AWS Security ChangesHomeSearch

AWS AWSCloudFormation high security documentation change

Service: AWSCloudFormation · 2026-05-01 · Security-related high

File: AWSCloudFormation/latest/TemplateReference/aws-properties-networkfirewall-rulegroup-statefulrule.md

Summary

Updated Suricata rules documentation link to version 7.0.8, clarified ALERT action removes traffic permission, and refined REJECT action specification for TCP-only with FTP/IMAP exclusion.

Security assessment

The change modifies critical firewall rule actions: ALERT no longer permits traffic (only sends alerts), and REJECT explicitly drops traffic with TCP resets but excludes FTP/IMAP. This corrects potentially dangerous misconceptions where ALERT might have been assumed to allow traffic, and REJECT might have been incorrectly applied to non-TCP protocols. The updates prevent misconfigurations that could lead to unintended traffic allowance or protocol incompatibilities.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-properties-networkfirewall-rulegroup-statefulrule.md b/AWSCloudFormation/latest/TemplateReference/aws-properties-networkfirewall-rulegroup-statefulrule.md
index 988573b6d..f6aabcd84 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-properties-networkfirewall-rulegroup-statefulrule.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-properties-networkfirewall-rulegroup-statefulrule.md
@@ -11 +11 @@ This is the new _CloudFormation Template Reference Guide_. Please update your bo
-A single Suricata rules specification, for use in a stateful rule group. Use this option to specify a simple Suricata rule with protocol, source and destination, ports, direction, and rule options. For information about the Suricata `Rules` format, see [Rules Format](https://suricata.readthedocs.io/en/suricata-7.0.3/rules/intro.html). 
+A single Suricata rules specification, for use in a stateful rule group. Use this option to specify a simple Suricata rule with protocol, source and destination, ports, direction, and rule options. For information about the Suricata `Rules` format, see [Rules Format](https://suricata.readthedocs.io/en/suricata-7.0.8/rules/intro.html). 
@@ -50,3 +50 @@ The actions for a stateful rule are defined as follows:
-  * **REJECT** \- Drops traffic that matches the conditions of the stateful rule and sends a TCP reset packet back to sender of the packet. A TCP reset packet is a packet with no payload and a `RST` bit contained in the TCP header flags. `REJECT` is available only for TCP traffic.
-
-  * **ALERT** \- Permits the packets to go to the intended destination and sends an alert log message, if alert logging is configured in the firewall logging configuration. 
+  * **ALERT** \- Sends an alert log message, if alert logging is configured in the firewall logging configuration. 
@@ -56,3 +54 @@ You can use this action to test a rule that you intend to use to drop traffic. Y
-  * **REJECT** \- Drops TCP traffic that matches the conditions of the stateful rule, and sends a TCP reset packet back to sender of the packet. A TCP reset packet is a packet with no payload and a `RST` bit contained in the TCP header flags. Also sends an alert log mesage if alert logging is configured in the firewall logging configuration.
-
-`REJECT` isn't currently available for use with IMAP and FTP protocols.
+  * **REJECT** \- Drops traffic that matches the conditions of the stateful rule, and sends a TCP reset packet back to sender of the packet. A TCP reset packet is a packet with no payload and an RST bit contained in the TCP header flags. REJECT is available only for TCP traffic. This option doesn't support FTP or IMAP protocols.