AWS Security ChangesHomeSearch

AWS waf high security documentation change

Service: waf · 2026-06-04 · Security-related high

File: waf/latest/developerguide/waf-rule-statement-forwarded-ip-address.md

Summary

Added section on automatic client IP detection behind supported CDNs for Bot Control and Anti-DDoS rule groups

Security assessment

Documents security-critical behavior where managed rule groups automatically use true client IPs from CDN headers, ensuring accurate IP-based security protections without manual configuration.

Diff

diff --git a/waf/latest/developerguide/waf-rule-statement-forwarded-ip-address.md b/waf/latest/developerguide/waf-rule-statement-forwarded-ip-address.md
index 70ee40f90..18111e18e 100644
--- a//waf/latest/developerguide/waf-rule-statement-forwarded-ip-address.md
+++ b//waf/latest/developerguide/waf-rule-statement-forwarded-ip-address.md
@@ -50,0 +51,4 @@ The Bot Control managed rule group verifies bots using the IP addresses from AWS
+###### Detecting client IP behind supported CDNs
+
+For requests that arrive at AWS WAF through a third-party CDN, the Bot Control managed rule group and the Anti-DDoS managed rule group automatically recognize traffic that originates from the IP ranges of Amazon CloudFront, Cloudflare, and Fastly. When the rule groups detect a request from one of these CDNs, they transparently use the originating client IP from the upstream CDN's standard client IP header (for example, the `Fastly-Client-IP` header for Fastly). You don't need to configure forwarded IP addresses on these rule groups for these CDNs to work correctly. For other rule statements that use IP addresses, such as your custom IP set match, geo match, ASN match, and rate-based rules, you still need to specify a forwarded IP configuration if you want them to evaluate the upstream client IP instead of the CDN's IP.
+