AWS AWSCloudFormation documentation change
Summary
Added documentation for JA4 fingerprint-based rate limiting and fallback behaviors when TLS Client Hello data is insufficient
Security assessment
The change documents security features related to WAF rate limiting using TLS fingerprinting and fallback handling, but does not indicate a specific security vulnerability being addressed.
Diff
diff --git a/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-ratelimitja4fingerprint.md index dd92fd7b5..d9a468905 100644 --- a/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-ratelimitja4fingerprint.md +++ b/AWSCloudFormation/latest/UserGuide/aws-properties-wafv2-webacl-ratelimitja4fingerprint.md @@ -7 +7 @@ SyntaxProperties -The `RateLimitJA4Fingerprint` property type specifies Property description not available. for an [AWS::WAFv2::WebACL](./aws-resource-wafv2-webacl.html). +Use the request's JA4 fingerprint derived from the TLS Client Hello of an incoming request as an aggregate key. If you use a single JA4 fingerprint as your custom key, then each value fully defines an aggregation instance. @@ -32 +32,10 @@ To declare this entity in your AWS CloudFormation template, use the following sy -Property description not available. +The match status to assign to the web request if there is insufficient TSL Client Hello information to compute the JA4 fingerprint. + +You can specify the following fallback behaviors: + + * `MATCH` \- Treat the web request as matching the rule statement. AWS WAF applies the rule action to the request. + + * `NO_MATCH` \- Treat the web request as not matching the rule statement. + + +