AWS waf high security documentation change
Summary
Removed documentation section about 'AI traffic monetization with CloudFront' feature including configuration details, cache behavior recommendations, and latency characteristics
Security assessment
The removed section contained security-critical guidance about preventing cross-agent cache sharing vulnerabilities. Specifically, it warned that improper caching configurations could allow paid content to be served to unauthorized users without payment verification. Removal eliminates warnings about this security risk.
Diff
diff --git a/waf/latest/developerguide/cloudfront-features.md b/waf/latest/developerguide/cloudfront-features.md index 1fd3b219c..889f63b65 100644 --- a//waf/latest/developerguide/cloudfront-features.md +++ b//waf/latest/developerguide/cloudfront-features.md @@ -7 +7 @@ -How AWS WAF works with different distribution typesUsing AWS WAF with CloudFront Pricing PlansAI traffic monetizationAI traffic monetization with CloudFront +How AWS WAF works with different distribution typesUsing AWS WAF with CloudFront Pricing PlansAI traffic monetization @@ -29,2 +28,0 @@ When you create a protection pack (web ACL), you can specify one or more CloudFr - * AI traffic monetization with CloudFront - @@ -154,68 +151,0 @@ After a successful payment settlement, the origin response passes through the no -## AI traffic monetization with CloudFront - -AI traffic monetization is available exclusively for web ACLs associated with Amazon CloudFront distributions. Payment verification and access token issuance occur at CloudFront edge locations, minimizing latency for agents worldwide. - -### Why CloudFront only - -Monetization requires: - - * **Edge-native payment verification** – Payment proofs are verified at the edge without round trips to origin. - - * **Global token issuance** – Scoped access tokens are issued at the edge and honored by all edge locations serving the same distribution. - - * **Price manifest generation** – The 402 response with pricing details is generated at the edge, keeping the flow below the latency target for machine-to-machine payment protocols. - - - - -Regional web ACLs (Application Load Balancer, , , Cognito, App Runner, Verified Access) do not support the Monetize action. If a Monetize rule is configured on a regional web ACL, the rule is skipped and the request continues to the next rule. - -### Cache behavior with monetized content - -Monetized resources require special cache configuration to prevent one agent's paid access from serving cached content to another agent. - -**Recommended cache settings for monetized paths:** - -Setting| Value| Reason ----|---|--- -Cache policy| CachingDisabled or custom| Prevents cross-agent cache sharing -Origin request policy| Include `X-Agent-Id` and `X-Access-Token` headers| Allows origin to validate agent-specific tokens -TTL| 0 (or short, per content freshness needs)| Ensures each agent request is evaluated by AWS WAF - -If you require caching for performance, configure a per-agent cache key: - - * Add `X-Agent-Id` to the cache key using a custom cache policy. - - * This ensures each agent receives its own cached copy after payment, without serving paid content to other agents. - - - - -###### Important - -If you enable caching without per-agent cache keys, a paid response might be served from cache to subsequent agents without payment verification. Always include agent identity in the cache key for monetized paths. - -### Latency characteristics - -Phase| Typical latency| Notes ----|---|--- -Classification + 402 generation| <10 ms| Runs inline at edge -Payment verification| <30 ms| Proof validation is cryptographic, no external call -Token issuance + origin fetch| Standard CloudFront latency| Same as a normal request -**Total additional overhead**| **< 50 ms**| Above standard request latency - -### CloudFront distribution configuration - -No changes to your CloudFront distribution settings are required to enable monetization. The feature is controlled entirely through the AWS WAF web ACL and protection pack configuration. - -Ensure the following: - - * **Web ACL association** – Your distribution must have an associated AWS WAF web ACL with Bot Control and a Monetize rule. - - * **Origin response headers** – If your origin sets `Cache-Control` headers, verify they do not conflict with the per-agent caching strategy for monetized paths. - - * **Custom error pages** – CloudFront custom error pages for 4xx responses do not apply to AWS WAF-generated 402 responses. The price manifest is served directly by AWS WAF. - - - -