AWS waf documentation change
Summary
Updated documentation to include references to 'protection packs' alongside web ACLs in label processing contexts, and added a note about the new console experience.
Security assessment
The changes introduce 'protection packs' as a new organizational structure for security rules but do not address any specific security vulnerability. The updates enhance documentation about security features (label-based rule evaluation and monitoring) by incorporating protection packs as part of AWS WAF's security configuration options.
Diff
diff --git a/waf/latest/developerguide/waf-labels.md b/waf/latest/developerguide/waf-labels.md index 377f8e8fb..a7d75f292 100644 --- a//waf/latest/developerguide/waf-labels.md +++ b//waf/latest/developerguide/waf-labels.md @@ -4,0 +5,4 @@ +**Introducing a new console experience for AWS WAF** + +You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). + @@ -9 +13 @@ This section explains what AWS WAF labels are. -A label is metadata added to a web request by a rule when the rule matches the request. Once added, a label remains available on the request until the web ACL evaluation ends. You can access labels in rules that run later in the web ACL evaluation by using a label match statement. For details, see [Label match rule statement](./waf-rule-statement-type-label-match.html). +A label is metadata added to a web request by a rule when the rule matches the request. Once added, a label remains available on the request until the protection pack or web ACL evaluation ends. You can access labels in rules that run later in the protection pack or web ACL evaluation by using a label match statement. For details, see [Label match rule statement](./waf-rule-statement-type-label-match.html). @@ -17 +21 @@ Common use cases for AWS WAF labels include the following: - * **Evaluating a web request against multiple rule statements before taking action on the request** – After a match is found with a rule in a web ACL, AWS WAF continues evaluating the request against the web ACL if the rule action doesn't terminate the web ACL evaluation. You can use labels to evaluate and collect information from multiple rules before you decide to allow or block the request. To do this, change the actions for your existing rules to Count and configure them to add labels to matching requests. Then, add one or more new rules to run after your other rules, and configure them to evaluate the labels and manage the requests according to the label match combinations. + * **Evaluating a web request against multiple rule statements before taking action on the request** – After a match is found with a rule in a protection pack or web ACL, AWS WAF continues evaluating the request against the protection pack or web ACL if the rule action doesn't terminate the protection pack or web ACL evaluation. You can use labels to evaluate and collect information from multiple rules before you decide to allow or block the request. To do this, change the actions for your existing rules to Count and configure them to add labels to matching requests. Then, add one or more new rules to run after your other rules, and configure them to evaluate the labels and manage the requests according to the label match combinations. @@ -21 +25 @@ Common use cases for AWS WAF labels include the following: - * **Reusing logic across multiple rules** – If you need to reuse the same logic across multiple rules, you can use labels to single-source the logic and just test for the results. When you have multiple complex rules that use a common subset of nested rule statements, duplicating the common rule set across your complex rules can be time consuming and error prone. With labels, you can create a new rule with the common rule subset that counts matching requests and adds a label to them. You add the new rule to your web ACL so that it runs before your original complex rules. Then, in your original rules, you replace the shared rule subset with a single rule that checks for the label. + * **Reusing logic across multiple rules** – If you need to reuse the same logic across multiple rules, you can use labels to single-source the logic and just test for the results. When you have multiple complex rules that use a common subset of nested rule statements, duplicating the common rule set across your complex rules can be time consuming and error prone. With labels, you can create a new rule with the common rule subset that counts matching requests and adds a label to them. You add the new rule to your protection pack or web ACL so that it runs before your original complex rules. Then, in your original rules, you replace the shared rule subset with a single rule that checks for the label. @@ -23 +27 @@ Common use cases for AWS WAF labels include the following: -For example, say you have multiple rules that you want to only apply to your login paths. Rather than have each rule specify the same logic to match potential login paths, you can implement a single new rule that contains that logic. Have the new rule add a label to matching requests to indicate that the request is on a login path. In your web ACL, give this new rule a lower numeric priority setting than your original rules so that it runs first. Then, in your original rules, replace the shared logic with a check for the presence of the label. For information about priority settings, see [Setting rule priority in a web ACL](./web-acl-processing-order.html). +For example, say you have multiple rules that you want to only apply to your login paths. Rather than have each rule specify the same logic to match potential login paths, you can implement a single new rule that contains that logic. Have the new rule add a label to matching requests to indicate that the request is on a login path. In your protection pack or web ACL, give this new rule a lower numeric priority setting than your original rules so that it runs first. Then, in your original rules, replace the shared logic with a check for the presence of the label. For information about priority settings, see [Setting rule priority](./web-acl-processing-order.html). @@ -27 +31 @@ For example, say you have multiple rules that you want to only apply to your log - * **Using label metrics to monitor traffic patterns** – You can access metrics for labels that you add through your rules and for metrics added by any managed rule groups that you use in your web ACL. All of the AWS Managed Rules rule groups add labels to the web requests that they evaluate. For a list of label metrics and dimensions, see [Label metrics and dimensions](./waf-metrics.html#waf-metrics-label). You can access metrics and metric summaries through CloudWatch and through the web ACL page in the AWS WAF console. For information, see [Monitoring and tuning your AWS WAF protections](./web-acl-testing-activities.html). + * **Using label metrics to monitor traffic patterns** – You can access metrics for labels that you add through your rules and for metrics added by any managed rule groups that you use in your protection pack or web ACL. All of the AWS Managed Rules rule groups add labels to the web requests that they evaluate. For a list of label metrics and dimensions, see [Label metrics and dimensions](./waf-metrics.html#waf-metrics-label). You can access metrics and metric summaries through CloudWatch and through the protection pack or web ACL page in the AWS WAF console. For information, see [Monitoring and tuning your AWS WAF protections](./web-acl-testing-activities.html).