AWS waf documentation change
Summary
Updated terminology from 'protection pack or web ACL' to 'protection pack (web ACL)' in multiple sections to clarify relationship between protection packs and web ACLs
Security assessment
The changes are documentation clarifications about terminology rather than addressing security vulnerabilities. While the content relates to DDoS protection features, there's no evidence of a security flaw being fixed. The updates improve clarity but don't introduce new security information or mitigate disclosed risks.
Diff
diff --git a/waf/latest/developerguide/aws-managed-rule-groups-anti-ddos.md b/waf/latest/developerguide/aws-managed-rule-groups-anti-ddos.md index 39481b361..2c3c2bd61 100644 --- a//waf/latest/developerguide/aws-managed-rule-groups-anti-ddos.md +++ b//waf/latest/developerguide/aws-managed-rule-groups-anti-ddos.md @@ -50 +50 @@ To minimize costs and optimize traffic management, use this rule group in accord -This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack or web ACL. AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](./waf-labels.html) and [Label metrics and dimensions](./waf-metrics.html#waf-metrics-label). +This managed rule group adds labels to the web requests that it evaluates, which are available to rules that run after this rule group in your protection pack (web ACL). AWS WAF also records the labels to Amazon CloudWatch metrics. For general information about labels and label metrics, see [Web request labeling](./waf-labels.html) and [Label metrics and dimensions](./waf-metrics.html#waf-metrics-label). @@ -99 +99 @@ Following the prefix, the rest of the label provides detailed token status infor - * A domain specification that's valid for the protection pack or web ACL. + * A domain specification that's valid for the protection pack (web ACL). @@ -109 +109 @@ Along with the rejected label, token management adds a custom label namespace an - * `rejected:expired` – The token's challenge or CAPTCHA timestamp has expired, according to your protection pack or web ACL's configured token immunity times. + * `rejected:expired` – The token's challenge or CAPTCHA timestamp has expired, according to your protection pack (web ACL)'s configured token immunity times. @@ -111 +111 @@ Along with the rejected label, token management adds a custom label namespace an - * `rejected:domain_mismatch` – The token's domain isn't a match for your protection pack or web ACL's token domain configuration. + * `rejected:domain_mismatch` – The token's domain isn't a match for your protection pack (web ACL)'s token domain configuration. @@ -115 +115 @@ Along with the rejected label, token management adds a custom label namespace an -Example: The labels `awswaf:managed:captcha:rejected` and `awswaf:managed:captcha:rejected:expired` together indicate that the request didn't have a valid CAPTCHA solve because the CAPTCHA timestamp in the token has exceeded the CAPTCHA token immunity time that's configured in the protection pack or web ACL. +Example: The labels `awswaf:managed:captcha:rejected` and `awswaf:managed:captcha:rejected:expired` together indicate that the request didn't have a valid CAPTCHA solve because the CAPTCHA timestamp in the token has exceeded the CAPTCHA token immunity time that's configured in the protection pack (web ACL).