
How do I use the AWS CLI to create, list, get, or update an AWS WAF IPSet?


I want to use the AWS Command Line Interface (AWS CLI) to create, list, get, or update an IPSet in AWS WAF.

Resolution

Note: If you receive errors when you run AWS CLI commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

This resolution uses the wafv2 command to create an IPSet either in a specific AWS Region (scope REGIONAL) or as a global IPSet for Amazon CloudFront (scope CLOUDFRONT).

Before you proceed, verify that the default Region of the AWS CLI is the Region where you want to create your IPSet, or pass the --region option on each command. A Regional IPSet must be in the same Region as the web ACL and the resources that use it. If you use CloudFront, then create your IPSet in the US East (N. Virginia) Region, us-east-1, because CloudFront-scoped resources are global and are managed through that Region.

Create an IPSet

Complete the following steps:

  1. Make sure that the AWS CLI is configured with credentials that are allowed to call the wafv2 actions that you need (for example, wafv2:CreateIPSet).
  2. Run the create-ip-set command to create the IPSet.
    Note: --scope specifies whether the IPSet is for a CloudFront distribution or a Regional application. Regional applications include an Application Load Balancer, an Amazon API Gateway REST API, an AWS AppSync GraphQL API, or an Amazon Cognito user pool. --addresses takes one or more CIDR blocks; a single host must be written with its full prefix length (10.1.1.1/32), and every entry must match --ip-address-version.
    The following output is an example of a Regional IPSet:
    $ aws wafv2 create-ip-set --name ipv4-block --scope REGIONAL --ip-address-version IPV4 --addresses 10.1.1.1/32 --region us-west-1
    {
        "Summary": {
            "Name": "ipv4-block",
            "Id": "952c5e24-2352-4a1e-a90b-01499086be1b",
            "Description": "",
            "LockToken": "c54cc0d5-42dc-4b4b-9335-a86c7ad784a6",
            "ARN": "arn:aws:wafv2:us-west-1:1111222233334444:regional/ipset/ipv4-block/952c5e24-2352-4a1e-a90b-01499086be1b"
        }
    }
    The following output is an example of a CloudFront IPSet:
    $ aws wafv2 create-ip-set --name ipv4-block-cf --scope CLOUDFRONT --ip-address-version IPV4 --addresses 10.1.1.1/32 --region us-east-1
    {
        "Summary": {
            "Name": "ipv4-block-cf",
            "Id": "1fef3860-8b6e-4201-8a56-6d8d49e93057",
            "Description": "",
            "LockToken": "9e9bc59e-678e-4b83-98d8-5a4c119b0123",
            "ARN": "arn:aws:wafv2:us-east-1:1111222233334444:global/ipset/ipv4-block-cf/1fef3860-8b6e-4201-8a56-6d8d49e93057"
        }
    }

List IPSets

To list the IPSets in a scope, run the list-ip-sets command. The output includes each IPSet's Id and LockToken, which the get-ip-set and update-ip-set commands need.

The following output is an example of a Regional IPSet:

$ aws wafv2 list-ip-sets --scope REGIONAL --region us-west-1
{
    "NextMarker": "ipv4-block",
    "IPSets": [
        {
            "Name": "ipv4-block",
            "Id": "952c5e24-2352-4a1e-a90b-01499086be1b",
            "Description": "",
            "LockToken": "c54cc0d5-42dc-4b4b-9335-a86c7ad784a6",
            "ARN": "arn:aws:wafv2:us-west-1:1111222233334444:regional/ipset/ipv4-block/952c5e24-2352-4a1e-a90b-01499086be1b"
        }
    ]
}

The following output is an example of a CloudFront IPSet:

$ aws wafv2 list-ip-sets --scope CLOUDFRONT --region us-east-1
{
    "NextMarker": "ipv4-block-cf",
    "IPSets": [
        {
            "Name": "ipv4-block-cf",
            "Id": "1fef3860-8b6e-4201-8a56-6d8d49e93057",
            "Description": "",
            "LockToken": "9e9bc59e-678e-4b83-98d8-5a4c119b0123",
            "ARN": "arn:aws:wafv2:us-east-1:1111222233334444:global/ipset/ipv4-block-cf/1fef3860-8b6e-4201-8a56-6d8d49e93057"
        }
    ]
}

Note: If you specify --limit and have more IPSets than that value, then AWS WAF returns a NextMarker value. Pass it as --next-marker to retrieve the next page. For more information, see Request parameters.

Get an IPSet

To retrieve a specific IPSet, including its address list, run the get-ip-set command. Both --name and --id are required; take them from the create-ip-set or list-ip-sets output. The LockToken in the response is the value that update-ip-set and delete-ip-set require.

The following output is an example of the Regional IPSet that was created earlier:

$ aws wafv2 get-ip-set --scope REGIONAL --name ipv4-block --id 952c5e24-2352-4a1e-a90b-01499086be1b --region us-west-1
{
    "IPSet": {
        "Name": "ipv4-block",
        "Id": "952c5e24-2352-4a1e-a90b-01499086be1b",
        "ARN": "arn:aws:wafv2:us-west-1:1111222233334444:regional/ipset/ipv4-block/952c5e24-2352-4a1e-a90b-01499086be1b",
        "Description": "",
        "IPAddressVersion": "IPV4",
        "Addresses": [
            "10.1.1.1/32"
        ]
    },
    "LockToken": "c54cc0d5-42dc-4b4b-9335-a86c7ad784a6"
}

For a CloudFront IPSet, run the same command with --scope CLOUDFRONT and --region us-east-1, using the name and ID from the CloudFront create-ip-set or list-ip-sets output.

Update an IPSet

To update an IPSet, run the update-ip-set command. You can pass the new address list either inline (shorthand syntax) or in a JSON file. In both cases the Addresses value that you send replaces the entire address list; the command doesn't append to it, so include every address that you want to keep.

Shorthand syntax

Complete the following steps:

  1. Run the get-ip-set command to get the ID and LockToken for the IPSet that you want to update. Both --name and --id are required.
    The following output is an example for the Regional IPSet that was created earlier:

    $ aws wafv2 get-ip-set --scope REGIONAL --name ipv4-block --id 952c5e24-2352-4a1e-a90b-01499086be1b --region us-west-1
    {
        "IPSet": {
            "Name": "ipv4-block",
            "Id": "952c5e24-2352-4a1e-a90b-01499086be1b",
            "ARN": "arn:aws:wafv2:us-west-1:1111222233334444:regional/ipset/ipv4-block/952c5e24-2352-4a1e-a90b-01499086be1b",
            "Description": "",
            "IPAddressVersion": "IPV4",
            "Addresses": [
                "10.1.1.1/32"
            ]
        },
        "LockToken": "c54cc0d5-42dc-4b4b-9335-a86c7ad784a6"
    }

    Note: AWS WAF uses the LockToken for optimistic locking. Every update-ip-set or delete-ip-set call must include the token that you received when you last retrieved the IPSet. AWS WAF uses it to confirm that nobody changed the IPSet after you read it. If the IPSet did change, then the call fails with WAFOptimisticLockException and nothing is modified. To resolve this issue, rerun the get-ip-set command, review the current address list, and retry with the new token that it returns.

  2. Run the update-ip-set command to replace the current address list with your new one. Include the ID and LockToken values:

    $ aws wafv2 update-ip-set --name ipv4-block --scope REGIONAL --id 952c5e24-2352-4a1e-a90b-01499086be1b --addresses "10.1.1.1/32" "10.1.1.2/32" --lock-token c54cc0d5-42dc-4b4b-9335-a86c7ad784a6 --region us-west-1
    {
        "NextLockToken": "a459c121-f160-4475-9352-fa602ff33df7"
    }
  3. Run the get-ip-set command to review the changes to the IPSet. The LockToken in the output is the NextLockToken that update-ip-set returned; use that token for any further update:

    $ aws wafv2 get-ip-set --scope REGIONAL --name ipv4-block --id 952c5e24-2352-4a1e-a90b-01499086be1b --region us-west-1
    {
        "IPSet": {
            "Name": "ipv4-block",
            "Id": "952c5e24-2352-4a1e-a90b-01499086be1b",
            "ARN": "arn:aws:wafv2:us-west-1:1111222233334444:regional/ipset/ipv4-block/952c5e24-2352-4a1e-a90b-01499086be1b",
            "Description": "",
            "IPAddressVersion": "IPV4",
            "Addresses": [
                "10.1.1.2/32",
                "10.1.1.1/32"
            ]
        },
        "LockToken": "a459c121-f160-4475-9352-fa602ff33df7"
    }
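The shorthand procedure above, automated as an added example that is not part of the original article or of any AWS tooling: the script reads the LockToken, sends the replacement list, retries when the update fails with WAFOptimisticLockException (the case the note in step 1 describes), and reads the IPSet back to confirm that it contains exactly the addresses that were sent. It assumes the aws binary is on PATH with credentials allowed to call wafv2:ListIPSets, wafv2:GetIPSet and wafv2:UpdateIPSet; the function names and the --run convention are this example's own.

```shell
#!/bin/sh
# Added example (not from the AWS Knowledge Center article): replace a wafv2
# IPSet's address list the way the manual steps do (get LockToken, update-ip-set,
# get-ip-set again), with the WAFOptimisticLockException retry and the
# post-update check automated. Assumes the aws binary is on PATH with
# credentials for wafv2:ListIPSets, wafv2:GetIPSet and wafv2:UpdateIPSet.
# Function names are this example's own.
set -eu

# Resolve an IPSet Id from its name and scope. Only the first page of
# list-ip-sets is searched; follow NextMarker if you have many IPSets.
waf_ipset_id() {
  local scope=$1 name=$2 region=$3 id
  id=$(aws wafv2 list-ip-sets --scope "$scope" --region "$region" \
         --query "IPSets[?Name=='$name'].Id | [0]" --output text)
  [ -n "$id" ] && [ "$id" != "None" ] && printf '%s\n' "$id"
}

# Current LockToken: an update must carry the token of the version it read.
waf_ipset_lock_token() {
  aws wafv2 get-ip-set --scope "$1" --name "$2" --id "$3" --region "$4" \
    --query LockToken --output text
}

# Replace the whole address list (update-ip-set overwrites, it never appends).
# On WAFOptimisticLockException the token is re-read and the update retried;
# any other error is fatal. Prints the NextLockToken on success.
waf_ipset_replace() {
  local scope=$1 name=$2 id=$3 region=$4 attempt token out
  shift 4
  for attempt in 1 2 3; do
    token=$(waf_ipset_lock_token "$scope" "$name" "$id" "$region")
    if out=$(aws wafv2 update-ip-set --scope "$scope" --name "$name" --id "$id" \
               --region "$region" --lock-token "$token" --addresses "$@" \
               --query NextLockToken --output text 2>&1); then
      printf '%s\n' "$out"
      return 0
    fi
    case $out in
      *WAFOptimisticLockException*)
        echo "attempt $attempt: IPSet changed since LockToken was read, retrying" >&2 ;;
      *)
        printf '%s\n' "$out" >&2
        return 1 ;;
    esac
  done
  echo "giving up after $attempt attempts" >&2
  return 1
}

# Read the IPSet back and compare its addresses, order-insensitively, with the
# list that was sent (AWS WAF returns them in its own order).
waf_ipset_verify() {
  local scope=$1 name=$2 id=$3 region=$4 want have
  shift 4
  want=$(printf '%s\n' "$@" | sort)
  have=$(aws wafv2 get-ip-set --scope "$scope" --name "$name" --id "$id" \
           --region "$region" --query IPSet.Addresses --output text)
  have=$(printf '%s\n' "$have" | tr '\t' '\n' | sed '/^$/d' | sort)
  [ "$want" = "$have" ]
}

# Runs against a real account only when invoked as, for example:
#   sh ipset-replace.sh --run REGIONAL ipv4-block us-west-1 10.1.1.0/24 10.1.2.0/24
if [ "${1:-}" = "--run" ]; then
  shift
  scope=$1 name=$2 region=$3
  shift 3
  id=$(waf_ipset_id "$scope" "$name" "$region")
  waf_ipset_replace "$scope" "$name" "$id" "$region" "$@"
  if waf_ipset_verify "$scope" "$name" "$id" "$region" "$@"; then
    echo "$name now contains exactly: $*"
  else
    echo "$name does not match the list that was sent" >&2
    exit 1
  fi
fi
```

The --query and --output text options let the script pick single values (LockToken, NextLockToken, the address list) out of the CLI's JSON without a JSON parser. The comparison in waf_ipset_verify is order-insensitive on purpose: the outputs above show that AWS WAF returns 10.1.1.2/32 before 10.1.1.1/32 even though the update sent them the other way round.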

JSON file

Complete the following steps:

  1. Use your preferred editor to create a JSON file that contains the Addresses request parameter. Every entry must match the IPSet's IPAddressVersion. To get a template with all parameters of the request, run aws wafv2 update-ip-set --generate-cli-skeleton. Example file:

    $ cat ip.json
    {
        "Addresses": ["10.1.1.0/24", "10.1.2.0/24", "10.1.3.0/24"]
    }
  2. Run the get-ip-set command to get the ID and LockToken for the IPSet that you want to update:

    $ aws wafv2 get-ip-set --scope REGIONAL --name ipv4-block --id 952c5e24-2352-4a1e-a90b-01499086be1b --region us-west-1
    {
        "IPSet": {
            "Name": "ipv4-block",
            "Id": "952c5e24-2352-4a1e-a90b-01499086be1b",
            "ARN": "arn:aws:wafv2:us-west-1:1111222233334444:regional/ipset/ipv4-block/952c5e24-2352-4a1e-a90b-01499086be1b",
            "Description": "",
            "IPAddressVersion": "IPV4",
            "Addresses": [
                "10.1.1.2/32",
                "10.1.1.1/32"
            ]
        },
        "LockToken": "a459c121-f160-4475-9352-fa602ff33df7"
    }
  3. Run the update-ip-set command to replace the current address list with the one in the file. Don't list the IP addresses inline. Instead, reference the JSON file with --cli-input-json. Parameters that you pass on the command line (here the scope, name, ID, and lock token) override values for the same parameters in the file. Include the ID and LockToken values:

    $ aws wafv2 update-ip-set --scope REGIONAL --name ipv4-block --id 952c5e24-2352-4a1e-a90b-01499086be1b --lock-token a459c121-f160-4475-9352-fa602ff33df7 --region us-west-1 --cli-input-json file://ip.json
    {
        "NextLockToken": "238872dc-fcfb-4a45-93fd-115cfcc94480"
    }
  4. Run the get-ip-set command to review the changes to the IPSet. The LockToken in the output is the NextLockToken that update-ip-set returned:

    $ aws wafv2 get-ip-set --scope REGIONAL --name ipv4-block --id 952c5e24-2352-4a1e-a90b-01499086be1b --region us-west-1
    {
        "IPSet": {
            "Name": "ipv4-block",
            "Id": "952c5e24-2352-4a1e-a90b-01499086be1b",
            "ARN": "arn:aws:wafv2:us-west-1:1111222233334444:regional/ipset/ipv4-block/952c5e24-2352-4a1e-a90b-01499086be1b",
            "Description": "",
            "IPAddressVersion": "IPV4",
            "Addresses": [
                "10.1.1.0/24",
                "10.1.2.0/24",
                "10.1.3.0/24"
            ]
        },
        "LockToken": "238872dc-fcfb-4a45-93fd-115cfcc94480"
    }
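For the JSON-file procedure, an added example that is not from the original article: a script that builds ip.json from a plain text block list and refuses to write the file if any entry is not a well-formed IPv4 CIDR, so a typo is caught before it reaches update-ip-set and invalidates the whole request. The input format (one CIDR per line, "#" starts a comment) and the function names are assumptions of this example, not an AWS convention.

```shell
#!/bin/sh
# Added example (not from the AWS Knowledge Center article): build the ip.json
# request file for "update-ip-set --cli-input-json" from a plain text block
# list, refusing to write anything if an entry is not a well-formed IPv4 CIDR,
# so a typo is caught locally instead of by the API call. The input format
# (one CIDR per line, "#" starts a comment) and the function names are this
# example's own assumptions.
set -eu

# Return 0 if $1 is a.b.c.d/n with octets 0-255 (no leading zeros) and
# 1 <= n <= 32. AWS WAF wants an explicit prefix length even for one host
# (10.1.1.1/32) and does not accept /0.
valid_ipv4_cidr() {
  local cidr=$1 ip prefix oldifs o
  case $cidr in ''|*[!0-9./]*|*/*/*) return 1 ;; esac
  case $cidr in */*) ;; *) return 1 ;; esac
  ip=${cidr%/*}; prefix=${cidr#*/}
  case $prefix in [1-9]|[12][0-9]|3[0-2]) ;; *) return 1 ;; esac
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in 0|[1-9]|[1-9][0-9]|[1-9][0-9][0-9]) ;; *) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Read one CIDR per line, strip comments, blanks and duplicates, validate every
# entry, and print the JSON request body that update-ip-set expects.
ipset_json_from_list() {
  local entries c
  entries=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$1" | sort -u)
  while IFS= read -r c; do
    [ -n "$c" ] || continue
    if ! valid_ipv4_cidr "$c"; then
      echo "refusing to write ip.json: '$c' is not a valid IPv4 CIDR" >&2
      return 1
    fi
  done <<EOF
$entries
EOF
  printf '%s\n' "$entries" | awk '
    BEGIN { printf "{\"Addresses\": [" }
    NF    { if (n++) printf ", "; printf "\"%s\"", $0 }
    END   { print "]}" }'
}

# Typical use, then pass the file to the update exactly as in step 3:
#   ipset_json_from_list blocklist.txt > ip.json
#   aws wafv2 update-ip-set --scope REGIONAL --name ipv4-block --id <Id> \
#       --lock-token <LockToken> --region us-west-1 --cli-input-json file://ip.json
if [ $# -eq 1 ]; then
  ipset_json_from_list "$1"
fi
```

Because the function writes nothing on a validation failure and exits non-zero, a pipeline such as ipset_json_from_list blocklist.txt > ip.json && aws wafv2 update-ip-set ... never runs the update with a half-built file. An empty list produces {"Addresses": []}, which removes every address from the IPSet; that is a legitimate request, so check the input before applying it to a blocking rule.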

Related information

AWS WAFV2

Actions, resources, and condition keys for AWS WAF V2

Creating and managing an IP set

AWS OFFICIAL. Updated 2 years ago.