Note
This is the latest version of AWS WAF, named AWS WAFV2, released in November, 2019. For information, including how to migrate your AWS WAF resources from the prior release, see the AWS WAF Developer Guide.
Provides high-level information for a managed rule group, including descriptions of the rules.
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
describe-managed-rule-group
--vendor-name <value>
--name <value>
--scope <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--cli-auto-prompt <value>]
--vendor-name
(string)
The name of the managed rule group vendor. You use this, along with the rule group name, to identify the rule group.
--name
(string)
The name of the managed rule group. You use this, along with the vendor name, to identify the rule group.
--scope
(string)
Specifies whether this is for an AWS CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB) or an API Gateway stage.
To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:
CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.
API and SDKs - For all calls, use the Region endpoint us-east-1.
Possible values:
CLOUDFRONT
REGIONAL
--cli-input-json | --cli-input-yaml
(string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.
--cli-auto-prompt
(boolean)
Automatically prompt for CLI input parameters.
To retrieve the description for a managed rule group
The following describe-managed-rule-group retrieves the description for an AWS managed rule group.
aws wafv2 describe-managed-rule-group \
--vendor-name AWS \
--name AWSManagedRulesCommonRuleSet \
--scope REGIONAL
Output:
{
"Capacity": 700,
"Rules": [
{
"Name": "NoUserAgent_HEADER",
"Action": {
"Block": {}
}
},
{
"Name": "UserAgent_BadBots_HEADER",
"Action": {
"Block": {}
}
},
{
"Name": "SizeRestrictions_QUERYSTRING",
"Action": {
"Block": {}
}
},
{
"Name": "SizeRestrictions_Cookie_HEADER",
"Action": {
"Block": {}
}
},
{
"Name": "SizeRestrictions_BODY",
"Action": {
"Block": {}
}
},
{
"Name": "SizeRestrictions_URIPATH",
"Action": {
"Block": {}
}
},
{
"Name": "EC2MetaDataSSRF_BODY",
"Action": {
"Block": {}
}
},
{
"Name": "EC2MetaDataSSRF_COOKIE",
"Action": {
"Block": {}
}
},
{
"Name": "EC2MetaDataSSRF_URIPATH",
"Action": {
"Block": {}
}
},
{
"Name": "EC2MetaDataSSRF_QUERYARGUMENTS",
"Action": {
"Block": {}
}
},
{
"Name": "GenericLFI_QUERYARGUMENTS",
"Action": {
"Block": {}
}
},
{
"Name": "GenericLFI_URIPATH",
"Action": {
"Block": {}
}
},
{
"Name": "GenericLFI_BODY",
"Action": {
"Block": {}
}
},
{
"Name": "RestrictedExtensions_URIPATH",
"Action": {
"Block": {}
}
},
{
"Name": "RestrictedExtensions_QUERYARGUMENTS",
"Action": {
"Block": {}
}
},
{
"Name": "GenericRFI_QUERYARGUMENTS",
"Action": {
"Block": {}
}
},
{
"Name": "GenericRFI_BODY",
"Action": {
"Block": {}
}
},
{
"Name": "GenericRFI_URIPATH",
"Action": {
"Block": {}
}
},
{
"Name": "CrossSiteScripting_COOKIE",
"Action": {
"Block": {}
}
},
{
"Name": "CrossSiteScripting_QUERYARGUMENTS",
"Action": {
"Block": {}
}
},
{
"Name": "CrossSiteScripting_BODY",
"Action": {
"Block": {}
}
},
{
"Name": "CrossSiteScripting_URIPATH",
"Action": {
"Block": {}
}
}
]
}
For more information, see Managed Rule Groups in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.
Capacity -> (long)
The web ACL capacity units (WCUs) required for this rule group. AWS WAF uses web ACL capacity units (WCU) to calculate and control the operating resources that are used to run your rules, rule groups, and web ACLs. AWS WAF calculates capacity differently for each rule type, to reflect each rule’s relative cost. Rule group capacity is fixed at creation, so users can plan their web ACL WCU usage when they use a rule group. The WCU limit for web ACLs is 1,500.
Rules -> (list)
(structure)
High-level information about a Rule, returned by operations like DescribeManagedRuleGroup. This provides information like the ID, that you can use to retrieve and manage a RuleGroup, and the ARN, that you provide to the RuleGroupReferenceStatement to use the rule group in a Rule.
Name -> (string)
The name of the rule.
Action -> (structure)
The action that AWS WAF should take on a web request when it matches a rule’s statement. Settings at the web ACL level can override the rule action setting.
Block -> (structure)
Instructs AWS WAF to block the web request.
Allow -> (structure)
Instructs AWS WAF to allow the web request.
Count -> (structure)
Instructs AWS WAF to count the web request and allow it.
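The following Python example is added here and is not part of the AWS CLI documentation: it takes the JSON this command returns, checks the group's Capacity against the 1,500 WCU web ACL limit, and tallies each rule's Action. The sample response is constructed and shortened, the wcu_in_use figure and the Malformed_Rule entry are hypothetical, and reading the name suffix as the inspected request component is an assumption drawn from the rule names in the sample output above.

```python
import json

WCU_LIMIT = 1500  # web ACL limit stated on this page
ACTIONS = ("Block", "Allow", "Count")

# Constructed sample: a shortened describe-managed-rule-group response.
SAMPLE = json.loads("""
{"Capacity": 700, "Rules": [
  {"Name": "NoUserAgent_HEADER", "Action": {"Block": {}}},
  {"Name": "SizeRestrictions_BODY", "Action": {"Block": {}}},
  {"Name": "EC2MetaDataSSRF_BODY", "Action": {"Block": {}}},
  {"Name": "GenericLFI_URIPATH", "Action": {"Count": {}}},
  {"Name": "Malformed_Rule", "Action": {}}
]}
""")


def review_rule_group(described, wcu_in_use, limit=WCU_LIMIT):
    """Summarise a rule group before referencing it from a web ACL.

    wcu_in_use is the capacity the web ACL's existing rules already consume.
    """
    by_action = {a: [] for a in ACTIONS}
    by_component = {}
    malformed = []
    for rule in described.get("Rules", []):
        name = rule.get("Name", "<unnamed>")
        set_actions = [a for a in ACTIONS if a in rule.get("Action", {})]
        if len(set_actions) != 1:
            malformed.append(name)  # expect exactly one of Block/Allow/Count
            continue
        by_action[set_actions[0]].append(name)
        # Assumption: the suffix after the last "_" names the inspected part.
        component = name.rsplit("_", 1)[-1] if "_" in name else "UNKNOWN"
        by_component.setdefault(component, []).append(name)
    capacity = described["Capacity"]
    return {
        "capacity": capacity,
        "remaining_after": limit - wcu_in_use - capacity,
        "fits": wcu_in_use + capacity <= limit,
        "by_action": by_action,
        "by_component": by_component,
        "malformed": malformed,
    }


if __name__ == "__main__":
    print(json.dumps(review_rule_group(SAMPLE, wcu_in_use=900), indent=2))
```

To review a live rule group, pass the parsed JSON output of the command in place of SAMPLE.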