AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-06-19 · Documentation low

File: waf/latest/developerguide/web-acl-rule-group-override-options.md

Summary

Updated documentation to include 'protection pack' terminology alongside web ACL references throughout, added note about new console experience

Security assessment

Changes primarily expand documentation scope to include 'protection packs' as a new security-related component, but do not address specific vulnerabilities or security incidents. The updates clarify security configuration options rather than patching weaknesses.

Diff

diff --git a/waf/latest/developerguide/web-acl-rule-group-override-options.md b/waf/latest/developerguide/web-acl-rule-group-override-options.md
index af7ee10f3..b51974983 100644
--- a//waf/latest/developerguide/web-acl-rule-group-override-options.md
+++ b//waf/latest/developerguide/web-acl-rule-group-override-options.md
@@ -6,0 +7,4 @@ Rule group rule action overridesRule group return action override to Count
+**Introducing a new console experience for AWS WAF**
+
+You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). 
+
@@ -11 +15 @@ This section explains how to override rule group actions.
-When you add a rule group to your web ACL, you can override the actions it takes on matching web requests. Overriding the actions for a rule group inside your web ACL configuration doesn't alter the rule group itself. It only alters how AWS WAF uses the rule group in the context of the web ACL. 
+When you add a rule group to your protection pack or web ACL, you can override the actions it takes on matching web requests. Overriding the actions for a rule group inside your protection pack or web ACL configuration doesn't alter the rule group itself. It only alters how AWS WAF uses the rule group in the context of the protection pack or web ACL. 
@@ -19 +23 @@ You can override the actions of the rules inside a rule group to any valid rule
-Rule actions can be terminating or non-terminating. A terminating action stops the web ACL evaluation of the request and either lets it continue to your protected application or blocks it. 
+Rule actions can be terminating or non-terminating. A terminating action stops the protection pack or web ACL evaluation of the request and either lets it continue to your protected application or blocks it. 
@@ -27 +31 @@ Here are the rule action options:
-  * **Count** – AWS WAF counts the request but does not determine whether to allow it or block it. This is a non-terminating action. AWS WAF continues processing the remaining rules in the web ACL. In rules that you define, you can insert custom headers into the request and you can add labels that other rules can match against.
+  * **Count** – AWS WAF counts the request but does not determine whether to allow it or block it. This is a non-terminating action. AWS WAF continues processing the remaining rules in the protection pack or web ACL. In rules that you define, you can insert custom headers into the request and you can add labels that other rules can match against.
@@ -39 +43 @@ These rule actions can be terminating or non-terminating, depending on the state
-    * **Non-terminating for valid, unexpired token** – If the token is valid and unexpired according to the configured CAPTCHA or challenge immunity time, AWS WAF handles the request similar to the Count action. AWS WAF continues to inspect the web request based on the remaining rules in the web ACL. Similar to the Count configuration, in rules that you define, you can optionally configure these actions with custom headers to insert into the request, and you can add labels that other rules can match against. 
+    * **Non-terminating for valid, unexpired token** – If the token is valid and unexpired according to the configured CAPTCHA or challenge immunity time, AWS WAF handles the request similar to the Count action. AWS WAF continues to inspect the web request based on the remaining rules in the protection pack or web ACL. Similar to the Count configuration, in rules that you define, you can optionally configure these actions with custom headers to insert into the request, and you can add labels that other rules can match against. 
@@ -60 +64 @@ For more information about using the rule action override in testing, see [Testi
-If you set rule group rule actions to Count in your web ACL configuration before October 27, 2022, AWS WAF saved your overrides in the web ACL JSON as `ExcludedRules`. Now, the JSON setting for overriding a rule to Count is in the `RuleActionOverrides` settings. 
+If you set rule group rule actions to Count in your protection pack or web ACL configuration before October 27, 2022, AWS WAF saved your overrides in the protection pack or web ACL JSON as `ExcludedRules`. Now, the JSON setting for overriding a rule to Count is in the `RuleActionOverrides` settings. 
@@ -66 +70 @@ We recommend that you update all of your `ExcludedRules` settings in your JSON l
-In the AWS WAF console, the web ACL **Sampled requests** tab doesn't show samples for rules with the old setting. For more information, see [Viewing a sample of web requests](./web-acl-testing-view-sample.html). 
+In the AWS WAF console, the protection pack or web ACL **Sampled requests** tab doesn't show samples for rules with the old setting. For more information, see [Viewing a sample of web requests](./web-acl-testing-view-sample.html). 
@@ -106 +110 @@ You can override the action that the rule group returns, setting it to Count.
-This is not a good option for testing the rules in a rule group, because it doesn't alter how AWS WAF evaluates the rule group itself. It only affects how AWS WAF handles results that are returned to the web ACL from the rule group evaluation. If you want to test the rules in a rule group, use the option described in the preceding section, Rule group rule action overrides.
+This is not a good option for testing the rules in a rule group, because it doesn't alter how AWS WAF evaluates the rule group itself. It only affects how AWS WAF handles results that are returned to the protection pack or web ACL from the rule group evaluation. If you want to test the rules in a rule group, use the option described in the preceding section, Rule group rule action overrides.
@@ -110 +114 @@ When you override the rule group action to Count, AWS WAF processes the rule gro
-If no rules in the rule group match or if all matching rules have a Count action, then this override has no effect on the processing of the rule group or the web ACL.
+If no rules in the rule group match or if all matching rules have a Count action, then this override has no effect on the processing of the rule group or the protection pack or web ACL.
@@ -112 +116 @@ If no rules in the rule group match or if all matching rules have a Count action
-The first rule in the rule group that matches a web request and that has a terminating rule action causes AWS WAF to stop evaluating the rule group and return the terminating action result to the web ACL evaluation level. At this point, in the web ACL evaluation, this override takes effect. AWS WAF overrides the terminating action so that the result of the rule group evaluation is only a Count action. AWS WAF then continues processing the rest of the rules in the web ACL.
+The first rule in the rule group that matches a web request and that has a terminating rule action causes AWS WAF to stop evaluating the rule group and return the terminating action result to the protection pack or web ACL evaluation level. At this point, in the protection pack or web ACL evaluation, this override takes effect. AWS WAF overrides the terminating action so that the result of the rule group evaluation is only a Count action. AWS WAF then continues processing the rest of the rules in the protection pack or web ACL.
@@ -122 +126 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Rule and rule group actions in a web ACL
+Rule and rule group actions
@@ -124 +128 @@ Rule and rule group actions in a web ACL
-Setting the web ACL default action
+Setting the protection pack or web ACL default action