AWS Security ChangesHomeSearch

AWS cli medium security documentation change

Service: cli · 2025-08-25 · Security-related medium

File: cli/latest/reference/wafv2/update-web-acl.md

Summary

Clarified behavior differences between managed/customer-owned rule groups when invalid rule names are used in overrides

Security assessment

Explicitly documents that invalid rule names in managed rule group overrides are silently ignored, which could lead to unintended security configurations if administrators are unaware. This addresses a potential misconfiguration risk where security controls might not be applied as expected.

Diff

diff --git a/cli/latest/reference/wafv2/update-web-acl.md b/cli/latest/reference/wafv2/update-web-acl.md
index 72f9fd24b..865fa0379 100644
--- a//cli/latest/reference/wafv2/update-web-acl.md
+++ b//cli/latest/reference/wafv2/update-web-acl.md
@@ -15 +15 @@
-  * [AWS CLI 2.28.15 Command Reference](../../index.html) »
+  * [AWS CLI 2.28.16 Command Reference](../../index.html) »
@@ -109,0 +110 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/wafv2-
+    [--application-config <value>]
@@ -1933 +1934 @@ JSON Syntax:
->>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -1943 +1944 @@ JSON Syntax:
->>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -4262 +4263 @@ JSON Syntax:
->>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -4272 +4273 @@ JSON Syntax:
->>>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -5866 +5867 @@ JSON Syntax:
->>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -5876 +5877 @@ JSON Syntax:
->>>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -8349 +8350 @@ JSON Syntax:
->>>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -8359 +8360 @@ JSON Syntax:
->>>>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -9953 +9954 @@ JSON Syntax:
->>>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -9963 +9964 @@ JSON Syntax:
->>>>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -12215 +12216 @@ JSON Syntax:
->>>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -12225 +12226 @@ JSON Syntax:
->>>>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -13819 +13820 @@ JSON Syntax:
->>>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -13829 +13830 @@ JSON Syntax:
->>>>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -16075 +16076 @@ JSON Syntax:
->>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -16085 +16086 @@ JSON Syntax:
->>>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -17679 +17680 @@ JSON Syntax:
->>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -17689 +17690 @@ JSON Syntax:
->>>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -19973 +19974 @@ JSON Syntax:
->>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -19983 +19984 @@ JSON Syntax:
->>>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -21577 +21578 @@ JSON Syntax:
->>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -21587 +21588 @@ JSON Syntax:
->>>>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -22815 +22816 @@ JSON Syntax:
->>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -22825 +22826 @@ JSON Syntax:
->>>>>>> Take care to verify the rule names in your overrides. If you provide a rule name that doesn’t match the name of any rule in the rule group, WAF doesn’t return an error and doesn’t apply the override setting.
+>>>>>>> Verify the rule names in your overrides carefully. With managed rule groups, WAF silently ignores any override that uses an invalid rule name. With customer-owned rule groups, invalid rule names in your overrides will cause web ACL updates to fail. An invalid rule name is any name that doesn’t exactly match the case-sensitive name of an existing rule in the rule group.
@@ -29308,0 +29310,43 @@ JSON Syntax:
+`--application-config` (structure)
+
+> Configures the ability for the WAF console to store and retrieve application attributes. Application attributes help WAF give recommendations for protection packs.
+> 
+> When using `UpdateWebACL` , `ApplicationConfig` follows these rules:
+> 
+>   * If you omit `ApplicationConfig` from the request, all existing entries in the web ACL are retained.
+>   * If you include `ApplicationConfig` , entries must match the existing values exactly. Any attempt to modify existing entries will result in an error.
+> 
+
+> 
+> Attributes -> (list)
+>
+>> Contains the attribute name and a list of values for that attribute.
+>> 
+>> (structure)
+>>
+>>> Application details defined during the web ACL creation process. Application attributes help WAF give recommendations for protection packs.
+>>> 
+>>> Name -> (string)
+>>>
+>>>> Specifies the attribute name.
+>>> 
+>>> Values -> (list)
+>>>
+>>>> Specifies the attribute value.
+>>>> 
+>>>> (string)
+
+JSON Syntax:
+    
+    
+    {
+      "Attributes": [
+        {
+          "Name": "string",
+          "Values": ["string", ...]
+        }
+        ...
+      ]
+    }
+    
+
@@ -29456 +29500 @@ NextLockToken -> (string)
-  * [AWS CLI 2.28.15 Command Reference](../../index.html) »
+  * [AWS CLI 2.28.16 Command Reference](../../index.html) »