Amazon AWS WAF Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
The sample messages are line-wrapped because of formatting issues. Before you use one, paste the message into a text editor and then remove any carriage return or line feed characters.
Amazon AWS WAF sample messages when you use the Amazon AWS S3 REST API protocol
Sample 1: The following sample event message shows that Amazon AWS WAF allowed access to the underlying resource.
{"timestamp":1613576332142,"formatVersion":1,"webaclId":"webaclId","terminatingRuleId":"First_Ru
le","terminatingRuleType":"REGULAR","action":"ALLOW","terminatingRuleMatchDetails":
[],"httpSourceName":"APIGW","httpSourceId":"11111111111111:1111111111:First_API_Gateway","ruleGr
oupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":
[],"requestHeadersInserted":null,"responseCodeSent":null,"httpRequest":
{"clientIp":"10.2.173.13","country":"country","headers":[{"name":"accept","value":"text/
html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/
*;q=0.8,application/signed-exchange;v=b3;q=0.9"},{"name":"accept-encoding","value":"gzip,
deflate, br"},{"name":"accept-language","value":"en-US,en;q=0.9"},{"name":"cachecontrol","
value":"max-age=0"},{"name":"Host","value":"1111111111.executeapi.
region.amazonaws.com"},{"name":"sec-fetch-dest","value":"document"},{"name":"sec-fetchmode","
value":"navigate"},{"name":"sec-fetch-site","value":"none"},{"name":"sec-fetchuser","
value":"?1"},{"name":"upgrade-insecure-requests","value":"1"},{"name":"useragent","
value":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/88.0.4324.150 Safari/537.36"},{"name":"X-Amzn-Trace-
Id","value":"Root=1-111111aaaaa1111111"},{"name":"X-Forwarded-For","value":"10.2.173.13"},
{"name":"X-Forwarded-Port","value":"443"},{"name":"X-Forwarded-Proto","value":"https"},
{"name":"Content-Length","value":"0"},{"name":"Connection","value":"Keep-Alive"}],"uri":"/
First_API_Gateway/pets","args":"","httpVersion":"HTTP/
1.1","httpMethod":"GET","requestId":"111111aaaa1aaa1"}}

| JSA field name | Highlighted values in the event payload |
|---|---|
| Event ID | ALLOW |
| Event Category | For this DSM, the value in JSA is always AmazonAWSWAF. |
| Timestamp | 1613576332142 |
| Src IP | 10.2.173.13 |
Sample 2: The following sample event message shows that Amazon AWS WAF blocked traffic to the underlying resource.
{"timestamp":16135764421213,"formatVersion":1,"webaclId":"webaclId","terminatingRuleId":"First_R
ule","terminatingRuleType":"REGULAR","action":"BLOCK","terminatingRuleMatchDetails":
[],"httpSourceName":"APIGW","httpSourceId":"11111111111111:1111111111:First_API_Gateway","ruleGr
oupList":[],"rateBasedRuleList":[],"nonTerminatingMatchingRules":
[],"requestHeadersInserted":null,"responseCodeSent":null,"httpRequest":
{"clientIp":"10.2.173.14","country":"country","headers":[{"name":"accept","value":"text/
html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/
*;q=0.8,application/signed-exchange;v=b3;q=0.9"},{"name":"accept-encoding","value":"gzip,
deflate, br"},{"name":"accept-language","value":"en-US,en;q=0.9"},{"name":"cachecontrol","
value":"max-age=0"},{"name":"Host","value":"1111111111.executeapi.
region.amazonaws.com"},{"name":"sec-fetch-dest","value":"document"},{"name":"sec-fetchmode","
value":"navigate"},{"name":"sec-fetch-site","value":"none"},{"name":"sec-fetchuser","
value":"?1"},{"name":"upgrade-insecure-requests","value":"1"},{"name":"useragent","
value":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like
Gecko) Chrome/88.0.4324.150 Safari/537.36"},{"name":"X-Amzn-Trace-
Id","value":"Root=1-111111aaaaa1111111"},{"name":"X-Forwarded-For","value":"10.2.173.13"},
{"name":"X-Forwarded-Port","value":"443"},{"name":"X-Forwarded-Proto","value":"https"},
{"name":"Content-Length","value":"0"},{"name":"Connection","value":"Keep-Alive"}],"uri":"/
First_API_Gateway/pets","args":"","httpVersion":"HTTP/
1.1","httpMethod":"GET","requestId":"111111aaaa1aaa1"}}

| JSA field name | Highlighted values in the event payload |
|---|---|
| Event ID | BLOCK |
| Event Category | For this DSM, the value in JSA is always AmazonAWSWAF. |
| Timestamp | 16135764421213 |
| Src IP | 10.2.173.14 |
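The unwrap step and field mapping described on this page can be checked before a sample is sent to JSA. The following Python sketch is an added example, not part of the JSA documentation: the function names, the shortened constructed event, and the clock-skew allowance are assumptions. It reads `timestamp` as epoch milliseconds.

```python
import json
import time

# Constructed, shortened event in the shape of the samples on this page,
# wrapped mid-token with CR/LF the way the page prints them.
WRAPPED_SAMPLE = (
    '{"timestamp":1613576332142,"formatVersion":1,"terminatingRuleId":"First_Ru\n'
    'le","terminatingRuleType":"REGULAR","action":"ALLOW","httpRequest":\r\n'
    '{"clientIp":"10.2.173.13","country":"country","uri":"/\n'
    'First_API_Gateway/pets","httpMethod":"GET"}}'
)


def unwrap(text):
    """Remove CR and LF characters so the event becomes a single JSON line."""
    return text.replace("\r", "").replace("\n", "")


def plausible_epoch_ms(ts_ms, max_skew_s=300):
    """True if ts_ms, read as epoch milliseconds, is positive and not in the future.

    max_skew_s is an assumed clock-skew allowance, not a JSA setting.
    """
    return 0 < ts_ms / 1000 <= time.time() + max_skew_s


def jsa_fields(raw_event):
    """Return the values the page's tables highlight for one AWS WAF event."""
    event = json.loads(unwrap(raw_event))
    return {
        "Event ID": event["action"],
        "Event Category": "AmazonAWSWAF",  # constant for this DSM, per the page
        "Timestamp": event["timestamp"],
        "Src IP": event["httpRequest"]["clientIp"],
        "timestamp_plausible": plausible_epoch_ms(event["timestamp"]),
    }


if __name__ == "__main__":
    try:
        json.loads(WRAPPED_SAMPLE)  # a raw line break inside a string is invalid JSON
    except json.JSONDecodeError as err:
        print("wrapped text rejected:", err)
    print(jsa_fields(WRAPPED_SAMPLE))
```

Removing line breaks also removes any space that the wrapping swallowed inside header values such as the user agent string, but the fields in the tables are not affected. The Sample 2 timestamp as printed, 16135764421213, has 14 digits and fails the plausibility check when read as epoch milliseconds.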