AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-08-22 · Documentation low

File: waf/latest/developerguide/waf-managed-protections-comparison-table-token.md

Summary

Updated terminology from 'protection pack or web ACL' to 'protection pack (web ACL)' throughout the document to clarify relationship between protection packs and web ACLs

Security assessment

Changes are purely terminological clarifications about product component relationships. No security vulnerabilities, mitigations, or new security features are mentioned. Updates focus on documentation accuracy rather than security implications.

Diff

diff --git a/waf/latest/developerguide/waf-managed-protections-comparison-table-token.md b/waf/latest/developerguide/waf-managed-protections-comparison-table-token.md
index 390df5f49..063b7a4f9 100644
--- a//waf/latest/developerguide/waf-managed-protections-comparison-table-token.md
+++ b//waf/latest/developerguide/waf-managed-protections-comparison-table-token.md
@@ -13 +13 @@ This section compares challenge and token management options.
-You can provide challenges and acquire tokens using the AWS WAF application integration SDKs or the rule actions Challenge and CAPTCHA. Broadly speaking, the rule actions are easier to implement, but they incur added costs, intrude more on your customer experience, and require JavaScript. The SDKs require programming in your client applications, but they can provide a better customer experience, they're free to use, and they can be used with JavaScript or in Android or iOS applications. You can only use the application integration SDKs with protection pack or web ACLs that use one of the paid intelligent threat mitigation managed rule groups, described in the following section. 
+You can provide challenges and acquire tokens using the AWS WAF application integration SDKs or the rule actions Challenge and CAPTCHA. Broadly speaking, the rule actions are easier to implement, but they incur added costs, intrude more on your customer experience, and require JavaScript. The SDKs require programming in your client applications, but they can provide a better customer experience, they're free to use, and they can be used with JavaScript or in Android or iOS applications. You can only use the application integration SDKs with protection packs (web ACLs) that use one of the paid intelligent threat mitigation managed rule groups, described in the following section. 
@@ -19 +19 @@ Good choice for... | Silent validation against bot sessions and enforcement of t
-Implementation considerations | Implemented as a rule action setting | Implemented as a rule action setting | Requires one of the ACFP, ATP, or Bot Control paid rule groups in the protection pack or web ACL. Requires coding in the client application. | Requires one of the ACFP, ATP, or Bot Control paid rule groups in the protection pack or web ACL. Requires coding in the client application.  
+Implementation considerations | Implemented as a rule action setting | Implemented as a rule action setting | Requires one of the ACFP, ATP, or Bot Control paid rule groups in the protection pack (web ACL). Requires coding in the client application. | Requires one of the ACFP, ATP, or Bot Control paid rule groups in the protection pack (web ACL). Requires coding in the client application.  
@@ -30 +30 @@ It can be simpler to run challenges and provide basic token enforcement by just
-If you can implement the SDKs however, you can save costs and reduce latency in your protection pack or web ACL evaluation of client web requests, compared to using the Challenge action: 
+If you can implement the SDKs however, you can save costs and reduce latency in your protection pack (web ACL) evaluation of client web requests, compared to using the Challenge action: 
@@ -34 +34 @@ If you can implement the SDKs however, you can save costs and reduce latency in
-  * If instead you acquire tokens by implementing a rule with the Challenge action, the rule and action require additional web request evaluation and processing when the client first sends a request and anytime the token expires. The Challenge action blocks the request that doesn't have a valid, unexpired token, and sends the challenge interstitial back to the client. After the client successfully responds to the challenge, the interstitial resends the original web request with the valid token, which is then evaluated a second time by the protection pack or web ACL. 
+  * If instead you acquire tokens by implementing a rule with the Challenge action, the rule and action require additional web request evaluation and processing when the client first sends a request and anytime the token expires. The Challenge action blocks the request that doesn't have a valid, unexpired token, and sends the challenge interstitial back to the client. After the client successfully responds to the challenge, the interstitial resends the original web request with the valid token, which is then evaluated a second time by the protection pack (web ACL).