


# Data protection
AWS WAF adds data protection options

AWS WAF now lets you configure data protection either at the protection pack (web ACL) level or at the logging only level.

AWS WAF data protection settings let you implement customized and granular protection of sensitive information (passwords, API keys, authentication tokens, and other confidential data) on specific data fields such as headers, parameters, and body content.

You can configure data protection at either:
+ The protection pack (web ACL) level, which applies across all output destinations.
+ Logging only, which only affects the data that AWS WAF sends to the configured logging destination. 

Data protection can be specified as either a substitution or hashing. 

Substitution refers to replacing content with the word `REDACTED`. 

Hashing refers to replacing content with a Base64-encoded SHA-256 digest, computed as follows:

1. First, the algorithm builds a string from the account number and the content.

1. It then applies SHA-256 to produce a binary hash.

1. Finally, it encodes those bytes using Base64.

**Tip**  
You should review the characteristics of SHA-256 hashing to determine if it meets your requirements before you select the appropriate data protection method. We do not recommend relying on SHA-256 hashing if you intend to achieve an outcome equivalent to encryption or tokenization.
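As an added illustration (example code, not AWS's implementation), the following Python models the three hashing steps just listed. AWS does not document how the account number and the content are joined, so the `:` separator below is an assumption, and the digests it produces will not equal the ones in the sample logs on this page. The properties it demonstrates do not depend on the separator: the output is always a 44-character Base64 string, the same content always hashes to the same string within one account (so an analyst can correlate one token across requests without seeing it), and anyone holding a candidate plaintext can confirm it, which is the reason the tip above distinguishes hashing from encryption or tokenization.

```python
"""Model of the documented data-protection hashing steps (added example, not AWS code).

Assumption: account id and content are joined as "account:content"; AWS does not
document the join, so digests here will not reproduce the sample logs.
"""
import base64
import hashlib
from collections import defaultdict


def protect_hash(account_id: str, content: str, sep: str = ":") -> str:
    """Step 1: build a string; step 2: SHA-256; step 3: Base64-encode the bytes."""
    material = f"{account_id}{sep}{content}".encode("utf-8")  # separator is assumed
    digest = hashlib.sha256(material).digest()                  # 32 raw bytes
    return base64.b64encode(digest).decode("ascii")            # 44-character text


def correlate_hashed_values(values):
    """Group request ids that carry the same hashed value.

    Hashing is deterministic per account, so one secret always maps to one
    string: useful for following a token across log entries without exposing it.
    Returns {hashed_value: [request ids]} for values seen more than once.
    """
    groups = defaultdict(list)
    for request_id, hashed in values:
        groups[hashed].append(request_id)
    return {h: ids for h, ids in groups.items() if len(ids) > 1}


def matches_candidate(account_id: str, hashed: str, candidate: str) -> bool:
    """Confirm whether a logged hash corresponds to a plaintext you already hold,
    e.g. to verify that a known test credential reached the WAF. This is also
    why a hash is not equivalent to encryption: it can be confirmed, not only stored."""
    return protect_hash(account_id, candidate) == hashed


if __name__ == "__main__":
    acct = "111122223333"  # account id used in the page's sample ARNs
    # Constructed sample: (requestId, hashed header value) for three requests.
    log = [("req-1", protect_hash(acct, "token-A")),
           ("req-2", protect_hash(acct, "token-B")),
           ("req-3", protect_hash(acct, "token-A"))]
    print(correlate_hashed_values(log))  # req-1 and req-3 carried the same token
```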

**Topics**
+ [Enabling data protection](enable-protection.md)
+ [Data protection exceptions](data-protection-exceptions.md)
+ [Data protection limitations](data-protection-limitations.md)
+ [Examples of data protection](data-protection-examples.md)
+ [Configuring data protection for a protection pack (web ACL)](data-protection-configure.md)

# Enabling data protection

This section explains the data protection and log configuration options you can select from the console. You can protect data that appears in logs by enabling data protection on certain fields. Data protection can be applied to transform sensitive information in various types of outputs, including full logs, sample requests, and Security Lake.

**To enable data protection in the AWS WAF console**

Navigate to the **protection packs (web ACLs)** page in the console to **enable protection settings**. To enable data protection for your logs, choose whether to apply it to all logs or to a specific logging destination. For information, see [Log fields for protection pack (web ACL) traffic](logging-fields.md).

**Note**  
You don't need to enable logging to apply data protection on all logging. Data protection will be applied across all output destinations, regardless of whether logging is enabled. 

At the bottom of the **Enable protection settings** page, choose the **Add field** button on the **Data protection fields** panel, then select the field type from the drop-down menu. For information about how each field type's data is protected, see the following table.


| Field type | Details | 
| --- | --- | 
|  `Single header`  |  Permanently transforms the value of the specified header according to the specified option (hashing or substitution). The transformed value is also reflected in full logs.  | 
|  `Body`  |  Permanently transforms the body value. Only applicable to `RuleMatchDetails` in the log.  | 
|  `Query string`  |  Permanently transforms the query string according to the specified option (hashing or substitution). The transformed value is also reflected in full logs.  | 
|  `Single query argument`  |  Permanently transforms the value of the specified query argument according to the specified option (hashing or substitution). The transformed value is also reflected in full logs.  | 
|  `Single cookie`  |  Permanently transforms the cookie value according to the specified option (hashing or substitution). The transformed value is also reflected in full logs.  | 

# Data protection exceptions

When enabled, data protection will apply to the fields it is enabled on, including `RuleMatchDetails` and `rateBasedRuleList`. However, there are instances when you may want to include the protected data and content in `RuleMatchDetails` and `rateBasedRuleList` for troubleshooting and visibility purposes. In these scenarios, you can specify exceptions to the data protection for that field.
+ **`ExcludeRuleMatchDetails`**: If you specify this exception for a specific field, `RuleMatchDetails` will show the value of the field and won't be in scope for data protection. 
+ **`ExcludeRateBasedDetails`**: If you specify this exception for a specific field, `rateBasedRuleList` will show the value of the field and won't be in scope for data protection.

  Example: The `ExcludeRateBasedDetails` rule is enabled on **SINGLE_HEADER** with **HEADER_NAME** "dogname".

  If an exception is not applied to the rule, the value for "dogname" will appear as `REDACTED`.

  ```
  "rateBasedRuleList":[ {"rateBasedRuleId": ...,
                          "rateBasedRuleName":"RateBasedRule", "limitKey":"CUSTOMKEYS",
                          "maxRateAllowed":100, "evaluationWindowSec":"120", "customValues":[
                          {"key":"HEADER", "name":"dogname", "value":"REDACTED" } ] } ]
  ```

  If an exception is enabled on the rule, the "dogname" value will appear in the log.

  ```
   "rateBasedRuleList":[ {"rateBasedRuleId": ...,
                          "rateBasedRuleName":"RateBasedRule", "limitKey":"CUSTOMKEYS",
                          "maxRateAllowed":100, "evaluationWindowSec":"120", "customValues":[
                          {"key":"HEADER", "name":"dogname", "value":"ELLA" } ] } ]
  ```

**Warning**  
Data protection can affect your ability to troubleshoot AWS WAF. These settings can cause unexpected detection and mitigation behaviors. Limit data protection to the specific parameters that absolutely require it.
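A practical way to verify that a log destination honours the configuration, including the two exceptions described above, is to audit sample entries. The following Python script is an added example (not an AWS tool): it takes a `DataProtectionConfig` in the API's JSON shape and one log entry in the shape of the samples on this page, and reports every protected field whose logged value is neither the literal `REDACTED` (for `SUBSTITUTION`) nor a Base64-encoded SHA-256 string (for `HASH`) where the configuration says it must be protected. Cleartext in `ruleMatchDetails` or `rateBasedRuleList` is reported only when the matching exception is not set. The sample configuration and entry are constructed, modelled on the "Retaining data in RuleMatchDetails" example further down; the `aws-waf-token` exemption and the `location` names come from this page.

```python
"""Audit one AWS WAF log entry against a DataProtectionConfig (added example, not AWS code).

Checks that every protected field is logged as REDACTED (SUBSTITUTION) or as a
Base64 SHA-256 string (HASH), and that ruleMatchDetails / rateBasedRuleList only
show cleartext where ExcludeRuleMatchDetails / ExcludeRateBasedDetails allow it.
"""
import re

HASH_RE = re.compile(r"^[A-Za-z0-9+/]{43}=$")  # 32-byte digest in Base64 is 44 chars
EXEMPT_COOKIE = "aws-waf-token"  # documented as out of scope for data protection

# ruleMatchDetails "location" values (as they appear in this page's samples) that a
# protection of each FieldType is expected to cover.
COVERED_LOCATIONS = {
    "SINGLE_HEADER": {"HEADER"},
    "SINGLE_COOKIE": {"COOKIE"},
    "SINGLE_QUERY_ARGUMENT": {"SINGLE_QUERY_ARG"},
    "QUERY_STRING": {"QUERY_STRING", "QUERY_ARGS", "SINGLE_QUERY_ARG"},
    "BODY": {"BODY"},
}


def is_protected(value, action):
    """True if value looks like the output of the given protection action."""
    if action == "SUBSTITUTION":
        return value == "REDACTED"
    return bool(HASH_RE.match(value))


def split_pairs(text, sep):
    """'k=v<sep>k2=v2' -> [(lowercased key, value), ...]; the value keeps any '='."""
    pairs = []
    for item in text.split(sep):
        if item.strip():
            key, _, value = item.partition("=")
            pairs.append((key.strip().lower(), value))
    return pairs


def iter_match_details(entry):
    """Yield every ruleMatchDetails record, terminating or non-terminating."""
    yield from entry.get("terminatingRuleMatchDetails", [])
    for rule in entry.get("nonTerminatingMatchingRules", []):
        yield from rule.get("ruleMatchDetails", [])


def audit_entry(config, entry):
    """Return findings as strings; an empty list means the entry honours the config."""
    findings = []
    req = entry.get("httpRequest", {})
    headers = [(h["name"].lower(), h["value"]) for h in req.get("headers", [])]
    cookies = [p for n, v in headers if n == "cookie" for p in split_pairs(v, ";")]
    args = split_pairs(req.get("args", ""), "&")

    for dp in config["DataProtectionConfig"]["DataProtections"]:
        ftype, action = dp["Field"]["FieldType"], dp["Action"]
        keys = {k.lower() for k in dp["Field"].get("FieldKeys", [])}  # keys are case-insensitive

        # 1. The request fields as logged under httpRequest.
        if ftype == "SINGLE_HEADER":
            for name, value in headers:
                if name not in keys:
                    continue
                if name == "cookie":  # cookie header: values masked, names kept, token exempt
                    for cname, cval in split_pairs(value, ";"):
                        if cname != EXEMPT_COOKIE and not is_protected(cval, action):
                            findings.append(f"cookie {cname} visible in cookie header")
                elif not is_protected(value, action):
                    findings.append(f"header {name} visible in headers")
        elif ftype == "SINGLE_COOKIE":
            for cname, cval in cookies:
                if cname in keys and not is_protected(cval, action):
                    findings.append(f"cookie {cname} visible in cookie header")
        elif ftype == "SINGLE_QUERY_ARGUMENT":
            for aname, aval in args:
                if aname in keys and not is_protected(aval, action):
                    findings.append(f"query arg {aname} visible in args")
        elif ftype == "QUERY_STRING":
            if req.get("args") and not is_protected(req["args"], action):
                findings.append("query string visible in args")

        # 2. ruleMatchDetails, unless ExcludeRuleMatchDetails retains them on purpose.
        if not dp.get("ExcludeRuleMatchDetails", False):
            for detail in iter_match_details(entry):
                if detail.get("location") not in COVERED_LOCATIONS.get(ftype, set()):
                    continue
                fname = detail.get("matchedFieldName", "").lower()
                if keys and fname not in keys:
                    continue
                if any(not is_protected(m, action) for m in detail.get("matchedData", [])):
                    label = f"{ftype} {fname}".strip()
                    findings.append(f"{label} visible in ruleMatchDetails")

        # 3. rateBasedRuleList custom keys, unless ExcludeRateBasedDetails retains them.
        if ftype == "SINGLE_HEADER" and not dp.get("ExcludeRateBasedDetails", False):
            for rule in entry.get("rateBasedRuleList", []):
                for cv in rule.get("customValues", []):
                    if (cv.get("key") == "HEADER" and cv.get("name", "").lower() in keys
                            and not is_protected(cv.get("value", ""), action)):
                        findings.append(f"header {cv['name']} visible in rateBasedRuleList")
    return findings


# Constructed sample modelled on the page's "Retaining data in RuleMatchDetails" log:
# header "hoppy" is hashed everywhere except ruleMatchDetails, which the config allows.
SAMPLE_CONFIG = {"DataProtectionConfig": {"DataProtections": [{
    "Field": {"FieldType": "SINGLE_HEADER", "FieldKeys": ["hoppy"]},
    "Action": "HASH", "ExcludeRuleMatchDetails": True, "ExcludeRateBasedDetails": False}]}}

SAMPLE_ENTRY = {
    "terminatingRuleMatchDetails": [],
    "rateBasedRuleList": [],
    "nonTerminatingMatchingRules": [{"ruleId": "ProtectedSQLIHeadersVisibleInSTM", "action": "COUNT",
        "ruleMatchDetails": [{"conditionType": "SQL_INJECTION", "location": "HEADER",
                              "matchedData": ["10", "AND", "1"], "matchedFieldName": "hoppy"}]}],
    "httpRequest": {"headers": [{"name": "Host", "value": "api.example.invalid"},
                                {"name": "hoppy", "value": "zuomr2mxQxofg6EI6f7hMNGaJhhPxt0rFVAXog6FLxE="}],
                    "args": "happy=true"},
}

if __name__ == "__main__":
    print(audit_entry(SAMPLE_CONFIG, SAMPLE_ENTRY) or "no findings")
```

Run it against a handful of real entries from each destination before relying on the logs; flipping `ExcludeRuleMatchDetails` to `false` on the sample config turns the retained `matchedData` into a finding, which is exactly the case the warning above is about.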

# Data protection limitations

The following are limitations to consider when using data protection.

## QueryString and SingleQueryArg


**QueryString Protection**
+ Data protection on `QueryString` applies to all query arguments, substituting/hashing both keys and values according to the specified settings.

**QueryString in `RuleMatch` details and `RateBased` rule lists**
+ If data protection is applied to a single-query argument, then the entire query string will be substituted/hashed in the `RuleMatchDetails` and `RateBasedRule` section in full logs.
+ If different protection methods are specified (substitution and hashing) in multiple single-query arguments, the stricter method, substitution, will be applied to the entire query string in the `RuleMatchDetails` and `RateBasedRule` section in full logs.

## Cookies


**Note**  
Data protection is applied only to the cookie values when the `cookie` single header is protected.

**Single cookie in `RuleMatchDetails` and `RateBasedRule` lists**
+ If data protection is applied to a single cookie, then the entire cookie header will be substituted/hashed in the `RuleMatchDetails` and `RateBasedRule` section in full logs.
+ If different protection methods are specified (substitution and hashing), the stricter method, substitution, will be applied to the entire cookie in the `RuleMatchDetails` and `RateBasedRule` section in full logs.
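To predict what the logged query string and cookie header will look like before enabling a setting, the following Python reference model is added here (example code, not the WAF implementation). It applies the rules this page documents: single-argument and single-cookie masking of values only, whole-query-string masking including keys, cookie masking through `SINGLE_HEADER` on `cookie` with names kept and the `aws-waf-token` cookie left untouched, case-insensitive field keys, and the stricter-method rule above for whole-field matches in `RuleMatchDetails` when several protections of one type overlap. The `account:content` concatenation used for hashing is an assumption, so hashed values will not equal the digests in the examples section.

```python
"""Reference model of the documented masking rules (added example, not AWS code).

Assumption: hashing joins account id and content as "account:content"; AWS does
not document the join, so digests here will not equal the sample logs.
"""
import base64
import hashlib
import re

EXEMPT_COOKIE = "aws-waf-token"  # documented as out of scope for data protection


def _hash(account_id, content):
    digest = hashlib.sha256(f"{account_id}:{content}".encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def transform(value, action, account_id):
    """SUBSTITUTION -> literal REDACTED; HASH -> Base64(SHA-256)."""
    return "REDACTED" if action == "SUBSTITUTION" else _hash(account_id, value)


def _by_type(config, field_type):
    """Protections of one FieldType as {lowercased key: action}; '*' for keyless types."""
    out = {}
    for dp in config["DataProtectionConfig"]["DataProtections"]:
        if dp["Field"]["FieldType"] == field_type:
            for key in dp["Field"].get("FieldKeys", ["*"]):
                out[key.lower()] = dp["Action"]  # field keys are case-insensitive
    return out


def protect_query_string(config, args, account_id):
    """Predict the logged 'args' value for the given configuration."""
    whole = _by_type(config, "QUERY_STRING")
    if whole:  # QUERY_STRING masks the entire string, keys included
        return transform(args, whole["*"], account_id)
    single = _by_type(config, "SINGLE_QUERY_ARGUMENT")

    def mask(match):  # only the value of a protected argument changes
        name, value = match.group(1), match.group(2)
        action = single.get(name.lower())
        return f"{name}={transform(value, action, account_id)}" if action else match.group(0)

    return re.sub(r"([^&=]+)=([^&]*)", mask, args)


def protect_cookie_header(config, cookie_header, account_id):
    """Predict the logged Cookie header: names stay, values are masked, token exempt."""
    header_wide = _by_type(config, "SINGLE_HEADER").get("cookie")
    single = _by_type(config, "SINGLE_COOKIE")

    def mask(match):
        name, value = match.group(1), match.group(2)
        key = name.strip().lower()
        if key == EXEMPT_COOKIE:
            return match.group(0)
        action = header_wide or single.get(key)
        return f"{name}={transform(value, action, account_id)}" if action else match.group(0)

    return re.sub(r"([^;=]+)=([^;]*)", mask, cookie_header)


def rule_match_method(config, field_type):
    """Method applied to a whole-field match in RuleMatchDetails when several
    protections of this type overlap: substitution (stricter) beats hashing."""
    actions = set(_by_type(config, field_type).values())
    if "SUBSTITUTION" in actions:
        return "SUBSTITUTION"
    return "HASH" if "HASH" in actions else None


if __name__ == "__main__":
    # Constructed config: two single-argument protections with different methods plus a cookie.
    cfg = {"DataProtectionConfig": {"DataProtections": [
        {"Field": {"FieldType": "SINGLE_QUERY_ARGUMENT", "FieldKeys": ["hoppy"]}, "Action": "HASH"},
        {"Field": {"FieldType": "SINGLE_QUERY_ARGUMENT", "FieldKeys": ["baloo"]}, "Action": "SUBSTITUTION"},
        {"Field": {"FieldType": "SINGLE_COOKIE", "FieldKeys": ["MILO"]}, "Action": "HASH"}]}}
    acct = "111122223333"
    print(protect_query_string(cfg, "baloo=10 AND 1=1&hoppy=10 AND 1=1&x=1", acct))
    print(protect_cookie_header(cfg, "hoppy=dog;milo=cat;aws-waf-token=abc==", acct))
    print(rule_match_method(cfg, "SINGLE_QUERY_ARGUMENT"))  # SUBSTITUTION wins over HASH
```

The `rule_match_method` result is the one to keep in mind when several teams add protections to one web ACL: a single `SUBSTITUTION` entry on any query argument means every full-query-string match in `RuleMatchDetails` becomes `REDACTED`, even for arguments that were only hashed.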

# Examples of data protection

This section provides log examples of data protection logging of protection pack (web ACL) traffic.

## DataProtection hashing


Web ACL config

```
"data_protection_config": {
            "data_protections": [
                {
                    "field": {
                        "field_type": "SINGLE_QUERY_ARGUMENT",
                        "field_keys": [
                            "hoppy"
                        ]
                    },
                    "action": "HASH",
                    "exclude_rule_match_details": false,
                    "exclude_rate_based_details": false
                }
             ]
           }
```

Example DataProtection hashing: Log entry with the SingleQuery argument "hoppy" protected.

```
{
    "timestamp": 1738705092889,
    "formatVersion": 1,
    "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/DataProtectionhashACL/4eede063-e611-44f5-b357-ffc9d7b7fed5",
    "terminatingRuleId": "Default_Action",
    "terminatingRuleType": "REGULAR",
    "action": "ALLOW",
    "terminatingRuleMatchDetails": [],
    "httpSourceName": "APIGW",
    "httpSourceId": "746533260405:xt7v59bhn7:ABC",
    "ruleGroupList": [],
    "rateBasedRuleList": [],
    "nonTerminatingMatchingRules": [{
        "ruleId": "ProtectedSQLIHeadersVisibleInSTM",
        "action": "COUNT",
        "ruleMatchDetails": [{
                "conditionType": "SQL_INJECTION",
                "sensitivityLevel": "HIGH",
                "location": "SINGLE_QUERY_ARG",
                "matchedData": [ "z6hpYAFaMYdtiTeHhxnN5ydgRE5E1WgyVIdgqH0D3iM=" ],
                "matchedFieldName": "hoppy"
        }]
    }],
"requestHeadersInserted": null,
"responseCodeSent": null,
"httpRequest": {
    "clientIp": "54.239.98.137",
    "country": "US",
    "headers": [{
        "name": "X-Forwarded-For",
        "value": "54.239.98.137"
    }, {
        "name": "X-Forwarded-Proto",
        "value": "https"
    }, {
        "name": "X-Forwarded-Port",
        "value": "443"
    }, {
        "name": "Host",
        "value": "xt7xxx9bhn7.gamma.execute-api.us-east-1.amazonaws.com"
    }, {
        "name": "X-Amzn-Trace-Id",
        "value": "Root=1-67a288c4-27acb3cd5795dd8456b7e3c3"
    }, {
        "name": "Accept-Encoding",
        "value": "gzip"
    }, {
        "name": "User-Agent",
        "value": "okhttp/3.12.1"
    }],
    "uri": "/CanaryTest",
    "args": "hoppy=z6hpYAFaMYdtiTeHhxnN5ydgRE5E1WgyVIdgqH0D3iM=&yellow=hello&x-hoppy-extra=generic-%3Cwords%3E-in-angle-brackets",
    "httpVersion": "HTTP/1.1",
    "httpMethod": "GET",
    "requestId": "FepO0F8fIAMEqoQ="
},
"labels": [{
    "name": "awswaf:forwardedip:geo:country:US"
}, {
    "name": "awswaf:forwardedip:geo:region:US-VA"
}]
}
```

## DataProtection substitution


Web ACL config

```
"data_protection_config": {
            "data_protections": [
                {
                    "field": {
                        "field_type": "SINGLE_QUERY_ARGUMENT",
                        "field_keys": [
                            "hoppy"
                        ]
                    },
                    "action": "SUBSTITUTION",
                    "exclude_rule_match_details": false,
                    "exclude_rate_based_details": false
                }
             ]
           }
```

Example DataProtection substitution: Log entry with Single Query Argument “hoppy” protected

```
{
    "timestamp": 1738705092889,
    "formatVersion": 1,
    "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/DataProtectionhashACL/4eede063-e611-44f5-b357-ffc9d7b7fed5",
    "terminatingRuleId": "Default_Action",
    "terminatingRuleType": "REGULAR",
    "action": "ALLOW",
    "terminatingRuleMatchDetails": [],
    "httpSourceName": "APIGW",
    "httpSourceId": "746533260405:xt7v59bhn7:ABC",
    "ruleGroupList": [],
    "rateBasedRuleList": [],
    "nonTerminatingMatchingRules": [],
"requestHeadersInserted": null,
"responseCodeSent": null,
"httpRequest": {
    "clientIp": "54.239.98.137",
    "country": "US",
    "headers": [{
        "name": "X-Forwarded-For",
        "value": "54.239.98.137"
    }, {
        "name": "X-Forwarded-Proto",
        "value": "https"
    }, {
        "name": "X-Forwarded-Port",
        "value": "443"
    }, {
        "name": "Host",
        "value": "xt7xxx9bhn7.gamma.execute-api.us-east-1.amazonaws.com"
    }, {
        "name": "X-Amzn-Trace-Id",
        "value": "Root=1-67a288c4-27acb3cd5795dd8456b7e3c3"
    }, {
        "name": "Accept-Encoding",
        "value": "gzip"
    }, {
        "name": "User-Agent",
        "value": "okhttp/3.12.1"
    }],
    "uri": "/CanaryTest",
    "args": "hoppy=REDACTED&yellow=hello&x-hoppy-extra=generic-%3Cwords%3E-in-angle-brackets",
    "httpVersion": "HTTP/1.1",
    "httpMethod": "GET",
    "requestId": "FepO0F8fIAMEqoQ="
},
"labels": [{
    "name": "awswaf:forwardedip:geo:country:US"
}, {
    "name": "awswaf:forwardedip:geo:region:US-VA"
}]
}
```

## Retaining data in RuleMatchDetails


Web ACL config

```
"data_protection_config": {
            "data_protections": [
                {
                    "field": {
                        "field_type": "SINGLE_HEADER",
                        "field_keys": [
                            "hoppy"
                        ]
                    },
                    "action": "HASH",
                    "exclude_rule_match_details": true,
                    "exclude_rate_based_details": false
                }
             ]
           }
```

Example of retaining data in RuleMatchDetails: Log entry with single `Header` “hoppy” protected but the value is retained only in `RuleMatchDetails`.

```
{
    "timestamp": 1738705092889,
    "formatVersion": 1,
    "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/DataProtectionhashACL/4eede063-e611-44f5-b357-ffc9d7b7fed5",
    "terminatingRuleId": "Default_Action",
    "terminatingRuleType": "REGULAR",
    "action": "ALLOW",
    "terminatingRuleMatchDetails": [],
    "httpSourceName": "APIGW",
    "httpSourceId": "746533260405:xt7v59bhn7:ABC",
    "ruleGroupList": [],
    "rateBasedRuleList": [],
    "nonTerminatingMatchingRules": [{
        "ruleId": "ProtectedSQLIHeadersVisibleInSTM",
        "action": "COUNT",
        "ruleMatchDetails": [{
                "conditionType": "SQL_INJECTION",
                "sensitivityLevel": "HIGH",
                "location": "HEADER",
                "matchedData": [ "10", "AND", "1" ],
                "matchedFieldName": "hoppy"
        }]
    }],
"requestHeadersInserted": null,
"responseCodeSent": null,
"httpRequest": {
    "clientIp": "54.239.98.137",
    "country": "US",
    "headers": [{
        "name": "X-Forwarded-For",
        "value": "54.239.98.137"
    }, {
        "name": "X-Forwarded-Proto",
        "value": "https"
    }, {
        "name": "X-Forwarded-Port",
        "value": "443"
    }, {
        "name": "Host",
        "value": "xt7xxx9bhn7.gamma.execute-api.us-east-1.amazonaws.com"
    }, {
        "name": "X-Amzn-Trace-Id",
        "value": "Root=1-67a288c4-27acb3cd5795dd8456b7e3c3"
    }, {
        "name": "hoppy",
        "value": "zuomr2mxQxofg6EI6f7hMNGaJhhPxt0rFVAXog6FLxE="
    }, {
        "name": "Accept-Encoding",
        "value": "gzip"
    }, {
        "name": "User-Agent",
        "value": "okhttp/3.12.1"
    }, {
        "name": "hoppy",
        "value": "z6hpYAFaMYdtiTeHhxnN5ydgRE5E1WgyVIdgqH0D3iM="
    }],
    "uri": "/CanaryTest",
    "args": "happy=true",
    "httpVersion": "HTTP/1.1",
    "httpMethod": "GET",
    "requestId": "FepO0F8fIAMEqoQ="
},
"labels": [{
    "name": "awswaf:forwardedip:geo:country:US"
}, {
    "name": "awswaf:forwardedip:geo:region:US-VA"
}]
}
```

## Retaining data in rateBasedRule


```
 "data_protection_config": {
            "data_protections": [
                {
                    "field": {
                        "field_type": "SINGLE_HEADER",
                        "field_keys": [
                            "hoppy"
                        ]
                    },
                    "action": "HASH",
                    "exclude_rule_match_details": false,
                    "exclude_rate_based_details": true
                }
             ]
           }
```

Example of retaining data in rateBasedRuleList: Log entry with the single `Header` "hoppy" protected but the value is retained only in `rateBasedRuleList`.

```
{
    "timestamp": 1683355579981,
    "formatVersion": 1,
    "webaclId": ...,
    "terminatingRuleId": "RateBasedRule",
    "terminatingRuleType": "RATE_BASED",
    "action": "BLOCK",
    "terminatingRuleMatchDetails": [],
    "httpSourceName": "APIGW",
    "httpSourceId": "EXAMPLE11:rjvegx5guh:CanaryTest",
    "ruleGroupList": [],
    "rateBasedRuleList": [{
        "rateBasedRuleId": ...,
        "rateBasedRuleName": "RateBasedRule",
        "limitKey": "CUSTOMKEYS",
        "maxRateAllowed": 100,
        "evaluationWindowSec": "120",
        "customValues": [{
            "key": "HEADER",
            "name": "hoppy",
            "value": "ella"
        }]
    }],
    "nonTerminatingMatchingRules": [],
    "requestHeadersInserted": null,
    "responseCodeSent": null,
    "httpRequest": {
        "clientIp": "52.46.82.45",
        "country": "FR",
        "headers": [{
            "name": "X-Forwarded-For",
            "value": "52.46.82.45"
        }, {
            "name": "X-Forwarded-Proto",
            "value": "https"
        }, {
            "name": "X-Forwarded-Port",
            "value": "443"
        }, {
            "name": "Host",
            "value": "rjvegx5guh.execute-api.eu-west-3.amazonaws.com"
        }, {
            "name": "X-Amzn-Trace-Id",
            "value": "Root=1-645566cf-7cb058b04d9bb3ee01dc4036"
        }, {
            "name": "hoppy",
            "value": "zuomr2mxQxofg6EI6f7hMNGaJhhPxt0rFVAXog6FLxE="
        }, {
            "name": "User-Agent",
            "value": "RateBasedRuleTestKoipOneKeyModulePV2"
        }, {
            "name": "Accept-Encoding",
            "value": "gzip,deflate"
        }],
        "uri": "/CanaryTest",
        "args": "",
        "httpVersion": "HTTP/1.1",
        "httpMethod": "GET",
        "requestId": "Ed0AiHF_CGYF-DA="
    }
}
```

## Data protection for Body


AWS WAF only logs subsets of the body, in `RuleMatchDetails`.

Web ACL config

```
 "data_protection_config": {
            "data_protections": [
                {
                    "field": {
                        "field_type": "BODY"
                    },
                    "action": "SUBSTITUTION",
                    "exclude_rule_match_details": false,
                    "exclude_rate_based_details": false
                }
             ]
           }
```

Example DataProtection for Body: Log entry with the body substituted in `ruleMatchDetails`.

```
{
    "timestamp": 1738705092889,
    "formatVersion": 1,
    "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/DataProtectionhashACL/4eede063-e611-44f5-b357-ffc9d7b7fed5",
    "terminatingRuleId": "Default_Action",
    "terminatingRuleType": "REGULAR",
    "action": "ALLOW",
    "terminatingRuleMatchDetails": [],
    "httpSourceName": "APIGW",
    "httpSourceId": "746533260405:xt7v59bhn7:ABC",
    "ruleGroupList": [],
    "rateBasedRuleList": [],
    "nonTerminatingMatchingRules": [{
        "ruleId": "ProtectedSQLIBody",
        "action": "COUNT",
        "ruleMatchDetails": [{
            "conditionType": "SQL_INJECTION",
            "sensitivityLevel": "HIGH",
            "location": "BODY",
            "matchedData": ["REDACTED"]
        }]
    }],
    "requestHeadersInserted": null,
    "responseCodeSent": null,
    "httpRequest": {
        "clientIp": "54.239.98.137",
        "country": "US",
        "headers": [{
            "name": "X-Forwarded-For",
            "value": "54.239.98.137"
        }, {
            "name": "X-Forwarded-Proto",
            "value": "https"
        }, {
            "name": "X-Forwarded-Port",
            "value": "443"
        }, {
            "name": "Host",
            "value": "xt7xxx9bhn7.gamma.execute-api.us-east-1.amazonaws.com"
        }, {
            "name": "X-Amzn-Trace-Id",
            "value": "Root=1-67a288c4-27acb3cd5795dd8456b7e3c3"
        }, {
            "name": "Accept-Encoding",
            "value": "gzip"
        }, {
            "name": "User-Agent",
            "value": "okhttp/3.12.1"
        }, {
            "name": "cookie",
            "value": "hoppy=dog;"
        }],
        "uri": "/CanaryTest",
        "args": "baloo=abc&hoppy-query=xyz&x-hoppy-extra=generic-%3Cwords%3E-in-angle-brackets",
        "httpVersion": "HTTP/1.1",
        "httpMethod": "GET",
        "requestId": "FepO0F8fIAMEqoQ="
    },
    "labels": [{
        "name": "awswaf:forwardedip:geo:country:US"
    }, {
        "name": "awswaf:forwardedip:geo:region:US-VA"
    }]
}
```

## Data protection for `SINGLE_COOKIE`


Web ACL config

```
 "data_protection_config": {
            "data_protections": [
                {
                    "field": {
                        "field_type": "SINGLE_COOKIE",
                        "field_keys": [
                            "MILO"
                        ]
                    },
                    "action": "HASH",
                    "exclude_rule_match_details": false,
                    "exclude_rate_based_details": false
                }
             ]
           }
```

Example DataProtection for `SINGLE_COOKIE`: Log entry with a `SINGLE_COOKIE` named "MILO" protected.

The full log shows that the cookie named MILO is protected in both `ruleMatchDetails` and the cookie header. Only cookie values are protected; cookie names are left as-is.

**Note**  
Field keys for all protected field types (single header, single cookie, single query argument) are matched case-insensitively. So, for this example, "MILO" matches "milo".

```
{
    "timestamp": 1738705092889,
    "formatVersion": 1,
    "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/DataProtectionhashACL/4eede063-e611-44f5-b357-ffc9d7b7fed5",
    "terminatingRuleId": "Default_Action",
    "terminatingRuleType": "REGULAR",
    "action": "ALLOW",
    "terminatingRuleMatchDetails": [],
    "httpSourceName": "APIGW",
    "httpSourceId": "746533260405:xt7v59bhn7:ABC",
    "ruleGroupList": [],
    "rateBasedRuleList": [],
    "nonTerminatingMatchingRules": [{
        "ruleId": "ProtectedSQLIHeadersVisibleInSTM",
        "action": "COUNT",
        "ruleMatchDetails": [{
            "conditionType": "SQL_INJECTION",
            "sensitivityLevel": "HIGH",
            "location": "COOKIE",
            "matchedData": ["zuomr2mxQxofg6EI6f7hMNGaJhhPxt0rFVAXog6FLxE="],
            "matchedFieldName": "milo"
        }]
    }],
    "requestHeadersInserted": null,
    "responseCodeSent": null,
    "httpRequest": {
        "clientIp": "54.239.98.137",
        "country": "US",
        "headers": [{
            "name": "X-Forwarded-For",
            "value": "54.239.98.137"
        }, {
            "name": "X-Forwarded-Proto",
            "value": "https"
        }, {
            "name": "X-Forwarded-Port",
            "value": "443"
        }, {
            "name": "Host",
            "value": "xt7xxx9bhn7.gamma.execute-api.us-east-1.amazonaws.com"
        }, {
            "name": "X-Amzn-Trace-Id",
            "value": "Root=1-67a288c4-27acb3cd5795dd8456b7e3c3"
        }, {
            "name": "Accept-Encoding",
            "value": "gzip"
        }, {
            "name": "User-Agent",
            "value": "okhttp/3.12.1"
        }, {
            "name": "cookie",
            "value": "hoppy=dog;milo=zuomr2mxQxofg6EI6f7hMNGaJhhPxt0rFVAXog6FLxE=;aws-waf-token=51c71352-41f5-4f6d-b676-c24907bdf819:EQoAZ/J+AAQAAAAA:t9wvxbw042wva7E2Y6lgud/bS6YG0CJKVAJqaRqDZ140ythKW0Zj9wKB2O8lSkYDRqf1yONcVBFo5u0eYi0tvT4rtQCXsu+KanAardW8go4QSLw4yoED59lgV7oAhGyCalAzE7ra29j+RvvZPsQyoQuDCrtoY/TvQyMTXIXzGPDC/rKBbg=="
        }],
        "uri": "/CanaryTest",
        "args": "baloo=abc&hoppy-query=xyz&x-hoppy-extra=generic-%3Cwords%3E-in-angle-brackets",
        "httpVersion": "HTTP/1.1",
        "httpMethod": "GET",
        "requestId": "FepO0F8fIAMEqoQ="
    },
    "labels": [{
        "name": "awswaf:forwardedip:geo:country:US"
    }, {
        "name": "awswaf:forwardedip:geo:region:US-VA"
    }]
}
```

## Data protection for all cookies


You can configure data protection for cookies by using `SINGLE_HEADER`. Only cookie values are protected and key names are excluded.

```
"DataProtectionConfig": {
    "DataProtections": [
        {
            "Field": {
                "FieldType": "SINGLE_HEADER",
                "FieldKeys": ["cookie"]
            },
            "Action": "SUBSTITUTION",
            "ExcludeRuleMatchDetails": false,
            "ExcludeRateBasedDetails": false
        }
    ]
}
```

Example DataProtection for the `cookie` header: Log entry with the cookie header protected.

**Note**  
The cookie name `AWS-WAF-TOKEN` is out of scope for data protection.

```
{
    "timestamp": 1738705092889,
    "formatVersion": 1,
    "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/DataProtectionhashACL/4eede063-e611-44f5-b357-ffc9d7b7fed5",
    "terminatingRuleId": "Default_Action",
    "terminatingRuleType": "REGULAR",
    "action": "ALLOW",
    "terminatingRuleMatchDetails": [],
    "httpSourceName": "APIGW",
    "httpSourceId": "746533260405:xt7v59bhn7:ABC",
    "ruleGroupList": [],
    "rateBasedRuleList": [],
    "nonTerminatingMatchingRules": [],
    "requestHeadersInserted": null,
    "responseCodeSent": null,
    "httpRequest": {
        "clientIp": "54.239.98.137",
        "country": "US",
        "headers": [{
            "name": "X-Forwarded-For",
            "value": "54.239.98.137"
        }, {
            "name": "X-Forwarded-Proto",
            "value": "https"
        }, {
            "name": "X-Forwarded-Port",
            "value": "443"
        }, {
            "name": "Host",
            "value": "xt7xxx9bhn7.gamma.execute-api.us-east-1.amazonaws.com"
        }, {
            "name": "X-Amzn-Trace-Id",
            "value": "Root=1-67a288c4-27acb3cd5795dd8456b7e3c3"
        }, {
            "name": "Accept-Encoding",
            "value": "gzip"
        }, {
            "name": "User-Agent",
            "value": "okhttp/3.12.1"
        }, {
            "name": "cookie",
            "value": "hoppy=REDACTED;milo=REDACTED;aws-waf-token=51c71352-41f5-4f6d-b676-c24907bdf819:EQoAZ/J+AAQAAAAA:t9wvxbw042wva7E2Y6lgud/bS6YG0CJKVAJqaRqDZ140ythKW0Zj9wKB2O8lSkYDRqf1yONcVBFo5u0eYi0tvT4rtQCXsu+KanAardW8go4QSLw4yoED59lgV7oAhGyCalAzE7ra29j+RvvZPsQyoQuDCrtoY/TvQyMTXIXzGPDC/rKBbg=="
        }],
        "uri": "/CanaryTest",
        "args": "baloo=xyz=&hoppy-query=abc&x-hoppy-extra=abc",
        "httpVersion": "HTTP/1.1",
        "httpMethod": "GET",
        "requestId": "FepO0F8fIAMEqoQ="
    },
    "labels": [{
        "name": "awswaf:forwardedip:geo:country:US"
    }, {
        "name": "awswaf:forwardedip:geo:region:US-VA"
    }]
}
```

## Data protection for single query arguments


You can configure data protection for a single query argument by using `SINGLE_QUERY_ARGUMENT`. This affects the keys and values of all query args. For the following examples, the original query string was `baloo=10 AND 1=1&hoppy=10 AND 1=1&x-hoppy-extra=generic-%3Cwords`.

Web ACL config

```
"DataProtectionConfig": {
   "DataProtections": [
        {
            "Field": {
                "FieldType": "SINGLE_QUERY_ARGUMENT",
                "FieldKeys": ["hoppy"]
            },
            "Action": "SUBSTITUTION",
            "ExcludeRuleMatchDetails": false,
            "ExcludeRateBasedDetails": false
        }
    ]
}
```

Example DataProtection for `SINGLE_QUERY_ARGUMENT`: Log entry with the "hoppy" query argument protected with substitution.

```
{
    "timestamp": 1738705092889,
    "formatVersion": 1,
    "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/DataProtectionSubstituteQueryString/4eede063-e611-44f5-b357-ffc9d7b7fed5",
    "terminatingRuleId": "Default_Action",
    "terminatingRuleType": "REGULAR",
    "action": "ALLOW",
    "terminatingRuleMatchDetails": [],
    "httpSourceName": "APIGW",
    "httpSourceId": "746533260405:xt7v59bhn7:ABC",
    "ruleGroupList": [],
    "rateBasedRuleList": [],
    "nonTerminatingMatchingRules": [
      {
        "ruleId": "ProtectedHoppyQueryArg",
        "action": "COUNT",
        "ruleMatchDetails": [
            {
                "conditionType": "SQL_INJECTION",
                "sensitivityLevel": "HIGH",
                "location": "SINGLE_QUERY_ARG",
                "matchedData": ["REDACTED"],
                "matchedFieldName": "hoppy"
            }]
      },
      {
        "ruleId": "FullQueryStringInspectionWhichDetectsTheFirstFieldWithSQLi_Baloo_IsAlsoMaskedMasked",
        "action": "COUNT",
        "ruleMatchDetails": [
            {
                "conditionType": "SQL_INJECTION",
                "sensitivityLevel": "HIGH",
                "location": "QUERY_ARGS",
                "matchedData": ["REDACTED"],
            }]
      },
      {
        "ruleId": "ProtectedBalooQueryArg",
        "action": "COUNT",
        "ruleMatchDetails": [
            {
                "conditionType": "SQL_INJECTION",
                "sensitivityLevel": "HIGH",
                "location": "SINGLE_QUERY_ARG",
                "matchedData": [ "10", "AND", "1" ],
                "matchedFieldName": "baloo"
            }]
      }
    ],
    "requestHeadersInserted": null,
    "responseCodeSent": null,
    "httpRequest": {
        "clientIp": "54.239.98.137",
        "country": "US",
        "headers": [{
            "name": "X-Forwarded-For",
            "value": "54.239.98.137"
        }, {
            "name": "X-Forwarded-Proto",
            "value": "https"
        }, {
            "name": "X-Forwarded-Port",
            "value": "443"
        }, {
            "name": "Host",
            "value": "xt7xxx9bhn7.gamma.execute-api.us-east-1.amazonaws.com"
        }, {
            "name": "X-Amzn-Trace-Id",
            "value": "Root=1-67a288c4-27acb3cd5795dd8456b7e3c3"
        }, {
            "name": "Accept-Encoding",
            "value": "gzip"
        }, {
            "name": "User-Agent",
            "value": "okhttp/3.12.1"
        }],
        "uri": "/CanaryTest",
        "args": "baloo=10 AND 1=1&hoppy=REDACTED&x-hoppy-extra=generic-%3Cwords",
        "httpVersion": "HTTP/1.1",
        "httpMethod": "GET",
        "requestId": "FepO0F8fIAMEqoQ="
    },
    "labels": [{
        "name": "awswaf:forwardedip:geo:country:US"
    }, {
        "name": "awswaf:forwardedip:geo:region:US-VA"
    }]
}
```

## Data protection for query strings


You can configure data protection for a query string by using `QUERY_STRING`. This affects the keys and values of all query args. For the following examples, the original query string was `baloo=10 AND 1=1&hoppy-query=10 AND 1=1&x-hoppy-extra=generic-%3Cwords`.

Web ACL config

```
"DataProtectionConfig": {
 "DataProtections": [
 {
 "Field": {
 "FieldType": "QUERY_STRING"
 },
 "Action": "SUBSTITUTION",
 "ExcludeRuleMatchDetails": false,
 "ExcludeRateBasedDetails": false
 }
 ]
}
```

Example DataProtection for `QUERY_STRING`: Log entry with query string protected with substitution.

```
{
    "timestamp": 1738705092889,
    "formatVersion": 1,
    "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/DataProtectionSubstituteQueryString/4eede063-e611-44f5-b357-ffc9d7b7fed5",
    "terminatingRuleId": "Default_Action",
    "terminatingRuleType": "REGULAR",
    "action": "ALLOW",
    "terminatingRuleMatchDetails": [],
    "httpSourceName": "APIGW",
    "httpSourceId": "746533260405:xt7v59bhn7:ABC",
    "ruleGroupList": [],
    "rateBasedRuleList": [],
    "nonTerminatingMatchingRules": [
      {
        "ruleId": "ProtectedHoppyQueryArg",
        "action": "COUNT",
        "ruleMatchDetails": [
            {
                "conditionType": "SQL_INJECTION",
                "sensitivityLevel": "HIGH",
                "location": "QUERY_STRING",
                "matchedData": ["REDACTED"]
            }]
      },
      {
        "ruleId": "ProtectedBalooQueryArg",
        "action": "COUNT",
        "ruleMatchDetails": [
            {
                "conditionType": "SQL_INJECTION",
                "sensitivityLevel": "HIGH",
                "location": "SINGLE_QUERY_ARG",
                "matchedData": [ "REDACTED" ],
                "matchedFieldName": "REDACTED"
            }]
      }
    ],
    "requestHeadersInserted": null,
    "responseCodeSent": null,
    "httpRequest": {
        "clientIp": "54.239.98.137",
        "country": "US",
        "headers": [{
            "name": "X-Forwarded-For",
            "value": "54.239.98.137"
        }, {
            "name": "X-Forwarded-Proto",
            "value": "https"
        }, {
            "name": "X-Forwarded-Port",
            "value": "443"
        }, {
            "name": "Host",
            "value": "xt7xxx9bhn7.gamma.execute-api.us-east-1.amazonaws.com"
        }, {
            "name": "X-Amzn-Trace-Id",
            "value": "Root=1-67a288c4-27acb3cd5795dd8456b7e3c3"
        }, {
            "name": "Accept-Encoding",
            "value": "gzip"
        }, {
            "name": "User-Agent",
            "value": "okhttp/3.12.1"
        }],
        "uri": "/CanaryTest",
        "args": "REDACTED",
        "httpVersion": "HTTP/1.1",
        "httpMethod": "GET",
        "requestId": "FepO0F8fIAMEqoQ="
    },
    "labels": [{
        "name": "awswaf:forwardedip:geo:country:US"
    }, {
        "name": "awswaf:forwardedip:geo:region:US-VA"
    }]
}
```

## Data protection for multiple query arguments

You can configure data protection for individual query args by using `SINGLE_QUERY_ARGUMENT`. When AWS WAF reports information about a specific location, it applies the protection configured for that location. However, a string that matched in the query string or in the cookie header can fall under several protection configurations. To keep this simple, AWS WAF applies the strictest of those protections to `RuleMatchDetails`, even if that protection's configuration does not cover the specific data range that matched.

For the following examples, the original query string was `baloo=is_a_good_boy&hoppy=likes_to_sleep&x-hoppy-extra=10 AND 1=1`.

```
"DataProtectionConfig": {
    "DataProtections": [
        {
            "Field": {
                "FieldType": "SINGLE_QUERY_ARGUMENT",
                "FieldKeys": ["hoppy"]
            },
            "Action": "SUBSTITUTION",
            "ExcludeRuleMatchDetails": false,
            "ExcludeRateBasedDetails": false
        },
        {
            "Field": {
                "FieldType": "SINGLE_QUERY_ARGUMENT",
                "FieldKeys": ["baloo"]
            },
            "Action": "HASH",
            "ExcludeRuleMatchDetails": false,
            "ExcludeRateBasedDetails": false
        }
    ]
}
```

Example DataProtection for multiple query arguments.

```
{
    "timestamp": 1738705092889,
    "formatVersion": 1,
    "webaclId": "arn:aws:wafv2:us-east-1:111122223333:regional/webacl/DataProtectionSubstituteQueryString/4eede063-e611-44f5-b357-ffc9d7b7fed5",
    "terminatingRuleId": "Default_Action",
    "terminatingRuleType": "REGULAR",
    "action": "ALLOW",
    "terminatingRuleMatchDetails": [],
    "httpSourceName": "APIGW",
    "httpSourceId": "746533260405:xt7v59bhn7:ABC",
    "ruleGroupList": [],
    "rateBasedRuleList": [],
    "nonTerminatingMatchingRules": [
      {
        "ruleId": "ProtectedHoppyQueryArg",
        "action": "COUNT",
        "ruleMatchDetails": [
            {
                "conditionType": "SQL_INJECTION",
                "sensitivityLevel": "HIGH",
                "location": "SINGLE_QUERY_ARG",
                "matchedData": ["REDACTED"],
                "matchedFieldName": "hoppy"
            }]
      },
      {
        "ruleId": "ProtectedBalooQueryArg",
        "action": "COUNT",
        "ruleMatchDetails": [
            {
                "conditionType": "SQL_INJECTION",
                "sensitivityLevel": "HIGH",
                "location": "SINGLE_QUERY_ARG",
                "matchedData": ["zuomr2mxQxofg6EI6f7hMNGaJhhPxt0rFVAXog6FLxE="],
                "matchedFieldName": "baloo"
            }]
      },
      {
        "ruleId": "FullQueryStringDetects_x-hoppy-extra_IsSubstituted",
        "action": "COUNT",
        "ruleMatchDetails": [
            {
                "conditionType": "SQL_INJECTION",
                "sensitivityLevel": "HIGH",
                "location": "QUERY_ARGS",
                "matchedData": ["REDACTED"]  // strictest of the applicable protection configs
            }]
      }
    ],
    "requestHeadersInserted": null,
    "responseCodeSent": null,
    "httpRequest": {
        "clientIp": "54.239.98.137",
        "country": "US",
        "headers": [{
            "name": "X-Forwarded-For",
            "value": "54.239.98.137"
        }, {
            "name": "X-Forwarded-Proto",
            "value": "https"
        }, {
            "name": "X-Forwarded-Port",
            "value": "443"
        }, {
            "name": "Host",
            "value": "xt7xxx9bhn7.gamma.execute-api.us-east-1.amazonaws.com"
        }, {
            "name": "X-Amzn-Trace-Id",
            "value": "Root=1-67a288c4-27acb3cd5795dd8456b7e3c3"
        }, {
            "name": "Accept-Encoding",
            "value": "gzip"
        }, {
            "name": "User-Agent",
            "value": "okhttp/3.12.1"
        }],
        "uri": "/CanaryTest",
        "args": "baloo=zuomr2mxQxofg6EI6f7hMNGaJhhPxt0rFVAXog6FLxE=&hoppy=REDACTED&x-hoppy-extra=10 AND 1=1",
        "httpVersion": "HTTP/1.1",
        "httpMethod": "GET",
        "requestId": "FepO0F8fIAMEqoQ="
    },
    "labels": [{
        "name": "awswaf:forwardedip:geo:country:US"
    }, {
        "name": "awswaf:forwardedip:geo:region:US-VA"
    }]
}
```

**Note**  
You cannot specify both **QueryString Masking** and **Single Query Arg Masking** in the same web ACL.
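As an added illustration (not AWS code and not the documented algorithm), the following Python applies a `DataProtectionConfig` to a query string, producing the `args` value as the log would show it, the strictest action reported for a whole-query-string match, and the check behind the Note above. It assumes the hashed string is the account number followed directly by the content; the page does not document the exact concatenation, so the hashes differ from real AWS WAF output.

```python
import base64
import hashlib

# Constructed config mirroring the page's SINGLE_QUERY_ARGUMENT example
# (ExcludeRuleMatchDetails / ExcludeRateBasedDetails omitted; both were false).
DATA_PROTECTIONS = [
    {"Field": {"FieldType": "SINGLE_QUERY_ARGUMENT", "FieldKeys": ["hoppy"]}, "Action": "SUBSTITUTION"},
    {"Field": {"FieldType": "SINGLE_QUERY_ARGUMENT", "FieldKeys": ["baloo"]}, "Action": "HASH"},
]
QUERY = "baloo=is_a_good_boy&hoppy=likes_to_sleep&x-hoppy-extra=10 AND 1=1"
ACCOUNT_ID = "111122223333"  # example account number from the page's ARNs
# SUBSTITUTION discards more information than HASH, so it is the stricter action.
STRICTNESS = {"HASH": 1, "SUBSTITUTION": 2}

def validate(protections):
    """Enforce the Note: QUERY_STRING and SINGLE_QUERY_ARGUMENT cannot coexist."""
    types = {p["Field"]["FieldType"] for p in protections}
    if {"QUERY_STRING", "SINGLE_QUERY_ARGUMENT"} <= types:
        raise ValueError("QUERY_STRING and SINGLE_QUERY_ARGUMENT cannot both be set in one web ACL")

def hash_value(account_id, value):
    """Assumption: account number immediately followed by the content is what gets
    hashed; the page only says a string is built from both, so real hashes differ."""
    digest = hashlib.sha256((account_id + value).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")

def protect(action, account_id, value):
    return "REDACTED" if action == "SUBSTITUTION" else hash_value(account_id, value)

def protect_query_string(query, protections, account_id):
    """Return the query string as it would appear in the `args` log field."""
    validate(protections)
    whole = next((p["Action"] for p in protections if p["Field"]["FieldType"] == "QUERY_STRING"), None)
    if whole:  # QUERY_STRING protects the keys and values of every arg as one unit
        return protect(whole, account_id, query)
    per_arg = {k: p["Action"] for p in protections
               if p["Field"]["FieldType"] == "SINGLE_QUERY_ARGUMENT" for k in p["Field"]["FieldKeys"]}
    out = []
    for pair in query.split("&"):  # raw split, no percent-decoding, to keep the logged form
        key, sep, value = pair.partition("=")
        if key in per_arg:
            value = protect(per_arg[key], account_id, value)
        out.append(key + sep + value)
    return "&".join(out)

def strictest_action(protections):
    """Action applied to matchedData for a match that spans the whole query string."""
    return max((p["Action"] for p in protections), key=STRICTNESS.__getitem__)
```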

# Configuring data protection for a protection pack (web ACL)

This section provides instructions for configuring data protection for a protection pack (web ACL).

**To configure data protection for a protection pack (web ACL)**

1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). 

1. In the navigation pane, choose **protection packs (web ACLs)**.

1. Choose the name of the protection pack (web ACL) that you want to enable data protection for. The console takes you to the protection pack (web ACL)'s description, where you can edit it.

1. On the **Logging and metrics** tab, in the **Data protection settings** pane, choose **Enable** or **Edit**.

1. Choose the scope **Global** and then make your field data protection selections. For each field data protection configuration, you can also specify exceptions to exclude from the protection behavior. 

1. When you've completed your selections, choose **Save**. The interface returns to the **Logging and metrics** tab where your selections are summarized.