AWS waf medium security documentation change
Summary
Modified S3 bucket ARN patterns and added JSON formatting
Security assessment
Changed resource ARNs from 'aws-waf-logs-LOGGING-BUCKET-SUFFIX' to 'aws-waf-logs-' in multiple locations, removing required placeholder. This could lead to bucket policy misconfigurations affecting log storage security if followed literally.
Diff
diff --git a/waf/latest/developerguide/waf-policies-logging-destinations.md b/waf/latest/developerguide/waf-policies-logging-destinations.md index 6b4f35f4a..f33ba14ed 100644 --- a//waf/latest/developerguide/waf-policies-logging-destinations.md +++ b//waf/latest/developerguide/waf-policies-logging-destinations.md @@ -75,0 +76,6 @@ Configuring web ACL traffic logging for an Amazon S3 bucket in an AWS WAF policy +JSON + + +**** + + @@ -88 +94 @@ Configuring web ACL traffic logging for an Amazon S3 bucket in an AWS WAF policy - "Resource": "arn:aws:s3:::aws-waf-logs-LOGGING-BUCKET-SUFFIX" + "Resource": "arn:aws:s3:::aws-waf-logs-" @@ -97 +103 @@ Configuring web ACL traffic logging for an Amazon S3 bucket in an AWS WAF policy - "Resource": "arn:aws:s3:::aws-waf-logs-LOGGING-BUCKET-SUFFIX/policy-id/AWSLogs/*", + "Resource": "arn:aws:s3:::aws-waf-logs-/policy-id/AWSLogs/*", @@ -112,0 +120,6 @@ The following example shows how to prevent the confused deputy problem by using +JSON + + +**** + + @@ -125 +138 @@ The following example shows how to prevent the confused deputy problem by using - "Resource":"arn:aws:s3:::aws-waf-logs-LOGGING-BUCKET-SUFFIX", + "Resource":"arn:aws:s3:::aws-waf-logs-", @@ -148 +161 @@ The following example shows how to prevent the confused deputy problem by using - "Resource":"arn:aws:s3:::aws-waf-logs-LOGGING-BUCKET-SUFFIX/policy-id/AWSLogs/*", + "Resource":"arn:aws:s3:::aws-waf-logs-/policy-id/AWSLogs/*",