AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-06-19 · Documentation low

File: waf/latest/developerguide/web-acl-associating-aws-resource.md

Summary

Updated documentation to introduce protection packs alongside web ACLs, modified association terminology, and added references to new console experience

Security assessment

The changes introduce 'protection packs' as a new association option alongside web ACLs, which appears to be a new security feature. While this adds documentation about security capabilities, there's no evidence of addressing existing vulnerabilities.

Diff

diff --git a/waf/latest/developerguide/web-acl-associating-aws-resource.md b/waf/latest/developerguide/web-acl-associating-aws-resource.md
index 23d24ad6a..d8d93f8c4 100644
--- a//waf/latest/developerguide/web-acl-associating-aws-resource.md
+++ b//waf/latest/developerguide/web-acl-associating-aws-resource.md
@@ -5 +5 @@
-# Associating or disassociating a web ACL with an AWS resource
+**Introducing a new console experience for AWS WAF**
@@ -7 +7 @@
-You can use AWS WAF to create the following associations between web ACLS and your resources: 
+You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). 
@@ -9 +9,5 @@ You can use AWS WAF to create the following associations between web ACLS and yo
-  * Associate a regional web ACL with any of the regional resources listed below. For this option, the web ACL must be in the same region as your resource. 
+# Associating or disassociating protection with an AWS resource
+
+You can use AWS WAF to create the following associations between protection pack or web ACLs and your resources: 
+
+  * Associate a regional protection pack or web ACL with any of the regional resources listed below. For this option, the protection pack or web ACL must be in the same region as your resource. 
@@ -25 +29 @@ You can use AWS WAF to create the following associations between web ACLS and yo
-  * Associate a global web ACL with a Amazon CloudFront distribution. The global web ACL will have a hard-coded Region of US East (N. Virginia) Region.
+  * Associate a global protection pack or web ACL with a Amazon CloudFront distribution. The global protection pack or web ACL will have a hard-coded Region of US East (N. Virginia) Region.
@@ -30 +34 @@ You can use AWS WAF to create the following associations between web ACLS and yo
-You can also associate a web ACL with a CloudFront distribution when you create or update the distribution itself. For information, see [Using AWS WAF to Control Access to Your Content](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html) in the _Amazon CloudFront Developer Guide_.
+You can also associate a protection pack or web ACL with a CloudFront distribution when you create or update the distribution itself. For information, see [Using AWS WAF to Control Access to Your Content](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/distribution-web-awswaf.html) in the _Amazon CloudFront Developer Guide_.
@@ -34 +38 @@ You can also associate a web ACL with a CloudFront distribution when you create
-You can associate a single web ACL with one or more AWS resources, according to the following restrictions:
+You can associate a single protection pack or web ACL with one or more AWS resources, according to the following restrictions:
@@ -36 +40 @@ You can associate a single web ACL with one or more AWS resources, according to
-  * You can associate each AWS resource with only one web ACL. The relationship between web ACL and AWS resources is one-to-many. 
+  * You can associate each AWS resource with only one protection pack or web ACL. The relationship between protection pack or web ACL and AWS resources is one-to-many. 
@@ -38 +42 @@ You can associate a single web ACL with one or more AWS resources, according to
-  * You can associate a web ACL with one or more CloudFront distributions. You cannot associate a web ACL that you have associated with a CloudFront distribution with any other AWS resource type.
+  * You can associate a protection pack or web ACL with one or more CloudFront distributions. You cannot associate a protection pack or web ACL that you have associated with a CloudFront distribution with any other AWS resource type.
@@ -45 +49 @@ You can associate a single web ACL with one or more AWS resources, according to
-The following additional restrictions apply to web ACL associations: 
+The following additional restrictions apply to protection pack or web ACL associations: 
@@ -47 +51 @@ The following additional restrictions apply to web ACL associations:
-  * You can only associate a web ACL to an Application Load Balancer within AWS Regions. For example, you cannot associate a web ACL to an Application Load Balancer that is on AWS Outposts.
+  * You can only associate a protection pack or web ACL to an Application Load Balancer within AWS Regions. For example, you cannot associate a protection pack or web ACL to an Application Load Balancer that is on AWS Outposts.
@@ -49 +53 @@ The following additional restrictions apply to web ACL associations:
-  * You can't associate an Amazon Cognito user pool with a web ACL that uses the AWS WAF Fraud Control account creation fraud prevention (ACFP) managed rule group ``AWSManagedRulesACFPRuleSet`` or the AWS WAF Fraud Control account takeover prevention (ATP) managed rule group ``AWSManagedRulesATPRuleSet``. For information about account creation fraud prevention, see [AWS WAF Fraud Control account creation fraud prevention (ACFP)](./waf-acfp.html). For information about account takeover prevention, see [AWS WAF Fraud Control account takeover prevention (ATP)](./waf-atp.html). 
+  * You can't associate an Amazon Cognito user pool with a protection pack or web ACL that uses the AWS WAF Fraud Control account creation fraud prevention (ACFP) managed rule group ``AWSManagedRulesACFPRuleSet`` or the AWS WAF Fraud Control account takeover prevention (ATP) managed rule group ``AWSManagedRulesATPRuleSet``. For information about account creation fraud prevention, see [AWS WAF Fraud Control account creation fraud prevention (ACFP)](./waf-acfp.html). For information about account takeover prevention, see [AWS WAF Fraud Control account takeover prevention (ATP)](./waf-atp.html). 
@@ -56 +60 @@ The following additional restrictions apply to web ACL associations:
-Before you deploy your web ACL for production traffic, test and tune it in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your rules in count mode with your production traffic before enabling them. For guidance, see [Testing and tuning your AWS WAF protections](./web-acl-testing.html).
+Before you deploy your protection pack or web ACL for production traffic, test and tune it in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your rules in count mode with your production traffic before enabling them. For guidance, see [Testing and tuning your AWS WAF protections](./web-acl-testing.html).
@@ -64 +68 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Managing rule group behavior in a web ACL
+Managing rule group behavior
@@ -66 +70 @@ Managing rule group behavior in a web ACL
-Associating a web ACL with an AWS resource
+Associating protection with an AWS resource