AWS waf medium security documentation change
Summary
Updated policy change history entries to reflect corrections in logging permissions and expanded logging options, with references to protection packs in logging documentation.
Security assessment
The documentation explicitly states that permission corrections resolved access denied errors during logging configuration. Improper logging permissions could lead to loss of security visibility, making this a security-related configuration improvement. However, there's no mention of active exploitation or CVE association.
Diff
diff --git a/waf/latest/developerguide/security-iam-awsmanpol.md b/waf/latest/developerguide/security-iam-awsmanpol.md index d54707405..61502e16f 100644 --- a//waf/latest/developerguide/security-iam-awsmanpol.md +++ b//waf/latest/developerguide/security-iam-awsmanpol.md @@ -6,0 +7,4 @@ AWSWAFReadOnlyAccessAWSWAFFullAccessAWSWAFConsoleReadOnlyAccessAWSWAFConsoleFull +**Introducing a new console experience for AWS WAF** + +You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). + @@ -61 +65 @@ Policy | Description of change | Date - * `amplify:GetWebACLForResource` – Grants permission to retrieve the AWS WAF web ACL associated with an Amplify resource + * `amplify:GetWebACLForResource` – Grants permission to retrieve the AWS WAF protection pack or web ACL associated with an Amplify resource @@ -63 +67 @@ Policy | Description of change | Date - * `amplify:ListResourcesForWebACL` – Grants permission to retrieve the Amplify apps associated with an AWS WAF web ACL + * `amplify:ListResourcesForWebACL` – Grants permission to retrieve the Amplify apps associated with an AWS WAF protection pack or web ACL @@ -79,3 +83,3 @@ Policy | Description of change | Date - * `amplify:AssociateWebACL` – Grants permission to associate an AWS WAF web ACL to an Amplify resource - * `amplify:DisassociateWebACL` – Grants permission to disassociate an AWS WAF web ACL from an Amplify resource - * `amplify:GetWebACLForResource` – Grants permission to retrieve the AWS WAF web ACL associated with an Amplify resource + * `amplify:AssociateWebACL` – Grants permission to associate an AWS WAF protection pack or web ACL to an Amplify resource + * `amplify:DisassociateWebACL` – Grants permission to disassociate an AWS WAF protection pack or web ACL from an Amplify resource + * `amplify:GetWebACLForResource` – Grants permission to retrieve the AWS WAF protection pack or web ACL associated with an Amplify resource @@ -83 +87 @@ Policy | Description of change | Date - * `amplify:ListResourcesForWebACL` – Grants permission to retrieve the Amplify apps associated with an AWS WAF web ACL + * `amplify:ListResourcesForWebACL` – Grants permission to retrieve the Amplify apps associated with an AWS WAF protection pack or web ACL @@ -89,4 +93,4 @@ Policy | Description of change | Date - * `cloudfront:AssociateDistributionTenantWebACL` – Grants permission to associate an AWS WAF web ACL with a CloudFront distribution tenant - * `cloudfront:AssociateDistributionWebACL` – Grants permission to associate an AWS WAF web ACL with a CloudFront distribution - * `cloudfront:DisassociateDistributionTenantWebACL` – Grants permission to disassociate an AWS WAF web ACL with a CloudFront distribution tenant - * `cloudfront:DisassociateDistributionWebACL` – Grants permission to disassociate an AWS WAF web ACL with a CloudFront distribution + * `cloudfront:AssociateDistributionTenantWebACL` – Grants permission to associate an AWS WAF protection pack or web ACL with a CloudFront distribution tenant + * `cloudfront:AssociateDistributionWebACL` – Grants permission to associate an AWS WAF protection pack or web ACL with a CloudFront distribution + * `cloudfront:DisassociateDistributionTenantWebACL` – Grants permission to disassociate an AWS WAF protection pack or web ACL with a CloudFront distribution tenant + * `cloudfront:DisassociateDistributionWebACL` – Grants permission to disassociate an AWS WAF protection pack or web ACL with a CloudFront distribution @@ -118,4 +122,4 @@ AWS WAF additions to change tracking | AWS WAF started tracking changes for the -`AWSWAFFullAccess` This policy allows AWS WAF to manage AWS resources on your behalf in AWS WAF and in integrated services. Details in IAM console: [AWSWAFFullAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSWAFFullAccess$serviceLevelSummary). | Corrected the permissions settings for log delivery for Amazon Simple Storage Service (Amazon S3) and Amazon CloudWatch Logs. This change resolves access denied errors that were occurring during logging configuration. For information about logging your web ACL traffic, see [Logging AWS WAF web ACL traffic](./logging.html). | 2022-01-11 -`AWSWAFConsoleFullAccess` This policy allows AWS WAF to manage AWS console resources and other AWS resources on your behalf in AWS WAF and in integrated services. Details in IAM console: [AWSWAFConsoleFullAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSWAFConsoleFullAccess$serviceLevelSummary). | Corrected the permissions settings for log delivery for Amazon Simple Storage Service (Amazon S3) and Amazon CloudWatch Logs. This change resolves access errors that were occurring during logging configuration. For information about logging your web ACL traffic, see [Logging AWS WAF web ACL traffic](./logging.html). | 2022-01-11 -`AWSWAFFullAccess` This policy allows AWS WAF to manage AWS resources on your behalf in AWS WAF and in integrated services. Details in IAM console: [AWSWAFFullAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSWAFFullAccess$serviceLevelSummary). | Added new permissions for expanded logging options. This change gives AWS WAF access to the additional logging destinations Amazon Simple Storage Service (Amazon S3) and Amazon CloudWatch Logs. For information about logging your web ACL traffic, see [Logging AWS WAF web ACL traffic](./logging.html). | 2021-11-15 -`AWSWAFConsoleFullAccess` This policy allows AWS WAF to manage AWS console resources and other AWS resources on your behalf in AWS WAF and in integrated services. Details in IAM console: [AWSWAFConsoleFullAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSWAFConsoleFullAccess$serviceLevelSummary). | Added new permissions for expanded logging options. This change gives AWS WAF access to the additional logging destinations Amazon Simple Storage Service (Amazon S3) and Amazon CloudWatch Logs. For information about logging your web ACL traffic, see [Logging AWS WAF web ACL traffic](./logging.html). | 2021-11-15 +`AWSWAFFullAccess` This policy allows AWS WAF to manage AWS resources on your behalf in AWS WAF and in integrated services. Details in IAM console: [AWSWAFFullAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSWAFFullAccess$serviceLevelSummary). | Corrected the permissions settings for log delivery for Amazon Simple Storage Service (Amazon S3) and Amazon CloudWatch Logs. This change resolves access denied errors that were occurring during logging configuration. For information about logging your protection pack or web ACL traffic, see [Logging AWS WAF protection pack or web ACL traffic](./logging.html). | 2022-01-11 +`AWSWAFConsoleFullAccess` This policy allows AWS WAF to manage AWS console resources and other AWS resources on your behalf in AWS WAF and in integrated services. Details in IAM console: [AWSWAFConsoleFullAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSWAFConsoleFullAccess$serviceLevelSummary). | Corrected the permissions settings for log delivery for Amazon Simple Storage Service (Amazon S3) and Amazon CloudWatch Logs. This change resolves access errors that were occurring during logging configuration. For information about logging your protection pack or web ACL traffic, see [Logging AWS WAF protection pack or web ACL traffic](./logging.html). | 2022-01-11 +`AWSWAFFullAccess` This policy allows AWS WAF to manage AWS resources on your behalf in AWS WAF and in integrated services. Details in IAM console: [AWSWAFFullAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSWAFFullAccess$serviceLevelSummary). | Added new permissions for expanded logging options. This change gives AWS WAF access to the additional logging destinations Amazon Simple Storage Service (Amazon S3) and Amazon CloudWatch Logs. For information about logging your protection pack or web ACL traffic, see [Logging AWS WAF protection pack or web ACL traffic](./logging.html). | 2021-11-15 +`AWSWAFConsoleFullAccess` This policy allows AWS WAF to manage AWS console resources and other AWS resources on your behalf in AWS WAF and in integrated services. Details in IAM console: [AWSWAFConsoleFullAccess](https://console.aws.amazon.com/iam/home#/policies/arn:aws:iam::aws:policy/AWSWAFConsoleFullAccess$serviceLevelSummary). | Added new permissions for expanded logging options. This change gives AWS WAF access to the additional logging destinations Amazon Simple Storage Service (Amazon S3) and Amazon CloudWatch Logs. For information about logging your protection pack or web ACL traffic, see [Logging AWS WAF protection pack or web ACL traffic](./logging.html). | 2021-11-15