You can find labels consumed by individual rules of some AWS managed rule groups, like AWS WAF Bot Control and Fraud Control, in the AWS WAF documentation.
While there is currently no API to get 1:1 label-to-rule mappings in a machine-readable format, you can use the `DescribeManagedRuleGroup` API to get all `Rules` of a specific rule set, as well as all its `ConsumedLabels`.

Please note that `ConsumedLabels` is a different field from `AvailableLabels`. Available labels describe all labels that may be added to requests processed by the rule group upon a condition match. Unless specified as consumed labels, these labels are not used by the managed rules of the rule set.
You can use the `DescribeManagedRuleGroup` API like this:

```bash
aws wafv2 describe-managed-rule-group --scope=CLOUDFRONT --vendor-name=AWS --name=AWSManagedRulesATPRuleSet > atp.json
```
Alternatively, you can access the same API with the AWS SDK using the programming language of your choice. Here's a short TypeScript snippet to output rules and consumed labels for specific rule groups in Markdown format:

```typescript
import { WAFV2Client, DescribeManagedRuleGroupCommand } from "@aws-sdk/client-wafv2";

const client = new WAFV2Client();
const describeCommandDefaultInput = { Scope: 'CLOUDFRONT', VendorName: 'AWS' } as const;

const sendDescribeRuleGroupCommand = (Name: string) =>
  client.send(new DescribeManagedRuleGroupCommand({ Name, ...describeCommandDefaultInput }));

// Either list may be absent from the response, so default to an empty array.
const getSortedNames = (arr: { Name?: string }[] = []) => arr.map(x => x.Name!).sort();

const RULE_GROUP_NAMES = [
  'AWSManagedRulesBotControlRuleSet',
  'AWSManagedRulesACFPRuleSet',
  'AWSManagedRulesATPRuleSet',
];

for (const ruleGroupName of RULE_GROUP_NAMES) {
  const ruleGroup = await sendDescribeRuleGroupCommand(ruleGroupName);
  console.log('#', ruleGroupName);

  const consumedLabels = getSortedNames(ruleGroup.ConsumedLabels);
  console.log('####', consumedLabels.length, 'consumed labels');
  consumedLabels.forEach(label => console.log('-', label));

  const rules = getSortedNames(ruleGroup.Rules);
  console.log('####', rules.length, 'rules');
  rules.forEach(rule => console.log('-', rule));
}
```
Also, please note that the number of consumed labels is usually far lower than the number of available labels in any rule set, and rule and label names are usually meaningful enough to correlate them.
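The answer's last two points, that consumed labels are a small subset of available labels and that rule and label names are meaningful enough to correlate by eye, can be turned into a check that runs offline over the response shape of `DescribeManagedRuleGroup` (the `atp.json` written above has this shape). The following is an added example, not code from the original answer or from AWS: the rule group description, its namespace and all names are constructed sample values, and the token-similarity ranking is an assumed heuristic, not an API.

```typescript
type Named = { Name?: string };
interface ManagedRuleGroupDescription {
  LabelNamespace?: string; Rules?: Named[]; AvailableLabels?: Named[]; ConsumedLabels?: Named[];
}

// Constructed sample in the style of the ATP rule group; not copied from the live API.
const SAMPLE_DESCRIPTION: ManagedRuleGroupDescription = {
  LabelNamespace: "awswaf:managed:aws:example:",
  Rules: [{ Name: "VolumetricIpHigh" }, { Name: "AttributeCompromisedCredentials" },
          { Name: "SignalMissingCredential" }, { Name: "UnsupportedIdentityProvider" }],
  AvailableLabels: [
    { Name: "awswaf:managed:aws:example:aggregate:volumetric:ip:high" },
    { Name: "awswaf:managed:aws:example:aggregate:volumetric:session:medium" },
    { Name: "awswaf:managed:aws:example:signal:credential_compromised" },
    { Name: "awswaf:managed:aws:example:signal:missing_credential" },
  ],
  // Only these two are fed back into the group's own rules; the others exist for the caller's rules.
  ConsumedLabels: [
    { Name: "awswaf:managed:aws:example:signal:credential_compromised" },
    { Name: "awswaf:managed:aws:example:aggregate:volumetric:ip:high" },
  ],
};

// Missing lists and unnamed entries are tolerated: the API omits a list it has nothing to report in.
const names = (arr?: Named[]): string[] => (arr ?? []).map(x => x.Name ?? "").filter(Boolean).sort();

// Lowercase word tokens with a crude plural strip, so "CompromisedCredentials" and
// "credential_compromised" compare equal; structural words every label shares are dropped.
const STRUCTURAL = new Set(["signal", "aggregate"]);
const tokens = (s: string): Set<string> => new Set(
  s.replace(/([a-z0-9])([A-Z])/g, "$1 $2").toLowerCase().split(/[^a-z0-9]+/)
    .filter(t => t && !STRUCTURAL.has(t)).map(t => t.replace(/s$/, "")));
const jaccard = (a: Set<string>, b: Set<string>): number => {
  const shared = Array.from(a).filter(t => b.has(t)).length;
  return shared / (a.size + b.size - shared);
};

// consumed: labels the group's own rules match on; availableOnly: emitted but never consumed;
// bestRule: per consumed label, the most similarly named rule (null if none scores >= minScore).
function reportLabels(d: ManagedRuleGroupDescription, minScore = 0.5) {
  const consumed = names(d.ConsumedLabels);
  const consumedSet = new Set(consumed);
  const availableOnly = names(d.AvailableLabels).filter(l => !consumedSet.has(l));
  const rules = names(d.Rules).map(r => ({ r, t: tokens(r) }));
  const bestRule: Record<string, string | null> = {};
  for (const label of consumed) {
    const lt = tokens(label.slice((d.LabelNamespace ?? "").length));
    const top = rules.map(x => ({ r: x.r, s: jaccard(lt, x.t) })).sort((a, b) => b.s - a.s)[0];
    bestRule[label] = top && top.s >= minScore ? top.r : null;
  }
  return { consumed, availableOnly, bestRule };
}
```

A `null` in `bestRule` flags a consumed label whose rule cannot be recovered from naming alone and needs a manual look at the documentation.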