AWS Security ChangesHomeSearch

AWS AWSCloudFormation documentation change

Service: AWSCloudFormation · 2025-03-10 · Documentation low

File: AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-fieldtomatch.md

Summary

Added JA4 fingerprint matching documentation for web requests in WAF

Security assessment

Documents TLS fingerprint analysis capability as a security feature, not addressing a specific vulnerability

Diff

diff --git a/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-fieldtomatch.md
index 4c4069416..95292f9c1 100644
--- a/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-fieldtomatch.md
+++ b/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-fieldtomatch.md
@@ -161 +161,9 @@ _Required_ : No
-Property description not available.
+Available for use with Amazon CloudFront distributions and Application Load Balancers. Match against the request's JA4 fingerprint. The JA4 fingerprint is a 36-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. AWS WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information.
+
+###### Note
+
+You can use this choice only with a string match `ByteMatchStatement` with the `PositionalConstraint` set to `EXACTLY`. 
+
+You can obtain the JA4 fingerprint for client requests from the web ACL logs. If AWS WAF is able to calculate the fingerprint, it includes it in the logs. For information about the logging fields, see [Log fields](https://docs.aws.amazon.com/waf/latest/developerguide/logging-fields.html) in the _AWS WAF Developer Guide_. 
+
+Provide the JA4 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration.