AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2026-03-19 · Documentation low

File: waf/latest/developerguide/waf-metrics.md

Summary

Clarified that CaptchaRequests and ChallengeRequests metrics represent terminating rules and don't include requests with valid tokens

Security assessment

This change provides clarification on WAF metric definitions for better understanding of security monitoring. While WAF is a security service, this is a documentation clarification rather than addressing a security issue or adding new security feature documentation.

Diff

diff --git a/waf/latest/developerguide/waf-metrics.md b/waf/latest/developerguide/waf-metrics.md
index cf174eeb9..c5316031d 100644
--- a//waf/latest/developerguide/waf-metrics.md
+++ b//waf/latest/developerguide/waf-metrics.md
@@ -56 +56 @@ AWS WAF core metrics Metric | Description
-`CaptchaRequests` |  The number of web requests that had CAPTCHA controls applied. Reporting criteria: There is a nonzero value. A CAPTCHA web request is one that matches a rule that has a CAPTCHA action setting. This metric records all requests that match, regardless of whether the CAPTCHA token is expired, invalid, absent, or has a domain mismatch. Valid statistics: Sum  
+`CaptchaRequests` |  The number of web requests that had CAPTCHA controls applied. It represents a terminating rule and does not include `RequestsWithValidCaptchaToken`. Reporting criteria: There is a nonzero value. A CAPTCHA web request is one that matches a rule that has a CAPTCHA action setting. This metric records all requests that match, regardless of whether the CAPTCHA token is expired, invalid, absent, or has a domain mismatch. Valid statistics: Sum  
@@ -60 +60 @@ AWS WAF core metrics Metric | Description
-`ChallengeRequests` |  The number of web requests that had challenge controls applied. Reporting criteria: There is a nonzero value. A challenge web request is one that matches a rule that has a Challenge action setting. This metric records all requests that match, regardless of whether the challenge token is expired, invalid, absent, or has a domain mismatch. Valid statistics: Sum  
+`ChallengeRequests` |  The number of web requests that had challenge controls applied. It represents a terminating rule and does not include `RequestsWithValidChallengeToken`.  Reporting criteria: There is a nonzero value. A challenge web request is one that matches a rule that has a Challenge action setting. This metric records all requests that match, regardless of whether the challenge token is expired, invalid, absent, or has a domain mismatch. Valid statistics: Sum