AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-08-22 · Documentation low

File: waf/latest/developerguide/how-aws-waf-works.md

Summary

Updated documentation to clarify relationship between protection packs and web ACLs in the new console interface. Added explanations that protection packs simplify web ACL management but don't change underlying functionality. Updated terminology consistency between protection packs and web ACLs.

Security assessment

The changes focus on UI/UX improvements (new console experience) and terminology unification between protection packs and web ACLs. While WAF is a security product, these documentation updates describe interface changes rather than addressing specific vulnerabilities or introducing new security features. No mention of CVE, exploits, or security incident mitigation.

Diff

diff --git a/waf/latest/developerguide/how-aws-waf-works.md b/waf/latest/developerguide/how-aws-waf-works.md
index ce92947e4..4d65a74cc 100644
--- a//waf/latest/developerguide/how-aws-waf-works.md
+++ b//waf/latest/developerguide/how-aws-waf-works.md
@@ -13 +13 @@ You can now use the updated experience to access AWS WAF functionality anywhere
-You use AWS WAF to control how your protected resources respond to HTTP(S) web requests. You do this by defining a web access control list (web ACL) or protection pack and then associating it with one or more web application resources that you want to protect. The associated resources forward incoming requests to AWS WAF for inspection by the protection pack or web ACL. 
+You use AWS WAF to control how your protected resources respond to HTTP(S) web requests. You do this by defining a web access control list (web ACL) and then associating it with one or more web application resources that you want to protect. The associated resources forward incoming requests to AWS WAF for inspection by the web ACL. 
@@ -15 +15,5 @@ You use AWS WAF to control how your protected resources respond to HTTP(S) web r
-In your protection pack or web ACL, you create rules to define traffic patterns to look for in requests and to specify the actions to take on matching requests. The action choices include the following: 
+The **new console** simplifies the web ACL configuration process. It introduces protection packs to streamline setup while maintaining full control over your security rules. 
+
+Protection packs are the new location for web ACLs and simplify web ACL management in the console, but they don't change the underlying web ACL functionality. When using the standard console or the API, you'll still work directly with web ACLs.
+
+In your protection pack (web ACL), you create rules to define traffic patterns to look for in requests and to specify the actions to take on matching requests. The action choices include the following: 
@@ -36 +40 @@ A web ACL is an AWS WAF resource.
-  * **Protection packs** – You use a protection pack to protect a set of AWS resources. Protection packs perform essentially the same function in the new console as web ACLs. You create a protection pack and define its protection strategy by adding rules. Rules define criteria for inspecting web requests and they specify the action to take on requests that match their criteria. You also set a default action for the protection pack that indicates whether to block or allow through any requests that the rules haven't already blocked or allowed. For more information about protection packs, see [Configuring protection in AWS WAF](./web-acl.html).
+  * **Protection pack (Web ACL)s** – In the new console, protection packs are the new location for your web ACLs. During setup, you provide information about your apps and resources. AWS WAF reccomends a protection pack tailored to your scenario, and then creates a web ACL that contains rules, rule groups, and actions defined by the protection pack (web ACL) you choose. For more information about protection packs (web ACLs), see [Configuring protection in AWS WAF](./web-acl.html).
@@ -38 +42 @@ A web ACL is an AWS WAF resource.
-A protection pack is an AWS WAF resource.
+A protection pack (web ACL) is an AWS WAF resource.
@@ -42 +46 @@ A protection pack is an AWS WAF resource.
-A rule is not an AWS WAF resource. It only exists in the context of a protection pack or web ACL or rule group.
+A rule is not an AWS WAF resource. It only exists in the context of a protection pack (web ACL) or rule group.
@@ -44 +48 @@ A rule is not an AWS WAF resource. It only exists in the context of a protection
-  * **Rule groups** – You can define rules directly inside a protection pack or web ACL or in reusable rule groups. AWS Managed Rules and AWS Marketplace sellers provide managed rule groups for your use. You can also define your own rule groups. For more information about rule groups, see [AWS WAF rule groups](./waf-rule-groups.html). 
+  * **Rule groups** – You can define rules directly inside a protection pack (web ACL) or in reusable rule groups. AWS Managed Rules and AWS Marketplace sellers provide managed rule groups for your use. You can also define your own rule groups. For more information about rule groups, see [AWS WAF rule groups](./waf-rule-groups.html). 
@@ -48 +52 @@ A rule group is an AWS WAF resource.
-  * **web ACL capacity units (WCUs)** – AWS WAF uses WCUs to calculate and control the operating resources that are required to run your rules, rule groups, protection packs, or web ACLs. 
+  * **web ACL capacity units (WCUs)** – AWS WAF uses WCUs to calculate and control the operating resources that are required to run your rules, rule groups, protection packs (web ACLs), or web ACLs. 
@@ -50 +54 @@ A rule group is an AWS WAF resource.
-A WCU is not an AWS WAF resource. It only exists in the context of a protection pack or web ACL, rule, or rule group.
+A WCU is not an AWS WAF resource. It only exists in the context of a protection pack (web ACL), rule, or rule group.
@@ -57 +61 @@ A WCU is not an AWS WAF resource. It only exists in the context of a protection
-Dashboards available through updated provide unified visibility into your security posture through these visualizations:
+Dashboards available through new provide unified visibility into your security posture through these visualizations: