AWS Security ChangesHomeSearch

AWS solutions documentation change

Service: solutions · 2025-02-27 · Documentation low

File: solutions/latest/security-automations-for-aws-waf/architecture-overview.md

Summary

Changed image placement and formatting, updated bullet point formatting with escape characters, and modified section header for Well-Architected design

Security assessment

The changes are primarily formatting and structural adjustments. While the document discusses security features, the changes themselves do not introduce new security information or address specific security issues.

Diff

diff --git a/solutions/latest/security-automations-for-aws-waf/architecture-overview.md
index f27338f2c..42d95ca0b 100644
--- a/solutions/latest/security-automations-for-aws-waf/architecture-overview.md
+++ b/solutions/latest/security-automations-for-aws-waf/architecture-overview.md
@@ -15 +15 @@ Deploying this solution with the default parameters deploys the following compon
-![CloudFormation template deploys AWS WAF and other AWS resources to protect your web application from common attacks.](/images/solutions/latest/security-automations-for-aws-waf/images/aws-waf-architecture-overview.png)
+**CloudFormation template deploys AWS WAF and other AWS resources to protect your web application from common attacks.**
@@ -17 +17 @@ Deploying this solution with the default parameters deploys the following compon
-_**Security Automations for AWS WAF architecture on AWS**_
+![aws waf architecture overview](/images/solutions/latest/security-automations-for-aws-waf/images/aws-waf-architecture-overview.png)
@@ -27 +27 @@ The group labels don’t reflect the priority level of the WAF rules.
-  * **AWS Managed Rules (A)** – This component contains AWS Managed Rules [IP reputation rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html), [baseline rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html), and [use-case specific rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-use-case.html). These rule groups protect against exploitation of common application vulnerabilities or other unwanted traffic, including those described in [OWASP](https://owasp.org/) publications, without having to write your own rules. 
+  * **AWS Managed Rules (A)** \- This component contains AWS Managed Rules [IP reputation rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-ip-rep.html), [baseline rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html), and [use-case specific rule groups](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-use-case.html). These rule groups protect against exploitation of common application vulnerabilities or other unwanted traffic, including those described in [OWASP](https://owasp.org/) publications, without having to write your own rules.
@@ -29 +29 @@ The group labels don’t reflect the priority level of the WAF rules.
-  * **Manual IP lists (B and C)** – These components create two AWS WAF rules. With these rules, you can manually insert IP addresses that you want to allow or deny. You can configure IP retention and remove expired IP addresses on allowed or denied IP sets using [Amazon EventBridge](https://aws.amazon.com/eventbridge) [rules](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html) and [Amazon DynamoDB](https://aws.amazon.com/dynamodb). For more information, refer to [Configure IP retention on Allowed and Denied AWS WAF IP sets](./configure-ip-retention-on-allowed-and-denied-aws-waf-ip-sets.html). 
+  * **Manual IP lists (B and C)** \- These components create two AWS WAF rules. With these rules, you can manually insert IP addresses that you want to allow or deny. You can configure IP retention and remove expired IP addresses on allowed or denied IP sets using [Amazon EventBridge](https://aws.amazon.com/eventbridge) [rules](https://docs.aws.amazon.com/eventbridge/latest/userguide/eb-rules.html) and [Amazon DynamoDB](https://aws.amazon.com/dynamodb). For more information, refer to [Configure IP retention on Allowed and Denied AWS WAF IP sets](./configure-ip-retention-on-allowed-and-denied-aws-waf-ip-sets.html).
@@ -31 +31 @@ The group labels don’t reflect the priority level of the WAF rules.
-  * **SQL Injection (D) and XSS (E)** – These components configure two AWS WAF rules that are designed to protect against common SQL injection or cross-site scripting (XSS) patterns in the URI, query string, or body of a request. 
+  * **SQL Injection (D) and XSS (E)** \- These components configure two AWS WAF rules that are designed to protect against common SQL injection or cross-site scripting (XSS) patterns in the URI, query string, or body of a request.
@@ -33 +33 @@ The group labels don’t reflect the priority level of the WAF rules.
-  * **HTTP Flood (F)** – This component protects against attacks that consist of a large number of requests from a particular IP address, such as a web-layer DDoS attack or a brute-force login attempt. With this rule, you set a quota that defines the maximum number of incoming requests allowed from a single IP address within a default five-minute period (configurable with the **Athena Query Run Time Schedule** parameter). After this threshold is breached, additional requests from the IP address are temporarily blocked. You can implement this rule by using an AWS WAF rate-based rule, or by processing AWS WAF logs using a Lambda function or Athena query. For more information about the tradeoffs related to HTTP flood mitigation options, refer to [Log parser options](./log-parser-options.html). 
+  * **HTTP Flood (F)** \- This component protects against attacks that consist of a large number of requests from a particular IP address, such as a web-layer DDoS attack or a brute-force login attempt. With this rule, you set a quota that defines the maximum number of incoming requests allowed from a single IP address within a default five-minute period (configurable with the **Athena Query Run Time Schedule** parameter). After this threshold is breached, additional requests from the IP address are temporarily blocked. You can implement this rule by using an AWS WAF rate-based rule, or by processing AWS WAF logs using a Lambda function or Athena query. For more information about the tradeoffs related to HTTP flood mitigation options, refer to [Log parser options](./log-parser-options.html).
@@ -35 +35 @@ The group labels don’t reflect the priority level of the WAF rules.
-  * **Scanner and Probe (G)** – This component parses application access logs searching for suspicious behavior, such as an abnormal amount of errors generated by an origin. Then it blocks those suspicious source IP addresses for a customer-defined period of time. You can implement this rule using a [Lambda](https://aws.amazon.com/lambda/) function or [Athena](https://aws.amazon.com/athena/) query. For more information about the tradeoffs related to scanner and probe mitigation options, refer to [Log parser options](./log-parser-options.html). 
+  * **Scanner and Probe (G)** \- This component parses application access logs searching for suspicious behavior, such as an abnormal amount of errors generated by an origin. Then it blocks those suspicious source IP addresses for a customer-defined period of time. You can implement this rule using a [Lambda](https://aws.amazon.com/lambda/) function or [Athena](https://aws.amazon.com/athena/) query. For more information about the tradeoffs related to scanner and probe mitigation options, refer to [Log parser options](./log-parser-options.html).
@@ -37 +37 @@ The group labels don’t reflect the priority level of the WAF rules.
-  * **IP Reputation Lists (H)** – This component is the `IP Lists Parser` Lambda function that checks third-party IP reputation lists hourly for new ranges to block. These lists include the Spamhaus Don’t Route Or Peer (DROP) and Extended DROP (EDROP) lists, the Proofpoint Emerging Threats IP list, and the Tor exit node list. 
+  * **IP Reputation Lists (H)** \- This component is the `IP Lists Parser` Lambda function that checks third-party IP reputation lists hourly for new ranges to block. These lists include the Spamhaus Don’t Route Or Peer (DROP) and Extended DROP (EDROP) lists, the Proofpoint Emerging Threats IP list, and the Tor exit node list.
@@ -39 +39 @@ The group labels don’t reflect the priority level of the WAF rules.
-  * **Bad Bot (I)** – This component automatically sets up a honeypot, which is a security mechanism intended to lure and deflect an attempted attack. This solution’s honeypot is a trap endpoint that you can insert in your website to detect inbound requests from content scrapers and bad bots. If a source accesses the honeypot, the `Access Handler` Lambda function intercepts and inspects the request to extract its IP address, and then adds it to an AWS WAF block list. 
+  * **Bad Bot (I)** \- This component automatically sets up a honeypot, which is a security mechanism intended to lure and deflect an attempted attack. This solution’s honeypot is a trap endpoint that you can insert in your website to detect inbound requests from content scrapers and bad bots. If a source accesses the honeypot, the `Access Handler` Lambda function intercepts and inspects the request to extract its IP address, and then adds it to an AWS WAF block list.
@@ -54 +54 @@ Concepts and definitions
-Well-Architected design
+AWS Well-Architected design considerations