AWS::WAFv2::WebACL Cookies - Amazon CloudFormation

AWS::WAFv2::WebACL Cookies

Inspect the cookies in the web request. You can specify the parts of the cookies to inspect and you can narrow the set of cookies to inspect by including or excluding specific keys.

Use this in the FieldToMatch specification to indicate the web request component to inspect.

Example JSON:

    "Cookies": {
      "MatchPattern": { "All": {} },
      "MatchScope": "KEY",
      "OversizeHandling": "MATCH"
    }

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

    {
      "MatchPattern" : CookieMatchPattern,
      "MatchScope" : String,
      "OversizeHandling" : String
    }

Properties

MatchPattern

The filter to use to identify the subset of cookies to inspect in a web request.

You must specify exactly one setting: either All, IncludedCookies, or ExcludedCookies.

Example JSON: "MatchPattern": { "IncludedCookies": [ "KeyToInclude1", "KeyToInclude2", "KeyToInclude3" ] }

Required: Yes

Type: CookieMatchPattern

Update requires: No interruption

MatchScope

The parts of the cookies to inspect with the rule inspection criteria. If you specify ALL, Amazon WAF inspects both keys and values.

Required: Yes

Type: String

Allowed values: ALL | KEY | VALUE

Update requires: No interruption

OversizeHandling

What Amazon WAF should do if the cookies of the request are larger than Amazon WAF can inspect. Amazon WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to Amazon WAF.

The options for oversize handling are the following:

  • CONTINUE - Inspect the cookies normally, according to the rule inspection criteria.

  • MATCH - Treat the web request as matching the rule statement. Amazon WAF applies the rule action to the request.

  • NO_MATCH - Treat the web request as not matching the rule statement.

Required: Yes

Type: String

Allowed values: CONTINUE | MATCH | NO_MATCH

Update requires: No interruption
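
The following is an added example, not part of the original documentation or of any Amazon tooling: a small Python check that walks a JSON template, finds every Cookies specification under a FieldToMatch key, validates the three properties described above, and flags OversizeHandling settings under which cookie content past the inspection limit is not examined. The function names, the finding texts and the trimmed sample fragment are assumptions made for illustration; whether CONTINUE or NO_MATCH is acceptable depends on the rule's action.

```python
import json

ALLOWED_SCOPE = ("ALL", "KEY", "VALUE")
PATTERN_KEYS = {"All", "IncludedCookies", "ExcludedCookies"}
OVERSIZE_NOTES = {  # review note per allowed value; None means nothing to flag
    "MATCH": None,
    "CONTINUE": "only the cookie content forwarded to WAF is inspected",
    "NO_MATCH": "oversize requests are treated as not matching this statement",
}

def find_cookies_specs(node, path="$"):
    """Yield (path, spec) for each Cookies object under a FieldToMatch key."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "FieldToMatch" and isinstance(value, dict) and isinstance(value.get("Cookies"), dict):
                yield f"{path}.{key}.Cookies", value["Cookies"]
            yield from find_cookies_specs(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_cookies_specs(item, f"{path}[{i}]")

def check_cookies_spec(spec):
    """Return the findings for one Cookies specification."""
    findings = []
    pattern = spec.get("MatchPattern")
    if not isinstance(pattern, dict) or len(pattern) != 1 or not set(pattern) <= PATTERN_KEYS:
        findings.append("MatchPattern must set exactly one of All, IncludedCookies, ExcludedCookies")
    else:
        (kind, keys), = pattern.items()
        if kind != "All" and not (isinstance(keys, list) and all(isinstance(k, str) for k in keys)):
            findings.append(f"{kind} must be a list of cookie keys")
    if spec.get("MatchScope") not in ALLOWED_SCOPE:
        findings.append("MatchScope must be ALL, KEY or VALUE")
    oversize = spec.get("OversizeHandling")
    if oversize not in list(OVERSIZE_NOTES):
        findings.append("OversizeHandling must be CONTINUE, MATCH or NO_MATCH")
    elif OVERSIZE_NOTES[oversize]:
        findings.append(f"OversizeHandling {oversize}: {OVERSIZE_NOTES[oversize]}")
    return findings

def lint_template(text):
    """Map the path of each flagged Cookies spec in a JSON template to its findings."""
    checked = ((p, check_cookies_spec(s)) for p, s in find_cookies_specs(json.loads(text)))
    return {p: f for p, f in checked if f}

# Constructed sample: a trimmed template fragment, not a deployable WebACL.
SAMPLE = json.dumps({"Rules": [
    {"Statement": {"ByteMatchStatement": {"FieldToMatch": {"Cookies": {"MatchPattern": {"IncludedCookies": ["session-id", "session-id-time"]}, "MatchScope": "ALL", "OversizeHandling": "MATCH"}}}}},
    {"Statement": {"ByteMatchStatement": {"FieldToMatch": {"Cookies": {"MatchPattern": {"All": {}, "ExcludedCookies": ["tracking"]}, "MatchScope": "All", "OversizeHandling": "NO_MATCH"}}}}},
]})
```

Calling `lint_template(SAMPLE)` reports only the second rule, with one finding each for MatchPattern, MatchScope and OversizeHandling.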

Examples

Set the Cookies specification

The following shows an example Cookies field to match specification.

YAML

    FieldToMatch:
      Cookies:
        MatchPattern:
          IncludedCookies:
            - "session-id"
            - "session-id-time"
        MatchScope: ALL
        OversizeHandling: MATCH

JSON

"FieldToMatch": { "Cookies": { "MatchPattern": { "IncludedCookies": [ "session-id", "session-id-time" ] }, "MatchScope": "ALL", "OversizeHandling": "MATCH" } }