AWS waf documentation change
Summary
Added references to 'protection pack' alongside web ACLs in SDK implementation requirements and evaluation contexts. Introduced new console experience announcement.
Security assessment
The changes expand documentation about existing security features (SDKs, rule groups) to include protection packs as an additional context. No vulnerabilities or security incidents are addressed. Updates reflect product terminology changes rather than security fixes.
Diff
diff --git a/waf/latest/developerguide/waf-managed-protections-comparison-table-token.md b/waf/latest/developerguide/waf-managed-protections-comparison-table-token.md index 25dcb91f2..390df5f49 100644 --- a//waf/latest/developerguide/waf-managed-protections-comparison-table-token.md +++ b//waf/latest/developerguide/waf-managed-protections-comparison-table-token.md @@ -4,0 +5,4 @@ +**Introducing a new console experience for AWS WAF** + +You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). + @@ -9 +13 @@ This section compares challenge and token management options. -You can provide challenges and acquire tokens using the AWS WAF application integration SDKs or the rule actions Challenge and CAPTCHA. Broadly speaking, the rule actions are easier to implement, but they incur added costs, intrude more on your customer experience, and require JavaScript. The SDKs require programming in your client applications, but they can provide a better customer experience, they're free to use, and they can be used with JavaScript or in Android or iOS applications. You can only use the application integration SDKs with web ACLs that use one of the paid intelligent threat mitigation managed rule groups, described in the following section. +You can provide challenges and acquire tokens using the AWS WAF application integration SDKs or the rule actions Challenge and CAPTCHA. Broadly speaking, the rule actions are easier to implement, but they incur added costs, intrude more on your customer experience, and require JavaScript. The SDKs require programming in your client applications, but they can provide a better customer experience, they're free to use, and they can be used with JavaScript or in Android or iOS applications. You can only use the application integration SDKs with protection pack or web ACLs that use one of the paid intelligent threat mitigation managed rule groups, described in the following section. @@ -15 +19 @@ Good choice for... | Silent validation against bot sessions and enforcement of t -Implementation considerations | Implemented as a rule action setting | Implemented as a rule action setting | Requires one of the ACFP, ATP, or Bot Control paid rule groups in the web ACL. Requires coding in the client application. | Requires one of the ACFP, ATP, or Bot Control paid rule groups in the web ACL. Requires coding in the client application. +Implementation considerations | Implemented as a rule action setting | Implemented as a rule action setting | Requires one of the ACFP, ATP, or Bot Control paid rule groups in the protection pack or web ACL. Requires coding in the client application. | Requires one of the ACFP, ATP, or Bot Control paid rule groups in the protection pack or web ACL. Requires coding in the client application. @@ -26 +30 @@ It can be simpler to run challenges and provide basic token enforcement by just -If you can implement the SDKs however, you can save costs and reduce latency in your web ACL evaluation of client web requests, compared to using the Challenge action: +If you can implement the SDKs however, you can save costs and reduce latency in your protection pack or web ACL evaluation of client web requests, compared to using the Challenge action: @@ -30 +34 @@ If you can implement the SDKs however, you can save costs and reduce latency in - * If instead you acquire tokens by implementing a rule with the Challenge action, the rule and action require additional web request evaluation and processing when the client first sends a request and anytime the token expires. The Challenge action blocks the request that doesn't have a valid, unexpired token, and sends the challenge interstitial back to the client. After the client successfully responds to the challenge, the interstitial resends the original web request with the valid token, which is then evaluated a second time by the web ACL. + * If instead you acquire tokens by implementing a rule with the Challenge action, the rule and action require additional web request evaluation and processing when the client first sends a request and anytime the token expires. The Challenge action blocks the request that doesn't have a valid, unexpired token, and sends the challenge interstitial back to the client. After the client successfully responds to the challenge, the interstitial resends the original web request with the valid token, which is then evaluated a second time by the protection pack or web ACL.