AWS waf medium security documentation change
Summary
Added warning about Firewall Manager performance constraints when exceeding Shield Advanced quotas affecting DDoS notifications
Security assessment
Reveals that exceeding resource quotas could prevent DDoS attack notifications, which impacts security monitoring capabilities
Diff
diff --git a/waf/latest/developerguide/getting-started-fms-shield.md b/waf/latest/developerguide/getting-started-fms-shield.md index 3f31dbb95..60310ec25 100644 --- a//waf/latest/developerguide/getting-started-fms-shield.md +++ b//waf/latest/developerguide/getting-started-fms-shield.md @@ -127 +127,3 @@ You can monitor your protected resources for potential DDoS activity using Amazo -Amazon SNS notifications of potential DDoS activity are not sent in real time and can be delayed. To enable real-time notifications of potential DDoS activity, you can use a CloudWatch alarm. Your alarm must be based on the `DDoSDetected` metric from the account in which the protected resource exists. +Amazon SNS notifications of potential DDoS activity are not sent in real time and can be delayed. Additionally, if you exceed the Shield Advanced quota of 1,000 protected resources for each resource type for each account, Firewall Manager performance constraints might prevent the successful delivery of DDoS attack notifications entirely. For more information, see [AWS Shield Advanced quotas](./shield-limits.html). + +To enable real-time notifications of potential DDoS activity, you can use a CloudWatch alarm. Your alarm must be based on the `DDoSDetected` metric from the account in which the protected resource exists.