AWS Security ChangesHomeSearch

AWS waf documentation change

Service: waf · 2026-07-01 · Documentation medium

File: waf/latest/developerguide/security-group-policies-common.md

Summary

Added clarification that Firewall Manager maintains replica security groups using last valid rule set when primary groups become empty

Security assessment

Documents security feature behavior to prevent accidental exposure when rules are removed. Clarifies management of security groups but doesn't address specific vulnerabilities.

Diff

diff --git a/waf/latest/developerguide/security-group-policies-common.md b/waf/latest/developerguide/security-group-policies-common.md
index f48161f04..bc2469605 100644
--- a//waf/latest/developerguide/security-group-policies-common.md
+++ b//waf/latest/developerguide/security-group-policies-common.md
@@ -56,0 +57,2 @@ For each common security group policy, you provide AWS Firewall Manager with one
+  * Primary security groups must contain at least one ingress or egress rule. If you remove all rules from a primary security group, Firewall Manager continues to manage replica security groups based on the last version of the primary security groups that had rules.
+