AWS waf documentation change
Summary
Updated console experience link, added new Bot Control features (WBA verification, labels for AI/Advertising/Social Media bots), improved detection for ReactJS/POSIX rules, and removed outdated entries.
Security assessment
The changes document new security features like cryptographic bot verification (WBA), enhanced bot detection labels, and rule improvements. While these improve security capabilities, there's no evidence of addressing a specific vulnerability (e.g., the CVE reference was removed without explanation).
Diff
diff --git a/waf/latest/developerguide/aws-managed-rule-groups-changelog.md b/waf/latest/developerguide/aws-managed-rule-groups-changelog.md index 27e7e1749..dcf011a52 100644 --- a//waf/latest/developerguide/aws-managed-rule-groups-changelog.md +++ b//waf/latest/developerguide/aws-managed-rule-groups-changelog.md @@ -7 +7 @@ -You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). +You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the console](https://docs.aws.amazon.com/waf/latest/developerguide/working-with-console.html). @@ -25 +25,73 @@ Rule group and rules | Description | Date -| Updated the `ReactJSRCE_BODY` to add detection for requests matching CVE-2025-55182 - A remote code execution vulnerability in React and Next.js. | 2025-12-04 +| Released static version 1.25 of this rule group. Updated the `ReactJSRCE_BODY` to improve detection. | 2025-12-08 +[POSIX operating system managed rule group](./aws-managed-rule-groups-use-case.html#aws-managed-rule-groups-use-case-posix-os) | Released static version 3.1 of this rule group. Improved detection signatures for all the rules. | 2025-12-08 +[Known bad inputs managed rule group](./aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-known-bad-inputs) + + * `ReactJSRCE_BODY` + +| Released static version 1.24 of this rule group. Updated the `ReactJSRCE_BODY` to improve detection. | 2025-12-04 +[AWS WAF Bot Control rule group](./aws-managed-rule-groups-bot.html) New labels: + + * `awswaf:managed:aws:bot-control:bot:web_bot_auth<status>` + * `verified` – Successful verifictaion + * `invalid` – Failed verifictaion attempt + * `expired` –Expired key usage + * `unrecognized` – Unrecognized key usage + * `awswaf:managed:aws:bot-control:bot:vendor<vendor_name>` – Bot vendor or operator + * `awswaf:managed:aws:bot-control:bot:name<rfc_name>` – Bot name (RFC token from WBA) + * `awswaf:managed:aws:bot-control:bot:account<hash>` – AWS account identifier. (Amazon Bedrock Agent Core agents only) + +Scope: CloudFront | Deployed new static version `AWSManagedRulesBotControlRuleSet` Version_4.0 with Web Bot Authentication (WBA) support for cryptographic bot verification. This version must be explicitly selected and does not automatically update existing deployments using the default version. New capabilities: + + * Web Bot Authentication (WBA) cryptographic verification for AI bots and agents + * Automatic allowlisting of verified WBA bots in Category AI rule + * Enhanced bot identification with vendor, name, and account labels + * Support for Amazon Bedrock Agent Core bot detection + +Rule updates: + + * `Category AI `(Action: Block) + * Update to not match requests with `web_bot_auth:verified `label. + * Verified WBA bots are automatically allowed + * `TGT_TokenAbsent` (Action: Count) + * Updated to not match requests with `web_bot_auth:verified` label + + + +###### Important + +Version_4.0 is a static version only – it does not change the default version behavior. To use WBA features, explicitly select Version _4.0 when configuring your web ACL. | 2025-11-20 +[AWS WAF Bot Control rule group](./aws-managed-rule-groups-bot.html) New verified bot labels:Advertising: + + * `awswaf:managed:aws:bot-control:bot:name:meta-externalads`– Meta advertising bot + * `awswaf:managed:aws:bot-control:bot:organization:facebook`– Meta organization + +AI: + + * `awswaf:managed:aws:bot-control:bot:name:meta-webindexer`– Meta web indexer + * `awswaf:managed:aws:bot-control:bot:name:perplexity-user`– Perplexity user bot + * `awswaf:managed:aws:bot-control:bot:name:perplexitybot` – Perplexity bot + * `awswaf:managed:aws:bot-control:bot:name:bytespider` – Bytespider bot + * `awswaf:managed:aws:bot-control:bot:name:duckassisbot` – DuckDuckGo assistant bot + * `awswaf:managed:aws:bot-control:bot:organization:facebook` – Meta organization + +Content Fetcher: + + * `awswaf:managed:aws:bot-control:bot:name:meta-externalfetcher` – Meta content fetcher + * `awswaf:managed:aws:bot-control:bot:organization:facebook-externalfetcher` – Meta organization + +Social Media: + + * `awswaf:managed:aws:bot-control:bot:name:tiktok` – TikTok bot + +| Key improvements: + + * Expanded verified bot detection across multiple categories (Advertising, AI, Content Fetcher and Social Media) + * Added organization-level labels for Meta, Facebook bots + * Enhanced AI bot detection including Perplexity, Bytespider, and DuckDuckGo bots + * Added TikTok social media bot detection + + + +###### Important + +Bot category rules in Bot Control trigger only on unverified bots, except for CategoryAI which also triggers on verified bots. Version_3.3 is a static version only – it doesn't change the default version behavior. | 2025-11-17 @@ -50,28 +121,0 @@ Rule group and rules | Description | Date -[AWS WAF Bot Control rule group](./aws-managed-rule-groups-bot.html) New labels: - - * Search engine bots: - * `awswaf:managed:aws:bot-control:bot:name:evensi` - * `awswaf:managed:aws:bot-control:bot:name:yisouspider` - * AI bots: - * `awswaf:managed:aws:bot-control:bot:name:searchbot` - * `awswaf:managed:aws:bot-control:bot:name:nova_act` - * Organization labels for AI bots: - * `awswaf:managed:aws:bot-control:bot:organization:openai` - * `awswaf:managed:aws:bot-control:bot:organization:marfeel` - * `awswaf:managed:aws:bot-control:bot:organization:facebook` - * `awswaf:managed:aws:bot-control:bot:organization:metaexternalagent` - * `awswaf:managed:aws:bot-control:bot:organization:amazon` - * Content fetcher bots: - * `awswaf:managed:aws:bot-control:bot:name:google_cloud_vertex_bot` - * Cloud service provider signals: - * `awswaf:managed:aws:bot-control:signal:cloud_service_provider:alibaba` - -| Released static version 3.2 of this rule group. Added the listed new labels. | 2025-05-29 -[Core rule set (CRS) managed rule group](./aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-crs) - - * `CrossSiteScripting_BODY` - * `CrossSiteScripting_COOKIE` - * `CrossSiteScripting_QUERYARGUMENTS` - * `CrossSiteScripting_URIPATH` - -| Released static version 1.17 of this rule group. Improved detection signatures for the cross site scripting rules. | 2025-03-03