AWS Security ChangesHomeSearch

AWS waf medium security documentation change

Service: waf · 2025-10-22 · Security-related medium

File: waf/latest/developerguide/classic-infrastructure-security.md

Summary

Removed content about requiring signed API requests using IAM access keys or AWS STS temporary credentials

Security assessment

The removed lines specifically described fundamental security requirements for authenticating AWS WAF Classic API calls. Deleting this information could lead to misconfigurations where users might omit request signing, increasing risk of unauthorized access. However, there's no explicit mention of addressing a specific vulnerability.

Diff

diff --git a/waf/latest/developerguide/classic-infrastructure-security.md b/waf/latest/developerguide/classic-infrastructure-security.md
index eb702e777..2bec9ed31 100644
--- a//waf/latest/developerguide/classic-infrastructure-security.md
+++ b//waf/latest/developerguide/classic-infrastructure-security.md
@@ -32,2 +31,0 @@ You use AWS published API calls to access AWS WAF Classic through the network. C
-Additionally, requests must be signed by using an access key ID and a secret access key that is associated with an IAM principal. Or you can use the [AWS Security Token Service](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html) (AWS STS) to generate temporary security credentials to sign requests.
-