AWS Security ChangesHomeSearch

AWS AWSCloudFormation documentation change

Service: AWSCloudFormation · 2026-06-16 · Documentation low

File: AWSCloudFormation/latest/TemplateReference/aws-properties-route53resolver-firewallrulegroup-firewallrule.md

Summary

Added DICTIONARY_DGA threat type and expanded RuleType configuration documentation with examples and implementation guidance

Security assessment

The change documents new DNS firewall capabilities for detecting dictionary-based DGAs (more sophisticated malware domains) and clarifies security configuration options. This enhances security documentation but doesn't address a specific vulnerability.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-properties-route53resolver-firewallrulegroup-firewallrule.md b/AWSCloudFormation/latest/TemplateReference/aws-properties-route53resolver-firewallrulegroup-firewallrule.md
index 69bc1bda2..d0b8754e3 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-properties-route53resolver-firewallrulegroup-firewallrule.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-properties-route53resolver-firewallrulegroup-firewallrule.md
@@ -180 +180 @@ The type of the DNS Firewall Advanced rule. Valid values are:
-  * `DGA`: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to to launch malware attacks.
+  * `DGA`: Domain generation algorithms detection. DGAs are used by attackers to generate a large number of domains to launch malware attacks.
@@ -183,0 +184,2 @@ The type of the DNS Firewall Advanced rule. Valid values are:
+  * `DICTIONARY_DGA`: Dictionary-based domain generation algorithms detection. Dictionary DGAs use wordlists to generate domains that appear more legitimate, making them harder to detect than traditional DGAs.
+
@@ -230 +232,14 @@ _Required_ : No
-The rule type configuration for the firewall rule. Exactly one member of this union should be set.
+The rule type configuration for the firewall rule. This is a tagged union — exactly one of its members will be populated. Possible members are:
+
+  * `FirewallAdvancedContentCategory` — an AWS-managed content category (for example, `VIOLENCE_AND_HATE_SPEECH`).
+
+  * `FirewallAdvancedThreatCategory` — an AWS-managed advanced threat category (for example, `PHISHING`).
+
+  * `DnsThreatProtection` — a built-in DNS Firewall Advanced threat detector (`DGA`, `DNS_TUNNELING`, or `DICTIONARY_DGA`).
+
+  * `PartnerThreatProtection` — a third-party threat feed delivered through AWS Marketplace.
+
+
+
+
+To enumerate the values supported in your account, call ListFirewallRuleTypes.