AWS waf documentation change
Summary
Added guidance for Anti-DDoS rule group configuration, clarified DDoS protection options (Shield Advanced vs. Anti-DDoS), and emphasized using production traffic for baselining Anti-DDoS rules.
Security assessment
The changes provide best practices for configuring security features (Anti-DDoS, Shield Advanced) but do not indicate a specific security vulnerability being patched. The updates improve documentation for existing security controls.
Diff
diff --git a/waf/latest/developerguide/waf-managed-protections-best-practices.md b/waf/latest/developerguide/waf-managed-protections-best-practices.md index 5b540f2fd..14495bd1b 100644 --- a//waf/latest/developerguide/waf-managed-protections-best-practices.md +++ b//waf/latest/developerguide/waf-managed-protections-best-practices.md @@ -35 +35 @@ For detailed pricing information, see [AWS WAF Pricing](https://aws.amazon.com/w - * **Enable the targeted protection level of the Bot Control rule group during normal web traffic** – Some rules of the targeted protection level need time to establish baselines for normal traffic patterns before they can recognize and respond to irregular or malicious traffic patterns. For example, the `TGT_ML_*` rules need up to 24 hours to warm up. + * **Do not limit the requests that you send to the Anti-DDoS rule group** – This rule group operates best when you configure it in to monitor all web traffic that you aren't explicitly allowing through. Position it in your web ACL to be evaluated only after rules with the Allow rule action and before all other rules. @@ -37 +37,13 @@ For detailed pricing information, see [AWS WAF Pricing](https://aws.amazon.com/w -Add these protections when you are not experiencing an attack and give them time to establish their baselines before expecting them to respond appropriately to attacks. If you add these rules during an attack, after the attack subsides, the time to establish a baseline is usually from double to triple the normal required time, because of the skewing added by the attack traffic. For additional information about the rules and any warm-up times that they require, see [Rules listing](./aws-managed-rule-groups-bot.html#aws-managed-rule-groups-bot-rules). + * **For distributed denial of service (DDoS) protection for Amazon CloudFront distributions, use either Anti-DDoS or Shield Advanced automatic application layer DDoS mitigation** – The other intelligent threat mitigation rule groups don't provide DDoS protection. ACFP protects against fraudulent account creation attempts to your application's sign-up page. ATP protects against account takeover attempts to your login page. Bot Control focuses on enforcing human-like access patterns using tokens and dynamic rate limiting on client sessions. + +Anti-DDoS allows you to monitor and control DDoS attacks, allowing for quick response and mitigation of threats. Shield Advanced with automatic application layer DDoS mitigation automatically responds to detected DDoS attacks by creating, evaluating, and deploying custom AWS WAF mitigations on your behalf. + +For more information about Shield Advanced, see [AWS Shield Advanced overview](./ddos-advanced-summary.html), and [Protecting the application layer (layer 7) with AWS Shield Advanced and AWS WAF](./ddos-app-layer-protections.html). + +For more information about Distributed Denial of Service (DDoS) prevention, see [Anti-DDoS rule group](./aws-managed-rule-groups-anti-ddos.html) and [Distributed Denial of Service (DDoS) prevention](./waf-anti-ddos.html). + + * **Enable the Anti-DDoS rule group and the targeted protection level of the Bot Control rule group during normal web traffic** – These rule categories need time to establish baselines for normal traffic. + +**Enable the targeted protection level of the Bot Control rule group during normal web traffic** – Some rules of the targeted protection level need time to establish baselines for normal traffic patterns before they can recognize and respond to irregular or malicious traffic patterns. For example, the `TGT_ML_*` rules need up to 24 hours to warm up. + +Add these protections when you are not experiencing an attack and give them time to establish their baselines before expecting them to respond appropriately. If you add these rules during an attack, you will need to enable the Anti-DDoS rule group in count mode. After the attack subsides, the time to establish a baseline is usually from double to triple the normal required time, because of the skewing added by the attack traffic. For additional information about the rules and any warm-up times that they require, see [Rules listing](./aws-managed-rule-groups-bot.html#aws-managed-rule-groups-bot-rules). @@ -42,0 +55,2 @@ When you use Shield Advanced with automatic application layer DDoS mitigation en + * **Use production traffic loads when you establish baselines for the Anti-DDoS rule group** – It is common practice to test other rule groups using artificial test traffic. However, when you test and establish baselines for the Anti-DDoS rule group, we recommend that you use traffic flows that reflect the loads in your production environment. Establishing Anti-DDoS baselines using typical traffic is the best way to ensure your resources will be protected when the rule group is enabled in a production environment. +