AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-03-10 · Documentation low

File: waf/latest/developerguide/waf-rule-statement-fields-list.md

Summary

Added documentation for JA4 fingerprint inspection capability in WAF rule statements

Security assessment

The change introduces documentation for JA4 fingerprint analysis, which is a security feature for client identification through TLS fingerprinting. However, there's no evidence this addresses a specific security vulnerability - it appears to document a new security capability rather than fix an issue.

Diff

diff --git a/waf/latest/developerguide/waf-rule-statement-fields-list.md
index 1e274316c..49f979047 100644
--- a/waf/latest/developerguide/waf-rule-statement-fields-list.md
+++ b/waf/latest/developerguide/waf-rule-statement-fields-list.md
@@ -5 +5 @@
-HTTP methodSingle headerAll headersHeader orderCookiesURI pathJA3 fingerprintQuery stringSingle query parameterAll query parametersBodyJSON body
+HTTP methodSingle headerAll headersHeader orderCookiesURI pathJA3 fingerprintJA4 fingerprintQuery stringSingle query parameterAll query parametersBodyJSON body
@@ -43,0 +44,2 @@ The rest of this section describes the options for the part of the web request t
+  * JA4 fingerprint
+
@@ -155,0 +158,22 @@ To use this match option, you must log your web ACL traffic. For information, se
+## JA4 fingerprint
+
+Inspects the request's JA4 fingerprint. 
+
+###### Note
+
+JA4 fingerprint inspection is available only for Amazon CloudFront distributions and Application Load Balancers.
+
+The JA4 fingerprint is a 36-character hash derived from the TLS Client Hello of an incoming request. This fingerprint serves as a unique identifier for the client's TLS configuration. JA4 fingerprinting is an extension of the JA3 fingerprinting that can result in fewer unique fingerprints for some browsers. AWS WAF calculates and logs this fingerprint for each request that has enough TLS Client Hello information for the calculation. Almost all web requests include this information.
+
+###### How to get the JA4 fingerprint for a client
+
+You can obtain the JA4 fingerprint for a client's requests from the web ACL logs. If AWS WAF is able to calculate the fingerprint, it includes it in the logs. For information about the logging fields, see [Log fields for web ACL traffic](./logging-fields.html).
+
+###### Rule statement requirements
+
+You can inspect the JA4 fingerprint only inside a string match statement that's set to exactly match the string that you provide. Provide the JA4 fingerprint string from the logs in your string match statement specification, to match with any future requests that have the same TLS configuration. For information about the string match statement, see [String match rule statement](./waf-rule-statement-type-string-match.html).
+
+You must provide a fallback behavior for this rule statement. The fallback behavior is the match status that you want AWS WAF to assign to the web request if AWS WAF is unable to calculate the JA4 fingerprint. If you choose to match, AWS WAF treats the request as matching the rule statement and applies the rule action to the request. If you choose to not match, AWS WAF treats the request as not matching the rule statement.
+
+To use this match option, you must log your web ACL traffic. For information, see [Logging AWS WAF web ACL traffic](./logging.html).
+