amazon CloudWatch metrics and web request sample collection.

    • getApplicationConfig

      @Stability(Stable) @Nullable public Object getApplicationConfig()
      Returns a list of ApplicationAttribute s.

      Returns union: either IResolvable or CfnWebACL.ApplicationConfigProperty

    • setApplicationConfig

      @Stability(Stable) public void setApplicationConfig(@Nullable IResolvable value)
      Returns a list of ApplicationAttribute s.

    • setApplicationConfig

      @Stability(Stable) public void setApplicationConfig(@Nullable CfnWebACL.ApplicationConfigProperty value)
      Returns a list of ApplicationAttribute s.

    • getAssociationConfig

      @Stability(Stable) @Nullable public Object getAssociationConfig()
      Specifies custom configurations for the associations between the web ACL and protected resources.

      Returns union: either IResolvable or CfnWebACL.AssociationConfigProperty

    • setAssociationConfig

      @Stability(Stable) public void setAssociationConfig(@Nullable IResolvable value)
      Specifies custom configurations for the associations between the web ACL and protected resources.

    • setAssociationConfig

      @Stability(Stable) public void setAssociationConfig(@Nullable CfnWebACL.AssociationConfigProperty value)
      Specifies custom configurations for the associations between the web ACL and protected resources.

    • getCaptchaConfig

      @Stability(Stable) @Nullable public Object getCaptchaConfig()
      Specifies how AWS WAF should handle CAPTCHA evaluations for rules that don't have their own CaptchaConfig settings.

      Returns union: either IResolvable or CfnWebACL.CaptchaConfigProperty

    • setCaptchaConfig

      @Stability(Stable) public void setCaptchaConfig(@Nullable IResolvable value)
      Specifies how AWS WAF should handle CAPTCHA evaluations for rules that don't have their own CaptchaConfig settings.

    • setCaptchaConfig

      @Stability(Stable) public void setCaptchaConfig(@Nullable CfnWebACL.CaptchaConfigProperty value)
      Specifies how AWS WAF should handle CAPTCHA evaluations for rules that don't have their own CaptchaConfig settings.

    • getChallengeConfig

      @Stability(Stable) @Nullable public Object getChallengeConfig()
      Specifies how AWS WAF should handle challenge evaluations for rules that don't have their own ChallengeConfig settings.

      Returns union: either IResolvable or CfnWebACL.ChallengeConfigProperty

    • setChallengeConfig

      @Stability(Stable) public void setChallengeConfig(@Nullable IResolvable value)
      Specifies how AWS WAF should handle challenge evaluations for rules that don't have their own ChallengeConfig settings.

    • setChallengeConfig

      @Stability(Stable) public void setChallengeConfig(@Nullable CfnWebACL.ChallengeConfigProperty value)
      Specifies how AWS WAF should handle challenge evaluations for rules that don't have their own ChallengeConfig settings.

    • getCustomResponseBodies

      @Stability(Stable) @Nullable public Object getCustomResponseBodies()
      A map of custom response keys and content bodies.

      Returns union: either IResolvable or Mapinvalid input: '<'String, either IResolvable or CfnWebACL.CustomResponseBodyProperty>

    • setCustomResponseBodies

      @Stability(Stable) public void setCustomResponseBodies(@Nullable IResolvable value)
      A map of custom response keys and content bodies.

    • setCustomResponseBodies

      @Stability(Stable) public void setCustomResponseBodies(@Nullable Map<String,Object> value)
      A map of custom response keys and content bodies.

    • getDataProtectionConfig

      @Stability(Stable) @Nullable public Object getDataProtectionConfig()
      Specifies data protection to apply to the web request data for the web ACL.

      Returns union: either IResolvable or CfnWebACL.DataProtectionConfigProperty

    • setDataProtectionConfig

      @Stability(Stable) public void setDataProtectionConfig(@Nullable IResolvable value)
      Specifies data protection to apply to the web request data for the web ACL.

    • setDataProtectionConfig

      @Stability(Stable) public void setDataProtectionConfig(@Nullable CfnWebACL.DataProtectionConfigProperty value)
      Specifies data protection to apply to the web request data for the web ACL.

    • getDescription

      @Stability(Stable) @Nullable public String getDescription()
      A description of the web ACL that helps with identification.

    • setDescription

      @Stability(Stable) public void setDescription(@Nullable String value)
      A description of the web ACL that helps with identification.

    • getName

      @Stability(Stable) @Nullable public String getName()
      The name of the web ACL.

    • setName

      @Stability(Stable) public void setName(@Nullable String value)
      The name of the web ACL.

    • getOnSourceDDoSProtectionConfig

      @Stability(Stable) @Nullable public Object getOnSourceDDoSProtectionConfig()
      Configures the level of DDoS protection that applies to web ACLs associated with Application Load Balancers.

      Returns union: either IResolvable or CfnWebACL.OnSourceDDoSProtectionConfigProperty

    • setOnSourceDDoSProtectionConfig

      @Stability(Stable) public void setOnSourceDDoSProtectionConfig(@Nullable IResolvable value)
      Configures the level of DDoS protection that applies to web ACLs associated with Application Load Balancers.

    • setOnSourceDDoSProtectionConfig

      @Stability(Stable) public void setOnSourceDDoSProtectionConfig(@Nullable CfnWebACL.OnSourceDDoSProtectionConfigProperty value)
      Configures the level of DDoS protection that applies to web ACLs associated with Application Load Balancers.

    • getRules

      @Stability(Stable) @Nullable public Object getRules()
      The rule statements used to identify the web requests that you want to manage.

      Returns union: either IResolvable or Listinvalid input: '<'either IResolvable or CfnWebACL.RuleProperty>

    • setRules

      @Stability(Stable) public void setRules(@Nullable IResolvable value)
      The rule statements used to identify the web requests that you want to manage.

    • setRules

      @Stability(Stable) public void setRules(@Nullable List<Object> value)
      The rule statements used to identify the web requests that you want to manage.

    • getTagsRaw

      @Stability(Stable) @Nullable public List<CfnTag> getTagsRaw()
      Key:value pairs associated with an AWS resource.

    • setTagsRaw

      @Stability(Stable) public void setTagsRaw(@Nullable List<CfnTag> value)
      Key:value pairs associated with an AWS resource.

    • getTokenDomains

      @Stability(Stable) @Nullable public List<String> getTokenDomains()
      Specifies the domains that AWS WAF should accept in a web request token.

    • setTokenDomains

      @Stability(Stable) public void setTokenDomains(@Nullable List<String> value)
      Specifies the domains that AWS WAF should accept in a web request token.