AWS waf documentation change
Summary
Added new console experience notice and expanded configuration guidance to include protection packs alongside web ACLs for token domain validation
Security assessment
The change introduces 'protection packs' as a new configurable entity for token domain validation alongside web ACLs. While this documents security-related features (token validation configuration), there's no evidence of addressing a specific vulnerability. The update appears to document expanded functionality rather than fix a security issue.
Diff
diff --git a/waf/latest/developerguide/waf-tokens-with-alb-and-cf.md b/waf/latest/developerguide/waf-tokens-with-alb-and-cf.md index 05e584923..184284071 100644 --- a//waf/latest/developerguide/waf-tokens-with-alb-and-cf.md +++ b//waf/latest/developerguide/waf-tokens-with-alb-and-cf.md @@ -4,0 +5,4 @@ +**Introducing a new console experience for AWS WAF** + +You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). + @@ -7 +11 @@ -Read this section if you associate your web ACL to an Application Load Balancer and you deploy the Application Load Balancer as the origin for a CloudFront distribution. +Read this section if you associate your protection pack or web ACL to an Application Load Balancer and you deploy the Application Load Balancer as the origin for a CloudFront distribution. @@ -13 +17 @@ With this architecture, you need to provide the following additional configurati - * Configure AWS WAF so that it recognizes the domain of the CloudFront distribution as a valid token domain. By default, CloudFront sets the `Host` header to the Application Load Balancer origin, and AWS WAF uses that as the domain of the protected resource. The client browser, however, sees the CloudFront distribution as the host domain, and tokens that are generated for the client use the CloudFront domain as the token domain. Without any additional configuration, when AWS WAF checks the protected resource domain against the token domain, it will get a mismatch. To fix this, add the CloudFront distribution domain name to the token domain list in your web ACL configuration. For information about how to do this, see [AWS WAF web ACL token domain list configuration](./waf-tokens-domains.html#waf-tokens-domain-lists). + * Configure AWS WAF so that it recognizes the domain of the CloudFront distribution as a valid token domain. By default, CloudFront sets the `Host` header to the Application Load Balancer origin, and AWS WAF uses that as the domain of the protected resource. The client browser, however, sees the CloudFront distribution as the host domain, and tokens that are generated for the client use the CloudFront domain as the token domain. Without any additional configuration, when AWS WAF checks the protected resource domain against the token domain, it will get a mismatch. To fix this, add the CloudFront distribution domain name to the token domain list in your protection pack or web ACL configuration. For information about how to do this, see [AWS WAF protection pack or web ACL token domain list configuration](./waf-tokens-domains.html#waf-tokens-domain-lists).