AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-08-22 · Documentation low

File: waf/latest/developerguide/security_iam_service-with-iam.md

Summary

Updated terminology from 'protection pack or web ACL' to 'protection pack (web ACL)' throughout IAM permissions documentation, clarifying the relationship between protection packs and web ACLs in authorization contexts

Security assessment

The changes appear to be terminology clarifications rather than addressing a specific security vulnerability. The updates standardize references to web ACLs as part of protection packs in permission requirements, which improves documentation accuracy but doesn't directly mitigate a security weakness or introduce new security features.

Diff

diff --git a/waf/latest/developerguide/security_iam_service-with-iam.md b/waf/latest/developerguide/security_iam_service-with-iam.md
index ef8135871..bdb5a5be9 100644
--- a//waf/latest/developerguide/security_iam_service-with-iam.md
+++ b//waf/latest/developerguide/security_iam_service-with-iam.md
@@ -104 +104 @@ Some actions require permissions that can't be completely described in [Actions
-This section lists the permissions required to associate a protection pack or web ACL to a resource using the AWS WAF action `AssociateWebACL`. 
+This section lists the permissions required to associate a protection pack (web ACL) to a resource using the AWS WAF action `AssociateWebACL`. 
@@ -110 +110 @@ For Amazon CloudFront distributions, instead of this action, use the CloudFront
-Requires permission to call API Gateway `SetWebACL` on the REST API resource type and to call AWS WAF `AssociateWebACL` on a protection pack or web ACL. 
+Requires permission to call API Gateway `SetWebACL` on the REST API resource type and to call AWS WAF `AssociateWebACL` on a protection pack (web ACL). 
@@ -136 +136 @@ Requires permission to call API Gateway `SetWebACL` on the REST API resource typ
-Requires permission to call `elasticloadbalancing:SetWebACL` action on the Application Load Balancer resource type and to call AWS WAF `AssociateWebACL` on a protection pack or web ACL. 
+Requires permission to call `elasticloadbalancing:SetWebACL` action on the Application Load Balancer resource type and to call AWS WAF `AssociateWebACL` on a protection pack (web ACL). 
@@ -162 +162 @@ Requires permission to call `elasticloadbalancing:SetWebACL` action on the Appli
-Requires permission to call AWS AppSync `SetWebACL` on the GraphQL API resource type and to call AWS WAF `AssociateWebACL` on a protection pack or web ACL. 
+Requires permission to call AWS AppSync `SetWebACL` on the GraphQL API resource type and to call AWS WAF `AssociateWebACL` on a protection pack (web ACL). 
@@ -188 +188 @@ Requires permission to call AWS AppSync `SetWebACL` on the GraphQL API resource
-Requires permission to call the Amazon Cognito `AssociateWebACL` action on the user pool resource type and to call AWS WAF `AssociateWebACL` on a protection pack or web ACL. 
+Requires permission to call the Amazon Cognito `AssociateWebACL` action on the user pool resource type and to call AWS WAF `AssociateWebACL` on a protection pack (web ACL). 
@@ -266 +266 @@ Requires permission to call the `ec2:AssociateVerifiedAccessInstanceWebAcl` acti
-This section lists the permissions required to disassociate a protection pack or web ACL from a resource using the AWS WAF action `DisassociateWebACL`. 
+This section lists the permissions required to disassociate a protection pack (web ACL) from a resource using the AWS WAF action `DisassociateWebACL`. 
@@ -268 +268 @@ This section lists the permissions required to disassociate a protection pack or
-For Amazon CloudFront distributions, instead of this action, use the CloudFront action `UpdateDistribution` with an empty protection pack or web ACL ID. For information, see [UpdateDistribution](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html) in the _Amazon CloudFront API Reference_. 
+For Amazon CloudFront distributions, instead of this action, use the CloudFront action `UpdateDistribution` with an empty protection pack (web ACL) ID. For information, see [UpdateDistribution](https://docs.aws.amazon.com/cloudfront/latest/APIReference/API_UpdateDistribution.html) in the _Amazon CloudFront API Reference_. 
@@ -386 +386 @@ Requires permission to call the `ec2:DisassociateVerifiedAccessInstanceWebAcl` a
-This section lists the permissions required to get the protection pack or web ACL for a protected resource using the AWS WAF action `GetWebACLForResource`. 
+This section lists the permissions required to get the protection pack (web ACL) for a protected resource using the AWS WAF action `GetWebACLForResource`. 
@@ -392 +392 @@ For Amazon CloudFront distributions, instead of this action, use the CloudFront
-`GetWebACLForResource` requires the permission to call `GetWebACL`. In this context, AWS WAF uses `GetWebACL` only to verify that your account has the permission it needs to access the protection pack or web ACL that `GetWebACLForResource` returns. When you call `GetWebACLForResource`, you might get an error indicating that your account is not authorized to perform `wafv2:GetWebACL` on the resource. AWS WAF doesn't add this type of error to the AWS CloudTrail event history. 
+`GetWebACLForResource` requires the permission to call `GetWebACL`. In this context, AWS WAF uses `GetWebACL` only to verify that your account has the permission it needs to access the protection pack (web ACL) that `GetWebACLForResource` returns. When you call `GetWebACLForResource`, you might get an error indicating that your account is not authorized to perform `wafv2:GetWebACL` on the resource. AWS WAF doesn't add this type of error to the AWS CloudTrail event history. 
@@ -396 +396 @@ For Amazon CloudFront distributions, instead of this action, use the CloudFront
-Require permission to call AWS WAF `GetWebACLForResource` and `GetWebACL` for a protection pack or web ACL. 
+Require permission to call AWS WAF `GetWebACLForResource` and `GetWebACL` for a protection pack (web ACL). 
@@ -494 +494 @@ Requires permission to call the `ec2:GetVerifiedAccessInstanceWebAcl` action on
-This section lists the permissions required to retrieve the list of protected resources for a protection pack or web ACL using the AWS WAF action `ListResourcesForWebACL`. 
+This section lists the permissions required to retrieve the list of protected resources for a protection pack (web ACL) using the AWS WAF action `ListResourcesForWebACL`. 
@@ -629 +629 @@ The following lists requirements that are specific to the ARNs of `wafv2` resour
-For example, the following ARN specifies all protection pack or web ACLs with regional scope for the account `111122223333` in Region `us-west-1`:
+For example, the following ARN specifies all protection packs (web ACLs) with regional scope for the account `111122223333` in Region `us-west-1`: