AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-08-22 · Documentation low

File: waf/latest/developerguide/web-acl-rule-actions.md

Summary

Updated terminology from 'protection pack or web ACL' to 'protection pack (web ACL)' throughout the document to clarify that protection packs are a type of web ACL.

Security assessment

The changes are purely terminological clarifications without introducing new security concepts, addressing vulnerabilities, or modifying security behaviors. No evidence of security incidents or weaknesses being resolved.

Diff

diff --git a/waf/latest/developerguide/web-acl-rule-actions.md b/waf/latest/developerguide/web-acl-rule-actions.md
index 4d1befffa..7f74f598a 100644
--- a//waf/latest/developerguide/web-acl-rule-actions.md
+++ b//waf/latest/developerguide/web-acl-rule-actions.md
@@ -15 +15 @@ When you configure your rules and rule groups, you choose how you want AWS WAF t
-  * **Allow and Block are terminating actions** – Allow and Block actions stop all other processing of the protection pack or web ACL on the matching web request. If a rule in a protection pack or web ACL finds a match for a request and the rule action is Allow or Block, that match determines the final disposition of the web request for the protection pack or web ACL. AWS WAF doesn't process any other rules in the protection pack or web ACL that come after the matching one. This is true for rules that you add directly to the protection pack or web ACL and rules that are inside an added rule group. With the Block action, the protected resource doesn't receive or process the web request.
+  * **Allow and Block are terminating actions** – Allow and Block actions stop all other processing of the protection pack (web ACL) on the matching web request. If a rule in a protection pack (web ACL) finds a match for a request and the rule action is Allow or Block, that match determines the final disposition of the web request for the protection pack (web ACL). AWS WAF doesn't process any other rules in the protection pack (web ACL) that come after the matching one. This is true for rules that you add directly to the protection pack (web ACL) and rules that are inside an added rule group. With the Block action, the protected resource doesn't receive or process the web request.
@@ -17 +17 @@ When you configure your rules and rule groups, you choose how you want AWS WAF t
-  * **Count is a non-terminating action** – When a rule with a Count action matches a request, AWS WAF counts the request, then continues processing the rules that follow in the protection pack or web ACL rule set. 
+  * **Count is a non-terminating action** – When a rule with a Count action matches a request, AWS WAF counts the request, then continues processing the rules that follow in the protection pack (web ACL) rule set. 
@@ -19 +19 @@ When you configure your rules and rule groups, you choose how you want AWS WAF t
-  * **CAPTCHA and Challenge can be non-terminating or terminating actions** – When a rule with one of these actions matches a request, AWS WAF checks its token status. If the request has a valid token, AWS WAF treats the match similar to a Count match, and then continues processing the rules that follow in the protection pack or web ACL rule set. If the request doesn't have a valid token, AWS WAF terminates the evaluation and sends the client a CAPTCHA puzzle or silent background client session challenge to solve. 
+  * **CAPTCHA and Challenge can be non-terminating or terminating actions** – When a rule with one of these actions matches a request, AWS WAF checks its token status. If the request has a valid token, AWS WAF treats the match similar to a Count match, and then continues processing the rules that follow in the protection pack (web ACL) rule set. If the request doesn't have a valid token, AWS WAF terminates the evaluation and sends the client a CAPTCHA puzzle or silent background client session challenge to solve. 
@@ -24 +24 @@ When you configure your rules and rule groups, you choose how you want AWS WAF t
-If the rule evaluation doesn't result in any terminating action, then AWS WAF applies the protection pack or web ACL default action to the request. For information, see [Setting the protection pack or web ACL default action in AWS WAF](./web-acl-default-action.html).
+If the rule evaluation doesn't result in any terminating action, then AWS WAF applies the protection pack (web ACL) default action to the request. For information, see [Setting the protection pack (web ACL) default action in AWS WAF](./web-acl-default-action.html).
@@ -26 +26 @@ If the rule evaluation doesn't result in any terminating action, then AWS WAF ap
-In your protection pack or web ACL, you can override the action settings for rules inside a rule group and you can override the action that's returned by a rule group. For information, see [Overriding rule group actions in AWS WAF](./web-acl-rule-group-override-options.html). 
+In your protection pack (web ACL), you can override the action settings for rules inside a rule group and you can override the action that's returned by a rule group. For information, see [Overriding rule group actions in AWS WAF](./web-acl-rule-group-override-options.html). 
@@ -30 +30 @@ In your protection pack or web ACL, you can override the action settings for rul
-The actions that AWS WAF applies to a web request are affected by the numeric priority settings of the rules in the protection pack or web ACL. For example, say that your protection pack or web ACL has a rule with Allow action and a numeric priority of 50 and another rule with Count action and a numeric priority of 100. AWS WAF evaluates the rules in a protection pack or web ACL in the order of their priority, starting from the lowest setting, so it will evaluate the allow rule before the count rule. A web request that matches both rules will match the allow rule first. Since Allow is a terminating action, AWS WAF will stop the evaluation at this match and won't evaluate the request against the count rule. 
+The actions that AWS WAF applies to a web request are affected by the numeric priority settings of the rules in the protection pack (web ACL). For example, say that your protection pack (web ACL) has a rule with Allow action and a numeric priority of 50 and another rule with Count action and a numeric priority of 100. AWS WAF evaluates the rules in a protection pack (web ACL) in the order of their priority, starting from the lowest setting, so it will evaluate the allow rule before the count rule. A web request that matches both rules will match the allow rule first. Since Allow is a terminating action, AWS WAF will stop the evaluation at this match and won't evaluate the request against the count rule.