diff --git a/.changes/next-release/feature-AWSWAFV2-6ab7436.json b/.changes/next-release/feature-AWSWAFV2-6ab7436.json new file mode 100644 index 000000000000..4272c7c0aeff --- /dev/null +++ b/.changes/next-release/feature-AWSWAFV2-6ab7436.json @@ -0,0 +1,6 @@ +{ + "type": "feature", + "category": "AWS WAFV2", + "contributor": "", + "description": "Adds support for AWS WAF Fraud Control account takeover prevention (ATP), with configuration options for the new managed rule group AWSManagedRulesATPRuleSet and support for application integration SDKs for Android and iOS mobile apps." +} diff --git a/services/wafv2/src/main/resources/codegen-resources/service-2.json b/services/wafv2/src/main/resources/codegen-resources/service-2.json index 9de10859488c..8e8841140a71 100644 --- a/services/wafv2/src/main/resources/codegen-resources/service-2.json +++ b/services/wafv2/src/main/resources/codegen-resources/service-2.json @@ -300,6 +300,22 @@ ], "documentation":"

Disassociates a web ACL from a regional application resource. A regional application can be an Application Load Balancer (ALB), an Amazon API Gateway REST API, or an AppSync GraphQL API.

For Amazon CloudFront, don't use this call. Instead, use your CloudFront distribution configuration. To disassociate a web ACL, provide an empty web ACL ID in the CloudFront call UpdateDistribution. For information, see UpdateDistribution.

" }, + "GenerateMobileSdkReleaseUrl":{ + "name":"GenerateMobileSdkReleaseUrl", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"GenerateMobileSdkReleaseUrlRequest"}, + "output":{"shape":"GenerateMobileSdkReleaseUrlResponse"}, + "errors":[ + {"shape":"WAFInternalErrorException"}, + {"shape":"WAFNonexistentItemException"}, + {"shape":"WAFInvalidParameterException"}, + {"shape":"WAFInvalidOperationException"} + ], + "documentation":"

Generates a presigned download URL for the specified release of the mobile SDK.

The mobile SDK is not generally available. Customers who have access to the mobile SDK can use it to establish and manage Security Token Service (STS) security tokens for use in HTTP(S) requests from a mobile device to WAF.

" + }, "GetIPSet":{ "name":"GetIPSet", "http":{ @@ -348,6 +364,22 @@ ], "documentation":"

Retrieves the specified managed rule set.

This is intended for use only by vendors of managed rule sets. Vendors are Amazon Web Services and Amazon Web Services Marketplace sellers.

Vendors, you can use the managed rule set APIs to provide controlled rollout of your versioned managed rule group offerings for your customers. The APIs are ListManagedRuleSets, GetManagedRuleSet, PutManagedRuleSetVersions, and UpdateManagedRuleSetVersionExpiryDate.

" }, + "GetMobileSdkRelease":{ + "name":"GetMobileSdkRelease", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"GetMobileSdkReleaseRequest"}, + "output":{"shape":"GetMobileSdkReleaseResponse"}, + "errors":[ + {"shape":"WAFInternalErrorException"}, + {"shape":"WAFNonexistentItemException"}, + {"shape":"WAFInvalidParameterException"}, + {"shape":"WAFInvalidOperationException"} + ], + "documentation":"

Retrieves information for the specified mobile SDK release, including release notes and tags.

The mobile SDK is not generally available. Customers who have access to the mobile SDK can use it to establish and manage Security Token Service (STS) security tokens for use in HTTP(S) requests from a mobile device to WAF.

" + }, "GetPermissionPolicy":{ "name":"GetPermissionPolicy", "http":{ @@ -534,6 +566,21 @@ ], "documentation":"

Retrieves the managed rule sets that you own.

This is intended for use only by vendors of managed rule sets. Vendors are Amazon Web Services and Amazon Web Services Marketplace sellers.

Vendors, you can use the managed rule set APIs to provide controlled rollout of your versioned managed rule group offerings for your customers. The APIs are ListManagedRuleSets, GetManagedRuleSet, PutManagedRuleSetVersions, and UpdateManagedRuleSetVersionExpiryDate.

" }, + "ListMobileSdkReleases":{ + "name":"ListMobileSdkReleases", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"ListMobileSdkReleasesRequest"}, + "output":{"shape":"ListMobileSdkReleasesResponse"}, + "errors":[ + {"shape":"WAFInternalErrorException"}, + {"shape":"WAFInvalidParameterException"}, + {"shape":"WAFInvalidOperationException"} + ], + "documentation":"

Retrieves a list of the available releases for the mobile SDK and the specified device platform.

The mobile SDK is not generally available. Customers who have access to the mobile SDK can use it to establish and manage Security Token Service (STS) security tokens for use in HTTP(S) requests from a mobile device to WAF.

" + }, "ListRegexPatternSets":{ "name":"ListRegexPatternSets", "http":{ @@ -1858,6 +1905,7 @@ "members":{ } }, + "DownloadUrl":{"type":"string"}, "EntityDescription":{ "type":"string", "max":256, @@ -1907,6 +1955,12 @@ "NO_MATCH" ] }, + "FieldIdentifier":{ + "type":"string", + "max":512, + "min":1, + "pattern":".*\\S.*" + }, "FieldToMatch":{ "type":"structure", "members":{ @@ -2076,6 +2130,32 @@ "ANY" ] }, + "GenerateMobileSdkReleaseUrlRequest":{ + "type":"structure", + "required":[ + "Platform", + "ReleaseVersion" + ], + "members":{ + "Platform":{ + "shape":"Platform", + "documentation":"

The device platform.

" + }, + "ReleaseVersion":{ + "shape":"VersionKeyString", + "documentation":"

The release version. For the latest available version, specify LATEST.

" + } + } + }, + "GenerateMobileSdkReleaseUrlResponse":{ + "type":"structure", + "members":{ + "Url":{ + "shape":"DownloadUrl", + "documentation":"

The presigned download URL for the specified SDK release.

" + } + } + }, "GeoMatchStatement":{ "type":"structure", "members":{ @@ -2179,6 +2259,32 @@ } } }, + "GetMobileSdkReleaseRequest":{ + "type":"structure", + "required":[ + "Platform", + "ReleaseVersion" + ], + "members":{ + "Platform":{ + "shape":"Platform", + "documentation":"

The device platform.

" + }, + "ReleaseVersion":{ + "shape":"VersionKeyString", + "documentation":"

The release version. For the latest available version, specify LATEST.

" + } + } + }, + "GetMobileSdkReleaseResponse":{ + "type":"structure", + "members":{ + "MobileSdkRelease":{ + "shape":"MobileSdkRelease", + "documentation":"

Information for a specified SDK release, including release notes and tags.

" + } + } + }, "GetPermissionPolicyRequest":{ "type":"structure", "required":["ResourceArn"], @@ -2411,6 +2517,10 @@ "LockToken":{ "shape":"LockToken", "documentation":"

A token used for optimistic locking. WAF returns a token to your get and list requests, to mark the state of the entity at the time of the request. To make changes to the entity associated with the token, you provide the token to operations like update and delete. WAF uses the token to ensure that no changes have been made to the entity since you last retrieved it. If a change has been made, the update fails with a WAFOptimisticLockException. If this happens, perform another get, and use the new token returned by that operation.

" + }, + "ApplicationIntegrationURL":{ + "shape":"OutputUrl", + "documentation":"

The URL to use in SDK integrations with Amazon Web Services managed rule groups. For example, you can use the integration SDKs with the account takeover prevention managed rule group AWSManagedRulesATPRuleSet. This is only populated if you are using a rule group in your web ACL that integrates with your applications in this way. For more information, see WAF application integration in the WAF Developer Guide.

" } } }, @@ -2904,6 +3014,37 @@ "max":500, "min":1 }, + "ListMobileSdkReleasesRequest":{ + "type":"structure", + "required":["Platform"], + "members":{ + "Platform":{ + "shape":"Platform", + "documentation":"

The device platform to retrieve the list for.

" + }, + "NextMarker":{ + "shape":"NextMarker", + "documentation":"

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

" + }, + "Limit":{ + "shape":"PaginationLimit", + "documentation":"

The maximum number of objects that you want WAF to return for this request. If more objects are available, in the response, WAF provides a NextMarker value that you can use in a subsequent call to get the next batch of objects.

" + } + } + }, + "ListMobileSdkReleasesResponse":{ + "type":"structure", + "members":{ + "ReleaseSummaries":{ + "shape":"ReleaseSummaries", + "documentation":"

High level information for the available SDK releases.

" + }, + "NextMarker":{ + "shape":"NextMarker", + "documentation":"

When you request a list of objects with a Limit setting, if the number of objects that are still available for retrieval exceeds the limit, WAF returns a NextMarker value in the response. To retrieve the next batch of objects, provide the marker from the prior call in your next request.

" + } + } + }, "ListRegexPatternSetsRequest":{ "type":"structure", "required":["Scope"], @@ -3115,6 +3256,39 @@ }, "documentation":"

Filtering that specifies which web requests are kept in the logs and which are dropped, defined for a web ACL's LoggingConfiguration.

You can filter on the rule action and on the web request labels that were applied by matching rules during web ACL evaluation.

" }, + "LoginPathString":{ + "type":"string", + "max":256, + "min":1, + "pattern":".*\\S.*" + }, + "ManagedRuleGroupConfig":{ + "type":"structure", + "members":{ + "LoginPath":{ + "shape":"LoginPathString", + "documentation":"

The login endpoint for your application. For example https://example.com/web/login.

" + }, + "PayloadType":{ + "shape":"PayloadType", + "documentation":"

The payload type for your login endpoint, either JSON or form encoded.

" + }, + "UsernameField":{ + "shape":"UsernameField", + "documentation":"

Details about your login page username field.

" + }, + "PasswordField":{ + "shape":"PasswordField", + "documentation":"

Details about your login page password field.

" + } + }, + "documentation":"

Additional information that's used by a managed rule group. Most managed rule groups don't require this.

Use this for the account takeover prevention managed rule group AWSManagedRulesATPRuleSet, to provide information about the sign-in page of your application.

" + }, + "ManagedRuleGroupConfigs":{ + "type":"list", + "member":{"shape":"ManagedRuleGroupConfig"}, + "min":1 + }, "ManagedRuleGroupStatement":{ "type":"structure", "required":[ @@ -3141,6 +3315,10 @@ "ScopeDownStatement":{ "shape":"Statement", "documentation":"

An optional nested statement that narrows the scope of the web requests that are evaluated by the managed rule group. Requests are only evaluated by the rule group if they match the scope-down statement. You can use any nestable Statement in the scope-down statement, and you can nest statements at any level, the same as you can for a rule statement.

" + }, + "ManagedRuleGroupConfigs":{ + "shape":"ManagedRuleGroupConfigs", + "documentation":"

Additional information that's used by a managed rule group. Most managed rule groups don't require this.

Use this for the account takeover prevention managed rule group AWSManagedRulesATPRuleSet, to provide information about the sign-in page of your application.

" } }, "documentation":"

A rule statement used to run the rules that are defined in a managed rule group. To use this, provide the vendor name and the name of the rule group in this statement. You can retrieve the required names by calling ListAvailableManagedRuleGroups.

You cannot nest a ManagedRuleGroupStatement, for example for use inside a NotStatement or OrStatement. It can only be referenced as a top-level statement within a rule.

" @@ -3300,6 +3478,28 @@ "min":1, "pattern":"^[\\w#:\\.\\-/]+$" }, + "MobileSdkRelease":{ + "type":"structure", + "members":{ + "ReleaseVersion":{ + "shape":"VersionKeyString", + "documentation":"

The release version.

" + }, + "Timestamp":{ + "shape":"Timestamp", + "documentation":"

The timestamp of the release.

" + }, + "ReleaseNotes":{ + "shape":"ReleaseNotes", + "documentation":"

Notes describing the release.

" + }, + "Tags":{ + "shape":"TagList", + "documentation":"

Tags that are associated with the release.

" + } + }, + "documentation":"

Information for a release of the mobile SDK, including release notes and tags.

The mobile SDK is not generally available. Customers who have access to the mobile SDK can use it to establish and manage Security Token Service (STS) security tokens for use in HTTP(S) requests from a mobile device to WAF.

" + }, "NextMarker":{ "type":"string", "max":256, @@ -3334,6 +3534,7 @@ }, "documentation":"

A logical rule statement used to combine other rule statements with OR logic. You provide more than one Statement within the OrStatement.

" }, + "OutputUrl":{"type":"string"}, "OverrideAction":{ "type":"structure", "members":{ @@ -3412,13 +3613,40 @@ "EXPIRE_TIMESTAMP", "CHANGE_PROPAGATION_STATUS", "ASSOCIABLE_RESOURCE", - "LOG_DESTINATION" + "LOG_DESTINATION", + "MANAGED_RULE_GROUP_CONFIG", + "PAYLOAD_TYPE" ] }, "ParameterExceptionParameter":{ "type":"string", "min":1 }, + "PasswordField":{ + "type":"structure", + "required":["Identifier"], + "members":{ + "Identifier":{ + "shape":"FieldIdentifier", + "documentation":"

The name of the password field. For example /form/password.

" + } + }, + "documentation":"

Details about your login page password field, used in a ManagedRuleGroupConfig.

" + }, + "PayloadType":{ + "type":"string", + "enum":[ + "JSON", + "FORM_ENCODED" + ] + }, + "Platform":{ + "type":"string", + "enum":[ + "IOS", + "ANDROID" + ] + }, "PolicyString":{ "type":"string", "max":395000, @@ -3711,6 +3939,25 @@ "type":"list", "member":{"shape":"Regex"} }, + "ReleaseNotes":{"type":"string"}, + "ReleaseSummaries":{ + "type":"list", + "member":{"shape":"ReleaseSummary"} + }, + "ReleaseSummary":{ + "type":"structure", + "members":{ + "ReleaseVersion":{ + "shape":"VersionKeyString", + "documentation":"

The release version.

" + }, + "Timestamp":{ + "shape":"Timestamp", + "documentation":"

The timestamp of the release.

" + } + }, + "documentation":"

High level information for an SDK release.

" + }, "ResourceArn":{ "type":"string", "max":2048, @@ -4594,6 +4841,17 @@ }, "documentation":"

The path component of the URI of a web request. This is the part of a web request that identifies a resource. For example, /images/daily-ad.jpg.

This is used only to indicate the web request component for WAF to inspect, in the FieldToMatch specification.

JSON specification: \"UriPath\": {}

" }, + "UsernameField":{ + "type":"structure", + "required":["Identifier"], + "members":{ + "Identifier":{ + "shape":"FieldIdentifier", + "documentation":"

The name of the username field. For example /form/username.

" + } + }, + "documentation":"

Details about your login page username field, used in a ManagedRuleGroupConfig.

" + }, "VendorName":{ "type":"string", "max":128,
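Review bot: In the `@@ -2076,6 +2130,32 @@` hunk, the documentation for `GenerateMobileSdkReleaseUrlResponse.Url` says only "The presigned download URL for the specified SDK release." and gives no validity period, and the `DownloadUrl` shape added in the `@@ -1858` hunk is a bare `{"type":"string"}`. Please document how long the URL remains valid and state that it grants download access to whoever holds it, so callers know not to log or cache it. If the service bounds the length, add a `max` to `DownloadUrl`, in line with the other string shapes added here (`FieldIdentifier`, `LoginPathString`).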
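Review bot: In the `@@ -2411,6 +2517,10 @@` hunk, the new member is spelled `ApplicationIntegrationURL`, while every other URL-bearing name this patch adds uses `Url` (`GenerateMobileSdkReleaseUrl`, `Url`, `DownloadUrl`, `OutputUrl`). If the wire name is fixed by the service, a short comment in the change description would help; otherwise, align the casing before code is generated from it. The documentation also says the field "is only populated if you are using a rule group in your web ACL that integrates with your applications in this way" without saying whether it is absent or empty otherwise, which matters to callers that null-check it.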
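Review bot: In the `@@ -3115,6 +3256,39 @@` hunk, `LoginPath` is typed as `LoginPathString` but its documentation example is a full URL, "https://example.com/web/login". The pattern `.*\\S.*` accepts anything with one non-whitespace character, so the model never tells the caller whether a path or an absolute URL is expected. Please state the expected form in the documentation (and tighten the pattern if the service only accepts one), because a value in the wrong form would pass client-side validation. Also note that `ManagedRuleGroupConfig` declares no `required` members, so an empty object is valid as far as this model is concerned.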
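Review bot: In the `@@ -3141,6 +3315,10 @@` hunk, the `ManagedRuleGroupConfigs` member documentation is a verbatim copy of the `ManagedRuleGroupConfig` structure documentation and does not explain the list semantics. The list shape has `"min":1` and no `max`, and each element can carry any subset of `LoginPath`, `PayloadType`, `UsernameField` and `PasswordField`. Please document whether callers should send one element with all four settings or one element per setting, and what happens when the same setting appears in two elements.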
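Review bot: In the `@@ -3412,13 +3613,40 @@` hunk, `PasswordField.Identifier` is documented as "The name of the password field. For example /form/password." (and `UsernameField.Identifier` in the `@@ -4594` hunk likewise with "/form/username"), but `PayloadType` allows both `JSON` and `FORM_ENCODED`. The example does not say which payload type it belongs to or how the identifier is written for the other one. Please give one example per payload type. Separately, the parameter enum in this hunk gains `MANAGED_RULE_GROUP_CONFIG` and `PAYLOAD_TYPE` only, so it is worth confirming that invalid `LoginPath` or field identifiers are meant to be reported under `MANAGED_RULE_GROUP_CONFIG`.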