AWS config documentation change
Summary
Updated rule description to generalize Shield Advanced protection checks and clarified parameter descriptions for WebACLId, resource scope, tags, and exclusion logic
Security assessment
Improves documentation about security feature (Shield Advanced protection) but no evidence of addressing a specific vulnerability
Diff
diff --git a/config/latest/developerguide/fms-shield-resource-policy-check.md index 8df5e44e5..9133c1217 100644 --- a/config/latest/developerguide/fms-shield-resource-policy-check.md +++ b/config/latest/developerguide/fms-shield-resource-policy-check.md @@ -9 +9 @@ AWS CloudFormation template -Checks whether an Application Load Balancer, Amazon CloudFront distributions, Elastic Load Balancer or Elastic IP has AWS Shield protection. It also checks if they have web ACL associated for Application Load Balancer and Amazon CloudFront distributions. +Checks if resources that AWS Shield Advanced can protect are protected by Shield Advanced. The rule is NON_COMPLIANT if a specified resource is not protected. @@ -25 +25 @@ Type: String -The WebACLId of the web ACL. +A unique identifier for a Web ACL. @@ -31 +31 @@ Type: String -The resource scope which this config rule will be applied to. +The resource types you specify for the rule to check. @@ -37 +37 @@ Type: String -The resource tags that the rule should be associated with (for example, { "tagKey1" : ["tagValue1"], "tagKey2" : ["tagValue2", "tagValue3"] }). +The resource tags you specify for the rule to check. For example, { "tagKey1" : ["tagValue1"], "tagKey2" : ["tagValue2", "tagValue3"] }. @@ -43 +43 @@ Type: boolean -If true, exclude the resources that match the resourceTags. If false, include all the resources that match the resourceTags. +If true, the rule excludes the resources specified in resourceTags. If false, the rule includes all the resources specified in resourceTags.