How can I create, list, or update an IPSet in AWS WAF using the AWS Command Line Interface (AWS CLI)?

An IPSet specifies which web requests to permit or block based on the IP addresses from which the requests originate. You can use the AWS CLI to define the set of IP addresses (an IPSet) that a web access control list (web ACL) matches against.

Before proceeding, be sure to install the AWS CLI or upgrade to the latest version.

This resolution uses the waf-regional CLI (available in botocore version 1.4.85 or later) to create an IPSet in a specific AWS Region. For a global IPSet used with Amazon CloudFront, use the waf CLI instead.

Important: When using the waf-regional command, be sure to check the default region of the AWS CLI before proceeding, and verify that the Region is where you want to create the IPSet. Otherwise, you must specify the correct AWS Region for the IPSet (using the --region option) in your commands.

Create an IPSet

1.    Sign in to the AWS CLI.

2.    Generate a change token using the command get-change-token.

Note: Change tokens prevent your application from submitting conflicting requests to AWS WAF. You must get a change token and include it in any requests to create, update, or delete AWS WAF objects. Each request must use a unique change token. For more information, see GetChangeToken.

Example output:

$ aws waf-regional get-change-token
{
    "ChangeToken": "96836241-b667-4f0a-a655-e4bc49eaa2c4"
}

3.    Create an IPSet using the command create-ip-set. Example output:

$ aws waf-regional create-ip-set --name test_ipset --change-token 96836241-b667-4f0a-a655-e4bc49eaa2c4
{
    "IPSet": {
        "IPSetId": "bd37ef8c-102b-4d7a-9532-80fb97e4c281",
        "Name": "test_ipset",
        "IPSetDescriptors": []
    },
    "ChangeToken": "96836241-b667-4f0a-a655-e4bc49eaa2c4"
}

List IPSets

To list IPSets, use the command list-ip-sets. The response returns an array of IPSetSummary objects.

Example output:

$ aws waf-regional list-ip-sets
{
    "IPSets": [
        {
            "IPSetId": "bd37ef8c-102b-4d7a-9532-80fb97e4c281",
            "Name": "test-ipset"
        }
    ],
    "NextMarker": "bd37ef8c-102b-4d7a-9532-80fb97e4c281"
}

Note: If you specify a value for Limit and have more IPSets than this value, AWS WAF returns a NextMarker value. See Request Parameters.

Update an IPSet

To update an IPSet, use the command update-ip-set with either shorthand syntax or a JSON file.

Shorthand syntax method:

$ aws waf-regional update-ip-set --ip-set-id bd37ef8c-102b-4d7a-9532-80fb97e4c281 --change-token c47ddcba-d128-4ec9-acd6-ce981c6655c5 --updates Action="INSERT",IPSetDescriptor='{Type="IPV4",Value="192.168.2.1/32"}' Action="INSERT",IPSetDescriptor='{Type="IPV4",Value="192.168.2.2/32"}' Action="INSERT",IPSetDescriptor='{Type="IPV4",Value="192.168.2.3/32"}' Action="INSERT",IPSetDescriptor='{Type="IPV4",Value="192.168.2.4/32"}' Action="INSERT",IPSetDescriptor='{Type="IPV4",Value="192.168.2.5/32"}'
{
    "ChangeToken": "c47ddcba-d128-4ec9-acd6-ce981c6655c5"
}

JSON file method:

1.    Generate a change token using the command get-change-token as described in the previous section Create an IPSet.

2.    Create a JSON file (such as test.json) with your update request syntax using your preferred editor. For example:

$ nano test.json
{
       "ChangeToken": "b3d8178a-666a-484a-92af-1dcd02cafcfa",
       "IPSetId": "bd37ef8c-102b-4d7a-9532-80fb97e4c281",
       "Updates": [{
              "Action": "DELETE",
              "IPSetDescriptor": {
                      "Type": "IPV4",
                      "Value": "192.168.2.5/32"
              }
       }]
}

3.    Use the command update-ip-set to make your requested change to the IPSet using the JSON file you just created. For example:

$ aws waf-regional update-ip-set --ip-set-id bd37ef8c-102b-4d7a-9532-80fb97e4c281 --cli-input-json file:///home/ec2-user/test.json
{
    "ChangeToken": "b3d8178a-666a-484a-92af-1dcd02cafcfa"
}

4.    Validate the changes you requested for the IPSet using the command get-ip-set. For example:

$ aws waf-regional get-ip-set --ip-set-id bd37ef8c-102b-4d7a-9532-80fb97e4c281
{
    "IPSet": {
        "IPSetId": "bd37ef8c-102b-4d7a-9532-80fb97e4c281",
        "Name": "test-ipset",
        "IPSetDescriptors": [
            {
                "Type": "IPV4",
                "Value": "192.168.2.2/32"
            },
            {
                "Type": "IPV4",
                "Value": "192.168.2.3/32"
            },
            {
                "Type": "IPV4",
                "Value": "192.168.2.1/32"
            },
            {
                "Type": "IPV4",
                "Value": "192.168.2.4/32"
            }
        ]
    }
}
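The JSON file method above is easy to get wrong by hand: AWS WAF Classic accepts only the /8, /16, /24 and /32 prefix lengths for IPV4 descriptors, and a request that contains one bad descriptor fails as a whole. The following shell script is an added example (not code from the AWS article) that validates each CIDR locally and then emits the update-ip-set request JSON in the same shape as test.json above. The change token, IPSet ID and CIDRs it takes are placeholders you supply; it never invokes the CLI itself, so it runs offline.

```shell
#!/bin/sh
# Added example, not from the AWS Knowledge Center article.
# Builds a --cli-input-json request for update-ip-set from a list of IPv4
# CIDRs, rejecting any entry AWS WAF Classic would refuse before the API
# call is made. IP_SET_ID and CHANGE_TOKEN below are placeholders (assumed).

# valid_ipv4_cidr A.B.C.D/N -> returns 0 when every octet is 0-255 and N is
# one of the prefix lengths WAF Classic supports for IPv4 (8, 16, 24, 32).
valid_ipv4_cidr() {
    cidr=$1
    ip=${cidr%/*}
    prefix=${cidr#*/}
    [ "$ip" != "$cidr" ] || return 1              # no "/" in the value
    case "$prefix" in 8|16|24|32) ;; *) return 1 ;; esac
    oldifs=$IFS
    IFS=.
    set -- $ip                                     # split on the dots
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# build_ip_set_update ACTION CHANGE_TOKEN IP_SET_ID CIDR... -> prints the
# update-ip-set request JSON on stdout. Any invalid CIDR or action makes the
# function fail without printing a request, so nothing half-formed is sent.
build_ip_set_update() {
    action=$1
    token=$2
    set_id=$3
    shift 3
    case "$action" in
        INSERT|DELETE) ;;
        *) echo "unsupported action: $action" >&2; return 1 ;;
    esac
    [ $# -gt 0 ] || { echo "no CIDRs given" >&2; return 1; }
    for c in "$@"; do
        valid_ipv4_cidr "$c" || { echo "rejected CIDR: $c" >&2; return 1; }
    done
    printf '{\n  "ChangeToken": "%s",\n  "IPSetId": "%s",\n  "Updates": [' \
        "$token" "$set_id"
    sep=''
    for c in "$@"; do
        printf '%s\n    {"Action": "%s", "IPSetDescriptor": {"Type": "IPV4", "Value": "%s"}}' \
            "$sep" "$action" "$c"
        sep=','
    done
    printf '\n  ]\n}\n'
}

# Usage with the CLI (placeholders, not real identifiers). Each request needs
# a fresh change token, so fetch one immediately before building the file:
#   CHANGE_TOKEN=$(aws waf-regional get-change-token --query ChangeToken --output text)
#   IP_SET_ID=<your-ipset-id>
#   build_ip_set_update INSERT "$CHANGE_TOKEN" "$IP_SET_ID" \
#       203.0.113.0/24 198.51.100.7/32 > test.json
#   aws waf-regional update-ip-set --ip-set-id "$IP_SET_ID" --cli-input-json file://test.json
#   aws waf-regional get-ip-set --ip-set-id "$IP_SET_ID"      # confirm the change
```

The validation deliberately mirrors the service's own rule rather than accepting any prefix length, because a request with a single unsupported descriptor (a /12, for example) is rejected as a whole and the change token in it is consumed; catching it locally keeps the token usable and the error message obvious.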

AWS WAF (supported API actions)

Working with IP Match Conditions (AWS WAF console)

Published: 2018-09-22