AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-06-19 · Documentation low

File: waf/latest/developerguide/waf-rule-label-overview.md

Summary

Updated documentation to include references to 'protection pack' alongside existing 'web ACL' terminology throughout the label handling explanation. Added section about new console experience.

Security assessment

Changes primarily introduce terminology for 'protection packs' as a new organizational component alongside web ACLs, but there's no mention of vulnerabilities or security incidents. Updates focus on label persistence and evaluation flow between components without indicating security fixes.

Diff

diff --git a/waf/latest/developerguide/waf-rule-label-overview.md b/waf/latest/developerguide/waf-rule-label-overview.md
index ff651b1fa..e0fb4ac11 100644
--- a//waf/latest/developerguide/waf-rule-label-overview.md
+++ b//waf/latest/developerguide/waf-rule-label-overview.md
@@ -4,0 +5,4 @@
+**Introducing a new console experience for AWS WAF**
+
+You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). 
+
@@ -9 +13 @@ This section explains how AWS WAF labels work.
-When a rule matches a web request, if the rule has labels defined, AWS WAF adds the labels to the request at the end of the rule evaluation. Rules that are evaluated after the matching rule in the web ACL can match against the labels that the rule has added. 
+When a rule matches a web request, if the rule has labels defined, AWS WAF adds the labels to the request at the end of the rule evaluation. Rules that are evaluated after the matching rule in the protection pack or web ACL can match against the labels that the rule has added. 
@@ -13 +17 @@ When a rule matches a web request, if the rule has labels defined, AWS WAF adds
-The web ACL components that evaluate requests can add labels to the requests. 
+The protection pack or web ACL components that evaluate requests can add labels to the requests. 
@@ -28 +32 @@ AWS WAF adds the rule's labels to the request at the end of the rule's inspectio
-Labels don't persist with the web request after the web ACL evaluation ends. In order for other rules to match against a label that your rule adds, your rule action must not terminate the evaluation of the web request by the web ACL. The rule action must be set to Count, CAPTCHA, or Challenge. When the web ACL evaluation doesn't terminate, subsequent rules in the web ACL can run their label matching criteria against the request. For more information about rule actions, see [Using rule actions in AWS WAF](./waf-rule-action.html). 
+Labels don't persist with the web request after the protection pack or web ACL evaluation ends. In order for other rules to match against a label that your rule adds, your rule action must not terminate the evaluation of the web request by the protection pack or web ACL. The rule action must be set to Count, CAPTCHA, or Challenge. When the protection pack or web ACL evaluation doesn't terminate, subsequent rules in the protection pack or web ACL can run their label matching criteria against the request. For more information about rule actions, see [Using rule actions in AWS WAF](./waf-rule-action.html). 
@@ -30 +34 @@ Labels don't persist with the web request after the web ACL evaluation ends. In
-###### Access to labels during web ACL evaluation
+###### Access to labels during protection pack or web ACL evaluation
@@ -32 +36 @@ Labels don't persist with the web request after the web ACL evaluation ends. In
-Once added, labels remain available on the request as long as AWS WAF is evaluating the request against the web ACL. Any rule in a web ACL can access labels that have been added by the rules that have already run in the same web ACL. This includes rules that are defined directly inside the web ACL and rules defined inside rule groups that are used in the web ACL. 
+Once added, labels remain available on the request as long as AWS WAF is evaluating the request against the protection pack or web ACL. Any rule in a protection pack or web ACL can access labels that have been added by the rules that have already run in the same protection pack or web ACL. This includes rules that are defined directly inside the protection pack or web ACL and rules defined inside rule groups that are used in the protection pack or web ACL. 
@@ -36 +40 @@ Once added, labels remain available on the request as long as AWS WAF is evaluat
-  * The geographic match statement adds labels with or without a match, but they're only available after the statement's containing web ACL rule has completed the request evaluation. 
+  * The geographic match statement adds labels with or without a match, but they're only available after the statement's containing protection pack or web ACL rule has completed the request evaluation. 
@@ -45 +49 @@ Once added, labels remain available on the request as long as AWS WAF is evaluat
-###### Access to label information outside of web ACL evaluation
+###### Access to label information outside of protection pack or web ACL evaluation
@@ -47 +51 @@ Once added, labels remain available on the request as long as AWS WAF is evaluat
-Labels don't persist with the web request after the web ACL evaluation ends, but AWS WAF records label information in the logs and in metrics. 
+Labels don't persist with the web request after the protection pack or web ACL evaluation ends, but AWS WAF records label information in the logs and in metrics. 
@@ -51 +55 @@ Labels don't persist with the web request after the web ACL evaluation ends, but
-  * AWS WAF summarizes CloudWatch label metrics in the web ACL traffic overview dashboards in the AWS WAF console. You can access the dashboards on any web ACL page. For more information, see [Web ACL traffic overview dashboards](./web-acl-dashboards.html).
+  * AWS WAF summarizes CloudWatch label metrics in the protection pack or web ACL traffic overview dashboards in the AWS WAF console. You can access the dashboards on any protection pack or web ACL page. For more information, see [Traffic overview dashboards for protection pack or web ACLs](./web-acl-dashboards.html).
@@ -53 +57 @@ Labels don't persist with the web request after the web ACL evaluation ends, but
-  * AWS WAF records labels in the logs for the first 100 labels on a request. You can use labels, along with the rule action, to filter the logs that AWS WAF records. For information, see [Logging AWS WAF web ACL traffic](./logging.html).
+  * AWS WAF records labels in the logs for the first 100 labels on a request. You can use labels, along with the rule action, to filter the logs that AWS WAF records. For information, see [Logging AWS WAF protection pack or web ACL traffic](./logging.html).
@@ -58 +62 @@ Labels don't persist with the web request after the web ACL evaluation ends, but
-Your web ACL evaluation can apply more than 100 labels to a web request and match against more than 100 labels, but AWS WAF only records the first 100 in the logs and metrics. 
+Your protection pack or web ACL evaluation can apply more than 100 labels to a web request and match against more than 100 labels, but AWS WAF only records the first 100 in the logs and metrics.