AWS waf documentation change
Summary
Added documentation about a new console experience and expanded references to include 'protection pack' alongside web ACL in permissions requirements
Security assessment
The changes introduce references to 'protection packs' in IAM permission requirements, indicating documentation of a new security-related feature (protection packs). While this clarifies access control requirements for a security feature, there's no evidence of addressing a specific vulnerability.
Diff
diff --git a/waf/latest/developerguide/security_iam_service-with-iam.md b/waf/latest/developerguide/security_iam_service-with-iam.md index 5e6727e52..ef8135871 100644 --- a//waf/latest/developerguide/security_iam_service-with-iam.md +++ b//waf/latest/developerguide/security_iam_service-with-iam.md @@ -6,0 +7,4 @@ Identity-based policiesResource-based policiesPolicy actionsPolicy resourcesPoli +**Introducing a new console experience for AWS WAF** + +You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). + @@ -100 +104 @@ Some actions require permissions that can't be completely described in [Actions -This section lists the permissions required to associate a web ACL to a resource using the AWS WAF action `AssociateWebACL`. +This section lists the permissions required to associate a protection pack or web ACL to a resource using the AWS WAF action `AssociateWebACL`. @@ -106 +110 @@ For Amazon CloudFront distributions, instead of this action, use the CloudFront -Requires permission to call API Gateway `SetWebACL` on the REST API resource type and to call AWS WAF `AssociateWebACL` on a web ACL. +Requires permission to call API Gateway `SetWebACL` on the REST API resource type and to call AWS WAF `AssociateWebACL` on a protection pack or web ACL. @@ -132 +136 @@ Requires permission to call API Gateway `SetWebACL` on the REST API resource typ -Requires permission to call `elasticloadbalancing:SetWebACL` action on the Application Load Balancer resource type and to call AWS WAF `AssociateWebACL` on a web ACL. +Requires permission to call `elasticloadbalancing:SetWebACL` action on the Application Load Balancer resource type and to call AWS WAF `AssociateWebACL` on a protection pack or web ACL. @@ -158 +162 @@ Requires permission to call `elasticloadbalancing:SetWebACL` action on the Appli -Requires permission to call AWS AppSync `SetWebACL` on the GraphQL API resource type and to call AWS WAF `AssociateWebACL` on a web ACL. +Requires permission to call AWS AppSync `SetWebACL` on the GraphQL API resource type and to call AWS WAF `AssociateWebACL` on a protection pack or web ACL. @@ -184 +188 @@ Requires permission to call AWS AppSync `SetWebACL` on the GraphQL API resource -Requires permission to call the Amazon Cognito `AssociateWebACL` action on the user pool resource type and to call AWS WAF `AssociateWebACL` on a web ACL. +Requires permission to call the Amazon Cognito `AssociateWebACL` action on the user pool resource type and to call AWS WAF `AssociateWebACL` on a protection pack or web ACL. @@ -262 +266 @@ Requires permission to call the `ec2:AssociateVerifiedAccessInstanceWebAcl` acti -This section lists the permissions required to disassociate a web ACL from a resource using the AWS WAF action `DisassociateWebACL`. +This section lists the permissions required to disassociate a protection pack or web ACL from a resource using the AWS WAF action `DisassociateWebACL`. @@ -264 +268 @@ This section lists the permissions required to disassociate a web ACL from a res -For Amazon CloudFront distributions, instead of this action, use the CloudFront action `UpdateDistribution` with an empty web ACL ID. For information, see [UpdateDistribution](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html) in the _Amazon CloudFront API Reference_. +For Amazon CloudFront distributions, instead of this action, use the CloudFront action `UpdateDistribution` with an empty protection pack or web ACL ID. For information, see [UpdateDistribution](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html) in the _Amazon CloudFront API Reference_. @@ -382 +386 @@ Requires permission to call the `ec2:DisassociateVerifiedAccessInstanceWebAcl` a -This section lists the permissions required to get the web ACL for a protected resource using the AWS WAF action `GetWebACLForResource`. +This section lists the permissions required to get the protection pack or web ACL for a protected resource using the AWS WAF action `GetWebACLForResource`. @@ -388 +392 @@ For Amazon CloudFront distributions, instead of this action, use the CloudFront -`GetWebACLForResource` requires the permission to call `GetWebACL`. In this context, AWS WAF uses `GetWebACL` only to verify that your account has the permission it needs to access the web ACL that `GetWebACLForResource` returns. When you call `GetWebACLForResource`, you might get an error indicating that your account is not authorized to perform `wafv2:GetWebACL` on the resource. AWS WAF doesn't add this type of error to the AWS CloudTrail event history. +`GetWebACLForResource` requires the permission to call `GetWebACL`. In this context, AWS WAF uses `GetWebACL` only to verify that your account has the permission it needs to access the protection pack or web ACL that `GetWebACLForResource` returns. When you call `GetWebACLForResource`, you might get an error indicating that your account is not authorized to perform `wafv2:GetWebACL` on the resource. AWS WAF doesn't add this type of error to the AWS CloudTrail event history. @@ -392 +396 @@ For Amazon CloudFront distributions, instead of this action, use the CloudFront -Require permission to call AWS WAF `GetWebACLForResource` and `GetWebACL` for a web ACL. +Require permission to call AWS WAF `GetWebACLForResource` and `GetWebACL` for a protection pack or web ACL. @@ -490 +494 @@ Requires permission to call the `ec2:GetVerifiedAccessInstanceWebAcl` action on -This section lists the permissions required to retrieve the list of protected resources for a web ACL using the AWS WAF action `ListResourcesForWebACL`. +This section lists the permissions required to retrieve the list of protected resources for a protection pack or web ACL using the AWS WAF action `ListResourcesForWebACL`. @@ -625 +629 @@ The following lists requirements that are specific to the ARNs of `wafv2` resour -For example, the following ARN specifies all web ACLs with regional scope for the account `111122223333` in Region `us-west-1`: +For example, the following ARN specifies all protection pack or web ACLs with regional scope for the account `111122223333` in Region `us-west-1`: