AWS waf documentation change
Summary
Added information about protection packs alongside web ACLs, updated references to console experience, and emphasized proper management of Shield Advanced rule groups
Security assessment
The changes primarily document proper management practices for Shield Advanced/Firewall Manager rule groups and introduce 'protection pack' terminology. While it reinforces security best practices (like not manually deleting mitigation rules), there's no evidence of addressing a specific vulnerability. The updates expand documentation for existing security features rather than responding to new vulnerabilities.
Diff
diff --git a/waf/latest/developerguide/waf-service-owned-rule-groups.md b/waf/latest/developerguide/waf-service-owned-rule-groups.md index 5199b0ab9..2b495ea57 100644 --- a//waf/latest/developerguide/waf-service-owned-rule-groups.md +++ b//waf/latest/developerguide/waf-service-owned-rule-groups.md @@ -4,0 +5,4 @@ +**Introducing a new console experience for AWS WAF** + +You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). + @@ -7 +11 @@ -If you or an administrator in your organization uses AWS Firewall Manager or AWS Shield Advanced to manage resource protections using AWS WAF, you might see rule group reference statements added to web ACLs in your account. +If you or an administrator in your organization uses AWS Firewall Manager or AWS Shield Advanced to manage resource protections using AWS WAF, you might see rule group reference statements added to protection pack or web ACLs in your account. @@ -13 +17 @@ The names of these rule groups begin with the following strings: -When you enable automatic application layer DDoS mitigation for a protected resource, Shield Advanced adds one of these rule groups to the web ACL that you have associated with the resource. Shield Advanced assigns the rule group reference statement a priority setting of 10,000,000, so that it runs after the rules that you have configured in the web ACL. For more information about these rule groups, see [Automating application layer DDoS mitigation with Shield Advanced ](./ddos-automatic-app-layer-response.html). +When you enable automatic application layer DDoS mitigation for a protected resource, Shield Advanced adds one of these rule groups to the protection pack or web ACL that you have associated with the resource. Shield Advanced assigns the rule group reference statement a priority setting of 10,000,000, so that it runs after the rules that you have configured in the protection pack or web ACL. For more information about these rule groups, see [Automating application layer DDoS mitigation with Shield Advanced ](./ddos-automatic-app-layer-response.html). @@ -17 +21 @@ When you enable automatic application layer DDoS mitigation for a protected reso -Don't try to manually manage this rule group in your web ACL. In particular, don't manually delete the `ShieldMitigationRuleGroup` rule group reference statement from your web ACL. Doing this could have unintended consequences for all resources that are associated with the web ACL. Instead, use Shield Advanced to disable automatic mitigation for the resources that are associated with the web ACL. Shield Advanced will remove the rule group for you when it's not needed for automatic mitigation. +Don't try to manually manage this rule group in your protection pack or web ACL. In particular, don't manually delete the `ShieldMitigationRuleGroup` rule group reference statement from your protection pack or web ACL. Doing this could have unintended consequences for all resources that are associated with the protection pack or web ACL. Instead, use Shield Advanced to disable automatic mitigation for the resources that are associated with the protection pack or web ACL. Shield Advanced will remove the rule group for you when it's not needed for automatic mitigation. @@ -19 +23 @@ Don't try to manually manage this rule group in your web ACL. In particular, don - * **`PREFMManaged` and `POSTFMManaged`** – These rule groups are managed by AWS Firewall Manager based on Firewall Manager AWS WAF policy configurations. Firewall Manager provides these rule groups inside web ACLs that Firewall Manager manages. + * **`PREFMManaged` and `POSTFMManaged`** – These rule groups are managed by AWS Firewall Manager based on Firewall Manager AWS WAF policy configurations. Firewall Manager provides these rule groups inside protection pack or web ACLs that Firewall Manager manages. @@ -21 +25 @@ Don't try to manually manage this rule group in your web ACL. In particular, don -Firewall Manager creates web ACLs for you with names that begin with `FMManagedWebACLV2`. You can configure Firewall Manager to retrofit your existing web ACLs as well. For these, the web ACL name is the one that you specified when you created it. In either case, Firewall Manager will add these rule groups to the web ACL. For more information, see [Using AWS WAF policies with Firewall Manager](./waf-policies.html). +Firewall Manager creates protection pack or web ACLs for you with names that begin with `FMManagedWebACLV2`. You can configure Firewall Manager to retrofit your existing protection pack or web ACLs as well. For these, the protection pack or web ACL name is the one that you specified when you created it. In either case, Firewall Manager will add these rule groups to the protection pack or web ACL. For more information, see [Using AWS WAF policies with Firewall Manager](./waf-policies.html).