AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-07-10 · Documentation low

File: prescriptive-guidance/latest/bot-control/static-controls.md

Summary

Added acronym expansion for WAF and emphasized 'Rate-based rules' with italics

Security assessment

Clarification of WAF acronym and formatting change for rate-based rules. No security vulnerability addressed or new security features documented.

Diff

diff --git a/prescriptive-guidance/latest/bot-control/static-controls.md b/prescriptive-guidance/latest/bot-control/static-controls.md
index 3c13bd117..b3338741a 100644
--- a//prescriptive-guidance/latest/bot-control/static-controls.md
+++ b//prescriptive-guidance/latest/bot-control/static-controls.md
@@ -21 +21 @@ Allow listing is a control that allows identified friendly traffic through exist
-A commonly used tool to mitigate the impact of bots is to limit requests from a single requestor. The simplest example is to block the source IP address of the traffic if its requests are malicious or high in volume. This uses AWS WAF [IP set match rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-ipset-match.html) to implement IP-based blocks. These rules match on IP addresses and apply an action of `Block`, `Challenge`, or `CAPTCHA`. You can determine when too many requests are coming in from an IP address by looking at Content Delivery Network (CDN), a web application firewall, or application and service logs. However, in most cases, this control is impractical without automation.
+A commonly used tool to mitigate the impact of bots is to limit requests from a single requestor. The simplest example is to block the source IP address of the traffic if its requests are malicious or high in volume. This uses AWS WAF [IP set match rules](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-type-ipset-match.html) to implement IP-based blocks. These rules match on IP addresses and apply an action of `Block`, `Challenge`, or `CAPTCHA`. You can determine when too many requests are coming in from an IP address by looking at Content Delivery Network (CDN), a web application firewall (WAF), or application and service logs. However, in most cases, this control is impractical without automation.
@@ -23 +23 @@ A commonly used tool to mitigate the impact of bots is to limit requests from a
-Automating IP address block lists in AWS WAF is commonly done with rate-based rules. For more information, see Rate-based rules in this guide. You can also implement the [Security Automations for AWS WAF](https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/welcome.html) solution. This solution automatically updates a list of IP addresses to block, and an AWS WAF rule denies requests that match those IP addresses.
+Automating IP address block lists in AWS WAF is commonly done with rate-based rules. For more information, see _Rate-based rules_ in this guide. You can also implement the [Security Automations for AWS WAF](https://docs.aws.amazon.com/solutions/latest/security-automations-for-aws-waf/welcome.html) solution. This solution automatically updates a list of IP addresses to block, and an AWS WAF rule denies requests that match those IP addresses.