AWS Security ChangesHomeSearch

AWS amplify documentation change

Service: amplify · 2025-03-30 · Documentation low

File: amplify/latest/userguide/WAF-integration.md

Summary

Restructured documentation with updated feature availability status (GA instead of preview), removed detailed configuration steps, and added topic links to dedicated pages. Added clearer explanation of AWS WAF integration benefits.

Security assessment

The changes primarily restructure content and remove preview limitations, but do not address a specific security vulnerability. The added description of AWS WAF integration and security controls qualifies as adding security documentation.

Diff

diff --git a/amplify/latest/userguide/WAF-integration.md b/amplify/latest/userguide/WAF-integration.md
index 4426e5e7d..4204eb573 100644
--- a/amplify/latest/userguide/WAF-integration.md
+++ b/amplify/latest/userguide/WAF-integration.md
@@ -5 +5 @@
-Enabling AWS WAF for an Amplify appDisassociate a web ACL from an Amplify appHow Amplify integrates with AWS WAFFirewall preview limitationsFirewall pricing
+# Firewall support for Amplify hosted sites
@@ -7 +7 @@ Enabling AWS WAF for an Amplify appDisassociate a web ACL from an Amplify appHow
-# Firewall support for hosted sites
+Firewall support for Amplify hosted sites enables you to protect your web applications with a direct integration with AWS WAF. AWS WAF allows you to configure a set of rules, called a web access control list (web ACL), that allow, block, or monitor (count) web requests based on customizable web security rules and conditions that you define. When you integrate your Amplify app with AWS WAF, you gain more control and visibility into the HTTP traffic accepted by your app. To learn more about AWS WAF, see [How AWS WAF Works](https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works.html) in the _AWS WAF Developer Guide_. 
@@ -9,7 +9 @@ Enabling AWS WAF for an Amplify appDisassociate a web ACL from an Amplify appHow
-###### Note
-
-Firewall support for hosted applications is a preview release and is subject to change. For more information, see Firewall preview limitations.
-
-Firewall support is available today, in preview, in all AWS Regions in which Amplify Hosting operates, **except for the opt-in regions**. This integration falls under an AWS WAF global resource, similar to CloudFront. Web ACLs can be attached to multiple Amplify Hosting apps, but they must reside in the same region.
-
-Firewall support for hosted sites enables you to protect your web applications with a direct integration with AWS WAF. AWS WAF allows you to configure a set of rules, called a web access control list (web ACL), that allow, block, or monitor (count) web requests based on customizable web security rules and conditions that you define. When you integrate your Amplify app with AWS WAF, you gain more control and visibility into the HTTP traffic accepted by your app. To learn more about AWS WAF, see [How AWS WAF Works](https://docs.aws.amazon.com/waf/latest/developerguide/how-aws-waf-works.html) in the _AWS WAF Developer Guide_. 
+Firewall support is available in all AWS Regions in which Amplify Hosting operates. This integration falls under an AWS WAF global resource, similar to CloudFront. Web ACLs can be attached to multiple Amplify Hosting apps, but they must reside in the same Region.
@@ -27,133 +21 @@ Security is a shared responsibility between AWS and you. AWS WAF isn't the solut
-## Enabling AWS WAF for an Amplify app
-
-You can enable the Firewall capabilities either when you create a new app or by editing the settings for an existing Amplify app. In both workflows, you will associate an AWS WAF web ACL to your Amplify Hosting app.
-
-Use the following procedure to enable AWS WAF for an existing app in the Amplify console.
-
-###### Enable AWS WAF for an existing Amplify app
-
-  1. Sign in to the AWS Management Console and open the Amplify console at [https://console.aws.amazon.com/amplify/](https://console.aws.amazon.com/amplify/).
-
-  2. On the **All apps** page, choose the name of the deployed app to enable the Firewall feature on.
-
-  3. In the navigation pane, choose **Hosting** , and then choose **Firewall**.
-
-The following screenshot shows how to navigate to the **Add firewall** page in the Amplify console.
-
-![The Amplify console Add firewall page.](/images/amplify/latest/userguide/images/Amplify-WAF-1.png)
-
-  4. On the **Add firewall** page, your actions will depend on whether you want to create a new AWS WAF configuration or use an existing one.
-
-     * Create a new AWS WAF configuration.
-
-       1. Choose **Create new**.
-
-       2. Optionally, enable any of the following configurations:
-
-         1. Turn on **Enable Amplify-recommended Firewall protection**.
-
-         2. Turn on **Restrict access to amplifyapp.com** to prevent access to your app on the default Amplify domain.
-
-         3. For **IP addresses** , turn on **Enable IP address protections**.
-
-           1. For **Action** , choose **Allow** if you want to specify the IP addresses that will have access and all others will be blocked. Choose **Block** if you want to specify the IP addresses that will be blocked and all others will have access.
-
-           2. For **IP version** , select either **IPV4** or **IPV6**.
-
-           3. In the **IP addresses** text box, enter either your allowed or blocked IP addresses, one per line, in CIDR format.
-
-         4. For **Countries** , turn on **Enable country protection**.
-
-           1. For **Action** , choose **Allow** if you want to specify the countries that will have access and all others will be blocked. Choose **Block** if you want to specify the countries that will be blocked and all others will have access.
-
-           2. For **Countries** , select either your allowed or blocked countries from the list.
-
-The following screenshot demonstrates how to enable a new AWS WAF configuration for an app. 
-
-![The Amplify console Add firewall with all of the firewall setting enabled.](/images/amplify/latest/userguide/images/Amplify-WAF-2.png)
-
-     * Use an existing AWS WAF configuration.
-
-       1. Choose **Use existing AWS WAF configuration**.
-
-       2. Select a saved configuration from the list of web ACLs in AWS WAF in your AWS account.
-
-  5. Choose **Add firewall**.
-
-  6. On the **Firewall** page, the **Associating** status is displayed to indicate that the AWS WAF settings are being propagated. When the process is complete, the status changes to **Enabled**.
-
-The following screenshots show the firewall progress status in the Amplify console, indicating when the AWS WAF configuration is **Associating** and **Enabled**.
-
-![The Amplify console Firewall status progress in the Associating state.](/images/amplify/latest/userguide/images/Amplify-WAF-3.png)
-
-![The Amplify console Firewall status progress in the Enabled state.](/images/amplify/latest/userguide/images/Amplify-WAF-4.png)
-
-
-
-
-## Disassociate a web ACL from an Amplify app
-
-You can't delete a web ACL that is associated with an Amplify app. You must first disassociate the web ACL from the app in the Amplify console. Then you can delete it in the AWS WAF console.
-
-###### To disassociate a web ACL from an Amplify app
-
-  1. Sign in to the AWS Management Console and open the Amplify console at [https://console.aws.amazon.com/amplify/](https://console.aws.amazon.com/amplify/).
-
-  2. On the **All apps** page, choose the name of the app to disassociate a web ACL from.
-
-  3. In the navigation pane, choose **Hosting** , and then choose **Firewall**.
-
-  4. On the **Firewall** page, choose **Actions** , then choose **Disassociate firewall**.
-
-  5. In the confirmation modal, enter `disassociate`, then choose **Disassociate firewall**.
-
-  6. On the **Firewall** page, the **Disassociating** status is displayed to indicate that the AWS WAF settings are being propagated.
-
-When the process is complete, you can delete the web ACL in the AWS WAF console.
-
-
-
-
-## How Amplify integrates with AWS WAF
-
-The following list provides specific details about how Firewall support is integrated with AWS WAF and the constraints to consider when creating web ACLs and associating them with Amplify apps.
-
-  * You can enable AWS WAF for any type of Amplify app. This includes any supported framework, server-side rendered (SSR) apps, and fully static sites. AWS WAF is supported for Amplify Gen 1 and Gen 2 apps.
-
-  * You must create web ACLs that you want to associate with an Amplify app in the Global (CloudFront) Region. Regional web ACLs might already exist in your AWS account, but they are not compatible with Amplify.
-
-  * The web ACL and the Amplify app must be created in the same AWS account. You can use AWS Firewall Manager to replicate AWS WAF rules across AWS accounts, to simplify keeping organization rules centralized and distributed across multiple AWS accounts. For more information, see [AWS Firewall Manager](https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html) in the _AWS WAF Developer Guide_.
-
-  * You can share the same web ACL across multiple Amplify apps in the same AWS account. All of the apps must be in the same Region. 
-
-  * When you associate a web ACL with an Amplify app, the web ACL attaches to every branch in the app by default. When you create new branches, they will have the web ACL. 
-
-  * When you associate a web ACL to an Amplify app, it is automatically associated with all of the app’s domains. However, you can configure rules that apply to a single domain name using Host-header matching rules. 
-
-  * You can't delete a web ACL that is associated with an Amplify app. Before you delete a web ACL in the AWS WAF console, you need to disassociate it from the app.
-
-
-
-
-### Amplify web ACL resource policy
-
-To allow Amplify to access your web ACL, a resource policy is attached to the web ACL during association. Amplify constructs this resource policy automatically, but you can view it using the AWS WAFV2 [GetPermissionPolicy](https://docs.aws.amazon.com/waf/latest/APIReference/API_GetPermissionPolicy.html) API. The following IAM permissions are required for associating a web ACL to an Amplify app.
-
-  * amplify:AssociateWebACL
-
-  * wafv2:AssociateWebACL
-
-  * wafv2:PutPermissionPolicy
-
-  * wafv2:GetPermissionPolicy
-
-
-
-
-## Firewall preview limitations
-
-The preview Firewall release has the following limitations. 
-
-  1. During the preview period, Amplify supports partial integration with CloudTrail. Some management events during web ACL association will not appear in the CloudTrail logs.
-
-  2. During preview, when your web ACL is associated to an Amplify resource, this new Amplify resource will not display in the **Associated AWS resources** in the AWS WAF console. You can use the Amplify [GetApp](https://docs.aws.amazon.com/amplify/latest/APIReference/API_GetApp.html) API to display the web ACL associated to an app. You can associate and disassociate the Amplify resource from the Firewall by navigating to the **Firewall** page for an app in the Amplify Hosting console. 
+###### Topics
@@ -161 +23 @@ The preview Firewall release has the following limitations.
-  3. During preview, AWS Config integration will not be available.
+  * [Enabling AWS WAF for an Amplify application in the AWS Management Console](./getting-started-using-waf.html)
@@ -163 +25 @@ The preview Firewall release has the following limitations.
-  4. The Firewall feature is not available in the opt-in regions where Amplify exists today: Asia Pacific (Hong Kong)(_ap-east-1_), Europe (Milan)(_eu-south-1_), and Middle East (Bahrain)(_me-south-1_).
+  * [Disassociate a web ACL from an Amplify application](./disassociate-web-acl.html)
@@ -164,0 +27 @@ The preview Firewall release has the following limitations.
+  * [Enabling AWS WAF for an Amplify application using the AWS CDK](./amplify-waf-CDK.html)
@@ -165,0 +29 @@ The preview Firewall release has the following limitations.
+  * [How Amplify integrates with AWS WAF](./amplify-waf-configuration.html)
@@ -166,0 +31 @@ The preview Firewall release has the following limitations.
+  * [Firewall pricing for Amplify applications](./waf-pricing.html)
@@ -168 +32,0 @@ The preview Firewall release has the following limitations.
-## Firewall pricing
@@ -170 +33,0 @@ The preview Firewall release has the following limitations.
-During the preview, you will only incur utilization-based charges from the AWS WAF service. AWS WAF charges $5/month per web ACL and $1 per rule, among other charges. At a minimum, you will pay $7 for this integration, assuming you have one web ACL with two rules. For pricing details, see [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).
@@ -172 +34,0 @@ During the preview, you will only incur utilization-based charges from the AWS W
-In addition to the AWS WAF usage charges, this integration will incur a flat fee per app from the Amplify service once it enters General Availability (GA). Specific pricing details will be communicated at GA.
@@ -182 +44 @@ Managing app performance
-Security
+Enable AWS WAF using the console