AWS waf documentation change
Summary
Updated documentation to include 'protection pack' terminology alongside web ACL references, added section about new console experience, and adjusted action processing descriptions
Security assessment
Changes primarily introduce new terminology ('protection pack') and console navigation updates without addressing specific vulnerabilities. The core security concepts (Allow/Block actions, CAPTCHA handling) remain unchanged but are now described in the context of both protection packs and web ACLs. No evidence of patching vulnerabilities or addressing security incidents.
Diff
diff --git a/waf/latest/developerguide/web-acl-rule-actions.md b/waf/latest/developerguide/web-acl-rule-actions.md index 8772ba43e..4d1befffa 100644 --- a//waf/latest/developerguide/web-acl-rule-actions.md +++ b//waf/latest/developerguide/web-acl-rule-actions.md @@ -5 +5,5 @@ -# How AWS WAF handles rule and rule group actions in a web ACL +**Introducing a new console experience for AWS WAF** + +You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). + +# How AWS WAF handles rule and rule group actions @@ -11 +15 @@ When you configure your rules and rule groups, you choose how you want AWS WAF t - * **Allow and Block are terminating actions** – Allow and Block actions stop all other processing of the web ACL on the matching web request. If a rule in a web ACL finds a match for a request and the rule action is Allow or Block, that match determines the final disposition of the web request for the web ACL. AWS WAF doesn't process any other rules in the web ACL that come after the matching one. This is true for rules that you add directly to the web ACL and rules that are inside an added rule group. With the Block action, the protected resource doesn't receive or process the web request. + * **Allow and Block are terminating actions** – Allow and Block actions stop all other processing of the protection pack or web ACL on the matching web request. If a rule in a protection pack or web ACL finds a match for a request and the rule action is Allow or Block, that match determines the final disposition of the web request for the protection pack or web ACL. AWS WAF doesn't process any other rules in the protection pack or web ACL that come after the matching one. This is true for rules that you add directly to the protection pack or web ACL and rules that are inside an added rule group. With the Block action, the protected resource doesn't receive or process the web request. @@ -13 +17 @@ When you configure your rules and rule groups, you choose how you want AWS WAF t - * **Count is a non-terminating action** – When a rule with a Count action matches a request, AWS WAF counts the request, then continues processing the rules that follow in the web ACL rule set. + * **Count is a non-terminating action** – When a rule with a Count action matches a request, AWS WAF counts the request, then continues processing the rules that follow in the protection pack or web ACL rule set. @@ -15 +19 @@ When you configure your rules and rule groups, you choose how you want AWS WAF t - * **CAPTCHA and Challenge can be non-terminating or terminating actions** – When a rule with one of these actions matches a request, AWS WAF checks its token status. If the request has a valid token, AWS WAF treats the match similar to a Count match, and then continues processing the rules that follow in the web ACL rule set. If the request doesn't have a valid token, AWS WAF terminates the evaluation and sends the client a CAPTCHA puzzle or silent background client session challenge to solve. + * **CAPTCHA and Challenge can be non-terminating or terminating actions** – When a rule with one of these actions matches a request, AWS WAF checks its token status. If the request has a valid token, AWS WAF treats the match similar to a Count match, and then continues processing the rules that follow in the protection pack or web ACL rule set. If the request doesn't have a valid token, AWS WAF terminates the evaluation and sends the client a CAPTCHA puzzle or silent background client session challenge to solve. @@ -20 +24 @@ When you configure your rules and rule groups, you choose how you want AWS WAF t -If the rule evaluation doesn't result in any terminating action, then AWS WAF applies the web ACL default action to the request. For information, see [Setting the web ACL default action in AWS WAF](./web-acl-default-action.html). +If the rule evaluation doesn't result in any terminating action, then AWS WAF applies the protection pack or web ACL default action to the request. For information, see [Setting the protection pack or web ACL default action in AWS WAF](./web-acl-default-action.html). @@ -22 +26 @@ If the rule evaluation doesn't result in any terminating action, then AWS WAF ap -In your web ACL, you can override the action settings for rules inside a rule group and you can override the action that's returned by a rule group. For information, see [Overriding rule group actions in AWS WAF](./web-acl-rule-group-override-options.html). +In your protection pack or web ACL, you can override the action settings for rules inside a rule group and you can override the action that's returned by a rule group. For information, see [Overriding rule group actions in AWS WAF](./web-acl-rule-group-override-options.html). @@ -26 +30 @@ In your web ACL, you can override the action settings for rules inside a rule gr -The actions that AWS WAF applies to a web request are affected by the numeric priority settings of the rules in the web ACL. For example, say that your web ACL has a rule with Allow action and a numeric priority of 50 and another rule with Count action and a numeric priority of 100. AWS WAF evaluates the rules in a web ACL in the order of their priority, starting from the lowest setting, so it will evaluate the allow rule before the count rule. A web request that matches both rules will match the allow rule first. Since Allow is a terminating action, AWS WAF will stop the evaluation at this match and won't evaluate the request against the count rule. +The actions that AWS WAF applies to a web request are affected by the numeric priority settings of the rules in the protection pack or web ACL. For example, say that your protection pack or web ACL has a rule with Allow action and a numeric priority of 50 and another rule with Count action and a numeric priority of 100. AWS WAF evaluates the rules in a protection pack or web ACL in the order of their priority, starting from the lowest setting, so it will evaluate the allow rule before the count rule. A web request that matches both rules will match the allow rule first. Since Allow is a terminating action, AWS WAF will stop the evaluation at this match and won't evaluate the request against the count rule. @@ -35 +39 @@ The actions that AWS WAF applies to a web request are affected by the numeric pr -For more information about priority settings, see [Setting rule priority in a web ACL](./web-acl-processing-order.html). +For more information about priority settings, see [Setting rule priority](./web-acl-processing-order.html). @@ -43 +47 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Setting rule priority in a web ACL +Setting rule priority