AWS AmazonCloudWatch medium security documentation change
Summary
Changed AWS WAF configuration guidance from recommending custom user-agent strings to requiring a fixed 'CloudWatchSynthetics' string match condition
Security assessment
Addresses potential WAF misconfiguration that could block legitimate canary traffic. Explicitly recommends security configuration to prevent service disruption.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_Troubleshoot.md b/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_Troubleshoot.md index 0d770b615..3b4b68b19 100644 --- a/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_Troubleshoot.md +++ b/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_Troubleshoot.md @@ -131,12 +131 @@ Enter the following command to change the runtime management of the Lambda funct -To allow canary traffic through AWS WAF,create a AWS WAF string match condition that allows a custom string that you specify. For more information, see [Working with string match conditions ](https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-string-conditions.html) in the AWS WAF documentation. - -We strongly recommend that you use your own custom user-agent string instead of using default values. This provides better control over AWS WAF filtering and improves security. - -To set a custom user-agent string, do the following: - - * For Playwright runtimes, you can append your AWS WAF approved custom user-agent string using the Synthetics configuration file. For more information, see [CloudWatch Synthetics configurations](./Synthetics_WritingCanary_Nodejs_Playwright.html#Synthetics_canary_configure_Playwright_script). - - * For Puppeteer or Selenium runtimes, you can add your custom user-agent string using supported library functions. For Puppeteer runtimes, see [async addUserAgent(page, userAgentString);](./CloudWatch_Synthetics_Canaries_Library_Nodejs.html#CloudWatch_Synthetics_Library_addUserAgent). For Selenium runtimes, see [ add_user_agent(user_agent_str)](./CloudWatch_Synthetics_Canaries_Library_Python.html#CloudWatch_Synthetics_Library_add_user_agent). - - - +To prevent AWS WAF from blocking your canary, set up a AWS WAF string match condition that allows the string `CloudWatchSynthetics`. For more information, see [Working with string match conditions ](https://docs.aws.amazon.com/waf/latest/developerguide/classic-web-acl-string-conditions.html) in the AWS WAF documentation.