AWS Security ChangesHomeSearch

AWS waf medium security documentation change

Service: waf · 2025-06-19 · Security-related medium

File: waf/latest/developerguide/waf-managed-rule-groups-versioning-lifecycle.md

Summary

Added references to 'protection pack' alongside web ACL in version expiration logic and introduced new console experience documentation

Security assessment

The change enforces version management by expanding expiration rules to protection packs, ensuring outdated rule versions cannot be used. This prevents potential security gaps from using expired rule versions.

Diff

diff --git a/waf/latest/developerguide/waf-managed-rule-groups-versioning-lifecycle.md b/waf/latest/developerguide/waf-managed-rule-groups-versioning-lifecycle.md
index c67a6b18b..2b56d4557 100644
--- a//waf/latest/developerguide/waf-managed-rule-groups-versioning-lifecycle.md
+++ b//waf/latest/developerguide/waf-managed-rule-groups-versioning-lifecycle.md
@@ -4,0 +5,4 @@
+**Introducing a new console experience for AWS WAF**
+
+You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). 
+
@@ -13 +17 @@ You can subscribe to the rule group's topic and configure how you want to receiv
-  * **Expiration scheduling** – A managed rule group provider schedules older versions of a rule group for expiration. A version that's scheduled to expire cannot be added to your web ACL rules. After expiration is scheduled for a version, AWS WAF tracks the expiration with a countdown metric in Amazon CloudWatch. 
+  * **Expiration scheduling** – A managed rule group provider schedules older versions of a rule group for expiration. A version that's scheduled to expire cannot be added to your protection pack or web ACL rules. After expiration is scheduled for a version, AWS WAF tracks the expiration with a countdown metric in Amazon CloudWatch. 
@@ -15 +19 @@ You can subscribe to the rule group's topic and configure how you want to receiv
-  * **Version expiration** – If you have a web ACL configured to use an expired version of a managed rule group, then during web ACL evaluation, AWS WAF uses the rule group's default version. Additionally, AWS WAF blocks any updates to the web ACL that don't either remove the rule group or change its version to an unexpired one.
+  * **Version expiration** – If you have a protection pack or web ACL configured to use an expired version of a managed rule group, then during protection pack or web ACL evaluation, AWS WAF uses the rule group's default version. Additionally, AWS WAF blocks any updates to the protection pack or web ACL that don't either remove the rule group or change its version to an unexpired one.