AWS AWSCloudFormation documentation change
Summary
Expanded rule action options to include reject/alert/drop behaviors and added note about alert logging behavior
Security assessment
The change clarifies security-related traffic handling behaviors (alerting/rejecting/dropping) and logging implications, but does not indicate a specific security vulnerability being addressed.
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/aws-properties-networkfirewall-rulegroup-rulessourcelist.md b/AWSCloudFormation/latest/TemplateReference/aws-properties-networkfirewall-rulegroup-rulessourcelist.md index 0559862f2..f20327693 100644 --- a//AWSCloudFormation/latest/TemplateReference/aws-properties-networkfirewall-rulegroup-rulessourcelist.md +++ b//AWSCloudFormation/latest/TemplateReference/aws-properties-networkfirewall-rulegroup-rulessourcelist.md @@ -44 +44,5 @@ To declare this entity in your AWS CloudFormation template, use the following sy -Whether you want to allow or deny access to the domains in your target list. +Whether you want to apply allow, reject, alert, or drop behavior to the domains in your target list. + +###### Note + +When logging is enabled and you choose Alert, traffic that matches the domain specifications generates an alert in the firewall's logs. Then, traffic either passes, is rejected, or drops based on other rules in the firewall policy.