AWS waf documentation change
Summary
Updated terminology from 'protection pack or web ACL' to 'protection pack (web ACL)' throughout the document to clarify relationship between components
Security assessment
The changes are purely terminological clarifications without addressing vulnerabilities or security mechanisms. No security flaws or mitigations are mentioned. The updates improve documentation consistency but don't alter security functionality.
Diff
diff --git a/waf/latest/developerguide/waf-labels.md b/waf/latest/developerguide/waf-labels.md index a7d75f292..095271b57 100644 --- a//waf/latest/developerguide/waf-labels.md +++ b//waf/latest/developerguide/waf-labels.md @@ -13 +13 @@ This section explains what AWS WAF labels are. -A label is metadata added to a web request by a rule when the rule matches the request. Once added, a label remains available on the request until the protection pack or web ACL evaluation ends. You can access labels in rules that run later in the protection pack or web ACL evaluation by using a label match statement. For details, see [Label match rule statement](./waf-rule-statement-type-label-match.html). +A label is metadata added to a web request by a rule when the rule matches the request. Once added, a label remains available on the request until the protection pack (web ACL) evaluation ends. You can access labels in rules that run later in the protection pack (web ACL) evaluation by using a label match statement. For details, see [Label match rule statement](./waf-rule-statement-type-label-match.html). @@ -21 +21 @@ Common use cases for AWS WAF labels include the following: - * **Evaluating a web request against multiple rule statements before taking action on the request** – After a match is found with a rule in a protection pack or web ACL, AWS WAF continues evaluating the request against the protection pack or web ACL if the rule action doesn't terminate the protection pack or web ACL evaluation. You can use labels to evaluate and collect information from multiple rules before you decide to allow or block the request. To do this, change the actions for your existing rules to Count and configure them to add labels to matching requests. Then, add one or more new rules to run after your other rules, and configure them to evaluate the labels and manage the requests according to the label match combinations. + * **Evaluating a web request against multiple rule statements before taking action on the request** – After a match is found with a rule in a protection pack (web ACL), AWS WAF continues evaluating the request against the protection pack (web ACL) if the rule action doesn't terminate the protection pack (web ACL) evaluation. You can use labels to evaluate and collect information from multiple rules before you decide to allow or block the request. To do this, change the actions for your existing rules to Count and configure them to add labels to matching requests. Then, add one or more new rules to run after your other rules, and configure them to evaluate the labels and manage the requests according to the label match combinations. @@ -25 +25 @@ Common use cases for AWS WAF labels include the following: - * **Reusing logic across multiple rules** – If you need to reuse the same logic across multiple rules, you can use labels to single-source the logic and just test for the results. When you have multiple complex rules that use a common subset of nested rule statements, duplicating the common rule set across your complex rules can be time consuming and error prone. With labels, you can create a new rule with the common rule subset that counts matching requests and adds a label to them. You add the new rule to your protection pack or web ACL so that it runs before your original complex rules. Then, in your original rules, you replace the shared rule subset with a single rule that checks for the label. + * **Reusing logic across multiple rules** – If you need to reuse the same logic across multiple rules, you can use labels to single-source the logic and just test for the results. When you have multiple complex rules that use a common subset of nested rule statements, duplicating the common rule set across your complex rules can be time consuming and error prone. With labels, you can create a new rule with the common rule subset that counts matching requests and adds a label to them. You add the new rule to your protection pack (web ACL) so that it runs before your original complex rules. Then, in your original rules, you replace the shared rule subset with a single rule that checks for the label. @@ -27 +27 @@ Common use cases for AWS WAF labels include the following: -For example, say you have multiple rules that you want to only apply to your login paths. Rather than have each rule specify the same logic to match potential login paths, you can implement a single new rule that contains that logic. Have the new rule add a label to matching requests to indicate that the request is on a login path. In your protection pack or web ACL, give this new rule a lower numeric priority setting than your original rules so that it runs first. Then, in your original rules, replace the shared logic with a check for the presence of the label. For information about priority settings, see [Setting rule priority](./web-acl-processing-order.html). +For example, say you have multiple rules that you want to only apply to your login paths. Rather than have each rule specify the same logic to match potential login paths, you can implement a single new rule that contains that logic. Have the new rule add a label to matching requests to indicate that the request is on a login path. In your protection pack (web ACL), give this new rule a lower numeric priority setting than your original rules so that it runs first. Then, in your original rules, replace the shared logic with a check for the presence of the label. For information about priority settings, see [Setting rule priority](./web-acl-processing-order.html). @@ -31 +31 @@ For example, say you have multiple rules that you want to only apply to your log - * **Using label metrics to monitor traffic patterns** – You can access metrics for labels that you add through your rules and for metrics added by any managed rule groups that you use in your protection pack or web ACL. All of the AWS Managed Rules rule groups add labels to the web requests that they evaluate. For a list of label metrics and dimensions, see [Label metrics and dimensions](./waf-metrics.html#waf-metrics-label). You can access metrics and metric summaries through CloudWatch and through the protection pack or web ACL page in the AWS WAF console. For information, see [Monitoring and tuning your AWS WAF protections](./web-acl-testing-activities.html). + * **Using label metrics to monitor traffic patterns** – You can access metrics for labels that you add through your rules and for metrics added by any managed rule groups that you use in your protection pack (web ACL). All of the AWS Managed Rules rule groups add labels to the web requests that they evaluate. For a list of label metrics and dimensions, see [Label metrics and dimensions](./waf-metrics.html#waf-metrics-label). You can access metrics and metric summaries through CloudWatch and through the protection pack (web ACL) page in the AWS WAF console. For information, see [Monitoring and tuning your AWS WAF protections](./web-acl-testing-activities.html).