AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-08-22 · Documentation low

File: waf/latest/developerguide/waf-tokens-with-alb-and-cf.md

Summary

Updated phrasing from 'protection pack or web ACL' to 'protection pack (web ACL)' in CloudFront/ALB integration documentation

Security assessment

Changes focus on terminology consistency rather than security improvements. The configuration guidance remains functionally equivalent with updated nomenclature.

Diff

diff --git a/waf/latest/developerguide/waf-tokens-with-alb-and-cf.md b/waf/latest/developerguide/waf-tokens-with-alb-and-cf.md
index 184284071..64987aac9 100644
--- a//waf/latest/developerguide/waf-tokens-with-alb-and-cf.md
+++ b//waf/latest/developerguide/waf-tokens-with-alb-and-cf.md
@@ -11 +11 @@ You can now use the updated experience to access AWS WAF functionality anywhere
-Read this section if you associate your protection pack or web ACL to an Application Load Balancer and you deploy the Application Load Balancer as the origin for a CloudFront distribution.
+Read this section if you associate your protection pack (web ACL) to an Application Load Balancer and you deploy the Application Load Balancer as the origin for a CloudFront distribution.
@@ -17 +17 @@ With this architecture, you need to provide the following additional configurati
-  * Configure AWS WAF so that it recognizes the domain of the CloudFront distribution as a valid token domain. By default, CloudFront sets the `Host` header to the Application Load Balancer origin, and AWS WAF uses that as the domain of the protected resource. The client browser, however, sees the CloudFront distribution as the host domain, and tokens that are generated for the client use the CloudFront domain as the token domain. Without any additional configuration, when AWS WAF checks the protected resource domain against the token domain, it will get a mismatch. To fix this, add the CloudFront distribution domain name to the token domain list in your protection pack or web ACL configuration. For information about how to do this, see [AWS WAF protection pack or web ACL token domain list configuration](./waf-tokens-domains.html#waf-tokens-domain-lists).
+  * Configure AWS WAF so that it recognizes the domain of the CloudFront distribution as a valid token domain. By default, CloudFront sets the `Host` header to the Application Load Balancer origin, and AWS WAF uses that as the domain of the protected resource. The client browser, however, sees the CloudFront distribution as the host domain, and tokens that are generated for the client use the CloudFront domain as the token domain. Without any additional configuration, when AWS WAF checks the protected resource domain against the token domain, it will get a mismatch. To fix this, add the CloudFront distribution domain name to the token domain list in your protection pack (web ACL) configuration. For information about how to do this, see [AWS WAF protection pack (web ACL) token domain list configuration](./waf-tokens-domains.html#waf-tokens-domain-lists).