AWS online-register documentation change
Summary
Updated DescribeAttack action documentation to clarify that it calls wafv2:DescribeTopContributorsByEvent for AWS WAF anti-DDoS managed rule group attacks, requiring additional IAM permission
Security assessment
This change adds important security documentation about required IAM permissions for the DescribeAttack action when used with AWS WAF anti-DDoS managed rule groups. It clarifies permission requirements but doesn't indicate a specific security issue was addressed.
Diff
diff --git a/online-register/latest/data-formats/awsshield.md b/online-register/latest/data-formats/awsshield.md index e28a6c14f..7995660c6 100644 --- a//online-register/latest/data-formats/awsshield.md +++ b//online-register/latest/data-formats/awsshield.md @@ -9 +9 @@ Actions | Description | Access level -[DescribeAttack](https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_DescribeAttack.html)| Get attack details| Read +[DescribeAttack](https://docs.aws.amazon.com/waf/latest/DDOSAPIReference/API_DescribeAttack.html)| Get attack details. For getting attack details protected by AWS WAF anti-DDoS managed rule group, this action additionally calls wafv2:DescribeTopContributorsByEvent to retrieve application layer attack contributors, which requires to have wafv2:DescribeTopContributorsByEvent permission in IAM policy| Read