AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-06-19 · Documentation low

File: waf/latest/developerguide/how-aws-waf-works-resources.md

Summary

Added documentation for new 'protection pack' terminology alongside existing web ACL references, introduced updated console experience information, and updated regional compatibility statements

Security assessment

The changes introduce 'protection packs' as a new security control mechanism alongside web ACLs, indicating expanded security capabilities. However, there's no evidence of addressing a specific vulnerability. The updates enhance documentation about security features (protection packs and resource associations) but don't reference any patched vulnerabilities or security incidents.

Diff

diff --git a/waf/latest/developerguide/how-aws-waf-works-resources.md b/waf/latest/developerguide/how-aws-waf-works-resources.md
index 2e1e1e66b..316116b20 100644
--- a//waf/latest/developerguide/how-aws-waf-works-resources.md
+++ b//waf/latest/developerguide/how-aws-waf-works-resources.md
@@ -4,0 +5,4 @@
+**Introducing a new console experience for AWS WAF**
+
+You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). 
+
@@ -7 +11 @@
-You can use an AWS WAF web ACL to protect global or regional resource types. You do this by associating the web ACL with the resources that you want to protect. The web ACL and any AWS WAF resources that it uses must be located in the Region where the associated resource is located. For Amazon CloudFront distributions, this is set to US East (N. Virginia).
+You can use an AWS WAF protection pack or web ACL to protect global or regional resource types. You do this by associating the protection pack or web ACL with the resources that you want to protect. The protection pack or web ACL and any AWS WAF resources that it uses must be located in the Region where the associated resource is located. For Amazon CloudFront distributions, this is set to US East (N. Virginia).
@@ -11 +15 @@ You can use an AWS WAF web ACL to protect global or regional resource types. You
-You can associate an AWS WAF web ACL with a CloudFront distribution using the AWS WAF console or APIs. You can also associate a web ACL with a CloudFront distribution when you create or update the distribution itself. To configure an association in AWS CloudFormation, you must use the CloudFront distribution configuration. For information about Amazon CloudFront, see [Using AWS WAF to Control Access to Your Content](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html) in the _Amazon CloudFront Developer Guide_.
+You can associate an AWS WAF protection pack or web ACL with a CloudFront distribution using the AWS WAF console or APIs. You can also associate a protection pack or web ACL with a CloudFront distribution when you create or update the distribution itself. To configure an association in AWS CloudFormation, you must use the CloudFront distribution configuration. For information about Amazon CloudFront, see [Using AWS WAF to Control Access to Your Content](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html) in the _Amazon CloudFront Developer Guide_.
@@ -13 +17 @@ You can associate an AWS WAF web ACL with a CloudFront distribution using the AW
-AWS WAF is available globally for CloudFront distributions, but you must use the Region US East (N. Virginia) to create your web ACL and any resources used in the web ACL, such as rule groups, IP sets, and regex pattern sets. Some interfaces offer a region choice of "Global (CloudFront)". Choosing this is identical to choosing Region US East (N. Virginia) or "us-east-1".
+AWS WAF is available globally for CloudFront distributions, but you must use the Region US East (N. Virginia) to create your protection pack or web ACL and any resources used in the protection pack or web ACL, such as rule groups, IP sets, and regex pattern sets. Some interfaces offer a region choice of "Global (CloudFront)". Choosing this is identical to choosing Region US East (N. Virginia) or "us-east-1".
@@ -38 +42 @@ You can use AWS WAF to protect the following regional resource types:
-You can only associate a web ACL to an Application Load Balancer that's within AWS Regions. For example, you cannot associate a web ACL to an Application Load Balancer that's on AWS Outposts.
+You can only associate a protection pack or web ACL to an Application Load Balancer that's within AWS Regions. For example, you cannot associate a protection pack or web ACL to an Application Load Balancer that's on AWS Outposts.
@@ -40 +44 @@ You can only associate a web ACL to an Application Load Balancer that's within A
-You must create web ACLs that you want to associate with an Amplify app in the Global CloudFront Region. Regional web ACLs might already exist in your AWS account, but they are not compatible with Amplify.
+You must create any protection pack or web ACL that you want to associate with an Amplify app in the Global CloudFront Region. You might already have a Regional protection pack or web ACL in your AWS account, but they are not compatible with Amplify.
@@ -42 +46 @@ You must create web ACLs that you want to associate with an Amplify app in the G
-The web ACL and any other AWS WAF resources that it uses must be located in the same Region as the protected resources. When monitoring and managing web requests for a protected regional resource, AWS WAF keeps all data in the same Region as the protected resource. 
+The protection pack or web ACL and any other AWS WAF resources that it uses must be located in the same Region as the protected resources. When monitoring and managing web requests for a protected regional resource, AWS WAF keeps all data in the same Region as the protected resource. 
@@ -46 +50 @@ The web ACL and any other AWS WAF resources that it uses must be located in the
-You can associate a single web ACL with one or more AWS resources, with the following restrictions:
+You can associate a single protection pack or web ACL with one or more AWS resources, with the following restrictions:
@@ -48 +52 @@ You can associate a single web ACL with one or more AWS resources, with the foll
-  * You can associate each AWS resource with only one web ACL. The relationship between web ACL and AWS resources is one-to-many. 
+  * You can associate each AWS resource with only one protection pack or web ACL. The relationship between protection pack or web ACL and AWS resources is one-to-many. 
@@ -50 +54 @@ You can associate a single web ACL with one or more AWS resources, with the foll
-  * You can associate a web ACL with one or more CloudFront distributions. You cannot associate a web ACL that you have associated with a CloudFront distribution with any other AWS resource type.
+  * You can associate a protection pack or web ACL with one or more CloudFront distributions. You cannot associate a protection pack or web ACL that you have associated with a CloudFront distribution with any other AWS resource type.
@@ -63 +67 @@ How AWS WAF works
-Using web ACLs
+Working with the updated console experience