AWS waf documentation change
Summary
Added comprehensive documentation for new 'protection pack' functionality alongside existing web ACL editing instructions. Introduced procedures for editing protection packs, logging configurations, data protection settings, and integration with Amazon Security Lake.
Security assessment
The changes introduce documentation for security-adjacent features like data protection settings, token domain configurations, and Security Lake integration, but there is no evidence of addressing a specific vulnerability. The updates primarily document new protection pack functionality and associated security best practices rather than patching a security issue.
Diff
diff --git a/waf/latest/developerguide/web-acl-editing.md b/waf/latest/developerguide/web-acl-editing.md index 91c829284..59ffa8149 100644 --- a//waf/latest/developerguide/web-acl-editing.md +++ b//waf/latest/developerguide/web-acl-editing.md @@ -5 +5,95 @@ -# Editing a web ACL in AWS WAF +**Introducing a new console experience for AWS WAF** + +You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). + +# Editing a protection pack or web ACL in AWS WAF + +Editing a protection pack + + +This section provides procedures for editing protection packs through the AWS console. + +To add or remove rules from a protection pack or change configuration settings, access the protection pack using the procedure on this page. While updating a protection pack, AWS WAF provides continuous coverage to the resources that you have associated with the protection pack. + +###### Production traffic risk + +Before you deploy changes in your protection pack for production traffic, test and tune them in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your updated rules in count mode with your production traffic before enabling them. For guidance, see [Testing and tuning your AWS WAF protections](./web-acl-testing.html). + +###### Note + +Using more than 1,500 WCUs in a protection pack or web ACL incurs costs beyond the basic protection pack or web ACL price. For more information, see [Web ACL capacity units (WCUs) in AWS WAF](./aws-waf-capacity-units.html) and [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/). + +###### To edit a protection pack + + 1. Sign in to the AWS Management Console and open the AWS WAF console at [https://console.aws.amazon.com/wafv2/homev2](https://console.aws.amazon.com/wafv2/homev2). + + 2. In the navigation pane, choose **Resources & protections**. + + 3. Choose the protection pack that you want to edit. The console makes the main protection pack card editable, and also opens a side pane with details you can edit. + + 4. Edit the protection pack as needed. + +The following lists the editable protection pack configuration components. + + * **Resources** – The list of resources that the protection pack is currently associated with and protecting. You can locate resources that are within the same Region as the protection pack and associate them to the protection pack. For more information, see [Associating or disassociating protection with an AWS resource](./web-acl-associating-aws-resource.html). + + * **Rules** – You can edit and manage the rules that you have defined in the protection pack, similar to how you did during protection pack creation. + +###### Note + +Don't change the names of any rules that you didn't add by hand to your protection pack. If you are using other services to manage rules for you, changing their names could remove or lessen their ability to provide the intended protections. AWS Shield Advanced and AWS Firewall Manager both can create rules in your protection pack. For information, see [Recognizing rule groups provided by other services](./waf-service-owned-rule-groups.html). + +###### Note + +If you change the name of a rule and you want the rule's metric name to reflect the change, you must update the metric name as well. AWS WAF doesn't automatically update the metric name for a rule when you change the rule name. You can change the metric name when you edit the rule in the console, by using the rule JSON editor. You can also change both names through the APIs and in any JSON listing that you use to define your protection pack or web ACL or rule group. + +For information about rules and rule group settings, see [AWS WAF rules](./waf-rules.html) and [AWS WAF rule groups](./waf-rule-groups.html). + + * **Logging** – Logging for the traffic that the protection pack evaluates. Enable, disable, or edit traffic logging settings. For information, see [Logging AWS WAF protection pack or web ACL traffic](./logging.html). + + * **Logging destination** – Change the location where AWS WAF stores logs. + + * **Sampled requests** – Information about the rules that match web requests. For information about viewing sampled requests, see [Viewing a sample of web requests](./web-acl-testing-view-sample.html). + + * **Security Lake integration** – The status of any data collection that you've configured for the protection pack in Amazon Security Lake. For information, see [Collecting data from AWS services](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html) in the _Amazon Security Lake user guide_. + + * **Data protection settings** – You can configure web traffic data redaction and filtering for all data that's available for the protection pack and for just the data that the AWS WAF sends to the configured protection pack logging destination. For information about data protection, see [Data protection and logging for AWS WAF protection pack or web ACL traffic](./waf-data-protection-and-logging.html). + + * **CloudWatch metrics** – Metrics for the rules in your protection pack. For information about Amazon CloudWatch metrics, see [Monitoring with Amazon CloudWatch](./monitoring-cloudwatch.html). + + * **Description** – Change the description of the protection pack. + + * **Scope** – Regional or Global. This is view only. + + * **Capacity** – The current capacity usage for your protection pack. This is view only. + + * **Protection behavior** – Default protection pack action for requests that don't match any rules For information about this setting, see [Setting the protection pack or web ACL default action in AWS WAF](./web-acl-default-action.html). + + * **Default immunity time** – These immunity times determine how long a CAPTCHA or challenge token remains valid after it's acquired. You can only modify this setting here, after you create the protection pack. For information about these settings, see [Setting timestamp expiration and token immunity times in AWS WAF](./waf-tokens-immunity-times.html). + + * **Token domains** – AWS WAF accepts tokens for all domains in the list and for the domain of the associated resource. For more information, see [AWS WAF protection pack or web ACL token domain list configuration](./waf-tokens-domains.html#waf-tokens-domain-lists). + + * **Custom response bodies** – Custom response bodies that are available for use by your protection pack rules that have the action set to Block. For more information, see [Sending custom responses for Block actions](./customizing-the-response-for-blocked-requests.html). + + + + +###### Temporary inconsistencies during updates + +When you create or change a protection pack or web ACL or other AWS WAF resources, the changes take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes. + +The following are examples of the temporary inconsistencies that you might notice during change propagation: + + * After you create a protection pack or web ACL, if you try to associate it with a resource, you might get an exception indicating that the protection pack or web ACL is unavailable. + + * After you add a rule group to a protection pack or web ACL, the new rule group rules might be in effect in one area where the protection pack or web ACL is used and not in another. + + * After you change a rule action setting, you might see the old action in some places and the new action in others. + + * After you add an IP address to an IP set that is in use in a blocking rule, the new address might be blocked in one area while still allowed in another. + + + + +Editing a web ACL + @@ -17 +111 @@ Before you deploy changes in your web ACL for production traffic, test and tune -Using more than 1,500 WCUs in a web ACL incurs costs beyond the basic web ACL price. For more information, see [Web ACL capacity units (WCUs) in AWS WAF](./aws-waf-capacity-units.html) and [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/). +Using more than 1,500 WCUs in a protection pack or web ACL incurs costs beyond the basic protection pack or web ACL price. For more information, see [Web ACL capacity units (WCUs) in AWS WAF](./aws-waf-capacity-units.html) and [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/). @@ -23 +117 @@ Using more than 1,500 WCUs in a web ACL incurs costs beyond the basic web ACL pr - 2. In the navigation pane, choose **Web ACLs**. + 2. In the navigation pane, choose **web ACLs**. @@ -41 +135 @@ Don't change the names of any rules that you didn't add by hand to your web ACL. -If you change the name of a rule and you want the rule's metric name to reflect the change, you must update the metric name as well. AWS WAF doesn't automatically update the metric name for a rule when you change the rule name. You can change the metric name when you edit the rule in the console, by using the rule JSON editor. You can also change both names through the APIs and in any JSON listing that you use to define your web ACL or rule group. +If you change the name of a rule and you want the rule's metric name to reflect the change, you must update the metric name as well. AWS WAF doesn't automatically update the metric name for a rule when you change the rule name. You can change the metric name when you edit the rule in the console, by using the rule JSON editor. You can also change both names through the APIs and in any JSON listing that you use to define your protection pack or web ACL or rule group. @@ -45 +139 @@ For information about rules and rule group settings, see [AWS WAF rules](./waf-r - * **Web ACL rule capacity units used** – The current capacity usage for your web ACL. This is view only. + * **web ACL rule capacity units used** – The current capacity usage for your web ACL. This is view only. @@ -47 +141 @@ For information about rules and rule group settings, see [AWS WAF rules](./waf-r - * **Default web ACL action for requests that don't match any rules** – For information about this setting, see [Setting the web ACL default action in AWS WAF](./web-acl-default-action.html). + * **Default web ACL action for requests that don't match any rules** – For information about this setting, see [Setting the protection pack or web ACL default action in AWS WAF](./web-acl-default-action.html). @@ -49 +143 @@ For information about rules and rule group settings, see [AWS WAF rules](./waf-r - * **Web ACL CAPTCHA and challenge configurations** – These immunity times determine how long a CAPTCHA or challenge token remains valid after it's acquired. You can only modify this setting here, after you create the web ACL. For information about these settings, see [Setting timestamp expiration and token immunity times in AWS WAF](./waf-tokens-immunity-times.html). + * **web ACL CAPTCHA and challenge configurations** – These immunity times determine how long a CAPTCHA or challenge token remains valid after it's acquired. You can only modify this setting here, after you create the web ACL. For information about these settings, see [Setting timestamp expiration and token immunity times in AWS WAF](./waf-tokens-immunity-times.html). @@ -51 +145 @@ For information about rules and rule group settings, see [AWS WAF rules](./waf-r - * **Token domain list** – AWS WAF accepts tokens for all domains in the list and for the domain of the associated resource. For more information, see [AWS WAF web ACL token domain list configuration](./waf-tokens-domains.html#waf-tokens-domain-lists). + * **Token domain list** – AWS WAF accepts tokens for all domains in the list and for the domain of the associated resource. For more information, see [AWS WAF protection pack or web ACL token domain list configuration](./waf-tokens-domains.html#waf-tokens-domain-lists). @@ -57 +151 @@ For information about rules and rule group settings, see [AWS WAF rules](./waf-r - * **Associated AWS resources** – The list of resources that the web ACL is currently associated with and protecting. You can locate resources that are within the same Region as the web ACL and associate them to the web ACL. For more information, see [Associating or disassociating a web ACL with an AWS resource](./web-acl-associating-aws-resource.html). + * **Associated AWS resources** – The list of resources that the web ACL is currently associated with and protecting. You can locate resources that are within the same Region as the web ACL and associate them to the web ACL. For more information, see [Associating or disassociating protection with an AWS resource](./web-acl-associating-aws-resource.html). @@ -65 +159 @@ For information about rules and rule group settings, see [AWS WAF rules](./waf-r - * **Logging** – Logging for the traffic that the web ACL evaluates. For information, see [Logging AWS WAF web ACL traffic](./logging.html). + * **Logging** – Logging for the traffic that the web ACL evaluates. For information, see [Logging AWS WAF protection pack or web ACL traffic](./logging.html). @@ -71 +165 @@ For information about rules and rule group settings, see [AWS WAF rules](./waf-r - * **Data protection settings** – You can configure web traffic data redaction and filtering for all data that's available for the web ACL and for just the data that the AWS WAF sends to the configured web ACL logging destination. For information about data protection, see [Data protection and logging for AWS WAF web ACL traffic](./waf-data-protection-and-logging.html). + * **Data protection settings** – You can configure web traffic data redaction and filtering for all data that's available for the web ACL and for just the data that the AWS WAF sends to the configured web ACL logging destination. For information about data protection, see [Data protection and logging for AWS WAF protection pack or web ACL traffic](./waf-data-protection-and-logging.html). @@ -80 +174 @@ For information about rules and rule group settings, see [AWS WAF rules](./waf-r -When you create or change a web ACL or other AWS WAF resources, the changes take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes. +When you create or change a protection pack or web ACL or other AWS WAF resources, the changes take a small amount of time to propagate to all areas where the resources are stored. The propagation time can be from a few seconds to a number of minutes. @@ -84 +178 @@ The following are examples of the temporary inconsistencies that you might notic - * After you create a web ACL, if you try to associate it with a resource, you might get an exception indicating that the web ACL is unavailable. + * After you create a protection pack or web ACL, if you try to associate it with a resource, you might get an exception indicating that the protection pack or web ACL is unavailable. @@ -86 +180 @@ The following are examples of the temporary inconsistencies that you might notic - * After you add a rule group to a web ACL, the new rule group rules might be in effect in one area where the web ACL is used and not in another. + * After you add a rule group to a protection pack or web ACL, the new rule group rules might be in effect in one area where the protection pack or web ACL is used and not in another. @@ -101 +195 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Creating a web ACL +Creating a protection pack or web ACL @@ -103 +197 @@ Creating a web ACL -Managing rule group behavior in a web ACL +Managing rule group behavior