REST Resource: organizations.environments.securityActions

Resource: SecurityAction

A SecurityAction is a rule that can be enforced at an environment level. The result is one of:
- A denied API call
- An explicitly allowed API call
- A flagged API call (HTTP headers added before the target receives it)

At least one condition is required to create a SecurityAction.

JSON representation
{
  "name": string,
  "description": string,
  "state": enum (State),
  "createTime": string,
  "updateTime": string,
  "apiProxies": [
    string
  ],
  "conditionConfig": {
    object (ConditionConfig)
  },

  // Union field action_type can be only one of the following:
  "allow": {
    object (Allow)
  },
  "deny": {
    object (Deny)
  },
  "flag": {
    object (Flag)
  }
  // End of list of possible types for union field action_type.

  // Union field expiration can be only one of the following:
  "expireTime": string,
  "ttl": string
  // End of list of possible types for union field expiration.
}
Fields
name

string

Immutable. This field is ignored during creation as per AIP-133. Please set the securityActionId field in the CreateSecurityActionRequest when creating a new SecurityAction. Format: organizations/{org}/environments/{env}/securityActions/{securityAction}

description

string

Optional. An optional user provided description of the SecurityAction.

state

enum (State)

Required. Only an ENABLED SecurityAction is enforced. An ENABLED SecurityAction past its expiration time will not be enforced.

createTime

string (Timestamp format)

Output only. The create time for this SecurityAction.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

updateTime

string (Timestamp format)

Output only. The update time for this SecurityAction. This reflects when this SecurityAction changed states.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

apiProxies[]

string

Optional. If unset, this would apply to all proxies in the environment. If set, this action is enforced only if at least one proxy in the repeated list is deployed at the time of enforcement. If set, several restrictions are enforced on SecurityActions. There can be at most 100 enabled actions with proxies set in an env. Several other restrictions apply on conditions and are detailed later.

conditionConfig

object (ConditionConfig)

Required. A valid SecurityAction must contain at least one condition.

Union field action_type. The action that needs to be taken when a request matches this SecurityAction. action_type can be only one of the following:
allow

object (Allow)

Allow a request through if it matches this SecurityAction.

deny

object (Deny)

Deny a request if it matches this SecurityAction.

flag

object (Flag)

Flag a request through if it matches this SecurityAction.

Union field expiration. A SecurityAction will not be enforced beyond this time even if it is enabled. If unset the rule never expires. expiration can be only one of the following:
expireTime

string (Timestamp format)

The expiration for this SecurityAction.

A timestamp in RFC3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: "2014-10-02T15:01:23Z" and "2014-10-02T15:01:23.045123456Z".

ttl

string (Duration format)

Input only. The TTL for this SecurityAction.

A duration in seconds with up to nine fractional digits, ending with 's'. Example: "3.5s".

State

An enum of valid states that a SecurityAction can exist in.

Enums
STATE_UNSPECIFIED The default value. This only exists for forward compatibility. A create request with this value will be rejected.
ENABLED An ENABLED SecurityAction is actively enforced if the expiration_time is in the future.
DISABLED A disabled SecurityAction is never enforced.

Allow

This type has no fields.

Message that should be set in case of an Allow Action. This does not have any fields.

Deny

Message that should be set in case of a Deny Action.

JSON representation
{
  "responseCode": integer
}
Fields
responseCode

integer

Optional. The HTTP response code if the Action = DENY.

Flag

The message that should be set in the case of a Flag action.

JSON representation
{
  "headers": [
    {
      object (HttpHeader)
    }
  ]
}
Fields
headers[]

object (HttpHeader)

Optional. A list of HTTP headers to be sent to the target in case of a FLAG SecurityAction. Limit 5 headers per SecurityAction. At least one is mandatory.

HttpHeader

An HTTP header.

JSON representation
{
  "name": string,
  "value": string
}
Fields
name

string

The header name to be sent to the target.

value

string

The header value to be sent to the target.

ConditionConfig

The following is a list of conditions. A valid SecurityAction must contain at least one condition. Within a condition, each element is ORed. Across conditions, elements are ANDed.

For example, if a SecurityAction has the following: ipAddressRanges: ["ip1", "ip2"] and botReasons: ["Flooder", "Robot Abuser"], then this is interpreted as: enforce the action if the incoming request has ((ipAddressRanges = "ip1" OR ipAddressRanges = "ip2") AND (botReasons = "Flooder" OR botReasons = "Robot Abuser")).

Conditions other than ipAddressRanges and botReasons cannot be ANDed.

JSON representation
{
  "ipAddressRanges": [
    string
  ],
  "botReasons": [
    string
  ],
  "httpMethods": [
    string
  ],
  "apiKeys": [
    string
  ],
  "accessTokens": [
    string
  ],
  "apiProducts": [
    string
  ],
  "developerApps": [
    string
  ],
  "developers": [
    string
  ],
  "userAgents": [
    string
  ],
  "regionCodes": [
    string
  ],
  "asns": [
    string
  ]
}
Fields
ipAddressRanges[]

string

Optional. A list of IP addresses. This could be either IPv4 or IPv6. Limited to 100 per action.

botReasons[]

string

Optional. A list of Bot Reasons. Current options: Flooder, Brute Guessor, Static Content Scraper, OAuth Abuser, Robot Abuser, TorListRule, Advanced Anomaly Detection, Advanced API Scraper, Search Engine Crawlers, Public Clouds, Public Cloud AWS, Public Cloud Azure, and Public Cloud Google.

httpMethods[]

string

Optional. Act only on particular HTTP methods. E.g. A read-only API can block POST/PUT/DELETE methods. Accepted values are: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE and PATCH.

apiKeys[]

string

Optional. A list of API keys. Limit 1000 per action.

accessTokens[]

string

Optional. A list of accessTokens. Limit 1000 per action.

apiProducts[]

string

Optional. A list of API Products. Limit 1000 per action.

developerApps[]

string

Optional. A list of developer apps. Limit 1000 per action.

developers[]

string

Optional. A list of developers. Limit 1000 per action.

userAgents[]

string

Optional. A list of user agents to deny. We look for exact matches. Limit 50 per action.

regionCodes[]

string

Optional. A list of countries/region codes to act on, e.g. US. This follows https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2.

asns[]

string (int64 format)

Optional. A list of ASN numbers to act on, e.g. 23. See https://en.wikipedia.org/wiki/Autonomous_system_(Internet). This uses int64 instead of uint32 because of https://linter.aip.dev/141/forbidden-types.
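
The constraints stated on this page can be checked client-side before a create request is sent. The following is an added example, not part of the API or its client libraries: validate_security_action is a hypothetical helper, the sample bodies are constructed, and the "cannot be ANDed" sentence is read here as "a body that sets more than one condition type may only combine ipAddressRanges and botReasons".

```python
# Added example: lint a SecurityAction body against the limits stated on this page.
LIST_LIMITS = {
    "ipAddressRanges": 100, "userAgents": 50, "apiKeys": 1000,
    "accessTokens": 1000, "apiProducts": 1000, "developerApps": 1000,
    "developers": 1000,
}
UNLIMITED = ("botReasons", "httpMethods", "regionCodes", "asns")  # page states no limit
HTTP_METHODS = set("GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH".split())
ANDABLE = {"ipAddressRanges", "botReasons"}  # assumption: reading of "cannot be ANDed"

def validate_security_action(body):
    """Return a list of problems; an empty list means the body passes."""
    errors = []
    # STATE_UNSPECIFIED is rejected on create, so only the two real states pass.
    if body.get("state") not in ("ENABLED", "DISABLED"):
        errors.append("state must be ENABLED or DISABLED")
    # Union field action_type: exactly one member.
    if len([k for k in ("allow", "deny", "flag") if k in body]) != 1:
        errors.append("exactly one of allow, deny, flag must be set")
    # Union field expiration: at most one member (unset means no expiry).
    if "expireTime" in body and "ttl" in body:
        errors.append("expireTime and ttl are mutually exclusive")
    if "flag" in body and not 1 <= len(body["flag"].get("headers", [])) <= 5:
        errors.append("flag needs between 1 and 5 headers")
    cond = body.get("conditionConfig", {})
    used = [k for k in (*LIST_LIMITS, *UNLIMITED) if cond.get(k)]
    if not used:
        errors.append("conditionConfig needs at least one condition")
    if len(used) > 1 and not set(used) <= ANDABLE:
        errors.append("only ipAddressRanges and botReasons can be combined")
    for key in used:
        if key in LIST_LIMITS and len(cond[key]) > LIST_LIMITS[key]:
            errors.append(f"{key} exceeds limit of {LIST_LIMITS[key]}")
    bad = set(cond.get("httpMethods", [])) - HTTP_METHODS
    if bad:
        errors.append(f"unsupported httpMethods: {sorted(bad)}")
    return errors

# Constructed sample bodies (placeholder values, not real data).
GOOD = {"state": "ENABLED", "deny": {"responseCode": 403}, "ttl": "3600s",
        "conditionConfig": {"ipAddressRanges": ["ip1", "ip2"],
                            "botReasons": ["Flooder", "Robot Abuser"]}}
BAD = {"state": "STATE_UNSPECIFIED", "flag": {"headers": []},
       "expireTime": "2014-10-02T15:01:23Z", "ttl": "3.5s",
       "conditionConfig": {"httpMethods": ["POST", "BREW"],
                           "userAgents": ["ua"] * 51}}

if __name__ == "__main__":
    print(validate_security_action(GOOD), validate_security_action(BAD), sep="\n")
```

The server remains the authority on what is accepted; a check like this only catches bodies that contradict the documented limits before they reach it.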

Methods

create

CreateSecurityAction creates a SecurityAction.

disable

Disable a SecurityAction.

enable

Enable a SecurityAction.

get

Get a SecurityAction by name.

list

Returns a list of SecurityActions.