AWS waf documentation change
Summary
Added comprehensive documentation for creating 'protection packs' alongside web ACLs, including new security configurations like rate limits, IP blocking, and country-specific rules. Updated terminology and navigation to reflect new protection pack concept.
Security assessment
The changes introduce security-focused configurations like rate-based rules for DoS protection, IP blocking, and geographic controls, which are security features. However, there is no evidence of addressing a specific existing vulnerability. The updates primarily document new security capabilities rather than patching issues.
Diff
diff --git a/waf/latest/developerguide/web-acl-creating.md b/waf/latest/developerguide/web-acl-creating.md index e1aec7e5c..02b811f45 100644 --- a//waf/latest/developerguide/web-acl-creating.md +++ b//waf/latest/developerguide/web-acl-creating.md @@ -5 +5,120 @@ -# Creating a web ACL in AWS WAF +**Introducing a new console experience for AWS WAF** + +You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). + +# Creating a protection pack or web ACL in AWS WAF + +Creating a protection pack + + +This section provides procedures for creating protection packs through the AWS console. + +To create a new protection pack, use the protection pack creation wizard following the procedure on this page. + +###### Production traffic risk + +Before you deploy changes in your protection pack for production traffic, test and tune them in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your updated rules in count mode with your production traffic before enabling them. For guidance, see [Testing and tuning your AWS WAF protections](./web-acl-testing.html). + +###### Note + +Using more than 1,500 WCUs in a protection pack or web ACL incurs costs beyond the basic protection pack or web ACL price. For more information, see [Web ACL capacity units (WCUs) in AWS WAF](./aws-waf-capacity-units.html) and [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/). + + 1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). + + 2. In the navigation pane, choose **Resources & protections**. + + 3. On the **Resources & protections** page, choose **Add protection pack**. + + 4. Under **Tell us about your app** , for **App category** , select one or more app categories. + + 5. For **Traffic source** , choose the type of traffic the application engages with; **API** , **Web** , or **Both API and Web**. + + 6. Under **Resources to protect,** choose **Add resources**. + + 7. Choose the category of AWS resource that you want to associate with this protection pack, either Amazon CloudFront distributions or Regional resources. For more information, see [Associating or disassociating protection with an AWS resource](./web-acl-associating-aws-resource.html). + + 8. Under **Choose rule protections,** select your preferred protection level: **Recommended** , **Essentials** , or **You build it**. + + 9. (Optional) If you choose **You build it** , build your rules. + + 1. (Optional) If you want to add your own rule, on the **Add rules** page, choose **Custom rule** and then choose **Next**. + + 1. Choose the rule type. + + 2. For **Action** , select the action you want the rule to take when it matches a web request. For information on your choices, see [Using rule actions in AWS WAF](./waf-rule-action.html) and [Using protection pack or web ACLs with rules and rule groups in AWS WAF](./web-acl-processing.html). + +If you are using the **CAPTCHA** or **Challenge** action, adjust the **Immunity time** configuration as needed for the rule. If you don't specify the setting, the rule inherits it from the protection pack. To modify the protection pack immunity time settings, edit the protection pack after you create it. For more information about immunity times, see [Setting timestamp expiration and token immunity times in AWS WAF](./waf-tokens-immunity-times.html). + +###### Note + +You are charged additional fees when you use the CAPTCHA or Challenge rule action in one of your rules or as a rule action override in a rule group. For more information, see [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/). + +If you want to customize the request or response, choose the options for that and fill in the details of your customization. For more information, see [Customized web requests and responses in AWS WAF](./waf-custom-request-response.html). + +If you want to have your rule add labels to matching web requests, choose the options for that and fill in your label details. For more information, see [Web request labeling in AWS WAF](./waf-labels.html). + + 3. For **Name** , enter the name that you want to use to identify this rule. Don't use names that start with `AWS`, `Shield`, `PreFM`, or `PostFM`. These strings are either reserved or could cause confusion with rule groups that are managed for you by other services. + + 4. Enter your rule definition, according to your needs. You can combine rules inside logical `AND` and `OR` rule statements. The wizard guides you through the options for each rule, according to context. For information about your rules options, see [AWS WAF rules](./waf-rules.html). + + 5. Choose **Create rule**. + +###### Note + +If you add more than one rule to a protection pack, AWS WAF evaluates the rules in the order that they're listed for the protection pack. For more information, see [Using protection pack or web ACLs with rules and rule groups in AWS WAF](./web-acl-processing.html). + + 2. (Optional) If you want to add managed rule groups, on the **Add rules** page, choose **AWS-managed rule group** or **AWS Marketplace rule group** and then choose **Next**. Do the following for each managed rule group that you want to add: + + 1. On the **Add rules** page, expand the listing for AWS managed rule groups or for the AWS Marketplace seller. + + 2. Choose the version of the rule group. + + 3. To customize how your protection pack uses the rule group, choose **Edit**. The following are common customization settings: + + * Reduce the scope of the web requests that the rule group inspects by adding a scope-down statement in the **Inspection** section. For information about this option, see [Using scope-down statements in AWS WAF](./waf-rule-scope-down-statements.html). + + * Override the rule actions for some or all rules in **Rule overrides**. If you don't define an override action for a rule, the evaluation uses the rule action that's defined inside the rule group. For information about this option, see [Overriding rule group actions in AWS WAF](./web-acl-rule-group-override-options.html). + + * Some managed rule groups require you to provide additional configuration. See the documentation from your managed rule group provider. For information specific to the AWS Managed Rules rule groups, see [AWS Managed Rules for AWS WAF](./aws-managed-rule-groups.html). + + 4. Choose **Next**. + + 3. (Optional) If you want to add your own rule group, on the **Add rules** page, choose **Custom rule group** and then choose **Next**. Do the following for each rule group that you want to add: + + 1. For **Name** , enter the name that you want to use for the rule group rule in this protection pack. Don't use names that start with `AWS`, `Shield`, `PreFM`, or `PostFM`. These strings are either reserved or could cause confusion with rule groups that are managed for you by other services. See [Recognizing rule groups provided by other services](./waf-service-owned-rule-groups.html). + + 2. Choose your rule group from the list. + + 3. (Optional) Under **Rule configuration** , choose a **Rule override**. You can override the rule actions to any valid action setting, the same as you can do for managed rule groups. + + 4. (Optional) Under **Add labels** , choose **Add label** and then enter any labels you want to add to requests that match the rule. Rules that are evaluated later in the same protection pack can reference the labels this rule adds. + + 5. Choose **Create rule**. + + 10. Under **Name and description** , enter a name for your protection pack. Optionally, enter a description. + +###### Note + +You can't change the name after you create the protection pack. + + 11. (Optional) Under **Customize protection pack** , configure default rule actions, configurations, and logging destination: + + 1. (Optional) Under **Default rule actions** , choose the default action for the protection pack. This is the action that AWS WAF takes on a request when the rules in the protection pack don't explicitly take an action. For more information, see [Customized web requests and responses in AWS WAF](./waf-custom-request-response.html). + + 2. (Optional) Under Rule configuration, customize settings for rules in the protection pack: + + * **Default rate limits** \- Set rate limits to block Denial of Service (DoS) attacts that can affect availability, compromise security, or consume excessive resources. This rule rate blocks requests per IP address that exceed the allowed rate for your application. For more information, see [Using rate-based rule statements in AWS WAF](./waf-rule-statement-type-rate-based.html) + + * **IP Addresses** \- Enter IP addresses to block or allow. This setting overrides other protection rules. + + * **Country specific origins** \- Block requests from specified countries or Count all traffic. + + 3. For **Logging destination** , configure the logging destination type and the place to store logs. For more information, see [AWS WAF logging destinations](./logging-destinations.html). + + 12. Review your settings and choose **Add protection pack**. + + + + +Creating a web ACL + @@ -17 +136 @@ Before you deploy changes in your web ACL for production traffic, test and tune -Using more than 1,500 WCUs in a web ACL incurs costs beyond the basic web ACL price. For more information, see [Web ACL capacity units (WCUs) in AWS WAF](./aws-waf-capacity-units.html) and [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/). +Using more than 1,500 WCUs in a protection pack or web ACL incurs costs beyond the basic protection pack or web ACL price. For more information, see [Web ACL capacity units (WCUs) in AWS WAF](./aws-waf-capacity-units.html) and [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/). @@ -23 +142 @@ Using more than 1,500 WCUs in a web ACL incurs costs beyond the basic web ACL pr - 2. Choose **Web ACLs** in the navigation pane, and then choose **Create web ACL**. + 2. Choose **web ACLs** in the navigation pane, and then choose **Create web ACL**. @@ -39 +158 @@ You can't change the CloudWatch metric name after you create the web ACL. - 6. Under **Resource type** , choose the category of AWS resource that you want to associate with this web ACL, either Amazon CloudFront distributions or Regional resources. For more information, see [Associating or disassociating a web ACL with an AWS resource](./web-acl-associating-aws-resource.html). + 6. Under **Resource type** , choose the category of AWS resource that you want to associate with this web ACL, either Amazon CloudFront distributions or Regional resources. For more information, see [Associating or disassociating protection with an AWS resource](./web-acl-associating-aws-resource.html). @@ -75 +194 @@ Choose **Add rules** to finish adding managed rules and return to the **Add rule -If you add more than one rule to a web ACL, AWS WAF evaluates the rules in the order that they're listed for the web ACL. For more information, see [Using web ACLs with rules and rule groups in AWS WAF](./web-acl-processing.html). +If you add more than one rule to a web ACL, AWS WAF evaluates the rules in the order that they're listed for the web ACL. For more information, see [Using protection pack or web ACLs with rules and rule groups in AWS WAF](./web-acl-processing.html). @@ -103 +222 @@ This procedure covers the **Rule visual editor**. - 3. For **Action** , select the action you want the rule to take when it matches a web request. For information on your choices, see [Using rule actions in AWS WAF](./waf-rule-action.html) and [Using web ACLs with rules and rule groups in AWS WAF](./web-acl-processing.html). + 3. For **Action** , select the action you want the rule to take when it matches a web request. For information on your choices, see [Using rule actions in AWS WAF](./waf-rule-action.html) and [Using protection pack or web ACLs with rules and rule groups in AWS WAF](./web-acl-processing.html). @@ -117 +236 @@ If you want to have your rule add labels to matching web requests, choose the op - 14. Choose the default action for the web ACL, either Block or Allow. This is the action that AWS WAF takes on a request when the rules in the web ACL don't explicitly allow or block it. For more information, see [Setting the web ACL default action in AWS WAF](./web-acl-default-action.html). + 14. Choose the default action for the web ACL, either Block or Allow. This is the action that AWS WAF takes on a request when the rules in the web ACL don't explicitly allow or block it. For more information, see [Setting the protection pack or web ACL default action in AWS WAF](./web-acl-default-action.html). @@ -125 +244 @@ Public suffixes aren't allowed. For example, you can't use `gov.au` or `co.uk` a -By default, AWS WAF accepts tokens only for the domain of the protected resource. If you add token domains in this list, AWS WAF accepts tokens for all domains in the list and for the domain of the associated resource. For more information, see [AWS WAF web ACL token domain list configuration](./waf-tokens-domains.html#waf-tokens-domain-lists). +By default, AWS WAF accepts tokens only for the domain of the protected resource. If you add token domains in this list, AWS WAF accepts tokens for all domains in the list and for the domain of the associated resource. For more information, see [AWS WAF protection pack or web ACL token domain list configuration](./waf-tokens-domains.html#waf-tokens-domain-lists). @@ -129 +248 @@ By default, AWS WAF accepts tokens only for the domain of the protected resource - 17. In the **Set rule priority** page, select and move your rules and rule groups to the order that you want AWS WAF to process them. AWS WAF processes rules starting from the top of the list. When you save the web ACL AWS WAF assigns numeric priority settings to the rules, in the order that you have them listed. For more information, see [Setting rule priority in a web ACL](./web-acl-processing-order.html). + 17. In the **Set rule priority** page, select and move your rules and rule groups to the order that you want AWS WAF to process them. AWS WAF processes rules starting from the top of the list. When you save the web ACL AWS WAF assigns numeric priority settings to the rules, in the order that you have them listed. For more information, see [Setting rule priority](./web-acl-processing-order.html). @@ -139 +258 @@ By default, AWS WAF accepts tokens only for the domain of the protected resource - 22. Choose **Create web ACL**. Your new web ACL is listed in the **Web ACLs** page. + 22. Choose **Create web ACL**. Your new web ACL is listed in the **web ACLs** page. @@ -150 +269 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Using web ACLs +Configuring protection @@ -152 +271 @@ Using web ACLs -Editing a web ACL +Editing a protection pack or web ACL