/AWS1/CL_WA2AWSMANAGEDRLSATP00¶
Details for your use of the account takeover prevention managed rule group, AWSManagedRulesATPRuleSet. This configuration is used in ManagedRuleGroupConfig.
For additional information about this and the other intelligent threat mitigation rule groups, see Intelligent threat mitigation in WAF and Amazon Web Services Managed Rules rule groups list in the WAF Developer Guide.
CONSTRUCTOR¶
IMPORTING¶
Required arguments:¶
iv_loginpath TYPE /AWS1/WA2STRING /AWS1/WA2STRING¶
The path of the login endpoint for your application. For example, for the URL
https://example.com/web/login, you would provide the path/web/login. Login paths that start with the path that you provide are considered a match. For example/web/loginmatches the login paths/web/login,/web/login/,/web/loginPage, and/web/login/thisPage, but doesn't match the login path/home/web/loginor/website/login.The rule group inspects only HTTP
POSTrequests to your specified login endpoint.
Optional arguments:¶
io_requestinspection TYPE REF TO /AWS1/CL_WA2REQUESTINSPECTION /AWS1/CL_WA2REQUESTINSPECTION¶
The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage.
io_responseinspection TYPE REF TO /AWS1/CL_WA2RESPONSEINSPECTION /AWS1/CL_WA2RESPONSEINSPECTION¶
The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.
Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.
The ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts for each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that have had too many failed login attempts in a short amount of time.
iv_enableregexinpath TYPE /AWS1/WA2BOOLEAN /AWS1/WA2BOOLEAN¶
Allow the use of regular expressions in the login page path.
Queryable Attributes¶
LoginPath¶
The path of the login endpoint for your application. For example, for the URL
https://example.com/web/login, you would provide the path/web/login. Login paths that start with the path that you provide are considered a match. For example/web/loginmatches the login paths/web/login,/web/login/,/web/loginPage, and/web/login/thisPage, but doesn't match the login path/home/web/loginor/website/login.The rule group inspects only HTTP
POSTrequests to your specified login endpoint.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_LOGINPATH() |
Getter for LOGINPATH, with configurable default |
ASK_LOGINPATH() |
Getter for LOGINPATH w/ exceptions if field has no value |
HAS_LOGINPATH() |
Determine if LOGINPATH has a value |
RequestInspection¶
The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_REQUESTINSPECTION() |
Getter for REQUESTINSPECTION |
ResponseInspection¶
The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates.
Response inspection is available only in web ACLs that protect Amazon CloudFront distributions.
The ATP rule group evaluates the responses that your protected resources send back to client login attempts, keeping count of successful and failed attempts for each IP address and client session. Using this information, the rule group labels and mitigates requests from client sessions and IP addresses that have had too many failed login attempts in a short amount of time.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_RESPONSEINSPECTION() |
Getter for RESPONSEINSPECTION |
EnableRegexInPath¶
Allow the use of regular expressions in the login page path.
Accessible with the following methods¶
| Method | Description |
|---|---|
GET_ENABLEREGEXINPATH() |
Getter for ENABLEREGEXINPATH |