Data protection limitations - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced
QueryString and SingleQueryArgCookies
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Data protection limitations

The following are limitations to consider when using data protection.

QueryString and SingleQueryArg

QueryString Protection

  • Data protection on QueryString applies to all query arguments, substituting/hashing both keys and values according to the specified settings.

QueryString in RuleMatch details and RateBased rule lists

  • If data protection is applied to a single-query argument, then the entire query string will be substituted/hashed in the RuleMatchDetails and RateBasedRule section in full logs.

  • If different protection methods are specified (substitution and hashing) in multiple single-query arguments, the stricter method, substitution, will be applied to the entire query string in the RuleMatchDetails and RateBasedRule section in full logs.

Cookies

Note

Data protection is only applied to the values of the cookie when the single header cookie is protected.

Single cookie in RuleMatchDetails and RateBasedRule lists

  • If data protection is applied to a single cookie, then the entire cookie header will be substituted/hashed in the RuleMatchDetails and RateBasedRule section in full logs.

  • If different protection methods are specified (substitution and hashing), the stricter method, substitution, will be applied to the entire cookie in the RuleMatchDetails and RateBasedRule section in full logs.