AWS AWSCloudFormation documentation change
Summary
Added new stateful default actions and clarified UDP fragment handling behavior
Security assessment
Adds documentation for new application-layer security controls (aws:drop_established_app_layer, aws:alert_established_app_layer) and clarifies UDP fragment inspection behavior. While security-related, there's no evidence of addressing a specific vulnerability.
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/aws-properties-networkfirewall-firewallpolicy-firewallpolicy.md b/AWSCloudFormation/latest/TemplateReference/aws-properties-networkfirewall-firewallpolicy-firewallpolicy.md index 254d32428..a302b110e 100644 --- a//AWSCloudFormation/latest/TemplateReference/aws-properties-networkfirewall-firewallpolicy-firewallpolicy.md +++ b//AWSCloudFormation/latest/TemplateReference/aws-properties-networkfirewall-firewallpolicy-firewallpolicy.md @@ -95,0 +96,4 @@ Valid values of the stateful default action: + * aws:drop_established_app_layer + + * aws:alert_established_app_layer + @@ -158 +162 @@ _Required_ : Yes -The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy. If you want non-matching fragmented packets to be forwarded for stateful inspection, specify `aws:forward_to_sfe`. +The actions to take on a fragmented UDP packet if it doesn't match any of the stateless rules in the policy. Network Firewall only manages UDP packet fragments and silently drops packet fragments for other protocols. If you want non-matching fragmented UDP packets to be forwarded for stateful inspection, specify `aws:forward_to_sfe`.