AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-06-19 · Documentation low

File: waf/latest/developerguide/create-policy.md

Summary

Added protection pack references in policy creation steps and token domain configuration. Introduced new console experience announcement.

Security assessment

Documents expanded security configuration options (protection packs) and token domain management, but no evidence of vulnerability remediation. Updates security feature documentation without addressing specific issues.

Diff

diff --git a/waf/latest/developerguide/create-policy.md b/waf/latest/developerguide/create-policy.md
index 2479eb020..caa7d10c9 100644
--- a//waf/latest/developerguide/create-policy.md
+++ b//waf/latest/developerguide/create-policy.md
@@ -6,0 +7,4 @@ Create a policy for AWS WAFCreate a policy for AWS WAF ClassicCreate a policy fo
+**Introducing a new console experience for AWS WAF**
+
+You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). 
+
@@ -84 +88 @@ When you're finished with your settings, choose **Save rule**.
-  10. Set the default action for the web ACL. This is the action that AWS WAF takes when a web request doesn't match any of the rules in the web ACL. You can add custom headers with the **Allow** action, or custom responses for the **Block** action. For more information about default web ACL actions, see [Setting the web ACL default action in AWS WAF](./web-acl-default-action.html). For information about setting custom web requests and responses, see [Customized web requests and responses in AWS WAF](./waf-custom-request-response.html).
+  10. Set the default action for the web ACL. This is the action that AWS WAF takes when a web request doesn't match any of the rules in the web ACL. You can add custom headers with the **Allow** action, or custom responses for the **Block** action. For more information about default web ACL actions, see [Setting the protection pack or web ACL default action in AWS WAF](./web-acl-default-action.html). For information about setting custom web requests and responses, see [Customized web requests and responses in AWS WAF](./waf-custom-request-response.html).
@@ -90 +94 @@ When you're finished with your settings, choose **Save rule**.
-  13. (Optional) If you don't want to send all requests to the logs, add your filtering criteria and behavior. Under **Filter logs** , for each filter that you want to apply, choose **Add filter** , then choose your filtering criteria and specify whether you want to keep or drop requests that match the criteria. When you finish adding filters, if needed, modify the **Default logging behavior**. For more information, see [Finding your web ACL records](./logging-management.html) in the _AWS WAF Developer Guide_.
+  13. (Optional) If you don't want to send all requests to the logs, add your filtering criteria and behavior. Under **Filter logs** , for each filter that you want to apply, choose **Add filter** , then choose your filtering criteria and specify whether you want to keep or drop requests that match the criteria. When you finish adding filters, if needed, modify the **Default logging behavior**. For more information, see [Finding your protection pack or web ACL records](./logging-management.html) in the _AWS WAF Developer Guide_.
@@ -96 +100 @@ Public suffixes aren't allowed. For example, you can't use `gov.au` or `co.uk` a
-By default, AWS WAF accepts tokens only for the domain of the protected resource. If you add token domains in this list, AWS WAF accepts tokens for all domains in the list and for the domain of the associated resource. For more information, see [AWS WAF web ACL token domain list configuration](./waf-tokens-domains.html#waf-tokens-domain-lists) in the _AWS WAF Developer Guide_.
+By default, AWS WAF accepts tokens only for the domain of the protected resource. If you add token domains in this list, AWS WAF accepts tokens for all domains in the list and for the domain of the associated resource. For more information, see [AWS WAF protection pack or web ACL token domain list configuration](./waf-tokens-domains.html#waf-tokens-domain-lists) in the _AWS WAF Developer Guide_.