AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-06-25 · Documentation low

File: waf/latest/developerguide/web-acl-editing.md

Summary

Significant restructuring of web ACL editing documentation: Removed detailed configuration components for protection packs and replaced with console-focused procedures. Added production traffic risk warnings and WCU cost notes.

Security assessment

The change adds a 'Production traffic risk' section emphasizing safe deployment practices through testing environments and count mode, which helps prevent security misconfigurations. However, there's no evidence of addressing a specific vulnerability. The WCU cost note relates to billing rather than security.

Diff

diff --git a/waf/latest/developerguide/web-acl-editing.md b/waf/latest/developerguide/web-acl-editing.md
index 59ffa8149..6f0644898 100644
--- a//waf/latest/developerguide/web-acl-editing.md
+++ b//waf/latest/developerguide/web-acl-editing.md
@@ -38 +38 @@ The following lists the editable protection pack configuration components.
-     * **Resources** – The list of resources that the protection pack is currently associated with and protecting. You can locate resources that are within the same Region as the protection pack and associate them to the protection pack. For more information, see [Associating or disassociating protection with an AWS resource](./web-acl-associating-aws-resource.html).
+This section provides procedures for editing web ACLs through the AWS console. 
@@ -40 +40 @@ The following lists the editable protection pack configuration components.
-     * **Rules** – You can edit and manage the rules that you have defined in the protection pack, similar to how you did during protection pack creation. 
+To add or remove rules from a web ACL or change configuration settings, access the web ACL using the procedure on this page. While updating a web ACL, AWS WAF provides continuous coverage to the resources that you have associated with the web ACL. 
@@ -42,17 +41,0 @@ The following lists the editable protection pack configuration components.
-###### Note
-
-Don't change the names of any rules that you didn't add by hand to your protection pack. If you are using other services to manage rules for you, changing their names could remove or lessen their ability to provide the intended protections. AWS Shield Advanced and AWS Firewall Manager both can create rules in your protection pack. For information, see [Recognizing rule groups provided by other services](./waf-service-owned-rule-groups.html).
-
-###### Note
-
-If you change the name of a rule and you want the rule's metric name to reflect the change, you must update the metric name as well. AWS WAF doesn't automatically update the metric name for a rule when you change the rule name. You can change the metric name when you edit the rule in the console, by using the rule JSON editor. You can also change both names through the APIs and in any JSON listing that you use to define your protection pack or web ACL or rule group.
-
-For information about rules and rule group settings, see [AWS WAF rules](./waf-rules.html) and [AWS WAF rule groups](./waf-rule-groups.html).
-
-       * **Logging** – Logging for the traffic that the protection pack evaluates. Enable, disable, or edit traffic logging settings. For information, see [Logging AWS WAF protection pack or web ACL traffic](./logging.html).
-
-         * **Logging destination** – Change the location where AWS WAF stores logs.
-
-         * **Sampled requests** – Information about the rules that match web requests. For information about viewing sampled requests, see [Viewing a sample of web requests](./web-acl-testing-view-sample.html).
-
-         * **Security Lake integration** – The status of any data collection that you've configured for the protection pack in Amazon Security Lake. For information, see [Collecting data from AWS services](https://docs.aws.amazon.com/security-lake/latest/userguide/internal-sources.html) in the _Amazon Security Lake user guide_. 
@@ -60 +42,0 @@ For information about rules and rule group settings, see [AWS WAF rules](./waf-r
-         * **Data protection settings** – You can configure web traffic data redaction and filtering for all data that's available for the protection pack and for just the data that the AWS WAF sends to the configured protection pack logging destination. For information about data protection, see [Data protection and logging for AWS WAF protection pack or web ACL traffic](./waf-data-protection-and-logging.html). 
@@ -62 +43,0 @@ For information about rules and rule group settings, see [AWS WAF rules](./waf-r
-         * **CloudWatch metrics** – Metrics for the rules in your protection pack. For information about Amazon CloudWatch metrics, see [Monitoring with Amazon CloudWatch](./monitoring-cloudwatch.html). 
@@ -64,13 +45 @@ For information about rules and rule group settings, see [AWS WAF rules](./waf-r
-       * **Description** – Change the description of the protection pack.
-
-       * **Scope** – Regional or Global. This is view only.
-
-       * **Capacity** – The current capacity usage for your protection pack. This is view only. 
-
-       * **Protection behavior** – Default protection pack action for requests that don't match any rules For information about this setting, see [Setting the protection pack or web ACL default action in AWS WAF](./web-acl-default-action.html). 
-
-       * **Default immunity time** – These immunity times determine how long a CAPTCHA or challenge token remains valid after it's acquired. You can only modify this setting here, after you create the protection pack. For information about these settings, see [Setting timestamp expiration and token immunity times in AWS WAF](./waf-tokens-immunity-times.html).
-
-       * **Token domains** – AWS WAF accepts tokens for all domains in the list and for the domain of the associated resource. For more information, see [AWS WAF protection pack or web ACL token domain list configuration](./waf-tokens-domains.html#waf-tokens-domain-lists).
-
-       * **Custom response bodies** – Custom response bodies that are available for use by your protection pack rules that have the action set to Block. For more information, see [Sending custom responses for Block actions](./customizing-the-response-for-blocked-requests.html).
+###### Production traffic risk
@@ -77,0 +47 @@ For information about rules and rule group settings, see [AWS WAF rules](./waf-r
+Before you deploy changes in your web ACL for production traffic, test and tune them in a staging or testing environment until you are comfortable with the potential impact to your traffic. Then test and tune your updated rules in count mode with your production traffic before enabling them. For guidance, see [Testing and tuning your AWS WAF protections](./web-acl-testing.html).
@@ -78,0 +49 @@ For information about rules and rule group settings, see [AWS WAF rules](./waf-r
+###### Note
@@ -79,0 +51 @@ For information about rules and rule group settings, see [AWS WAF rules](./waf-r
+Using more than 1,500 WCUs in a protection pack or web ACL incurs costs beyond the basic protection pack or web ACL price. For more information, see [Web ACL capacity units (WCUs) in AWS WAF](./aws-waf-capacity-units.html) and [AWS WAF Pricing](https://aws.amazon.com/waf/pricing/).