AWS waf documentation change
Summary
Added documentation for 'AI traffic monetization with CloudFront' feature including considerations for CloudFront Functions/Lambda@Edge, cache behavior recommendations, latency characteristics, and configuration requirements.
Security assessment
The change introduces documentation for a new monetization feature with security implications around payment verification and cache isolation. It explicitly warns about security risks of misconfigured caching ('Always include agent identity in the cache key for monetized paths') which could lead to unauthorized access to paid content if not implemented properly. However, it's not fixing an existing vulnerability but documenting a new capability.
Diff
diff --git a/waf/latest/developerguide/cloudfront-features.md b/waf/latest/developerguide/cloudfront-features.md index a2cee0229..1fd3b219c 100644 --- a//waf/latest/developerguide/cloudfront-features.md +++ b//waf/latest/developerguide/cloudfront-features.md @@ -7 +7 @@ -How AWS WAF works with different distribution typesUsing AWS WAF with CloudFront Pricing Plans +How AWS WAF works with different distribution typesUsing AWS WAF with CloudFront Pricing PlansAI traffic monetizationAI traffic monetization with CloudFront @@ -24,0 +25,2 @@ When you create a protection pack (web ACL), you can specify one or more CloudFr + * AI traffic monetization with CloudFront + @@ -26,0 +29,2 @@ When you create a protection pack (web ACL), you can specify one or more CloudFr + * AI traffic monetization with CloudFront + @@ -124,0 +129,93 @@ While a AWS WAF web ACL must remain associated with your distribution, you maint +## AI traffic monetization with CloudFront + +AI traffic monetization is available exclusively for AWS WAF web ACL resources associated with Amazon CloudFront distributions. Payment verification and settlement occur at CloudFront edge locations, minimizing latency for agents worldwide. + +### Considerations when using AI Traffic Monetization with CloudFront Functions and Lambda@Edge + +When you use CloudFront Functions or Lambda@Edge with distributions that have Monetize rules in AWS WAF, note the following behavior for AWS WAF-generated responses. + +###### AWS WAF-generated responses (402 Payment Required Challenge) + +Viewer-response function (CloudFront Functions and Lambda@Edge) does not run on AWS WAF-generated 402 response. You cannot use these functions to customize the Payment Required Challenge. You also cannot add headers to it or modify it. If you need to add custom headers to 402 responses (for example, CORS or analytics headers), use a Response Headers Policy instead. Response Headers Policies apply to AWS WAF-generated responses. + +For more information about CloudFront Functions and response header policies, see the following: + + * Viewer-response functions don't run on HTTP status codes 400 and higher. For more information about edge function restrictions, see [HTTP status codes](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/edge-function-restrictions-all.html#function-restrictions-status-codes). + + * For more information about response header policies, see [Understanding response headers policies](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/understanding-response-headers-policies.html). + + + + +###### Paid responses (200 after settlement) + +After a successful payment settlement, the origin response passes through the normal CloudFront response pipeline, including viewer-response function. A viewer-response function can modify the response that the agent receives after paying. For example, it can change the status code or remove headers. + +## AI traffic monetization with CloudFront + +AI traffic monetization is available exclusively for web ACLs associated with Amazon CloudFront distributions. Payment verification and access token issuance occur at CloudFront edge locations, minimizing latency for agents worldwide. + +### Why CloudFront only + +Monetization requires: + + * **Edge-native payment verification** – Payment proofs are verified at the edge without round trips to origin. + + * **Global token issuance** – Scoped access tokens are issued at the edge and honored by all edge locations serving the same distribution. + + * **Price manifest generation** – The 402 response with pricing details is generated at the edge, keeping the flow below the latency target for machine-to-machine payment protocols. + + + + +Regional web ACLs (Application Load Balancer, , , Cognito, App Runner, Verified Access) do not support the Monetize action. If a Monetize rule is configured on a regional web ACL, the rule is skipped and the request continues to the next rule. + +### Cache behavior with monetized content + +Monetized resources require special cache configuration to prevent one agent's paid access from serving cached content to another agent. + +**Recommended cache settings for monetized paths:** + +Setting| Value| Reason +---|---|--- +Cache policy| CachingDisabled or custom| Prevents cross-agent cache sharing +Origin request policy| Include `X-Agent-Id` and `X-Access-Token` headers| Allows origin to validate agent-specific tokens +TTL| 0 (or short, per content freshness needs)| Ensures each agent request is evaluated by AWS WAF + +If you require caching for performance, configure a per-agent cache key: + + * Add `X-Agent-Id` to the cache key using a custom cache policy. + + * This ensures each agent receives its own cached copy after payment, without serving paid content to other agents. + + + + +###### Important + +If you enable caching without per-agent cache keys, a paid response might be served from cache to subsequent agents without payment verification. Always include agent identity in the cache key for monetized paths. + +### Latency characteristics + +Phase| Typical latency| Notes +---|---|--- +Classification + 402 generation| <10 ms| Runs inline at edge +Payment verification| <30 ms| Proof validation is cryptographic, no external call +Token issuance + origin fetch| Standard CloudFront latency| Same as a normal request +**Total additional overhead**| **< 50 ms**| Above standard request latency + +### CloudFront distribution configuration + +No changes to your CloudFront distribution settings are required to enable monetization. The feature is controlled entirely through the AWS WAF web ACL and protection pack configuration. + +Ensure the following: + + * **Web ACL association** – Your distribution must have an associated AWS WAF web ACL with Bot Control and a Monetize rule. + + * **Origin response headers** – If your origin sets `Cache-Control` headers, verify they do not conflict with the per-agent caching strategy for monetized paths. + + * **Custom error pages** – CloudFront custom error pages for 4xx responses do not apply to AWS WAF-generated 402 responses. The price manifest is served directly by AWS WAF. + + + +