AWS waf high security documentation change
Summary
Added section on deploying Bot Control behind CDNs with automatic client IP detection for CloudFront/Cloudflare/Fastly
Security assessment
Documents critical configuration for accurate bot detection when behind CDNs, ensuring security features like rate limiting function correctly by using true client IPs.
Diff
diff --git a/waf/latest/developerguide/waf-bot-control-use-cases.md b/waf/latest/developerguide/waf-bot-control-use-cases.md index 1819e702c..3fbae82f8 100644 --- a//waf/latest/developerguide/waf-bot-control-use-cases.md +++ b//waf/latest/developerguide/waf-bot-control-use-cases.md @@ -153,0 +154,4 @@ Always deploy Bot Control in count mode first. In count mode, Bot Control labels +###### Deploying behind a CDN or reverse proxy + +If your application sits behind a third-party CDN, by default AWS WAF sees the CDN's IP address as the client. The Bot Control managed rule group recognizes traffic from Amazon CloudFront, Cloudflare, and Fastly automatically and uses the originating client IP from the CDN's standard client IP header instead. Both the common protection level and the targeted protection level use this detection, including session-level rate limiting and the targeted bot detection rules that depend on accurate client identity. You don't need additional forwarded IP configuration on the Bot Control rule group for these CDNs. For other rule statements in your protection pack (web ACL) that use IP addresses, such as your custom IP set match, geo match, ASN match, and rate-based rules, configure them with a forwarded IP configuration if you want them to evaluate the upstream client IP. For information about forwarded IP addresses, see [Using forwarded IP addresses in AWS WAF](./waf-rule-statement-forwarded-ip-address.html). If your application is behind a different reverse proxy or a CDN that Bot Control doesn't recognize automatically, configure your reverse proxy to forward the client IP in a header such as `X-Forwarded-For` and use a forwarded IP configuration on the rule statements that evaluate IP addresses. +