AWS AWSCloudFormation documentation change
Summary
Clarified behavior of invalid rule name overrides in managed vs customer-owned rule groups
Security assessment
The change improves documentation accuracy about configuration behavior but does not directly relate to security features or vulnerabilities.
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/aws-properties-wafv2-webacl-managedrulegroupstatement.md b/AWSCloudFormation/latest/TemplateReference/aws-properties-wafv2-webacl-managedrulegroupstatement.md index da566ab79..686541a7c 100644 --- a//AWSCloudFormation/latest/TemplateReference/aws-properties-wafv2-webacl-managedrulegroupstatement.md +++ b//AWSCloudFormation/latest/TemplateReference/aws-properties-wafv2-webacl-managedrulegroupstatement.md @@ -78,0 +79,2 @@ The rule groups used for intelligent threat mitigation require additional config + * Use the `AWSManagedRulesAntiDDoSRuleSet` configuration object to configure the anti-DDoS managed rule group. The configuration includes the sensitivity levels to use in the rules that typically block and challenge requests that might be participating in DDoS attacks and the specification to use to indicate whether a request can handle a silent browser challenge. + @@ -112 +114 @@ Action settings to use in the place of the rule actions that are configured insi -Take care to verify the rule names in your overrides. If you provide a rule name that doesn't match the name of any rule in the rule group, AWS WAF doesn't return an error and doesn't apply the override setting. +Verify the rule names in your overrides carefully. With managed rule groups, AWS WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn't exactly match the case-sensitive name of an existing rule in the rule group.