AWS waf documentation change
Summary
Updated documentation for AWS WAF Bot Control rule group: Added new bot identification labels (RFC name, account hash, vendor), documented Web Bot Authentication verification statuses, and clarified behavior for verified bots.
Security assessment
The changes enhance documentation of security features (bot identification and verification) without indicating any vulnerability fix. New labels like account hash improve security by allowing account-based bot control without exposing account IDs. The Web Bot Authentication status documentation helps implement verification workflows, but no evidence suggests this addresses a specific vulnerability.
Diff
diff --git a/waf/latest/developerguide/aws-managed-rule-groups-bot.md b/waf/latest/developerguide/aws-managed-rule-groups-bot.md index 5cea8f7c9..3735ff5a3 100644 --- a//waf/latest/developerguide/aws-managed-rule-groups-bot.md +++ b//waf/latest/developerguide/aws-managed-rule-groups-bot.md @@ -9 +9 @@ Protection levelsUsing this rule groupLabels added by this rule groupRules listi -You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). +You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html). @@ -141,0 +142,2 @@ Each label reflects the Bot Control rule findings: + * `awswaf:managed:aws:bot-control:bot:name:`<rfc_name>`` – Identifies the specific bot using the RFC product token from the WBA signature. This is used to create granular custom rules for specific bots. For example, allow `GoogleBot` but rate-limit other crawlers. + @@ -143,0 +146,16 @@ Each label reflects the Bot Control rule findings: + * `awswaf:managed:aws:bot-control:bot:account:`<hash>`` –For bots using Amazon Bedrock Agent Core only. This label contains an opaque hash uniquely identifying the AWS account that owns the agent. Use this label to create custom rules that allow, block, or rate-limit bots from specific AWS accounts without exposing account IDs in logs. + + * `awswaf:managed:aws:bot-control:bot:web_bot_auth:`<status>`` – Applied when Web Bot Authentication (WBA) validation is performed on a request. The status suffix indicates the verification outcome: + + * `web_bot_auth:verified` – Signature successfully validated against public key directory + + * `web_bot_auth:invalid` – Signature present but cryptograpic validation failed + + * `web_bot_auth:expired` – Signature used an expired cryptograpic key + + * `web_bot_auth:unrecognized` – Key ID not found in the key directory + +###### Note + +When the `web_bot_auth:verified` label is present, the `CategoryAI` and `TGT_TokenAbsent` rules do not match, allowing verified WBA hosts to proceed. + @@ -151,0 +170,2 @@ Bot Control uses the IP address from the web request origin to help determine wh + * `awswaf:managed:aws:bot-control:bot:vendor:`<vendor_name>`` – Identifies the vendor or operator of a verified bot. Currently available only for Agentcore. Use to create custom rules that allow or block specific bot vendors regardless of individual bot names. +