AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-06-19 · Documentation low

File: waf/latest/developerguide/aws-managed-rule-groups-baseline.md

Summary

Added information about a new console experience and updated references from 'web ACL' to 'protection pack or web ACL' in multiple rule descriptions

Security assessment

The changes introduce 'protection pack' terminology alongside existing web ACL references, indicating a new security configuration option. While this documents a security feature enhancement, there is no evidence of addressing a specific vulnerability or security incident.

Diff

diff --git a/waf/latest/developerguide/aws-managed-rule-groups-baseline.md b/waf/latest/developerguide/aws-managed-rule-groups-baseline.md
index c8dc34e51..d41fee327 100644
--- a//waf/latest/developerguide/aws-managed-rule-groups-baseline.md
+++ b//waf/latest/developerguide/aws-managed-rule-groups-baseline.md
@@ -6,0 +7,4 @@ Core rule set (CRS)Admin protectionKnown bad inputs
+**Introducing a new console experience for AWS WAF**
+
+You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). 
+
@@ -25 +29 @@ The core rule set (CRS) rule group contains rules that are generally applicable
-This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your web ACL. AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](./waf-labels.html) and [Label metrics and dimensions](./waf-metrics.html#waf-metrics-label). 
+This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack or web ACL. AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](./waf-labels.html) and [Label metrics and dimensions](./waf-metrics.html#waf-metrics-label). 
@@ -39 +43 @@ Rule name | Description and label
-This rule only inspects the request body up to the body size limit for the web ACL and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your web ACL configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](./waf-oversize-request-components.html).  Rule action: Block Label: `awswaf:managed:aws:core-rule-set:EC2MetaDataSSRF_Body`  
+This rule only inspects the request body up to the body size limit for the protection pack or web ACL and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your protection pack or web ACL configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](./waf-oversize-request-components.html).  Rule action: Block Label: `awswaf:managed:aws:core-rule-set:EC2MetaDataSSRF_Body`  
@@ -49 +53 @@ This rule only inspects the request body up to the body size limit for the web A
-This rule only inspects the request body up to the body size limit for the web ACL and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your web ACL configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](./waf-oversize-request-components.html).  Rule action: Block Label: `awswaf:managed:aws:core-rule-set:GenericLFI_Body`  
+This rule only inspects the request body up to the body size limit for the protection pack or web ACL and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your protection pack or web ACL configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](./waf-oversize-request-components.html).  Rule action: Block Label: `awswaf:managed:aws:core-rule-set:GenericLFI_Body`  
@@ -57 +61 @@ This rule only inspects the request body up to the body size limit for the web A
-This rule only inspects the request body up to the body size limit for the web ACL and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your web ACL configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](./waf-oversize-request-components.html).  Rule action: Block Label: `awswaf:managed:aws:core-rule-set:GenericRFI_Body`  
+This rule only inspects the request body up to the body size limit for the protection pack or web ACL and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your protection pack or web ACL configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](./waf-oversize-request-components.html).  Rule action: Block Label: `awswaf:managed:aws:core-rule-set:GenericRFI_Body`  
@@ -77 +81 @@ The rule match details in the AWS WAF logs is not populated for version 2.0 of t
-This rule only inspects the request body up to the body size limit for the web ACL and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your web ACL configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](./waf-oversize-request-components.html).  Rule action: Block Label: `awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body`  
+This rule only inspects the request body up to the body size limit for the protection pack or web ACL and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your protection pack or web ACL configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](./waf-oversize-request-components.html).  Rule action: Block Label: `awswaf:managed:aws:core-rule-set:CrossSiteScripting_Body`  
@@ -98 +102 @@ The Admin protection rule group contains rules that allow you to block external
-This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your web ACL. AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](./waf-labels.html) and [Label metrics and dimensions](./waf-metrics.html#waf-metrics-label). 
+This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack or web ACL. AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](./waf-labels.html) and [Label metrics and dimensions](./waf-metrics.html#waf-metrics-label). 
@@ -118 +122 @@ The Known bad inputs rule group contains rules to block request patterns that ar
-This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your web ACL. AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](./waf-labels.html) and [Label metrics and dimensions](./waf-metrics.html#waf-metrics-label). 
+This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack or web ACL. AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](./waf-labels.html) and [Label metrics and dimensions](./waf-metrics.html#waf-metrics-label). 
@@ -131 +135 @@ This rule only inspects the first 8 KB of the request headers or the first 200 h
-This rule only inspects the request body up to the body size limit for the web ACL and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your web ACL configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](./waf-oversize-request-components.html).  Rule action: Block Label: `awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_Body`  
+This rule only inspects the request body up to the body size limit for the protection pack or web ACL and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your protection pack or web ACL configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](./waf-oversize-request-components.html).  Rule action: Block Label: `awswaf:managed:aws:known-bad-inputs:JavaDeserializationRCE_Body`  
@@ -147 +151 @@ This rule only inspects the first 8 KB of the request headers or the first 200 h
-This rule only inspects the request body up to the body size limit for the web ACL and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your web ACL configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](./waf-oversize-request-components.html).  Rule action: Block Label: `awswaf:managed:aws:known-bad-inputs:Log4JRCE_Body`  
+This rule only inspects the request body up to the body size limit for the protection pack or web ACL and resource type. For Application Load Balancer and AWS AppSync, the limit is fixed at 8 KB. For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access, the default limit is 16 KB and you can increase the limit up to 64 KB in your protection pack or web ACL configuration. This rule uses the `Continue` option for oversize content handling. For more information, see [Oversize web request components in AWS WAF](./waf-oversize-request-components.html).  Rule action: Block Label: `awswaf:managed:aws:known-bad-inputs:Log4JRCE_Body`