AWS waf documentation change
Summary
Updated documentation to include 'protection pack' terminology alongside web ACL references throughout the JavaScript challenge integration guide. Added a section about the new console experience.
Security assessment
The changes expand documentation scope to include protection packs as part of AWS WAF's security configuration options, but there's no evidence of addressing a specific vulnerability. The updates relate to existing security features (CAPTCHA/challenge token verification) rather than patching a security flaw.
Diff
diff --git a/waf/latest/developerguide/waf-js-challenge-api.md b/waf/latest/developerguide/waf-js-challenge-api.md index a6ed956cf..fcfb66250 100644 --- a//waf/latest/developerguide/waf-js-challenge-api.md +++ b//waf/latest/developerguide/waf-js-challenge-api.md @@ -4,0 +5,4 @@ +**Introducing a new console experience for AWS WAF** + +You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). + @@ -25 +29 @@ If you use the CAPTCHA API, you can skip this step. When you install the CAPTCHA - 4. In the tab, select the web ACL that you want to integrate with. The web ACL list includes only web ACLs that use the `AWSManagedRulesACFPRuleSet` managed rule group, the `AWSManagedRulesATPRuleSet` managed rule group, or the targeted protection level of the `AWSManagedRulesBotControlRuleSet` managed rule group. + 4. In the tab, select the protection pack or web ACL that you want to integrate with. The protection pack or web ACL list includes only protection pack or web ACLs that use the `AWSManagedRulesACFPRuleSet` managed rule group, the `AWSManagedRulesATPRuleSet` managed rule group, or the targeted protection level of the `AWSManagedRulesBotControlRuleSet` managed rule group. @@ -29 +33 @@ If you use the CAPTCHA API, you can skip this step. When you install the CAPTCHA - 6. In your application page code, in the `<head>` section, insert the script tag that you copied for the web ACL. This inclusion causes your client application to automatically retrieve a token in the background on page load. + 6. In your application page code, in the `<head>` section, insert the script tag that you copied for the protection pack or web ACL. This inclusion causes your client application to automatically retrieve a token in the background on page load. @@ -32 +36 @@ If you use the CAPTCHA API, you can skip this step. When you install the CAPTCHA - <script type="text/javascript" src="Web ACL integration URL/challenge.js” defer></script> + <script type="text/javascript" src="protection pack or web ACL integration URL/challenge.js” defer></script> @@ -37 +41 @@ This `<script>` listing is configured with the `defer` attribute, but you can ch - 2. **(Optional) Add domain configuration for the client's tokens** – By default, when AWS WAF creates a token, it uses the host domain of the resource that’s associated with the web ACL. To provide additional domains for the JavaScript APIs, follow the guidance at [Providing domains for use in the tokens](./waf-js-challenge-api-set-token-domain.html). + 2. **(Optional) Add domain configuration for the client's tokens** – By default, when AWS WAF creates a token, it uses the host domain of the resource that’s associated with the protection pack or web ACL. To provide additional domains for the JavaScript APIs, follow the guidance at [Providing domains for use in the tokens](./waf-js-challenge-api-set-token-domain.html). @@ -41 +45 @@ This `<script>` listing is configured with the `defer` attribute, but you can ch - 4. **Add token verification in your web ACL** – Add at least one rule to your web ACL that checks for a valid challenge token in the web requests that your client sends. You can use rule groups that check and monitor challenge tokens, like the targeted level of the Bot Control managed rule group, and you can use the Challenge rule action to check, as described in [CAPTCHA and Challenge in AWS WAF](./waf-captcha-and-challenge.html). + 4. **Add token verification in your protection pack or web ACL** – Add at least one rule to your protection pack or web ACL that checks for a valid challenge token in the web requests that your client sends. You can use rule groups that check and monitor challenge tokens, like the targeted level of the Bot Control managed rule group, and you can use the Challenge rule action to check, as described in [CAPTCHA and Challenge in AWS WAF](./waf-captcha-and-challenge.html). @@ -43 +47 @@ This `<script>` listing is configured with the `defer` attribute, but you can ch -The web ACL additions verify that requests to your protected endpoints include the token that you've acquired in your client integration. Requests that include a valid, unexpired token pass the Challenge inspection and do not send another silent challenge to your client. +The protection pack or web ACL additions verify that requests to your protected endpoints include the token that you've acquired in your client integration. Requests that include a valid, unexpired token pass the Challenge inspection and do not send another silent challenge to your client.