AWS::WAF::XssMatchSet
The AWS::WAF::XssMatchSet resource specifies the parts of web requests that you want AWS WAF to inspect for
cross-site scripting attacks and the name of the header to inspect. For more information,
see XssMatchSet in the AWS WAF API Reference.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::WAF::XssMatchSet",
  "Properties" : {
    "Name" : String,
    "XssMatchTuples" : [ XssMatchTuple, ... ]
  }
}
YAML
Type: "AWS::WAF::XssMatchSet"
Properties:
  Name: String
  XssMatchTuples:
    - XssMatchTuple
Properties
Name
A friendly name or description for the XssMatchSet.
Required: Yes
Type: String
Update requires: Replacement
XssMatchTuples
The parts of web requests that you want to inspect for cross-site scripting attacks.
Required: No
Type: List of AWS WAF XssMatchSet XssMatchTuple
Update requires: No interruption
Return Value
Ref
When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource physical ID, such as 1234a1a-a1b1-12a1-abcd-a123b123456.
For more information about using the Ref function, see Ref.
Examples
Define Which Part of a Request to Check for Cross-site Scripting
The following example looks for cross-site scripting in the URI or query string of an HTTP request.
JSON
"DetectXSS": {
  "Type": "AWS::WAF::XssMatchSet",
  "Properties": {
    "Name": "XssMatchSet",
    "XssMatchTuples": [
      {
        "FieldToMatch": { "Type": "URI" },
        "TextTransformation": "NONE"
      },
      {
        "FieldToMatch": { "Type": "QUERY_STRING" },
        "TextTransformation": "NONE"
      }
    ]
  }
}
YAML
DetectXSS:
  Type: "AWS::WAF::XssMatchSet"
  Properties:
    Name: "XssMatchSet"
    XssMatchTuples:
      - FieldToMatch:
          Type: "URI"
        TextTransformation: "NONE"
      - FieldToMatch:
          Type: "QUERY_STRING"
        TextTransformation: "NONE"
Associate an XssMatchSet with a Web ACL Rule
The following example associates the DetectXSS match set with a web access control list (ACL) rule.
JSON
"XSSRule" : {
  "Type": "AWS::WAF::Rule",
  "Properties": {
    "Name": "XSSRule",
    "MetricName" : "XSSRule",
    "Predicates": [
      {
        "DataId" : { "Ref" : "DetectXSS" },
        "Negated" : false,
        "Type" : "XssMatch"
      }
    ]
  }
}
YAML
XSSRule:
  Type: "AWS::WAF::Rule"
  Properties:
    Name: "XSSRule"
    MetricName: "XSSRule"
    Predicates:
      - DataId:
          Ref: "DetectXSS"
        Negated: false
        Type: "XssMatch"
Create a Web ACL
The following example associates the XSSRule rule with a web ACL. The web ACL allows all requests except for ones that contain
cross-site scripting in the URI or query string of an HTTP request.
JSON
"MyWebACL": {
  "Type": "AWS::WAF::WebACL",
  "Properties": {
    "Name": "Web ACL to block cross-site scripting",
    "DefaultAction": { "Type": "ALLOW" },
    "MetricName" : "DetectXSSWebACL",
    "Rules": [
      {
        "Action" : { "Type" : "BLOCK" },
        "Priority" : 1,
        "RuleId" : { "Ref" : "XSSRule" }
      }
    ]
  }
}
YAML
MyWebACL:
  Type: "AWS::WAF::WebACL"
  Properties:
    Name: "Web ACL to block cross-site scripting"
    DefaultAction:
      Type: "ALLOW"
    MetricName: "DetectXSSWebACL"
    Rules:
      - Action:
          Type: "BLOCK"
        Priority: 1
        RuleId:
          Ref: "XSSRule"
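As an added check that is not part of the AWS documentation, the following Python script assembles the three snippets above into one constructed template and verifies the XssMatchSet -> Rule -> WebACL chain: every Ref resolves to a resource of the expected type, and every XssMatchTuple uses known FieldToMatch and TextTransformation values. The accepted values beyond URI, QUERY_STRING and NONE are assumed from the AWS WAF Classic API, and the checker itself is not an AWS tool.

```python
import json

# Constructed template: the page's three snippets assembled into one stack.
TEMPLATE = json.loads("""{ "Resources": {
  "DetectXSS": { "Type": "AWS::WAF::XssMatchSet", "Properties": { "Name": "XssMatchSet",
    "XssMatchTuples": [
      { "FieldToMatch": { "Type": "URI" }, "TextTransformation": "NONE" },
      { "FieldToMatch": { "Type": "QUERY_STRING" }, "TextTransformation": "NONE" } ] } },
  "XSSRule": { "Type": "AWS::WAF::Rule", "Properties": { "Name": "XSSRule", "MetricName": "XSSRule",
    "Predicates": [ { "DataId": { "Ref": "DetectXSS" }, "Negated": false, "Type": "XssMatch" } ] } },
  "MyWebACL": { "Type": "AWS::WAF::WebACL", "Properties": { "Name": "Web ACL to block cross-site scripting",
    "DefaultAction": { "Type": "ALLOW" }, "MetricName": "DetectXSSWebACL",
    "Rules": [ { "Action": { "Type": "BLOCK" }, "Priority": 1, "RuleId": { "Ref": "XSSRule" } } ] } }
} }""")

# Assumed value sets for FieldToMatch.Type and TextTransformation (AWS WAF Classic).
FIELD_TYPES = {"URI", "QUERY_STRING", "HEADER", "METHOD", "BODY"}
TRANSFORMS = {"NONE", "URL_DECODE", "HTML_ENTITY_DECODE", "LOWERCASE",
              "CMD_LINE", "COMPRESS_WHITE_SPACE"}

def check_xss_chain(template):
    """Return a list of problems; an empty list means the chain is consistent."""
    res = template["Resources"]
    problems = []
    def ref_type(obj):
        # Resolve {"Ref": "LogicalId"} to the Type of the referenced resource.
        target = res.get(obj.get("Ref")) if isinstance(obj, dict) else None
        return target["Type"] if target else None
    for lid, r in res.items():
        props = r.get("Properties", {})
        if r["Type"] == "AWS::WAF::XssMatchSet":
            for t in props.get("XssMatchTuples", []):
                field = t["FieldToMatch"]
                if field["Type"] not in FIELD_TYPES:
                    problems.append(f"{lid}: unknown FieldToMatch Type {field['Type']}")
                if field["Type"] == "HEADER" and not field.get("Data"):
                    problems.append(f"{lid}: HEADER match needs Data (the header name)")
                if t["TextTransformation"] not in TRANSFORMS:
                    problems.append(f"{lid}: unknown TextTransformation {t['TextTransformation']}")
        elif r["Type"] == "AWS::WAF::Rule":
            for pred in props.get("Predicates", []):
                if pred["Type"] == "XssMatch" and ref_type(pred["DataId"]) != "AWS::WAF::XssMatchSet":
                    problems.append(f"{lid}: XssMatch predicate must Ref an AWS::WAF::XssMatchSet")
        elif r["Type"] == "AWS::WAF::WebACL":
            for rule in props.get("Rules", []):
                if ref_type(rule["RuleId"]) != "AWS::WAF::Rule":
                    problems.append(f"{lid}: RuleId must Ref an AWS::WAF::Rule")
    return problems
```

Running `check_xss_chain(TEMPLATE)` on the assembled template returns an empty list; a predicate whose DataId points at anything other than an XssMatchSet, or a HEADER tuple without a header name, is reported by logical ID.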
