AWS waf documentation change
Summary
Updated terminology from 'protection pack or web ACL' to 'protection pack (web ACL)' throughout the document for consistency and clarity. No functional changes to procedures or security configurations.
Security assessment
The changes are purely terminological clarifications (parenthetical disambiguation of 'protection pack' as a web ACL). There is no evidence of addressing a security vulnerability, weakness, or incident. The documentation continues to describe existing security features (ACFP rule group) without adding new security guidance.
Diff
diff --git a/waf/latest/developerguide/waf-acfp-deploying.md b/waf/latest/developerguide/waf-acfp-deploying.md index bb5d6e6b4..67430734d 100644 --- a//waf/latest/developerguide/waf-acfp-deploying.md +++ b//waf/latest/developerguide/waf-acfp-deploying.md @@ -23 +23 @@ Before you deploy your ACFP implementation for production traffic, test and tune -AWS WAF provides test credentials that you can use to verify your ACFP configuration. In the following procedure, you'll configure a test protection pack or web ACL to use the ACFP managed rule group, configure a rule to capture the label added by the rule group, and then run an account creation attempt using these test credentials. You'll verify that your protection pack or web ACL has properly managed the attempt by checking the Amazon CloudWatch metrics for the account creation attempt. +AWS WAF provides test credentials that you can use to verify your ACFP configuration. In the following procedure, you'll configure a test protection pack (web ACL) to use the ACFP managed rule group, configure a rule to capture the label added by the rule group, and then run an account creation attempt using these test credentials. You'll verify that your protection pack (web ACL) has properly managed the attempt by checking the Amazon CloudWatch metrics for the account creation attempt. @@ -25 +25 @@ AWS WAF provides test credentials that you can use to verify your ACFP configura -This guidance is intended for users who know generally how to create and manage AWS WAF protection pack or web ACLs, rules, and rule groups. Those topics are covered in prior sections of this guide. +This guidance is intended for users who know generally how to create and manage AWS WAF protection packs (web ACLs), rules, and rule groups. Those topics are covered in prior sections of this guide. @@ -37 +37 @@ You are charged additional fees when you use this managed rule group. For more i -Add the AWS Managed Rules rule group `AWSManagedRulesACFPRuleSet` to a new or existing protection pack or web ACL and configure it so that it doesn't alter the current protection pack or web ACL behavior. For details about the rules and labels for this rule group, see [AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group](./aws-managed-rule-groups-acfp.html). +Add the AWS Managed Rules rule group `AWSManagedRulesACFPRuleSet` to a new or existing protection pack (web ACL) and configure it so that it doesn't alter the current protection pack (web ACL) behavior. For details about the rules and labels for this rule group, see [AWS WAF Fraud Control account creation fraud prevention (ACFP) rule group](./aws-managed-rule-groups-acfp.html). @@ -47 +47 @@ With this override, you can monitor the potential impact of the ACFP managed rul - * Position the rule group so that it's evaluated after your existing rules in the protection pack or web ACL, with a priority setting that's numerically higher than any rules or rule groups that you're already using. For more information, see [Setting rule priority](./web-acl-processing-order.html). + * Position the rule group so that it's evaluated after your existing rules in the protection pack (web ACL), with a priority setting that's numerically higher than any rules or rule groups that you're already using. For more information, see [Setting rule priority](./web-acl-processing-order.html). @@ -57 +57 @@ Integrate the AWS WAF JavaScript SDK into your browser's account registration an -If you are unable to use the application integration SDKs, it's possible to test the ACFP rule group by editing it in your protection pack or web ACL and removing the override that you placed on the `AllRequests` rule. This enables the rule's Challenge action setting, to ensure that requests include a valid challenge token. +If you are unable to use the application integration SDKs, it's possible to test the ACFP rule group by editing it in your protection pack (web ACL) and removing the override that you placed on the `AllRequests` rule. This enables the rule's Challenge action setting, to ensure that requests include a valid challenge token. @@ -61 +61 @@ _Do this first in a test environment and then with great care in your production - 3. ###### Enable logging and metrics for the protection pack or web ACL + 3. ###### Enable logging and metrics for the protection pack (web ACL) @@ -63 +63 @@ _Do this first in a test environment and then with great care in your production -As needed, configure logging, Amazon Security Lake data collection, request sampling, and Amazon CloudWatch metrics for the protection pack or web ACL. You can use these visibility tools to monitor the interaction of the ACFP managed rule group with your traffic. +As needed, configure logging, Amazon Security Lake data collection, request sampling, and Amazon CloudWatch metrics for the protection pack (web ACL). You can use these visibility tools to monitor the interaction of the ACFP managed rule group with your traffic. @@ -65 +65 @@ As needed, configure logging, Amazon Security Lake data collection, request samp - * For information about logging, see [Logging AWS WAF protection pack or web ACL traffic](./logging.html). + * For information about logging, see [Logging AWS WAF protection pack (web ACL) traffic](./logging.html). @@ -73 +73 @@ As needed, configure logging, Amazon Security Lake data collection, request samp - 4. ###### Associate the protection pack or web ACL with a resource + 4. ###### Associate the protection pack (web ACL) with a resource @@ -75 +75 @@ As needed, configure logging, Amazon Security Lake data collection, request samp -If the protection pack or web ACL isn't already associated with a test resource, associate it. For information, see [Associating or disassociating protection with an AWS resource](./web-acl-associating-aws-resource.html). +If the protection pack (web ACL) isn't already associated with a test resource, associate it. For information, see [Associating or disassociating protection with an AWS resource](./web-acl-associating-aws-resource.html). @@ -93 +93 @@ These test credentials are categorized as compromised credentials, and the ACFP - 2. In your protection pack or web ACL logs, look for the `awswaf:managed:aws:acfp:signal:credential_compromised` label in the `labels` field on the log entries for your test account creation request. For information about logging, see [Logging AWS WAF protection pack or web ACL traffic](./logging.html). + 2. In your protection pack (web ACL) logs, look for the `awswaf:managed:aws:acfp:signal:credential_compromised` label in the `labels` field on the log entries for your test account creation request. For information about logging, see [Logging AWS WAF protection pack (web ACL) traffic](./logging.html). @@ -105 +105 @@ After the first successful account creation, the `VolumetricSessionSuccessfulRes - 2. In your protection pack or web ACL logs, look for the `awswaf:managed:aws:acfp:aggregate:volumetric:session:successful_creation_response:high` label in the `labels` field on the log entries for your test account creation web requests. For information about logging, see [Logging AWS WAF protection pack or web ACL traffic](./logging.html). + 2. In your protection pack (web ACL) logs, look for the `awswaf:managed:aws:acfp:aggregate:volumetric:session:successful_creation_response:high` label in the `labels` field on the log entries for your test account creation web requests. For information about logging, see [Logging AWS WAF protection pack (web ACL) traffic](./logging.html). @@ -117 +117 @@ For example, you can use ACFP labels to allow or block requests or to customize -Depending on your situation, you might have decided that you want to leave some ACFP rules in count mode. For the rules that you want to run as configured inside the rule group, disable count mode in the protection pack or web ACL rule group configuration. When you're finished testing, you can also remove your test label match rules. +Depending on your situation, you might have decided that you want to leave some ACFP rules in count mode. For the rules that you want to run as configured inside the rule group, disable count mode in the protection pack (web ACL) rule group configuration. When you're finished testing, you can also remove your test label match rules. @@ -134 +134 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Adding the ACFP managed rule group to your protection pack or web ACL +Adding the ACFP managed rule group to your protection pack (web ACL)