AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2025-11-01 · Documentation low

File: waf/latest/developerguide/waf-anti-ddos-alb.md

Summary

Added guidance for optimizing web ACL costs while maintaining observability features for ALB protection

Security assessment

Documentation update explains how to enable security monitoring features (logging/metrics) while managing costs, but doesn't address specific vulnerabilities

Diff

diff --git a/waf/latest/developerguide/waf-anti-ddos-alb.md b/waf/latest/developerguide/waf-anti-ddos-alb.md
index 295b59d44..b5dca1b16 100644
--- a//waf/latest/developerguide/waf-anti-ddos-alb.md
+++ b//waf/latest/developerguide/waf-anti-ddos-alb.md
@@ -13 +13 @@ You can now use the updated experience to access AWS WAF functionality anywhere
-**Resource level DDoS protection** adds immediate defense to Application Load Balancers without the pricing considerations of a AWS WAF managed rule group. This standard tier of Anti-DDoS protection uses AWS threat intelligence and traffic pattern analysis to protect Application Load Balancers. To identify known malicous sources, Anti-DDoS protection performs on-host filtering of both direct client IP addresses and X-Forwarded-For (XFF) headers. After a known malicious source is identified, protection is activated through one of two modes:
+**Resource level DDoS protection** adds immediate defense to Application Load Balancers without incurring charges of deploying AWS WAF managed rule groups. This standard tier of Anti-DDoS protection uses AWS threat intelligence and traffic pattern analysis to protect Application Load Balancers. To identify known malicous sources, Anti-DDoS protection performs on-host filtering of both direct client IP addresses and X-Forwarded-For (XFF) headers. After a known malicious source is identified, protection is activated through one of two modes:
@@ -77,0 +78,17 @@ For information about creating a web ACL, see [Creating a protection pack (web A
+###### To optimize web ACL request costs for your Application Load Balancer
+
+You must associate a web ACL with your Application Load Balancer to enable resource-level protection. If your Application Load Balancer is associated with a web ACL that has no configuration, you will not incur charges from AWS WAF requests, however, AWS WAF will not provide sampled requests or report on the Application Load Balancer in CloudWatch metrics. You can take the following actions to enable observability features for the Application Load Balancer:
+
+  * Use the `Block` action or `Allow` action with custom request headers in the `DefaultAction`. For information, see [Inserting custom request headers for non-blocking actions](./customizing-the-incoming-request.html).
+
+  * Add any rules to the web ACL. For information, see [AWS WAF rules](./waf-rules.html).
+
+  * Enable a logging destination. For information, see [Configuring logging for a protection pack (web ACL)](./logging-management-configure.html).
+
+  * Associate the web ACL with an AWS Firewall Manager policy. For information, see [Creating an AWS Firewall Manager policy for AWS WAF](./create-policy.html#creating-firewall-manager-policy-for-waf).
+
+
+
+
+AWS WAF will not provide sampled requests or publish CloudWatch metrics without these configurations.
+