AWS prescriptive-guidance documentation change
Summary
Added acronym expansion for WAF and emphasized 'Rate-based rules' with italics
Security assessment
Clarification of WAF acronym and formatting change for rate-based rules. No security vulnerability addressed or new security features documented.
Diff
diff --git a/prescriptive-guidance/latest/bot-control/static-controls.md b/prescriptive-guidance/latest/bot-control/static-controls.md index 3c13bd117..b3338741a 100644 --- a//prescriptive-guidance/latest/bot-control/static-controls.md +++ b//prescriptive-guidance/latest/bot-control/static-controls.md @@ -21 +21 @@ Allow listing is a control that allows identified friendly traffic through exist -A commonly used tool to mitigate the impact of bots is to limit requests from a single requestor. The simplest example is to block the source IP address of the traffic if its requests are malicious or high in volume. This uses AWS WAF [IP set match rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-ipset-match.html) to implement IP-based blocks. These rules match on IP addresses and apply an action of `Block`, `Challenge`, or `CAPTCHA`. You can determine when too many requests are coming in from an IP address by looking at Content Delivery Network (CDN), a web application firewall, or application and service logs. However, in most cases, this control is impractical without automation. +A commonly used tool to mitigate the impact of bots is to limit requests from a single requestor. The simplest example is to block the source IP address of the traffic if its requests are malicious or high in volume. This uses AWS WAF [IP set match rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-ipset-match.html) to implement IP-based blocks. These rules match on IP addresses and apply an action of `Block`, `Challenge`, or `CAPTCHA`. You can determine when too many requests are coming in from an IP address by looking at Content Delivery Network (CDN), a web application firewall (WAF), or application and service logs. However, in most cases, this control is impractical without automation. @@ -23 +23 @@ A commonly used tool to mitigate the impact of bots is to limit requests from a -Automating IP address block lists in AWS WAF is commonly done with rate-based rules. For more information, see Rate-based rules in this guide. You can also implement the [Security Automations for AWS WAF](https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/welcome.html) solution. This solution automatically updates a list of IP addresses to block, and an AWS WAF rule denies requests that match those IP addresses. +Automating IP address block lists in AWS WAF is commonly done with rate-based rules. For more information, see _Rate-based rules_ in this guide. You can also implement the [Security Automations for AWS WAF](https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/welcome.html) solution. This solution automatically updates a list of IP addresses to block, and an AWS WAF rule denies requests that match those IP addresses.