AWS waf documentation change
Summary
Clarified web ACL management interactions between AWS WAF policies and Shield policies
Security assessment
The change documents policy enforcement behavior but does not address a specific vulnerability. It clarifies security feature interactions between services.
Diff
diff --git a/waf/latest/developerguide/how-fms-manages-web-acls.md b/waf/latest/developerguide/how-fms-manages-web-acls.md index 8ca7587df..ea33faccf 100644 --- a//waf/latest/developerguide/how-fms-manages-web-acls.md +++ b//waf/latest/developerguide/how-fms-manages-web-acls.md @@ -15 +15,3 @@ Firewall Manager creates and manages web ACLs for in-scope resources according t -If a resource that's configured with [advanced automatic application layer DDoS mitigation](./ddos-automatic-app-layer-response.html) comes into scope of an AWS WAF policy, Firewall Manager will be unable to apply the policy protections to the resource and will mark the resource noncompliant. +If a resource that's configured with [advanced automatic application layer DDoS mitigation](./ddos-automatic-app-layer-response.html) by another Firewall Manager Shield policy comes into scope of an AWS WAF policy, where the web ACL on the resource was created by that Firewall Manager Shield policy, Firewall Manager will be unable to apply the AWS WAF policy protections to the resource and will mark the resource noncompliant. + +If a customer manually associates a customer-owned web ACL with the resource, the Firewall Manager AWS WAF policy will still override that customer web ACL with the Firewall Manager AWS WAF policy web ACL.