AWS Security ChangesHomeSearch

AWS waf medium security documentation change

Service: waf · 2025-07-19 · Security-related medium

File: waf/latest/developerguide/logging-s3.md

Summary

Modified S3 bucket ARN patterns and added JSON formatting

Security assessment

Changed resource ARNs from 'aws-waf-logs-LOGGING-BUCKET-SUFFIX' to 'aws-waf-logs-' which removes the required bucket suffix placeholder. This could lead to misconfigured bucket policies if users copy the examples, potentially exposing logs or causing access issues.

Diff

diff --git a/waf/latest/developerguide/logging-s3.md b/waf/latest/developerguide/logging-s3.md
index c68e19b9e..8a55577c0 100644
--- a//waf/latest/developerguide/logging-s3.md
+++ b//waf/latest/developerguide/logging-s3.md
@@ -100,0 +101,6 @@ When you set the permissions listed below, you might see errors in your AWS Clou
+JSON
+    
+
+****
+    
+    
@@ -132 +138 @@ When you set the permissions listed below, you might see errors in your AWS Clou
-                    "arn:aws:s3:::aws-waf-logs-LOGGING-BUCKET-SUFFIX"
+                    "arn:aws:s3:::aws-waf-logs-"
@@ -145,0 +153,6 @@ If the user creating the log owns the bucket, the service automatically attaches
+JSON
+    
+
+****
+    
+    
@@ -157 +170 @@ If the user creating the log owns the bucket, the service automatically attaches
-          "Resource": "arn:aws:s3:::aws-waf-logs-LOGGING-BUCKET-SUFFIX/AWSLogs/account-id/*",
+          "Resource": "arn:aws:s3:::aws-waf-logs-/AWSLogs/account-id/*",
@@ -175 +188 @@ If the user creating the log owns the bucket, the service automatically attaches
-          "Resource": "arn:aws:s3:::aws-waf-logs-LOGGING-BUCKET-SUFFIX",
+          "Resource": "arn:aws:s3:::aws-waf-logs-",
@@ -195,0 +210,6 @@ For example, the following bucket policy allows AWS account `111122223333` to pu
+JSON
+    
+
+****
+    
+    
@@ -208 +228 @@ For example, the following bucket policy allows AWS account `111122223333` to pu
-                    "Resource": "arn:aws:s3:::aws-waf-logs-LOGGING-BUCKET-SUFFIX/AWSLogs/111122223333/*",
+                    "Resource": "arn:aws:s3:::aws-waf-logs-/AWSLogs/111122223333/*",
@@ -226 +246 @@ For example, the following bucket policy allows AWS account `111122223333` to pu
-                "Resource": "arn:aws:s3:::aws-waf-logs-LOGGING-BUCKET-SUFFIX",
+                "Resource": "arn:aws:s3:::aws-waf-logs-",