AWS Security ChangesHomeSearch

AWS waf medium security documentation change

Service: waf · 2025-06-13 · Security-related medium

File: waf/latest/developerguide/getting-started-fms-shield.md

Summary

Added warning about Firewall Manager performance constraints when exceeding Shield Advanced quotas affecting DDoS notifications

Security assessment

Reveals that exceeding resource quotas could prevent DDoS attack notifications, which impacts security monitoring capabilities

Diff

diff --git a/waf/latest/developerguide/getting-started-fms-shield.md b/waf/latest/developerguide/getting-started-fms-shield.md
index 3f31dbb95..60310ec25 100644
--- a//waf/latest/developerguide/getting-started-fms-shield.md
+++ b//waf/latest/developerguide/getting-started-fms-shield.md
@@ -127 +127,3 @@ You can monitor your protected resources for potential DDoS activity using Amazo
-Amazon SNS notifications of potential DDoS activity are not sent in real time and can be delayed. To enable real-time notifications of potential DDoS activity, you can use a CloudWatch alarm. Your alarm must be based on the `DDoSDetected` metric from the account in which the protected resource exists.
+Amazon SNS notifications of potential DDoS activity are not sent in real time and can be delayed. Additionally, if you exceed the Shield Advanced quota of 1,000 protected resources for each resource type for each account, Firewall Manager performance constraints might prevent the successful delivery of DDoS attack notifications entirely. For more information, see [AWS Shield Advanced quotas](./shield-limits.html). 
+
+To enable real-time notifications of potential DDoS activity, you can use a CloudWatch alarm. Your alarm must be based on the `DDoSDetected` metric from the account in which the protected resource exists.