AWS AWSCloudFormation high security documentation change
Summary
Updated Suricata rules documentation link to version 7.0.8, clarified ALERT action removes traffic permission, and refined REJECT action specification for TCP-only with FTP/IMAP exclusion.
Security assessment
The change modifies critical firewall rule actions: ALERT no longer permits traffic (only sends alerts), and REJECT explicitly drops traffic with TCP resets but excludes FTP/IMAP. This corrects potentially dangerous misconceptions where ALERT might have been assumed to allow traffic, and REJECT might have been incorrectly applied to non-TCP protocols. The updates prevent misconfigurations that could lead to unintended traffic allowance or protocol incompatibilities.
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/aws-properties-networkfirewall-rulegroup-statefulrule.md b/AWSCloudFormation/latest/TemplateReference/aws-properties-networkfirewall-rulegroup-statefulrule.md index 988573b6d..f6aabcd84 100644 --- a//AWSCloudFormation/latest/TemplateReference/aws-properties-networkfirewall-rulegroup-statefulrule.md +++ b//AWSCloudFormation/latest/TemplateReference/aws-properties-networkfirewall-rulegroup-statefulrule.md @@ -11 +11 @@ This is the new _CloudFormation Template Reference Guide_. Please update your bo -A single Suricata rules specification, for use in a stateful rule group. Use this option to specify a simple Suricata rule with protocol, source and destination, ports, direction, and rule options. For information about the Suricata `Rules` format, see [Rules Format](https://suricata.readthedocs.io/en/suricata-7.0.3/rules/intro.html). +A single Suricata rules specification, for use in a stateful rule group. Use this option to specify a simple Suricata rule with protocol, source and destination, ports, direction, and rule options. For information about the Suricata `Rules` format, see [Rules Format](https://suricata.readthedocs.io/en/suricata-7.0.8/rules/intro.html). @@ -50,3 +50 @@ The actions for a stateful rule are defined as follows: - * **REJECT** \- Drops traffic that matches the conditions of the stateful rule and sends a TCP reset packet back to sender of the packet. A TCP reset packet is a packet with no payload and a `RST` bit contained in the TCP header flags. `REJECT` is available only for TCP traffic. - - * **ALERT** \- Permits the packets to go to the intended destination and sends an alert log message, if alert logging is configured in the firewall logging configuration. + * **ALERT** \- Sends an alert log message, if alert logging is configured in the firewall logging configuration. @@ -56,3 +54 @@ You can use this action to test a rule that you intend to use to drop traffic. Y - * **REJECT** \- Drops TCP traffic that matches the conditions of the stateful rule, and sends a TCP reset packet back to sender of the packet. A TCP reset packet is a packet with no payload and a `RST` bit contained in the TCP header flags. Also sends an alert log mesage if alert logging is configured in the firewall logging configuration. - -`REJECT` isn't currently available for use with IMAP and FTP protocols. + * **REJECT** \- Drops traffic that matches the conditions of the stateful rule, and sends a TCP reset packet back to sender of the packet. A TCP reset packet is a packet with no payload and an RST bit contained in the TCP header flags. REJECT is available only for TCP traffic. This option doesn't support FTP or IMAP protocols.