AWS Security ChangesHomeSearch

AWS solutions documentation change

Service: solutions · 2025-02-27 · Documentation low

File: solutions/latest/security-automations-for-aws-waf/step-1.-launch-the-stack.md

Summary

Updated formatting and syntax in the AWS WAF security automation documentation, including changes to parameter descriptions, note formatting, and URL encoding. Removed some redundant sections and consolidated notes into parameter descriptions.

Security assessment

The changes are primarily formatting and syntax improvements to existing documentation. While the content relates to security features (AWS WAF), there is no evidence of addressing a specific security vulnerability or adding new security documentation.

Diff

diff --git a/solutions/latest/security-automations-for-aws-waf/step-1.-launch-the-stack.md
index 4cad22e6b..baf1764a7 100644
--- a/solutions/latest/security-automations-for-aws-waf/step-1.-launch-the-stack.md
+++ b/solutions/latest/security-automations-for-aws-waf/step-1.-launch-the-stack.md
@@ -9 +9 @@ This automated AWS CloudFormation template deploys the solution on the AWS Cloud
-  1. Sign in to the [AWS Management Console](https://aws.amazon.com/console/) and select **Launch Solution** to launch the `waf-automation-on-aws.template` CloudFormation template. 
+  1. Sign into [AWS Management Console](https://aws.amazon.com/console) and select the **Launch Solution** to launch `waf-automation-on-aws.template` CloudFormation template.
@@ -11 +11 @@ This automated AWS CloudFormation template deploys the solution on the AWS Cloud
-[ ![Blue oval button with white text reading "Launch solution".](/images/solutions/latest/security-automations-for-aws-waf/images/launch-button.png) ](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=WAFSecurityAutomations&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fsecurity-automations-for-aws-waf%2Flatest%2Faws-waf-security-automations.template&redirectId=ImplementationGuide)
+[ ![Launch solution](/images/solutions/latest/security-automations-for-aws-waf/images/launch-button.png) ](https://console.aws.amazon.com/cloudformation/home?region=us-east-1#/stacks/new?stackName=WAFSecurityAutomations&templateURL=https:%2F%2Fs3.amazonaws.com%2Fsolutions-reference%2Fsecurity-automations-for-aws-waf%2Flatest%2Faws-waf-security-automations.template&redirectId=ImplementationGuide)
@@ -27,8 +27,4 @@ Parameter  |  Default  |  Description
-**Stack name** |  ``<requires input>`` |  The stack name can’t contain spaces. This name must be unique within your AWS account and is the name of the web ACL that the template creates.   
-**Resource Type**  
-**Endpoint** |  `CloudFront` |  Choose the type of resource being used. 
-
-###### Note
-
-If you choose `CloudFront` as your endpoint, you must launch the solution to create WAF resources in the US East (N. Virginia) Region (`us-east-1`).   
-**AWS Managed IP Reputation Rule Groups**  
+**Stack name** |  `[.red]#`<requires input>` |  The stack name can’t contain spaces. This name must be unique within your AWS account and is the name of the web ACL that the template creates.  
+**Resource Type** |  |   
+**Endpoint** |  `CloudFront` |  Choose the type of resource being used. NOTE: If you choose `CloudFront` as your endpoint, you must launch the solution to create WAF resources in the US East (N. Virginia) Region (`us-east-1`).  
+**AWS Managed IP Reputation Rule Groups** |  |   
@@ -37 +33 @@ If you choose `CloudFront` as your endpoint, you must launch the solution to cre
-**AWS Managed Baseline Rule Groups**  
+**AWS Managed Baseline Rule Groups** |  |   
@@ -41 +37 @@ If you choose `CloudFront` as your endpoint, you must launch the solution to cre
-**AWS Managed Use-case Specific Rule Group**  
+**AWS Managed Use-case Specific Rule Group** |  |   
@@ -48 +44 @@ If you choose `CloudFront` as your endpoint, you must launch the solution to cre
-**Custom Rule – Scanner & Probes**  
+**Custom Rule - Scanner & Probes** |  |   
@@ -50,6 +46,2 @@ If you choose `CloudFront` as your endpoint, you must launch the solution to cre
-**Application Access Log Bucket Name** |  ``<requires input>`` |  If you chose `yes` for the **Activate Scanner & Probe Protection** parameter, enter the name of the Amazon S3 bucket (new or existing) where you want to store access logs for your CloudFront distribution(s) or ALB(s). If you’re using an existing Amazon S3 bucket, it must be located in the same AWS Region where you are deploying the CloudFormation template. You should use a different bucket for each solution deployment.  To deactivate this protection, ignore this parameter. 
-
-###### Note
-
-Turn on web access logging for your CloudFront web distribution(s) or ALB(s) to send log files to this Amazon S3 bucket. Save logs in the same prefix defined in the stack (default prefix `AWSLogs/`). See the **Application Access Log Bucket Prefix** parameter for more information.   
-**Application Access Log Bucket Prefix** |  `AWSLogs/` |  If you chose `yes` for the **Activate Scanner & Probe Protection** parameter, you can enter an optional user defined prefix for the application access logs bucket above.  If you chose `CloudFront` for the **Endpoint** parameter, you can enter any prefix such as `yourprefix/`.  If you chose `ALB` for the **Endpoint** parameter, you must append `AWSLogs/` to your prefix such as `yourprefix/AWSLogs/`.  Use `AWSLogs/` (default) if there isn't a user-defined prefix.  To deactivate this protection, ignore this parameter.   
+**Application Access Log Bucket Name** |  `[.red]<requires input>` |  If you chose `yes` for the **Activate Scanner & Probe Protection** parameter, enter the name of the Amazon S3 bucket (new or existing) where you want to store access logs for your CloudFront distribution(s) or ALB(s). If you’re using an existing Amazon S3 bucket, it must be located in the same AWS Region where you are deploying the CloudFormation template. You should use a different bucket for each solution deployment. To deactivate this protection, ignore this parameter. NOTE: Turn on web access logging for your CloudFront web distribution(s) or ALB(s) to send log files to this Amazon S3 bucket. Save logs in the same prefix defined in the stack (default prefix `AWSLogs/`). See the **Application Access Log Bucket Prefix** parameter for more information.  
+**Application Access Log Bucket Prefix** |  `AWSLogs/` |  If you chose `yes` for the **Activate Scanner & Probe Protection** parameter, you can enter an optional user defined prefix for the application access logs bucket above. If you chose `CloudFront` for the **Endpoint** parameter, you can enter any prefix such as `yourprefix/`. If you chose `ALB` for the **Endpoint** parameter, you must append `AWSLogs/` to your prefix such as `yourprefix/AWSLogs/`. Use `AWSLogs/` (default) if there isn’t a user-defined prefix. To deactivate this protection, ignore this parameter.  
@@ -59 +51 @@ Turn on web access logging for your CloudFront web distribution(s) or ALB(s) to
-**Custom Rule – HTTP Flood**  
+**Custom Rule - HTTP Flood** |  |   
@@ -61,10 +53,6 @@ Turn on web access logging for your CloudFront web distribution(s) or ALB(s) to
-**Default Request Threshold** |  `100` |  If you chose `yes` for the **Activate HTTP Flood Protection** parameter, enter the maximum acceptable requests per five minutes, per IP address.  If you chose `yes - AWS WAF rate-based rule` for the **Activate HTTP Flood Protection** parameter, the minimum acceptable value is `100`.  If you chose `yes - AWS Lambda log parser` or `yes – Amazon Athena log parser` for the **Activate HTTP Flood Protection** parameter, it can be any value.  To deactivate this protection, ignore this parameter.   
-**Request Threshold by Country** |  _< optional input>_ |  If you chose `yes – Amazon Athena log parser` for the **Activate HTTP Flood Protection** parameter, you can enter a threshold by country following this JSON format `{"TR":50,"ER":150}`. The solution uses these thresholds for the requests originated from the specified countries. The solution uses the **Default Request Threshold** parameter for the remaining requests. 
-
-###### Note
-
-If you define this parameter, the country will automatically be included in Athena query group, along with IP and other optional group-by fields that you can select with the **Group By Requests in HTTP Flood Athena Query** parameter.  If you chose to deactivate this protection, ignore this parameter.   
-**Group By Requests in HTTP Flood Athena Query** |  `None` |  If you chose `yes – Amazon Athena log parser` for the **Activate HTTP Flood Protection** parameter, you can choose a group-by field to count requests per IP and the selected group-by field. For example, if you choose `URI`, the solution counts the requests per IP and URI.  If you chose to deactivate this protection, ignore this parameter.   
-**WAF Block Period** |  `240` |  If you chose `yes - AWS Lambda log parser` or `yes – Amazon Athena log parser` for the **Activate Scanner & Probe Protection** or **Activate HTTP Flood Protection** parameters, enter the period (in minutes) to block applicable IP addresses.  To deactivate log parsing, ignore this parameter.   
-**Athena Query Run Time Schedule (Minute)** |  `5` |  If you chose `yes – Amazon Athena log parser` for the **Activate Scanner & Probe Protection** or **Activate HTTP Flood Protection** parameters, you can enter a time interval (in minutes) over which the Athena query runs. By default, the Athena query runs every 5 minutes.  If you chose to deactivate these protections, ignore this parameter.   
-**Custom Rule – Bad Bot**  
+**Default Request Threshold** |  `100` |  If you chose `yes` for the **Activate HTTP Flood Protection** parameter, enter the maximum acceptable requests per five minutes, per IP address. If you chose `yes - AWS WAF rate-based rule` for the **Activate HTTP Flood Protection** parameter, the minimum acceptable value is `100`. If you chose `yes - AWS Lambda log parser` or `yes - Amazon Athena log parser` for the **Activate HTTP Flood Protection** parameter, it can be any value. To deactivate this protection, ignore this parameter.  
+**Request Threshold by Country** |  _< optional input>_ |  If you chose `yes - Amazon Athena log parser` for the **Activate HTTP Flood Protection** parameter, you can enter a threshold by country following this JSON format `{"TR":50,"ER":150}`. The solution uses these thresholds for the requests originated from the specified countries. The solution uses the **Default Request Threshold** parameter for the remaining requests. NOTE: If you define this parameter, the country will automatically be included in Athena query group, along with IP and other optional group-by fields that you can select with the **Group By Requests in HTTP Flood Athena Query** parameter. + If you chose to deactivate this protection, ignore this parameter.  
+**Group By Requests in HTTP Flood Athena Query** |  `None` |  If you chose `yes - Amazon Athena log parser` for the **Activate HTTP Flood Protection** parameter, you can choose a group-by field to count requests per IP and the selected group-by field. For example, if you choose `URI`, the solution counts the requests per IP and URI. If you chose to deactivate this protection, ignore this parameter.  
+**WAF Block Period** |  `240` |  If you chose `yes - AWS Lambda log parser` or `yes - Amazon Athena log parser` for the **Activate Scanner & Probe Protection** or **Activate HTTP Flood Protection** parameters, enter the period (in minutes) to block applicable IP addresses. To deactivate log parsing, ignore this parameter.  
+**Athena Query Run Time Schedule (Minute)** |  `5` |  If you chose `yes - Amazon Athena log parser` for the **Activate Scanner & Probe Protection** or **Activate HTTP Flood Protection** parameters, you can enter a time interval (in minutes) over which the Athena query runs. By default, the Athena query runs every 5 minutes. If you chose to deactivate these protections, ignore this parameter.  
+**Custom Rule - Bad Bot** |  |   
@@ -73,2 +61,2 @@ If you define this parameter, the country will automatically be included in Athe
-**Default Request Threshold** |  100  |  If you chose `yes` for the **Activate HTTP Flood Protection** parameter, enter the maximum acceptable requests per five minutes, per IP address.  If you chose `yes - AWS WAF rate-based rule` for the **Activate HTTP Flood Protection** parameter, the minimum acceptable value is 100.  If you chose `yes - AWS Lambda log parser` or `yes – Amazon Athena log parser` for the **Activate HTTP Flood Protection** parameter, it can be any value.  To deactivate this protection, ignore this parameter.   
-**Custom Rule – Third Party IP Reputation Lists**  
+**Default Request Threshold** |  100 |  If you chose `yes` for the **Activate HTTP Flood Protection** parameter, enter the maximum acceptable requests per five minutes, per IP address. If you chose `yes - AWS WAF rate-based rule` for the **Activate HTTP Flood Protection** parameter, the minimum acceptable value is 100. If you chose `yes - AWS Lambda log parser` or `yes - Amazon Athena log parser` for the **Activate HTTP Flood Protection** parameter, it can be any value. To deactivate this protection, ignore this parameter.  
+**Custom Rule - Third Party IP Reputation Lists** |  |   
@@ -76,17 +64,5 @@ If you define this parameter, the country will automatically be included in Athe
-**Legacy Custom Rules**  
-**Activate SQL Injection Protection** |  `yes` |  Choose `yes` to turn on the component designed to block common SQL injection attacks. Consider activating it if you aren’t using an AWS managed core rule set or AWS managed SQL database rule group.  You can choose one of the options (`yes` (continue), `yes - MATCH`, or `yes - NO_MATCH`) that you want AWS WAF to handle oversized request exceeding 8 KB (8192 bytes). By default, `yes` inspects the request component contents that are within the size limitations according to the rule inspection criteria. For more information, refer to [Handling oversize web request components](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html).  Choose `no` to deactivate this feature. 
-
-###### Note
-
-The CloudFormation stack adds the selected oversize handling option to the default SQL injection protection rule and deploys it into your AWS account. If you customized the rule outside of CloudFormation, your changes will be overwritten after the stack update.   
-**Sensitivity Level for SQL Injection Protection** |  `LOW` |  Choose the sensitivity level that you want AWS WAF to use to inspect for SQL injection attacks.  `HIGH` detects more attacks, but might generate more false positives.  `LOW` is generally a better choice for resources that already have other protections against SQL injection attacks or that have a low tolerance for false positives.  For more information, refer to [AWS WAF adds sensitivity levels for SQL injection rule statements](https://aws.amazon.com/about-aws/whats-new/2022/07/aws-waf-sensitivity-levels-sql-injection-rule-statements/) and [SensitivityLevel property](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-sqlimatchstatement.html#cfn-wafv2-webacl-sqlimatchstatement-sensitivitylevel) in the _AWS CloudFormation User Guide_.  If you choose to deactivate SQL injection protection, ignore this parameter. 
-
-###### Note
-
-The CloudFormation stack adds the selected sensitivity level to the default SQL injection protection rule and deploys it into your AWS account. If you customized the rule outside of CloudFormation, your changes will be overwritten after the stack update.   
-**Activate Cross-site Scripting Protection** |  `yes` |  Choose `yes` to turn on the component designed to block common XSS attacks. Consider activating it if you aren’t using an AWS managed core rule set. You can also select one of the options (`yes` (continue), `yes - MATCH`, or `yes - NO_MATCH`) that you want AWS WAF to handle oversized request exceeding 8 KB (8192 bytes). By default, `yes` uses the `Continue` option, which inspects the request component contents that are within the size limitations according to the rule inspection criteria. For more information, refer to [Oversize handling for request components](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html).  Choose `no` to deactivate this feature. 
-
-###### Note
-
-The CloudFormation stack adds the selected oversize handling option to the default cross-site scripting rule and deploys it into your AWS account. If you customized the rule outside of CloudFormation, your changes will be overwritten after the stack update.   
-**Allowed and Denied IP Retention Settings**  
+**Legacy Custom Rules** |  |   
+**Activate SQL Injection Protection** |  `yes` |  Choose `yes` to turn on the component designed to block common SQL injection attacks. Consider activating it if you aren’t using an AWS managed core rule set or AWS managed SQL database rule group. You can choose one of the options (`yes` (continue), `yes - MATCH`, or `yes - NO_MATCH`) that you want AWS WAF to handle oversized request exceeding 8 KB (8192 bytes). By default, `yes` inspects the request component contents that are within the size limitations according to the rule inspection criteria. For more information, refer to [Handling oversize web request components](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html). Choose `no` to deactivate this feature. NOTE: The CloudFormation stack adds the selected oversize handling option to the default SQL injection protection rule and deploys it into your AWS account. If you customized the rule outside of CloudFormation, your changes will be overwritten after the stack update.  
+**Sensitivity Level for SQL Injection Protection** |  `LOW` |  Choose the sensitivity level that you want AWS WAF to use to inspect for SQL injection attacks. `HIGH` detects more attacks, but might generate more false positives. `LOW` is generally a better choice for resources that already have other protections against SQL injection attacks or that have a low tolerance for false positives. For more information, refer to [AWS WAF adds sensitivity levels for SQL injection rule statements](https://aws.amazon.com/about-aws/whats-new/2022/07/aws-waf-sensitivity-levels-sql-injection-rule-statements/) and [SensitivityLevel property](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-sqlimatchstatement.html#cfn-wafv2-webacl-sqlimatchstatement-sensitivitylevel) in the _AWS CloudFormation User Guide_. If you choose to deactivate SQL injection protection, ignore this parameter. NOTE: The CloudFormation stack adds the selected sensitivity level to the default SQL injection protection rule and deploys it into your AWS account. If you customized the rule outside of CloudFormation, your changes will be overwritten after the stack update.  
+**Activate Cross-site Scripting Protection** |  `yes` |  Choose `yes` to turn on the component designed to block common XSS attacks. Consider activating it if you aren’t using an AWS managed core rule set. You can also select one of the options (`yes` (continue), `yes - MATCH`, or `yes - NO_MATCH`) that you want AWS WAF to handle oversized request exceeding 8 KB (8192 bytes). By default, `yes` uses the `Continue` option, which inspects the request component contents that are within the size limitations according to the rule inspection criteria. For more information, refer to [Oversize handling for request components](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html). Choose `no` to deactivate this feature. NOTE: The CloudFormation stack adds the selected oversize handling option to the default cross-site scripting rule and deploys it into your AWS account. If you customized the rule outside of CloudFormation, your changes will be overwritten after the stack update.  
+**Allowed and Denied IP Retention Settings** |  |   
@@ -96 +72 @@ The CloudFormation stack adds the selected oversize handling option to the defau
-**Advanced Settings**  
+**Advanced Settings** |  |   
@@ -115 +90,0 @@ When using this solution, you will see all functions in the AWS Lambda console,
-To see details about the stack resources, choose the **Outputs** tab. This includes the **BadBotHoneypotEndpoint** value, which is the API Gateway honeypot endpoint. Remember this value because you will use it in [Embed the Honeypot link in your web application](./embed-the-honeypot-link-in-your-web-application-optional.html). 
@@ -118,0 +94 @@ To see details about the stack resources, choose the **Outputs** tab. This inclu
+To see details about the stack resources, choose the **Outputs** tab. This includes the **BadBotHoneypotEndpoint** value, which is the API Gateway honeypot endpoint. Remember this value because you will use it in [Embed the Honeypot link in your web application](./embed-the-honeypot-link-in-your-web-application-optional.html).