**Presentamos una nueva experiencia de consola para AWS WAF**
Ahora puede usar la experiencia actualizada para acceder a las AWS WAF funciones desde cualquier parte de la consola. Para obtener más información, consulte [Trabajar con la consola](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html).
Las traducciones son generadas a través de traducción automática. En caso de conflicto entre la traducción y la version original de inglés, prevalecerá la version en inglés.
# Ejemplos de protección de datos
En esta sección, se proporcionan ejemplos de registro de protección de datos del tráfico de paquetes de protección (ACL web).
## DataProtection hash
Webacl config
```
"data_protection_config": {
"data_protections": [
{
"field": {
"field_type": "SINGLE_QUERY_ARGUMENT",
"field_keys": [
"hoppy"
]
},
"action": "HASH",
"exclude_rule_match_details": false,
"exclude_rate_based_details": false
}
]
}
```
Ejemplo DataProtection de hash: entrada de registro protegida con el SingleQuery argumento «hoppy».
```
{
"timestamp": 1738705092889,
"formatVersion": 1,
"webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/DataProtectionhashACL/4eede063-e611-44f5-b357-ffc9d7b7fed5",
"terminatingRuleId": "Default_Action",
"terminatingRuleType": "REGULAR",
"action": "ALLOW",
"terminatingRuleMatchDetails": [],
"httpSourceName": "APIGW",
"httpSourceId": "746533260405:xt7v59bhn7:ABC",
"ruleGroupList": [],
"rateBasedRuleList": [],
"nonTerminatingMatchingRules": [{
"ruleId": "ProtectedSQLIHeadersVisibleInSTM",
"action": "COUNT",
"ruleMatchDetails": [{
"conditionType": "SQL_INJECTION",
"sensitivityLevel": "HIGH",
"location": "SINGLE_QUERY_ARG",
"matchedData": [ "z6hpYAFaMYdtiTeHhxnN5ydgRE5E1WgyVIdgqH0D3iM=" ],
"matchedFieldName": "hoppy"
}]
}],
"requestHeadersInserted": null,
"responseCodeSent": null,
"httpRequest": {
"clientIp": "54.239.98.137",
"country": "US",
"headers": [{
"name": "X-Forwarded-For",
"value": "54.239.98.137"
}, {
"name": "X-Forwarded-Proto",
"value": "https"
}, {
"name": "X-Forwarded-Port",
"value": "443"
}, {
"name": "Host",
"value": "xt7xxx9bhn7.gamma.execute-api.us-east-1.amazonaws.com"
}, {
"name": "X-Amzn-Trace-Id",
"value": "Root=1-67a288c4-27acb3cd5795dd8456b7e3c3"
}, {
"name": "Accept-Encoding",
"value": "gzip"
}, {
"name": "User-Agent",
"value": "okhttp/3.12.1"
}],
"uri": "/CanaryTest",
"args": "hoppy=z6hpYAFaMYdtiTeHhxnN5ydgRE5E1WgyVIdgqH0D3iM=&yellow=hello&x-hoppy-extra=generic-%3Cwords%3E-in-angle-brackets",
"httpVersion": "HTTP/1.1",
"httpMethod": "GET",
"requestId": "FepO0F8fIAMEqoQ="
},
"labels": [{
"name": "awswaf:forwardedip:geo:country:US"
}, {
"name": "awswaf:forwardedip:geo:region:US-VA"
}]
}
```
## DataProtection sustitución
Webacl config
```
"data_protection_config": {
"data_protections": [
{
"field": {
"field_type": "SINGLE_QUERY_ARGUMENT",
"field_keys": [
"hoppy"
]
},
"action": "SUBSTITUTION",
"exclude_rule_match_details": false,
"exclude_rate_based_details": false
}
]
}
```
Ejemplo de DataProtection sustitución: entrada de registro con el argumento de consulta única «hoppy» protegido
```
{
"timestamp": 1738705092889,
"formatVersion": 1,
"webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/DataProtectionhashACL/4eede063-e611-44f5-b357-ffc9d7b7fed5",
"terminatingRuleId": "Default_Action",
"terminatingRuleType": "REGULAR",
"action": "ALLOW",
"terminatingRuleMatchDetails": [],
"httpSourceName": "APIGW",
"httpSourceId": "746533260405:xt7v59bhn7:ABC",
"ruleGroupList": [],
"rateBasedRuleList": [],
"nonTerminatingMatchingRules": []
"requestHeadersInserted": null,
"responseCodeSent": null,
"httpRequest": {
"clientIp": "54.239.98.137",
"country": "US",
"headers": [{
"name": "X-Forwarded-For",
"value": "54.239.98.137"
}, {
"name": "X-Forwarded-Proto",
"value": "https"
}, {
"name": "X-Forwarded-Port",
"value": "443"
}, {
"name": "Host",
"value": "xt7xxx9bhn7.gamma.execute-api.us-east-1.amazonaws.com"
}, {
"name": "X-Amzn-Trace-Id",
"value": "Root=1-67a288c4-27acb3cd5795dd8456b7e3c3"
}, {
"name": "Accept-Encoding",
"value": "gzip"
}, {
"name": "User-Agent",
"value": "okhttp/3.12.1"
}],
"uri": "/CanaryTest",
"args": "hoppy=REDACTED&yellow=hello&x-hoppy-extra=generic-%3Cwords%3E-in-angle-brackets",
"httpVersion": "HTTP/1.1",
"httpMethod": "GET",
"requestId": "FepO0F8fIAMEqoQ="
},
"labels": [{
"name": "awswaf:forwardedip:geo:country:US"
}, {
"name": "awswaf:forwardedip:geo:region:US-VA"
}]
}
```
## Retención de datos en RuleMatchDetails
Webacl config
```
"data_protection_config": {
"data_protections": [
{
"field": {
"field_type": "SINGLE_HEADER",
"field_keys": [
"hoppy"
]
},
"action": "HASH",
"exclude_rule_match_details": true,
"exclude_rate_based_details": false
}
]
}
```
Ejemplo de retención de datos en RuleMatchDetails: entrada de registro con un único `Header` «hoppy» protegido, pero el valor solo se conserva en`RuleMatchDetails`.
```
{
"timestamp": 1738705092889,
"formatVersion": 1,
"webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/DataProtectionhashACL/4eede063-e611-44f5-b357-ffc9d7b7fed5",
"terminatingRuleId": "Default_Action",
"terminatingRuleType": "REGULAR",
"action": "ALLOW",
"terminatingRuleMatchDetails": [],
"httpSourceName": "APIGW",
"httpSourceId": "746533260405:xt7v59bhn7:ABC",
"ruleGroupList": [],
"rateBasedRuleList": [],
"nonTerminatingMatchingRules": [{
"ruleId": "ProtectedSQLIHeadersVisibleInSTM",
"action": "COUNT",
"ruleMatchDetails": [{
"conditionType": "SQL_INJECTION",
"sensitivityLevel": "HIGH",
"location": "HEADER",
"matchedData": [ "10", "AND", "1" ],
"matchedFieldName": "hoppy"
}]
}],
"requestHeadersInserted": null,
"responseCodeSent": null,
"httpRequest": {
"clientIp": "54.239.98.137",
"country": "US",
"headers": [{
"name": "X-Forwarded-For",
"value": "54.239.98.137"
}, {
"name": "X-Forwarded-Proto",
"value": "https"
}, {
"name": "X-Forwarded-Port",
"value": "443"
}, {
"name": "Host",
"value": "xt7xxx9bhn7.gamma.execute-api.us-east-1.amazonaws.com"
}, {
"name": "X-Amzn-Trace-Id",
"value": "Root=1-67a288c4-27acb3cd5795dd8456b7e3c3"
}, {
"name": "hoppy",
"value": "zuomr2mxQxofg6EI6f7hMNGaJhhPxt0rFVAXog6FLxE="
}, {
"name": "Accept-Encoding",
"value": "gzip"
}, {
"name": "User-Agent",
"value": "okhttp/3.12.1"
}, {
"name": "hoppy",
"value": "z6hpYAFaMYdtiTeHhxnN5ydgRE5E1WgyVIdgqH0D3iM="
}],
"uri": "/CanaryTest",
"args": "happy=true",
"httpVersion": "HTTP/1.1",
"httpMethod": "GET",
"requestId": "FepO0F8fIAMEqoQ="
},
"labels": [{
"name": "awswaf:forwardedip:geo:country:US"
}, {
"name": "awswaf:forwardedip:geo:region:US-VA"
}]
}
```
## Retención de datos en rateBasedRule
```
"data_protection_config": {
"data_protections": [
{
"field": {
"field_type": "SINGLE_HEADER",
"field_keys": [
"hoppy"
]
},
"action": "HASH",
"exclude_rule_match_details": false,
"exclude_rate_based_details": true
}
]
}
```
Ejemplo de retención de datos en rateBasedRule una lista: entrada de registro con el único `Header` «hoppy» protegido, pero el valor solo se conserva en `rateBasedRuleList`
```
{
"timestamp": 1683355579981,
"formatVersion": 1,
"webaclId": ...,
"terminatingRuleId": "RateBasedRule",
"terminatingRuleType": "RATE_BASED",
"action": "BLOCK",
"terminatingRuleMatchDetails": [],
"httpSourceName": "APIGW",
"httpSourceId": "EXAMPLE11:rjvegx5guh:CanaryTest",
"ruleGroupList": [],
"rateBasedRuleList": [{
"rateBasedRuleId": ...,
"rateBasedRuleName": "RateBasedRule",
"limitKey": "CUSTOMKEYS",
"maxRateAllowed": 100,
"evaluationWindowSec": "120",
"customValues": [{
"key": "HEADER",
"name": "hoppy",
"value": "ella"
}]
}],
"nonTerminatingMatchingRules": [],
"requestHeadersInserted": null,
"responseCodeSent": null,
"httpRequest": {
"clientIp": "52.46.82.45",
"country": "FR",
"headers": [{
"name": "X-Forwarded-For",
"value": "52.46.82.45"
}, {
"name": "X-Forwarded-Proto",
"value": "https"
}, {
"name": "X-Forwarded-Port",
"value": "443"
}, {
"name": "Host",
"value": "rjvegx5guh.execute-api.eu-west-3.amazonaws.com"
}, {
"name": "X-Amzn-Trace-Id",
"value": "Root=1-645566cf-7cb058b04d9bb3ee01dc4036"
}, {
"name": "hoppy",
"value": "zuomr2mxQxofg6EI6f7hMNGaJhhPxt0rFVAXog6FLxE="
}, {
"name": "User-Agent",
"value": "RateBasedRuleTestKoipOneKeyModulePV2"
}, {
"name": "Accept-Encoding",
"value": "gzip,deflate"
}],
"uri": "/CanaryTest",
"args": "",
"httpVersion": "HTTP/1.1",
"httpMethod": "GET",
"requestId": "Ed0AiHF_CGYF-DA="
}
}
```
## Protección de datos para el cuerpo
AWS WAF registre solo subconjuntos de Body. `RuleMatchDetails`
Webacl config
```
"data_protection_config": {
"data_protections": [
{
"field": {
"field_type": "BODY"
},
"action": "SUBSTITUTE",
"exclude_rule_match_details": false,
"exclude_rate_based_details": false
}
]
}
```
Ejemplo DataProtection de cuerpo: entrada de registro con cuerpo sustituido. `ruleMatchDetails`
```
{
"timestamp": 1738705092889,
"formatVersion": 1,
"webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/DataProtectionhashACL/4eede063-e611-44f5-b357-ffc9d7b7fed5",
"terminatingRuleId": "Default_Action",
"terminatingRuleType": "REGULAR",
"action": "ALLOW",
"terminatingRuleMatchDetails": [],
"httpSourceName": "APIGW",
"httpSourceId": "746533260405:xt7v59bhn7:ABC",
"ruleGroupList": [],
"rateBasedRuleList": [],
"nonTerminatingMatchingRules": [{
"ruleId": "ProtectedSQLIBody",
"action": "COUNT",
"ruleMatchDetails": [{
"conditionType": "SQL_INJECTION",
"sensitivityLevel": "HIGH",
"location": "BODY",
"matchedData": ["REDACTED"]
}]
}],
"requestHeadersInserted": null,
"responseCodeSent": null,
"httpRequest": {
"clientIp": "54.239.98.137",
"country": "US",
"headers": [{
"name": "X-Forwarded-For",
"value": "54.239.98.137"
}, {
"name": "X-Forwarded-Proto",
"value": "https"
}, {
"name": "X-Forwarded-Port",
"value": "443"
}, {
"name": "Host",
"value": "xt7xxx9bhn7.gamma.execute-api.us-east-1.amazonaws.com"
}, {
"name": "X-Amzn-Trace-Id",
"value": "Root=1-67a288c4-27acb3cd5795dd8456b7e3c3"
}, {
"name": "Accept-Encoding",
"value": "gzip"
}, {
"name": "User-Agent",
"value": "okhttp/3.12.1"
}, {
"name": "cookie",
"value": "hoppy=dog;"
}],
"uri": "/CanaryTest",
"args": "baloo=abc&hoppy-query=xyz&x-hoppy-extra=generic-%3Cwords%3E-in-angle-brackets",
"httpVersion": "HTTP/1.1",
"httpMethod": "GET",
"requestId": "FepO0F8fIAMEqoQ="
},
"labels": [{
"name": "awswaf:forwardedip:geo:country:US"
}, {
"name": "awswaf:forwardedip:geo:region:US-VA"
}]
}
```
## Protección de datos para `SINGLE_COOKIE`
Webacl config
```
"data_protection_config": {
"data_protections": [
{
"field": {
"field_type": "SINGLE_COOKIE",
"field_keys": [
"MILO"
]
},
"action": "HASH",
"exclude_rule_match_details": false,
"exclude_rate_based_details": false
}
]
}
```
Ejemplo DataProtection para`SINGLE_COOKIE`: entrada de registro protegida con un `SINGLE_COOKIE` nombre «MILO».
El registro completo muestra que la cookie denominada MILO está protegida en `ruleMatchDetails` y el encabezado de la cookie. Solo se protegen los valores de las cookies y se excluyen los nombres de las claves.
**nota**
Todos los campos protegidos (encabezado único, cookie, argumento de consulta) no distinguen mayúsculas de minúsculas. Por lo tanto, en este ejemplo, “MILO” coincide con “milo”.
```
{
"timestamp": 1738705092889,
"formatVersion": 1,
"webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/DataProtectionhashACL/4eede063-e611-44f5-b357-ffc9d7b7fed5",
"terminatingRuleId": "Default_Action",
"terminatingRuleType": "REGULAR",
"action": "ALLOW",
"terminatingRuleMatchDetails": [],
"httpSourceName": "APIGW",
"httpSourceId": "746533260405:xt7v59bhn7:ABC",
"ruleGroupList": [],
"rateBasedRuleList": [],
"nonTerminatingMatchingRules": [{
"ruleId": "ProtectedSQLIHeadersVisibleInSTM",
"action": "COUNT",
"ruleMatchDetails": [{
"conditionType": "SQL_INJECTION",
"sensitivityLevel": "HIGH",
"location": "COOKIE",
"matchedData": ["zuomr2mxQxofg6EI6f7hMNGaJhhPxt0rFVAXog6FLxE="],
"matchedFieldName": "milo"
}]
}],
"requestHeadersInserted": null,
"responseCodeSent": null,
"httpRequest": {
"clientIp": "54.239.98.137",
"country": "US",
"headers": [{
"name": "X-Forwarded-For",
"value": "54.239.98.137"
}, {
"name": "X-Forwarded-Proto",
"value": "https"
}, {
"name": "X-Forwarded-Port",
"value": "443"
}, {
"name": "Host",
"value": "xt7xxx9bhn7.gamma.execute-api.us-east-1.amazonaws.com"
}, {
"name": "X-Amzn-Trace-Id",
"value": "Root=1-67a288c4-27acb3cd5795dd8456b7e3c3"
}, {
"name": "Accept-Encoding",
"value": "gzip"
}, {
"name": "User-Agent",
"value": "okhttp/3.12.1"
}, {
"name": "cookie",
"value": "hoppy=dog;milo=zuomr2mxQxofg6EI6f7hMNGaJhhPxt0rFVAXog6FLxE=;aws-waf-token=51c71352-41f5-4f6d-b676-c24907bdf819:EQoAZ/J+AAQAAAAA:t9wvxbw042wva7E2Y6lgud/bS6YG0CJKVAJqaRqDZ140ythKW0Zj9wKB2O8lSkYDRqf1yONcVBFo5u0eYi0tvT4rtQCXsu+KanAardW8go4QSLw4yoED59lgV7oAhGyCalAzE7ra29j+RvvZPsQyoQuDCrtoY/TvQyMTXIXzGPDC/rKBbg=="
}],
"uri": "/CanaryTest",
"args": "baloo=abc&hoppy-query=xyz&x-hoppy-extra=generic-%3Cwords%3E-in-angle-brackets",
"httpVersion": "HTTP/1.1",
"httpMethod": "GET",
"requestId": "FepO0F8fIAMEqoQ="
},
"labels": [{
"name": "awswaf:forwardedip:geo:country:US"
}, {
"name": "awswaf:forwardedip:geo:region:US-VA"
}]
}
```
## Protección de datos para todas las cookies
Puede configurar la protección de datos para las cookies mediante el uso de `SINGLE_HEADER`. Solo se protegen los valores de las cookies y se excluyen los nombres de las claves.
```
"DataProtectionConfig": {
"DataProtections": [
{
"Field": {
"FieldType": "SINGLE_HEADER",
"FieldKeys": ["cookie"]
},
"Action": "SUBSTITUTION",
"ExcludeRuleMatchDetails": false,
"ExcludeRateBasedDetails": false
}
]
}
```
Ejemplo DataProtection de `header ` «COOKIE»: entrada de registro con el encabezado de la cookie protegido.
**nota**
El nombre de la cookie `AWS-WAF-TOKEN` está fuera del alcance de la protección de datos.
```
{
"timestamp": 1738705092889,
"formatVersion": 1,
"webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/DataProtectionhashACL/4eede063-e611-44f5-b357-ffc9d7b7fed5",
"terminatingRuleId": "Default_Action",
"terminatingRuleType": "REGULAR",
"action": "ALLOW",
"terminatingRuleMatchDetails": [],
"httpSourceName": "APIGW",
"httpSourceId": "746533260405:xt7v59bhn7:ABC",
"ruleGroupList": [],
"rateBasedRuleList": [],
"nonTerminatingMatchingRules": [],
"requestHeadersInserted": null,
"responseCodeSent": null,
"httpRequest": {
"clientIp": "54.239.98.137",
"country": "US",
"headers": [{
"name": "X-Forwarded-For",
"value": "54.239.98.137"
}, {
"name": "X-Forwarded-Proto",
"value": "https"
}, {
"name": "X-Forwarded-Port",
"value": "443"
}, {
"name": "Host",
"value": "xt7xxx9bhn7.gamma.execute-api.us-east-1.amazonaws.com"
}, {
"name": "X-Amzn-Trace-Id",
"value": "Root=1-67a288c4-27acb3cd5795dd8456b7e3c3"
}, {
"name": "Accept-Encoding",
"value": "gzip"
}, {
"name": "User-Agent",
"value": "okhttp/3.12.1"
}, {
"name": "cookie",
"value": "hoppy=REDACTED;milo=REDACTED;aws-waf-token=51c71352-41f5-4f6d-b676-c24907bdf819:EQoAZ/J+AAQAAAAA:t9wvxbw042wva7E2Y6lgud/bS6YG0CJKVAJqaRqDZ140ythKW0Zj9wKB2O8lSkYDRqf1yONcVBFo5u0eYi0tvT4rtQCXsu+KanAardW8go4QSLw4yoED59lgV7oAhGyCalAzE7ra29j+RvvZPsQyoQuDCrtoY/TvQyMTXIXzGPDC/rKBbg=="
}],
"uri": "/CanaryTest",
"args": "baloo=xyz=&hoppy-query=abc&x-hoppy-extra=abc",
"httpVersion": "HTTP/1.1",
"httpMethod": "GET",
"requestId": "FepO0F8fIAMEqoQ="
},
"labels": [{
"name": "awswaf:forwardedip:geo:country:US"
}, {
"name": "awswaf:forwardedip:geo:region:US-VA"
}]
}
```
## Protección de datos para argumentos de consulta única
Puede configurar la protección de datos para una cadena de consulta mediante `SINGLE_QUERY_ARGUMENT`. Esto afecta a las claves y los valores de todos los argumentos de consulta. En los siguientes ejemplos, la cadena de consulta original era `baloo=10 AND 1=1&hoppy=10 AND 1=1&x-hoppy-extra=generic-%3Cwords`.
Webacl config
```
"DataProtectionConfig": {
"DataProtections": [
{
"Field": {
"FieldType": "SINGLE_QUERY_ARGUMENT",
"FieldKeys": ["hoppy"]
},
"Action": "SUBSTITUTION",
"ExcludeRuleMatchDetails": false,
"ExcludeRateBasedDetails": false
}
]
}
```
Ejemplo DataProtection de`SINGLE_QUERY_ARGUEMENT`: entrada de registro con cadena de consulta «hoppy» protegida con sustituciones.
```
{
"timestamp": 1738705092889,
"formatVersion": 1,
"webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/DataProtectionSubstituteQueryString/4eede063-e611-44f5-b357-ffc9d7b7fed5",
"terminatingRuleId": "Default_Action",
"terminatingRuleType": "REGULAR",
"action": "ALLOW",
"terminatingRuleMatchDetails": [],
"httpSourceName": "APIGW",
"httpSourceId": "746533260405:xt7v59bhn7:ABC",
"ruleGroupList": [],
"rateBasedRuleList": [],
"nonTerminatingMatchingRules": [
{
"ruleId": "ProtectedHoppyQueryArg",
"action": "COUNT",
"ruleMatchDetails": [
{
"conditionType": "SQL_INJECTION",
"sensitivityLevel": "HIGH",
"location": "SINGLE_QUERY_ARG",
"matchedData": ["REDACTED"],
"matchedFieldName": "hoppy"
}]
},
{
"ruleId": "FullQueryStringInspectionWhichDetectsTheFirstFieldWithSQLi_Baloo_IsAlsoMaskedMasked",
"action": "COUNT",
"ruleMatchDetails": [
{
"conditionType": "SQL_INJECTION",
"sensitivityLevel": "HIGH",
"location": "QUERY_ARGS",
"matchedData": ["REDACTED"],
}]
},
{
"ruleId": "ProtectedBalooQueryArg",
"action": "COUNT",
"ruleMatchDetails": [
{
"conditionType": "SQL_INJECTION",
"sensitivityLevel": "HIGH",
"location": "SINGLE_QUERY_ARG",
"matchedData": [ "10", "AND", "1" ],
"matchedFieldName": "baloo"
}]
}
],
"requestHeadersInserted": null,
"responseCodeSent": null,
"httpRequest": {
"clientIp": "54.239.98.137",
"country": "US",
"headers": [{
"name": "X-Forwarded-For",
"value": "54.239.98.137"
}, {
"name": "X-Forwarded-Proto",
"value": "https"
}, {
"name": "X-Forwarded-Port",
"value": "443"
}, {
"name": "Host",
"value": "xt7xxx9bhn7.gamma.execute-api.us-east-1.amazonaws.com"
}, {
"name": "X-Amzn-Trace-Id",
"value": "Root=1-67a288c4-27acb3cd5795dd8456b7e3c3"
}, {
"name": "Accept-Encoding",
"value": "gzip"
}, {
"name": "User-Agent",
"value": "okhttp/3.12.1"
}],
"uri": "/CanaryTest",
"args": "baloo=10 AND 1=1&hoppy=REDACTED&x-hoppy-extra=generic-%3Cwords",
"httpVersion": "HTTP/1.1",
"httpMethod": "GET",
"requestId": "FepO0F8fIAMEqoQ="
},
"labels": [{
"name": "awswaf:forwardedip:geo:country:US"
}, {
"name": "awswaf:forwardedip:geo:region:US-VA"
}]
}
```
## Protección de datos para cadenas de consulta
Puede configurar la protección de datos para una cadena de consulta mediante `QUERY_STRING`. Esto afecta a las claves y los valores de todos los argumentos de consulta. En los siguientes ejemplos, la cadena de consulta original era `baloo=10 AND 1=1&hoppy-query=10 AND 1=1&x-hoppy-extra=generic-%3Cwords`.
Webacl config
```
"DataProtectionConfig": {
"DataProtections": [
{
"Field": {
"FieldType": "QUERY_STRING"
},
"Action": "SUBSTITUTION",
"ExcludeRuleMatchDetails": false,
"ExcludeRateBasedDetails": false
}
]
}
```
Ejemplo DataProtection de`QUERY_STRING`: entrada de registro con una cadena de consulta protegida con sustituciones.
```
{
"timestamp": 1738705092889,
"formatVersion": 1,
"webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/DataProtectionSubstituteQueryString/4eede063-e611-44f5-b357-ffc9d7b7fed5",
"terminatingRuleId": "Default_Action",
"terminatingRuleType": "REGULAR",
"action": "ALLOW",
"terminatingRuleMatchDetails": [],
"httpSourceName": "APIGW",
"httpSourceId": "746533260405:xt7v59bhn7:ABC",
"ruleGroupList": [],
"rateBasedRuleList": [],
"nonTerminatingMatchingRules": [
{
"ruleId": "ProtectedHoppyQueryArg",
"action": "COUNT",
"ruleMatchDetails": [
{
"conditionType": "SQL_INJECTION",
"sensitivityLevel": "HIGH",
"location": "QUERY_STRING",
"matchedData": ["REDACTED"]
}]
},
{
"ruleId": "ProtectedBalooQueryArg",
"action": "COUNT",
"ruleMatchDetails": [
{
"conditionType": "SQL_INJECTION",
"sensitivityLevel": "HIGH",
"location": "SINGLE_QUERY_ARG",
"matchedData": [ "REDACTED" ],
"matchedFieldName": "REDACTED"
}]
}
],
"requestHeadersInserted": null,
"responseCodeSent": null,
"httpRequest": {
"clientIp": "54.239.98.137",
"country": "US",
"headers": [{
"name": "X-Forwarded-For",
"value": "54.239.98.137"
}, {
"name": "X-Forwarded-Proto",
"value": "https"
}, {
"name": "X-Forwarded-Port",
"value": "443"
}, {
"name": "Host",
"value": "xt7xxx9bhn7.gamma.execute-api.us-east-1.amazonaws.com"
}, {
"name": "X-Amzn-Trace-Id",
"value": "Root=1-67a288c4-27acb3cd5795dd8456b7e3c3"
}, {
"name": "Accept-Encoding",
"value": "gzip"
}, {
"name": "User-Agent",
"value": "okhttp/3.12.1"
}],
"uri": "/CanaryTest",
"args": "REDACTED",
"httpVersion": "HTTP/1.1",
"httpMethod": "GET",
"requestId": "FepO0F8fIAMEqoQ="
},
"labels": [{
"name": "awswaf:forwardedip:geo:country:US"
}, {
"name": "awswaf:forwardedip:geo:region:US-VA"
}]
}
```
## Protección de datos para múltiples argumentos de consulta
Puede configurar la protección de datos para argumentos de consulta individuales mediante `SINGLE_QUERY_ARGUMENT`. Al reportar información local, usamos protecciones locales. Sin embargo, las cadenas que coinciden en la cadena de consulta y en el encabezado de la cookie tienen muchas configuraciones de protección que podrían aplicarse. Para simplificar, se aplica la protección más estricta para `RuleMatchDetails`, incluso si no se superpone con el rango de datos específico correspondiente.
En los siguientes ejemplos, la cadena de consulta original era `baloo=is_a_good_boy&hoppy=likes_to_sleep&x-hoppy-extra=10 AND 1=1`.
```
"DataProtectionConfig": {
"DataProtections": [
{
"Field": {
"FieldType": "SINGLE_QUERY_ARGUMENT",
"FieldKeys": ["hoppy"]
},
"Action": "SUBSTITUTION",
"ExcludeRuleMatchDetails": false,
"ExcludeRateBasedDetails": false
},
{
"Field": {
"FieldType": "SINGLE_QUERY_ARGUMENT",
"FieldKeys": ["baloo"]
},
"Action": "HASH",
"ExcludeRuleMatchDetails": false,
"ExcludeRateBasedDetails": false
}
]
}
```
Ejemplo DataProtection de varios argumentos de consulta.
```
{
"timestamp": 1738705092889,
"formatVersion": 1,
"webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/DataProtectionSubstituteQueryString/4eede063-e611-44f5-b357-ffc9d7b7fed5",
"terminatingRuleId": "Default_Action",
"terminatingRuleType": "REGULAR",
"action": "ALLOW",
"terminatingRuleMatchDetails": [],
"httpSourceName": "APIGW",
"httpSourceId": "746533260405:xt7v59bhn7:ABC",
"ruleGroupList": [],
"rateBasedRuleList": [],
"nonTerminatingMatchingRules": [
{
"ruleId": "ProtectedHoppyQueryArg",
"action": "COUNT",
"ruleMatchDetails": [
{
"conditionType": "SQL_INJECTION",
"sensitivityLevel": "HIGH",
"location": "SINGLE_QUERY_ARG",
"matchedData": ["REDACTED"],
"matchedFieldName": "hoppy"
}]
},
{
"ruleId": "ProtectedBalooQueryArg",
"action": "COUNT",
"ruleMatchDetails": [
{
"conditionType": "SQL_INJECTION",
"sensitivityLevel": "HIGH",
"location": "SINGLE_QUERY_ARG",
"matchedData": ["zuomr2mxQxofg6EI6f7hMNGaJhhPxt0rFVAXog6FLxE="],
"matchedFieldName": "baloo"
}]
},
{
"ruleId": "FullQueryStringDetects_x-hoppy-extra_IsSubstituted",
"action": "COUNT",
"ruleMatchDetails": [
{
"conditionType": "SQL_INJECTION",
"sensitivityLevel": "HIGH",
"location": "QUERY_ARGS",
"matchedData": ["REDACTED"], // Harshest of Protection Config
}]
}
],
"requestHeadersInserted": null,
"responseCodeSent": null,
"httpRequest": {
"clientIp": "54.239.98.137",
"country": "US",
"headers": [{
"name": "X-Forwarded-For",
"value": "54.239.98.137"
}, {
"name": "X-Forwarded-Proto",
"value": "https"
}, {
"name": "X-Forwarded-Port",
"value": "443"
}, {
"name": "Host",
"value": "xt7xxx9bhn7.gamma.execute-api.us-east-1.amazonaws.com"
}, {
"name": "X-Amzn-Trace-Id",
"value": "Root=1-67a288c4-27acb3cd5795dd8456b7e3c3"
}, {
"name": "Accept-Encoding",
"value": "gzip"
}, {
"name": "User-Agent",
"value": "okhttp/3.12.1"
}],
"uri": "/CanaryTest",
"args": "baloo=zuomr2mxQxofg6EI6f7hMNGaJhhPxt0rFVAXog6FLxE=&hoppy=REDACTED&x-hoppy-extra=10 AND 1=1",
"httpVersion": "HTTP/1.1",
"httpMethod": "GET",
"requestId": "FepO0F8fIAMEqoQ="
},
"labels": [{
"name": "awswaf:forwardedip:geo:country:US"
}, {
"name": "awswaf:forwardedip:geo:region:US-VA"
}]
}
```
**nota**
No puede especificar tanto el **QueryString enmascaramiento como el** **enmascaramiento de argumento de consulta única en la misma WebACL**.