[ aws . wafv2 ]




This is the latest version of AWS WAF, named AWS WAFV2, released in November, 2019. For information, including how to migrate your AWS WAF resources from the prior release, see the AWS WAF Developer Guide.

Retrieves the keys that are currently blocked by a rate-based rule. The maximum number of managed keys that can be blocked for a single rate-based rule is 10,000. If more than 10,000 addresses exceed the rate limit, those with the highest rates are blocked.

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.


--scope <value>
--web-acl-name <value>
--web-acl-id <value>
--rule-name <value>
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--cli-auto-prompt <value>]


--scope (string)

Specifies whether this is for an AWS CloudFront distribution or for a regional application. A regional application can be an Application Load Balancer (ALB) or an API Gateway stage.

To work with CloudFront, you must also specify the Region US East (N. Virginia) as follows:

  • CLI - Specify the Region when you use the CloudFront scope: --scope=CLOUDFRONT --region=us-east-1.

  • API and SDKs - For all calls, use the Region endpoint us-east-1.

Possible values:



--web-acl-name (string)

The name of the Web ACL. You cannot change the name of a Web ACL after you create it.

--web-acl-id (string)

The unique identifier for the Web ACL. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.

--rule-name (string)

The name of the rate-based rule to get the keys for.

--cli-input-json | --cli-input-yaml (string) Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string) Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command.

--cli-auto-prompt (boolean) Automatically prompt for CLI input parameters.



To retrieve a list of IP addresses that are blocked by a rate-based rule

The following get-rate-based-statement-managed-keys example retrieves the IP addresses currently blocked by a rate-based rule that’s being used for a regional application.

aws wafv2 get-rate-based-statement-managed-keys \
    --scope REGIONAL \
    --web-acl-name testwebacl2 \
    --web-acl-id a1b2c3d4-5678-90ab-cdef-EXAMPLE11111 \
    --rule-name ratebasedtest




For more information, see Rate-Based Rule Statement in the AWS WAF, AWS Firewall Manager, and AWS Shield Advanced Developer Guide.


ManagedKeysIPV4 -> (structure)

The keys that are of Internet Protocol version 4 (IPv4).

IPAddressVersion -> (string)

Addresses -> (list)

The IP addresses that are currently blocked.


ManagedKeysIPV6 -> (structure)

The keys that are of Internet Protocol version 6 (IPv6).

IPAddressVersion -> (string)

Addresses -> (list)

The IP addresses that are currently blocked.
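
The following added example (not part of the AWS documentation) compares two saved responses from this command to report which keys were newly blocked or released, whether any blocked key falls inside a range you trust, and whether the rule has reached the 10,000-key limit. The sample responses, the trusted range, and the function names are constructed for illustration, and the example assumes each Addresses entry is a plain address or a CIDR string.

```python
import ipaddress
import json

MAX_MANAGED_KEYS = 10_000  # per-rule cap on blocked keys stated on this page

def blocked_networks(response):
    """Collect blocked keys from one parsed response as ip_network objects."""
    nets = set()
    for field in ("ManagedKeysIPV4", "ManagedKeysIPV6"):
        for entry in (response.get(field) or {}).get("Addresses") or []:
            # Assumption: each entry is a plain address or a CIDR string.
            nets.add(ipaddress.ip_network(entry, strict=False))
    return nets

def compare_snapshots(previous, current, trusted_ranges=()):
    """Diff two responses and flag blocked keys inside ranges you trust."""
    prev, curr = blocked_networks(previous), blocked_networks(current)
    trusted = [ipaddress.ip_network(r) for r in trusted_ranges]

    def in_trusted(net):
        return any(net.version == t.version and net.overlaps(t) for t in trusted)

    return {
        "newly_blocked": sorted(str(n) for n in curr - prev),
        "released": sorted(str(n) for n in prev - curr),
        "trusted_blocked": sorted(str(n) for n in curr if in_trusted(n)),
        # At the cap only the highest-rate sources are blocked, so the
        # list may no longer cover every address that is over the limit.
        "at_cap": len(curr) >= MAX_MANAGED_KEYS,
    }

# Constructed sample responses (documentation address ranges, not real data).
PREVIOUS = json.loads("""{
  "ManagedKeysIPV4": {"IPAddressVersion": "IPV4",
                      "Addresses": ["198.51.100.7/32", "203.0.113.20/32"]},
  "ManagedKeysIPV6": {"IPAddressVersion": "IPV6", "Addresses": []}
}""")
CURRENT = json.loads("""{
  "ManagedKeysIPV4": {"IPAddressVersion": "IPV4",
                      "Addresses": ["203.0.113.20/32", "192.0.2.44/32"]},
  "ManagedKeysIPV6": {"IPAddressVersion": "IPV6",
                      "Addresses": ["2001:db8::1/128"]}
}""")
TRUSTED = ["192.0.2.0/24"]  # hypothetical range, e.g. your own monitoring hosts

if __name__ == "__main__":
    print(json.dumps(compare_snapshots(PREVIOUS, CURRENT, TRUSTED), indent=2))
```

A non-empty trusted_blocked list points to a rate limit that is too low for legitimate traffic or to a missing exclusion for that range.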