Document history - Amazon WAF, Amazon Firewall Manager, and Amazon Shield Advanced

Document history

This page lists significant changes to this documentation.

Service features are sometimes rolled out incrementally to the Amazon Regions where a service is available. We update this documentation for the first release only. We don't provide information about Region availability or announce subsequent Region rollouts. For information about Region availability of service features and to subscribe to notifications about updates, see What's New with Amazon?.

Change | Description | Date

Update to the Amazon WAF mobile SDK specification

Added the loadTokenIntoProvider operation to WAFTokenProvider.

November 19, 2024

Application integration SDKs add TV apps

You can use the Android and iOS integration SDKs for TV apps as well as mobile apps.

November 19, 2024

Amazon WAF token labeling adds browser fingerprint

Token management now adds a label for the browser fingerprint.

November 13, 2024

Updated Amazon Managed Rules for Amazon WAF

Updated the Bot Control rule group.

November 7, 2024

Firewall Manager Amazon WAF policy can use existing web ACLs

Firewall Manager Amazon WAF policies can now retrofit existing account-owned web ACLs, and create new web ACLs only where needed.

October 22, 2024

Updated Amazon Managed Rules for Amazon WAF

Updated the core rule set (CRS) rule group.

October 16, 2024

Updated Amazon Managed Rules for Amazon WAF

Updated the Bot Control, ATP, and ACFP managed rule groups.

September 13, 2024

Updated Amazon Managed Rules for Amazon WAF

Updated the Linux operating system rule group.

September 2, 2024

Updated Amazon Managed Rules for Amazon WAF

Updated the core rule set (CRS) rule group.

August 30, 2024

Lower rate-based rule threshold

The minimum request rate for a rate-based rule is now 10. Before this, it was 100.

August 30, 2024

Updated Amazon Managed Rules for Amazon WAF

Updated the Windows operating system rule group.

August 28, 2024

Amazon WAF metrics added new metrics for CAPTCHA JavaScript API

Amazon WAF added two new metrics, CaptchasAttemptedSdk and CaptchasSolvedSdk, to show account-wide CAPTCHA puzzle attempts using the CAPTCHA JavaScript API.

August 28, 2024

Add quotas on calls per organization for ListResourcesForWebACL

Amazon WAF now limits the number of calls to ListResourcesForWebACL by the accounts in an organization for any single Region.

July 26, 2024

Amazon Firewall Manager security policy updates

Updates to FMSServiceRolePolicy to add permissions for reading Network Firewall TLS configuration information.

July 22, 2024

Updated Amazon Managed Rules for Amazon WAF

Updated the WordPress application rule group.

July 15, 2024

Updated Amazon Managed Rules for Amazon WAF

Updated the Linux operating system rule group.

July 12, 2024

Updated Amazon Managed Rules for Amazon WAF

Updated the core rule set (CRS) rule group.

July 9, 2024

Updated Amazon Managed Rules for Amazon WAF

Updated the PHP application and Windows operating system rule groups.

July 3, 2024

Clarify how JSON body parsing works

Updated coverage for JSON body inspection to clarify how Amazon WAF handles parsing and the body parsing fallback behavior.

June 25, 2024

Updated Amazon Managed Rules for Amazon WAF

Updated the Linux operating system rule group.

June 6, 2024

Amazon WAF managed policy changes

Updated WAFV2LoggingServiceRolePolicy and AWSServiceRoleForWAFV2Logging to add Statement IDs (Sids) to the permissions settings.

June 3, 2024

Amazon WAF managed policy change tracking

Amazon WAF started tracking changes for the managed policy WAFV2LoggingServiceRolePolicy and the service-linked role AWSServiceRoleForWAFV2Logging.

June 3, 2024

Updated Amazon Managed Rules for Amazon WAF

The Bot Control, ATP, and ACFP managed rule groups are now versioned and will provide SNS notifications for version updates, the same as other versioned Amazon Managed Rules.

May 29, 2024

Updated Amazon Managed Rules for Amazon WAF

Updated the POSIX operating system rule group, AWSManagedRulesUnixRuleSet.

May 28, 2024

CAPTCHA and Challenge actions

Added clarification that browser clients require HTTPS to run CAPTCHA puzzles and silent challenges.

May 24, 2024

Integration with Amazon Security Lake

You can now use Security Lake to collect web ACL traffic data. For information, see Collecting data from Amazon services in the Amazon Security Lake user guide.

May 22, 2024

Updated Amazon Managed Rules for Amazon WAF

Updated the core rule set (CRS) rule group.

May 21, 2024

Updated Amazon Managed Rules for Amazon WAF

Updated the SQLi database rule group.

May 14, 2024

Updated Amazon Managed Rules for Amazon WAF

Updated the known bad inputs and POSIX operating system rule groups.

May 8, 2024

Updated Amazon Managed Rules for Amazon WAF

Updated the Windows operating system rule group.

May 3, 2024

Amazon WAF mobile SDK Android Kotlin code samples

Added example code for Kotlin-based Android integrations.

May 2, 2024

Amazon WAF metrics added dimensions and new metrics

Amazon WAF added a new dimension for ManagedRuleSetRule in rule metrics and new metrics for the matched rule action for label metrics.

May 2, 2024

Amazon Firewall Manager supports network ACL policies

Firewall Manager now supports the management of Amazon VPC network access control lists (ACLs) through Firewall Manager network ACL policies.

April 25, 2024

Amazon Firewall Manager security policy updates

Updates to FMSServiceRolePolicy to add permissions for managing network ACLs.

April 22, 2024

Updated health check metrics list

We removed some metrics from the list of those that are commonly used in health checks.

April 16, 2024

Updates for Firewall Manager security group policies

We've updated our usage audit security group policies and improved the documentation. See the usage audit policy section and the sections on best practices and limitations.

April 2, 2024

Updated Bot Control examples

Added examples depicting the targeted inspection level and updated existing examples to reflect best practices.

March 27, 2024

Updated ATP examples

Added example depicting response inspection configuration and updated existing examples to reflect best practices.

March 27, 2024

Updated ACFP examples

Added example depicting response inspection configuration.

March 27, 2024

Update Amazon CloudWatch Logs log stream limits

Amazon WAF no longer has per-web ACL limits on publishing logs to CloudWatch Logs log streams.

March 27, 2024

Amazon Shield Advanced application layer (layer 7) protections

Updated general and best practice guidance for application layer detection and mitigation, web ACL use, rate-based rules, and automatic application layer DDoS mitigation.

March 14, 2024

Updated Amazon Managed Rules for Amazon WAF

Updated the IP reputation rule group.

March 13, 2024

Changes to body inspection size limits

Amazon WAF now supports larger body inspection size limits for some regional resources.

March 7, 2024

Configurable evaluation window for Amazon WAF rate-based rules

You can now configure the time window that rate-based rules use to count requests, to 1, 2, 5, or 10 minutes. The default is 5, which was the only option before this release.

February 28, 2024

Expanded logging information for CAPTCHA and Challenge

The top level captchaResponse and challengeResponse fields are now populated with the last of these actions to be applied to a request, whether terminating or non-terminating. Prior to this, these fields were populated only for terminating actions.

February 22, 2024

JavaScript CAPTCHA API key management

You can now delete CAPTCHA JS API keys through the Amazon WAF APIs.

February 6, 2024

Amazon WAF CAPTCHA puzzles audio

The audio version of the CAPTCHA puzzle now supports multiple languages.

February 6, 2024

Amazon WAF challenge and CAPTCHA token labeling

Token management now adds labels for the CAPTCHA token and has enhanced the token labeling for the challenge token.

December 20, 2023

Updated Amazon Managed Rules for Amazon WAF

Updated the known bad inputs rule group.

December 16, 2023

Updated Amazon Managed Rules for Amazon WAF

Updated the known bad inputs rule group.

December 14, 2023

Updated Amazon Managed Rules for Amazon WAF

Updated the core rule set (CRS) rule group.

December 6, 2023

Updated Amazon Managed Rules for Amazon WAF

Updated the following rule groups: Amazon WAF Bot Control.

December 5, 2023

Updated Firewall Manager Amazon Config prerequisites

If you use a custom IAM role instead of the Firewall Manager managed role for Amazon Config, you must ensure that your permission policy allows Amazon Config recorder to record Firewall Manager resources.

November 17, 2023

Amazon WAF console dashboards

We corrected the guidance for viewing all rules and sampled requests for a web ACL in the Amazon WAF console.

November 17, 2023

Updated Amazon Managed Rules for Amazon WAF

Updated the Bot Control rule group.

November 14, 2023

Amazon WAF console has new web ACL dashboards

The web ACL page in the Amazon WAF console has new web traffic overview dashboards.

November 14, 2023

Updated ATP managed rule group

Corrected label information for the rules VolumetricIpFailedLoginResponseHigh and VolumetricSessionFailedLoginResponseHigh.

November 13, 2023

Updated ACFP managed rule group

Corrected label information for the rules VolumetricIPSuccessfulResponse and VolumetricSessionSuccessfulResponse.

November 13, 2023

Updated Amazon Managed Rules for Amazon WAF

Updated the core rule set (CRS) rule group.

November 2, 2023

Shield Advanced automatic application layer DDoS mitigation

Shield Advanced now maintains a rate-based rule in the automatic mitigation rule group that limits the volume of requests from IP addresses known to be sources of DDoS attacks.

October 31, 2023

Updated Amazon Managed Rules for Amazon WAF

Updated the core rule set (CRS) rule group.

October 30, 2023

Bot Control managed rule group removed signal label for the request CSP

The Bot Control managed rule group removed the signal label that indicates the cloud service provider (CSP).

October 28, 2023

Bot Control managed rule group signal label for the request CSP

The Bot Control managed rule group signal labels include a label that indicates the cloud service provider (CSP).

October 27, 2023

Updated Amazon WAF IAM permissions information

For the Amazon WAF actions that manage web ACL associations, the policy actions section now lists the permissions requirements for each web application resource type.

October 25, 2023

Firewall Manager management of modified web ACLs

When you enable management of unassociated web ACLs, Firewall Manager doesn't include the modified web ACLs in the one-time cleanup of unused resources.

October 19, 2023

Updated Amazon Managed Rules for Amazon WAF

Updated the POSIX operating system rule group, AWSManagedRulesUnixRuleSet.

October 12, 2023

Amazon WAF metrics added dimensions

Amazon WAF added new dimensions for viewing web ACL metrics.

October 12, 2023

Updated Amazon Managed Rules for Amazon WAF

Updated the core rule set (CRS) rule group.

October 11, 2023

Update to the Amazon WAF mobile SDK specification

Added the storeTokenInCookieStorage operation to WAFTokenProvider.

October 11, 2023

Exception deployments for Amazon Managed Rules for Amazon WAF

Updated two static versions of the known bad inputs rule group and updated the default version to point to the most recent static version.

October 4, 2023

Amazon WAF HTML entity decode text transformation

Expanded the functionality of the HTML entity decode text transformation.

October 4, 2023

Added new option to Firewall Manager security group common policy

Firewall Manager now can distribute security group references to replica security groups.

October 3, 2023

Amazon WAF adds inspection of JA3 fingerprint

You can now perform an exact match against the web request's JA3 fingerprint, for Amazon CloudFront distributions and Application Load Balancers.

September 26, 2023

Updates to Firewall Manager security group policy rules settings

Firewall Manager now supports security group referencing from primary security groups to replica security groups.

September 25, 2023

Updated Shield Advanced automatic application layer DDoS mitigation

Firewall Manager now supports Application Load Balancer resources for Shield Advanced policies configured with automatic application layer DDoS mitigation.

September 14, 2023

Updated Amazon Managed Rules for Amazon WAF

Updated the following rule groups: Amazon WAF Bot Control.

September 6, 2023

Amazon WAF Bot Control

The targeted protection level of the Bot Control managed rule group now inspects for token reuse between IP addresses. It also now provides optional, machine-learning analysis of traffic statistics to detect some bot-related activity.

September 6, 2023

Update to the Amazon WAF mobile SDK specification

Lowered the min, max, and default values for tokenRefreshDelaySec from min 300, max 600, and default 300 to min 88, max 300, and default 88.

September 5, 2023

Updated Amazon Managed Rules for Amazon WAF

Updated the Amazon WAF Bot Control rule group.

August 30, 2023

Shield Advanced automatic application layer DDoS mitigation

Added guidance for using Amazon CloudFormation to manage the web ACLs that you use with automatic application layer DDoS mitigation.

August 30, 2023

New Firewall Manager content audit security group policy option

Added new option for auditing overly permissive rule groups, and improved console procedure descriptions.

August 29, 2023

New Firewall Manager Shield and Amazon WAF policy option

If you enable management of unassociated web ACLs in Amazon WAF and Shield, Firewall Manager creates web ACLs in the accounts within policy scope only if the web ACLs will be used by at least one resource.

August 9, 2023

Updated Amazon Managed Rules for Amazon WAF

Updated the core rule set (CRS) rule group.

July 26, 2023

Rate-based rule aggregation on URI path

You can now specify the URI path in your custom aggregation keys for rate-based rules.

July 19, 2023

New Amazon WAF policy rule option in Amazon Firewall Manager

Amazon Firewall Manager adds support for configuring Amazon WAF web request body inspection size limits.

July 18, 2023

Amazon WAF managed policy changes

Updated AWSWAFFullAccessPolicy, AWSWAFConsoleFullAccess, AWSWAFReadOnlyAccess, and AWSWAFConsoleReadOnlyAccess to add Amazon Verified Access to the resource types that you can protect with Amazon WAF.

June 17, 2023

Updated Amazon Managed Rules for Amazon WAF

Updated the rule group AWSManagedRulesACFPRuleSet.

June 13, 2023

Update to Amazon WAF Fraud Control account takeover prevention (ATP)

You can now specify the login endpoint for the ATP managed rule group using a regular expression.

June 13, 2023

New information for the CAPTCHA JavaScript API

New section describes how to serve a custom CAPTCHA puzzle when Amazon WAF responds to a request with a CAPTCHA.

June 13, 2023

New ACFP managed rule group

Use the new rule group AWSManagedRulesACFPRuleSet to detect and block fraudulent account creation attempts.

June 13, 2023

New Amazon WAF Fraud Control account creation fraud prevention (ACFP)

You can detect and block fraudulent account creation attempts with the new Amazon WAF Fraud Control account creation fraud prevention (ACFP) managed rule group AWSManagedRulesACFPRuleSet. With protected CloudFront distributions, you can also use ACFP to block new account creation attempts from clients that have recently submitted too many failed account creation attempts.

June 13, 2023

Amazon WAF managed policy changes

Updated AWSWAFFullAccessPolicy, AWSWAFConsoleFullAccess, AWSWAFReadOnlyAccess, and AWSWAFConsoleReadOnlyAccess to correct the access settings for Amazon App Runner services.

June 6, 2023

Added limitation for Firewall Manager security group policies

If a shared VPC is later unshared, Firewall Manager won't delete the replica security groups in the associated account.

June 2, 2023

New Amazon WAF request component: Header order

You can now match against an ordered list of the names of the headers in the request.

May 30, 2023

Updated Amazon Managed Rules for Amazon WAF

Updated the Linux operating system rule set.

May 22, 2023

Updated the organization of the Amazon WAF rules section

The rules statement listings are now grouped by statement type.

May 16, 2023

Moved topic: Listing IP addresses that are being rate limited

The topic for listing IP addresses that are being rate limited by a rate-based rule is now under the rate-based rules topic.

May 16, 2023

Expanded options for rate-based rules

You can now rate limit web requests based on aggregation keys other than IP addresses, and you can aggregate using combinations of keys. You can also rate limit all requests that match a scope-down statement, without further aggregation.

May 16, 2023

Firewall Manager quota increases

Increased the number of Firewall Manager policies per organization in Amazon Organizations from 20 to 50. Increased maximum number of primary security groups per policy from one to three. Changed the maximum number of WCUs from a soft quota to a hard quota.

May 5, 2023

Increased maximum WCUs per rule group

You can now use up to 5,000 web ACL capacity units (WCUs) per rule group without requesting an increase from support. This new limit can't be increased.

May 1, 2023

Amazon WAF Amazon S3 log bucket locations with prefixes

Amazon WAF now allows prefixes in Amazon S3 log bucket names.

May 1, 2023

Updated Amazon Managed Rules for Amazon WAF

Updated the core rule set (CRS) rule group.

April 28, 2023

Added support for Amazon Verified Access instances to Amazon WAF

You can now associate an Amazon WAF web ACL with a Verified Access instance. This change is only available in the latest version of Amazon WAF and not in Amazon WAF Classic.

April 28, 2023

Revised chapter on working with multiple Firewall Manager administrators

You can now designate multiple Firewall Manager administrators to create and manage the firewall resources of your organization.

April 24, 2023

Amazon Firewall Manager managed policy update

Updated FMSServiceRolePolicy.

April 21, 2023

New JavaScript client application integration for CAPTCHA

You can now customize the placement and characteristics of the CAPTCHA puzzle in your JavaScript client applications.

April 20, 2023

Application integration renamed to intelligent threat integration

We renamed the existing functionality for client application integrations to intelligent threat integrations, to help distinguish between that and the new CAPTCHA application integration for JavaScript.

April 20, 2023

Variable pricing for web ACL WCUs beyond 1,500

Using more than 1,500 web ACL capacity units (WCUs) in your web ACL incurs additional costs, which are adjusted automatically as your web ACL WCU usage increases and decreases. The web ACL maximum is 5,000 WCUs.

April 11, 2023

Increased maximum WCUs per web ACL

You can now use up to 5,000 web ACL capacity units (WCUs) per web ACL without requesting an increase from support. This new limit can't be increased.

April 11, 2023

Body inspection size limits for CloudFront web ACLs

For web ACLs that protect Amazon CloudFront distributions, you can increase the body inspection size limit up to 64 KB in your web ACL configuration.

April 11, 2023

Body inspection size increase for CloudFront

The maximum Amazon WAF body inspection size limit for Amazon CloudFront distributions is increased from 8 KB to 64 KB. The default inspection size limit for CloudFront is 16 KB.

April 11, 2023

New Amazon WAF policy rule options in Amazon Firewall Manager

Amazon Firewall Manager adds support for Amazon WAF Fraud Control account takeover prevention (ATP) and Amazon WAF Bot Control Amazon Managed Rules rule groups, Amazon S3 logging destinations, rule action overrides, CAPTCHA and Challenge rule actions, and token domain lists.

April 7, 2023

Amazon WAF managed policy changes

Updated AWSWAFFullAccessPolicy, AWSWAFConsoleFullAccess, AWSWAFReadOnlyAccess, and AWSWAFConsoleReadOnlyAccess to add Amazon App Runner services to the resource types that you can protect with Amazon WAF.

March 30, 2023

Added warning about the usage of tags within security group policies

Firewall Manager won't update the tags of existing security groups or create new security groups if the policy has tags that conflict with the organization's tag policy.

March 28, 2023

Updating service role information

Updated how to use a service role with Firewall Manager.

March 8, 2023

Corrected information about how rate-based rules perform rate limiting

Rate-based rules with scope-down statements only rate limit requests that match the rule's scope-down statement. The documentation previously stated that the limiting applied to all requests for any rate-limited IP address.

March 1, 2023

Updated Amazon Managed Rules for Amazon WAF

Updated the PHP application rule group.

February 27, 2023

Added support for Amazon App Runner to Amazon WAF

You can now associate an Amazon WAF web ACL with an Amazon App Runner service. This change is only available in the latest version of Amazon WAF and not in Amazon WAF Classic.

February 23, 2023

Updated the IAM guidance for Amazon Firewall Manager

Updated guide to align with the IAM best practices. For more information, see Security best practices in IAM.

February 16, 2023

Updated Amazon Managed Rules for Amazon WAF

Updated the rule group AWSManagedRulesATPRuleSet to add login response inspection in web ACLs that protect Amazon CloudFront distributions.

February 15, 2023

Amazon WAF Fraud Control account takeover prevention (ATP) login response inspection

For protected CloudFront distributions, you can now use ATP to block new login attempts from clients that have recently submitted too many failed login attempts.

February 15, 2023

Updated Amazon Managed Rules for Amazon WAF

Updated the core rule set.

January 25, 2023

Best practices for intelligent threat mitigation

Added a section with best practices for implementing Bot Control, ATP, and other intelligent threat mitigation features.

January 22, 2023

How to inspect HTTP/2 pseudo headers

Added a section that maps HTTP/2 pseudo headers to their corresponding web request components.

January 20, 2023

Updated the IAM guidance for Amazon WAF Classic

Updated guide to align with the IAM best practices. For more information, see Security best practices in IAM.

January 3, 2023

Updated the IAM guidance for Amazon WAF

Updated guide to align with the IAM best practices. For more information, see Security best practices in IAM.

January 3, 2023

Updated the IAM guidance for Amazon Shield

Updated guide to align with the IAM best practices. For more information, see Security best practices in IAM.

January 3, 2023

Updating Amazon Route 53 Resolver DNS Firewall policies

Added information about deleting Amazon Route 53 Resolver DNS Firewall rule groups.

December 29, 2022

Updated Amazon Managed Rules for Amazon WAF

Updated the Linux operating system rule set.

December 15, 2022

Updated Amazon Managed Rules for Amazon WAF

Updated the core rule set.

December 5, 2022

Firewall Manager adds support for Fortigate Cloud Native Firewall (CNF) as a Service policies

Firewall Manager now supports the Fortigate CNF policies.

December 2, 2022

Removed Amazon Config requirement for DNS Firewall policies

For DNS Firewall policies, you now only need to enable Config for the resource type EC2 VPC.

November 17, 2022

Amazon Firewall Manager managed policy update

Updated FMSServiceRolePolicy.

November 15, 2022

Expansion of language options for the Amazon WAF CAPTCHA puzzle

The CAPTCHA puzzle now offers its written instructions in multiple languages. The instructions inside each audio puzzle are still provided in English only.

November 11, 2022

New Firewall Manager quotas for resource sets

Added new quotas for resource sets.

November 8, 2022

Add support for resource sets

You can create resource sets to group resources to manage in a Firewall Manager policy.

November 8, 2022

Add support for importing firewalls from Network Firewall

You can now import and manage existing firewalls in Network Firewall policies using resource sets.

November 8, 2022

Amazon Firewall Manager managed policy update

Updated AWSFMAdminReadOnlyAccess.

November 2, 2022

Geo match statement now adds labels to requests for country and region

You can now manage geographical request origins at the region level by combining geo matching with label matching.

October 31, 2022

Renamed the top-level section: Managed protections

The section is now named Amazon WAF intelligent threat mitigation, which aligns with our marketing pages.

October 27, 2022

New targeted protection level in the Bot Control managed rule group

The Bot Control managed rule group now offers additional, targeted rules for the detection and mitigation of sophisticated bots. This protection level is available for additional fees.

October 27, 2022

New section on Amazon WAF tokens

Understand how Amazon WAF uses tokens for intelligent threat mitigation.

October 27, 2022

Added important note about updating Firewall Manager Network Firewall policies

When you update a Firewall Manager policy, all Network Firewall policies that were created by the policy will be updated with the Firewall Manager policy's Network Firewall policy configuration.

October 27, 2022

Action overrides in rule groups

You can now override the actions of the rules in a rule group to any rule action setting. As with the prior Count action override, you can apply your overrides to all rules in a rule group and to individual rules.

October 27, 2022

Amazon WAF new Challenge rule action option

You can configure rules to use a Challenge, to verify that requests are being sent by browsers.

October 27, 2022

Amazon WAF allows token sharing across multiple protected applications

You can enable the use of tokens across multiple protected applications by configuring a token domain list for your web ACL.

October 27, 2022

All headers specification is not case sensitive

Changed the all headers specification to be case insensitive. This matches the single header behavior.

October 26, 2022

Amazon Firewall Manager managed policy changes

Corrections to AWSFMAdminFullAccess.

October 21, 2022

Updated Amazon Managed Rules for Amazon WAF

Updated the known bad inputs rule group.

October 20, 2022

Updated Amazon Managed Rules for Amazon WAF

Updated the known bad inputs rule group.

October 5, 2022

Update to the Amazon WAF mobile SDK specification

Lowered the default value for tokenRefreshDelaySec from 600 (10 minutes) to 300 (5 minutes).

September 30, 2022

Updated Amazon Managed Rules for Amazon WAF

Corrected the label names provided in this documentation for the following rule groups: POSIX operating system, PHP application, WordPress application.

September 19, 2022

New Amazon WAF policy rule option in Amazon Firewall Manager

Amazon Firewall Manager now supports customized web requests and responses for default web actions in Amazon WAF policies.

September 9, 2022

Updated Amazon Managed Rules for Amazon WAF

Updated the following rule groups: IP reputation.

August 30, 2022

Amazon WAF managed policy changes

Updated AWSWAFFullAccessPolicy, AWSWAFConsoleFullAccess, AWSWAFReadOnlyAccess, and AWSWAFConsoleReadOnlyAccess to add Amazon Cognito user pools to the resource types that you can protect with Amazon WAF.

August 25, 2022

Amazon WAF Fraud Control account takeover prevention (ATP)

You can now use the Amazon WAF Fraud Control account takeover prevention (ATP) functionality with Amazon CloudFront distributions.

August 24, 2022

Updated Amazon Managed Rules for Amazon WAF

Updated the following rule groups: Known bad inputs.

August 22, 2022

Updated Amazon Managed Rules for Amazon WAF

Updated the following rule groups: AWSManagedRulesATPRuleSet.

August 11, 2022

Added support for Amazon Cognito user pools to Amazon WAF

You can now associate an Amazon WAF web ACL with an Amazon Cognito user pool. This change is only available in the latest version of Amazon WAF and not in Amazon WAF Classic.

August 11, 2022

Added a section on deployments for versioned Amazon Managed Rules rule groups

Added a new section documenting deployments for versioned Amazon Managed Rules rule groups. The section includes information about how default versions are named during release candidate deployments.

July 29, 2022

Updated requirements for configuring logging for Network Firewall policies

Added requirements for Network Firewall policies that use an encrypted Amazon S3 bucket as the log destination.

July 26, 2022

Sensitivity level option for SQLi rule statement

You can now raise the sensitivity of your SQL injection rule statements. This doesn't change the behavior of existing statements, whose sensitivity level is at the default of LOW.

July 15, 2022

Added Network Firewall policy configuration option

Firewall Manager now supports stateful evaluation order and default actions in Network Firewall firewall policy configurations.

July 14, 2022

Updates to Firewall Manager security group policy rules settings

Firewall Manager now supports tag distribution from primary security groups to replica security groups.

July 7, 2022

Updates to the Amazon Shield guide

Expanded the information in the Shield guide to describe how Shield performs event mitigation.

June 24, 2022

Updated guidance for testing and tuning Amazon WAF protections

The general guidance for testing and tuning Amazon WAF is updated and is now a top-level topic.

June 20, 2022

Updated Amazon Managed Rules for Amazon WAF

Updated the following rule groups: Core rule set (CRS).

June 9, 2022

New Firewall Manager confused deputy guidance

Added guidance on how to prevent the confused deputy problem for Firewall Manager.

June 1, 2022

Updated Amazon Managed Rules for Amazon WAF

Updated the following rule groups: Core rule set (CRS).

May 24, 2022

New Amazon WAF request components: Headers and Cookies

You can now inspect the cookies in a web request and you can inspect all headers in a web request, in addition to just a single header.

April 29, 2022

Amazon WAF handling for oversize body, headers, and cookies request components

You can now specify how Amazon WAF should handle oversize request bodies, headers, and cookies inside your rules that inspect these components. Rules that you already created that inspect these components have behavior that matches the new Continue option for oversize handling.

April 29, 2022

Amazon WAF Amazon S3 log policy changes

Updated the Amazon S3 log permission policy and example.

April 12, 2022

Automatic application layer DDoS mitigation option now available with Amazon Shield Advanced for Application Load Balancer

Shield Advanced now supports automatic application layer DDoS mitigation for Application Load Balancers, making it available for all application layer protections. You can configure Shield Advanced to automatically count or block the web requests that are part of an application layer DDoS attack on a protected resource.

April 8, 2022

Added an indicator of the current default version setting for managed rule groups

Managed rule group version lists now indicate which version is the current default.

April 8, 2022

Updated Amazon Managed Rules for Amazon WAF

Updated the following rule groups: Amazon WAF Bot Control.

April 6, 2022

Updated Amazon Managed Rules for Amazon WAF

Updated the following rule groups: Known bad inputs.

March 31, 2022

Updated Amazon Managed Rules for Amazon WAF

Updated the following rule groups: Known bad inputs.

March 30, 2022

Firewall Manager adds support for the Palo Alto Networks Cloud Next Generation Firewall (NGFW)

Firewall Manager now supports the Palo Alto Networks Cloud Next Generation Firewall (NGFW).

March 30, 2022

Add support for Palo Alto Networks Cloud NGFW to Amazon Firewall Manager

Amazon Firewall Manager now supports Palo Alto Networks Cloud Next Generation Firewall (NGFW) policies.

March 30, 2022

Updates to the Amazon Shield guide

Expanded the information in the Shield guide to describe how Shield performs event detection and to provide examples of DDoS resilient architectures.

March 16, 2022

Updates to the Amazon Shield guide

Expanded the information in the Shield guide and improved the organization of various sections. The main changes are in the following Shield guide sections: Shield Response Team (SRT) support, Resource protections in Amazon Shield Advanced, and Visibility into DDoS events.

February 28, 2022

Firewall Manager now supports the Network Firewall centralized deployment model

Added a new procedure that explains how to configure policies that use distributed and centralized deployment models.

February 24, 2022

Firewall Manager adds support for the Amazon Network Firewall centralized deployment model

You can now configure your Amazon Network Firewall policies to use either the distributed or centralized deployment model. With the distributed deployment model, Firewall Manager creates and maintains firewall endpoints in each VPC that's within the policy scope. With the centralized deployment model, Firewall Manager creates and maintains firewall endpoints in a single inspection VPC.

February 24, 2022

Add support for Amazon WAF managed rule group versioning to Amazon Firewall Manager

Amazon Firewall Manager now supports Amazon WAF managed rule group versioning in Firewall Manager Amazon WAF policies.

February 18, 2022

Amazon Firewall Manager managed policy change

Update to FMSServiceRolePolicy.

February 16, 2022

Updated Amazon Managed Rules for Amazon WAF

Updated the following rule groups: IP reputation lists.

February 15, 2022

Updated Amazon Managed Rules for Amazon WAF

Updated the Amazon WAF Fraud Control account takeover prevention (ATP) rule group AWSManagedRulesATPRuleSet.

February 11, 2022

Changes to the organization of the Amazon WAF guide

Added a new top-level section for managed protections. Moved the CAPTCHA section from under rules to under the new managed protections section. Moved the labels section from under rules to its own top-level section.

February 11, 2022

Amazon WAF client application integrations

Use the Amazon WAF JavaScript and mobile client APIs to integrate your client applications with the intelligent threat mitigation Amazon Managed Rules rule groups for enhanced detection.

February 11, 2022

Amazon WAF Fraud Control account takeover prevention (ATP)

You can detect and block account takeover attempts with the new Amazon WAF Fraud Control account takeover prevention (ATP) managed rule group AWSManagedRulesATPRuleSet.

February 11, 2022

Updated Amazon Managed Rules for Amazon WAF

Updated the following rule groups: Known bad inputs.

January 28, 2022

Amazon WAF managed policy changes

Updated AWSWAFFullAccessPolicy and AWSWAFConsoleFullAccess to correct logging permissions.

January 11, 2022

Updated Amazon Managed Rules for Amazon WAF

Updated the following rule groups: core rule set (CRS), SQLi database.

January 10, 2022

Firewall Manager supports Shield Advanced automatic application layer DDoS mitigation

Firewall Manager Shield Advanced policies for Amazon CloudFront resources now include support for automatic application layer DDoS mitigation.

January 7, 2022

Amazon Firewall Manager managed policy change

Update to FMSServiceRolePolicy.

January 7, 2022

Updated Amazon Managed Rules for Amazon WAF

Updated the following rule groups: Known bad inputs.

December 17, 2021

Updated Amazon Managed Rules for Amazon WAF

Updated the following rule groups: Known bad inputs.

December 11, 2021

Updated Amazon Managed Rules for Amazon WAF

Updated the following rule groups: Known bad inputs.

December 10, 2021

New Amazon Shield Advanced service-linked role

Added AWSServiceRoleForAWSShield to support the automatic application layer DDoS mitigation functionality.

December 1, 2021

New Amazon Shield managed policy

Added AWSShieldServiceRolePolicy to support the automatic application layer DDoS mitigation functionality.

December 1, 2021

Automatic application layer DDoS mitigation option now available with Amazon Shield Advanced for CloudFront

Shield Advanced now supports automatic application layer DDoS mitigation for Amazon CloudFront distributions. You can configure Shield Advanced to automatically count or block the web requests that are part of an application layer DDoS attack on a CloudFront distribution.

December 1, 2021

Updated Amazon Managed Rules for Amazon WAF

Updated the following rule groups: core rule set (CRS), Windows operating system, Linux operating system, and IP reputation lists.

November 23, 2021

Amazon Firewall Manager managed policy change

Update to FMSServiceRolePolicy.

November 18, 2021

Expanded logging options for Amazon WAF

You can now log web ACL traffic to an Amazon CloudWatch Logs log group or an Amazon Simple Storage Service (Amazon S3) bucket. These options are in addition to the existing option of logging to an Amazon Data Firehose delivery stream.

November 15, 2021

Amazon WAF managed policy changes

Updated AWSWAFFullAccessPolicy and AWSWAFConsoleFullAccess to support additional logging destinations.

November 15, 2021

Amazon WAF new CAPTCHA rule action option

You can configure rules to run a CAPTCHA against web requests and, as needed, send a CAPTCHA problem to the client.

November 8, 2021

Updated Amazon Managed Rules for Amazon WAF

Updated the core rule set (CRS) rule group.

October 27, 2021

Updated Amazon Managed Rules for Amazon WAF

All Amazon Managed Rules rule groups now support labeling. The rule descriptions include the label specifications.

October 25, 2021

Firewall Manager supports Network Firewall log filtering

Amazon Firewall Manager now supports log filtering for Network Firewall policies.

October 4, 2021

Amazon Firewall Manager managed policy change

Update to FMSServiceRolePolicy.

September 29, 2021

Added regex match statement

You can now match web requests against a single regular expression.

September 22, 2021

Rate-based rules inside Amazon WAF rule groups

You can now define rate-based rules inside Amazon WAF rule groups. In Amazon Firewall Manager, this capability is fully supported for Amazon WAF policies.

September 13, 2021

Automatically remove out-of-scope resource protections in Amazon Firewall Manager

Amazon Firewall Manager allows you to automatically remove protections from resources that leave policy scope.

August 25, 2021

Amazon Firewall Manager managed policy change

Update to FMSServiceRolePolicy.

August 12, 2021

Added versioning to managed rule groups

Managed rule group providers can now version their rule groups.

August 9, 2021

Modify Amazon Firewall Manager administrator requirements

You can use the organization's management account as the Firewall Manager administrator account. This had been disallowed.

August 2, 2021

Firewall Manager quota increase

Increased the number of Amazon VPC instances that you can have in scope of a Firewall Manager policy from 10 to 100.

July 28, 2021

Amazon Firewall Manager support for Amazon Network Firewall route table monitoring

Amazon Firewall Manager now supports route table monitoring, and provides remediation action recommendations to security administrators for Amazon Network Firewall policies with misconfigured routes.

July 8, 2021

Amazon WAF additional text transformation options

Expanded options for text transformations, which you can apply to web request components before inspecting them.

June 24, 2021

Modified naming for Firewall Manager Amazon WAF policy resources

The naming for the web ACLs, rule groups, and logging that Firewall Manager manages for your Amazon WAF policies has changed.

May 26, 2021

Updated Amazon Managed Rules for Amazon WAF

Updated support for labeling to IP reputation lists and removed suffixes on rule names for Amazon IP reputation list.

May 4, 2021

Add support for Amazon Organizations Delegated Administrator

When you set the Amazon Firewall Manager administrator account, Firewall Manager now designates the account as the Amazon Organizations delegated administrator for Firewall Manager. With this change, when you set the Firewall Manager administrator account, you must provide a member account other than the organization's management account. This change doesn't affect your existing settings.

April 30, 2021

Updated Amazon Managed Rules for Amazon WAF

Updated the Amazon WAF Bot Control rule group.

April 1, 2021

Set individual rule actions to Count in a rule group

You can now set the individual rule actions in a rule group to Count. The information for the existing override, which is at the rule group level, has been corrected.

April 1, 2021

Scope-down statement for managed rule groups

You can now use a scope-down statement with managed rule groups in the same way as you can with a rate-based statement.

April 1, 2021

Log filtering

You can now filter the web ACL traffic that you log based on rule action and label.

April 1, 2021

Amazon WAF labels on web requests

You can configure rules to add labels to matching web requests and to match on labels that are added by other rules.

April 1, 2021

Amazon WAF Bot Control

You can monitor and control bot traffic with the new Amazon WAF Bot Control feature, which combines the Bot Control managed rule group with web request labeling, scope-down statements, and log filtering.

April 1, 2021

Firewall Manager supports Amazon Route 53 Resolver DNS Firewall policies

Amazon Firewall Manager supports central management of Amazon Route 53 Resolver DNS Firewall outbound DNS traffic filtering for your VPCs.

March 31, 2021

Custom request and response handling

You can include custom headers for web requests that Amazon WAF doesn't block and you can send custom responses for web requests that Amazon WAF blocks. This is available for web ACL default action and rule action settings.

March 29, 2021

Amazon Firewall Manager managed policy change

Update to FMSServiceRolePolicy.

March 17, 2021

Updated Amazon Managed Rules for Amazon WAF

Updated the following rule groups: core rule set (CRS), admin protection, known bad inputs, and Linux operating system.

March 3, 2021

Amazon Shield managed policy change tracking

Shield started tracking changes for its Amazon managed policies.

March 3, 2021

Amazon Firewall Manager managed policy change tracking

Firewall Manager started tracking changes for its Amazon managed policies.

March 2, 2021

Amazon WAF managed policy change tracking

Amazon WAF started tracking changes for its Amazon managed policies.

March 1, 2021

Inspect a web request body as parsed JSON

Added the option to inspect the web request body as parsed and filtered JSON. This is in addition to the existing option to inspect the web request body as plain text.

February 12, 2021

Firewall Manager supports Amazon Network Firewall policies

Amazon Firewall Manager supports central management of Amazon Network Firewall network traffic filtering for your VPCs.

November 17, 2020

Add support for Amazon Shield Advanced protection groups

You can now group your protected resources into logical groups and manage their protections collectively.

November 13, 2020

Added support for Amazon AppSync to Amazon WAF

You can now associate an Amazon WAF web ACL with your Amazon AppSync GraphQL API. This change is only available in the latest version of Amazon WAF and not in Amazon WAF Classic.

October 1, 2020

Updated Amazon Managed Rules for Amazon WAF

Updated the Windows operating system rule set.

September 23, 2020

Updated Amazon Managed Rules for Amazon WAF

Updated the rule sets PHP application and POSIX operating system.

September 16, 2020

Updated Amazon Shield console

Amazon Shield offers a new console option, with an improved user experience. The console guidance in the documentation is for the new console.

September 1, 2020

Firewall Manager updates to common security group policies

Amazon Firewall Manager common security group policies now support Application Load Balancers and Classic Load Balancers resource types through the console implementation. The new options are available in the common policy's Policy scope settings.

August 11, 2020

Updated Amazon Managed Rules for Amazon WAF

Updated the core rule set.

August 7, 2020

Specify IP address location in web request

Added the option to use IP addresses from an HTTP header that you specify, instead of using the web request origin. The alternate header is commonly X-Forwarded-For (XFF), but you can specify any header name. You can use this option for IP set matching, geo matching, and rate-based rule count aggregation.

July 9, 2020

Firewall Manager updates to content audit security group policies

Amazon Firewall Manager has expanded functionality for content audit security group policies, including a managed rules option that uses managed application and protocol lists, and details for resource violations.

July 7, 2020

Firewall Manager managed lists

Amazon Firewall Manager now supports managed application and protocol lists. Firewall Manager manages some lists and you can create and manage your own.

July 7, 2020

Firewall Manager supports shared VPCs in common security group policies

Amazon Firewall Manager now supports using common security group policies in shared VPCs. You can do this in addition to using them in the VPCs owned by in-scope accounts.

May 26, 2020

Updated Amazon Managed Rules for Amazon WAF

Added documentation for each rule in the Amazon Managed Rules for Amazon WAF.

May 20, 2020

Updated Amazon Managed Rules for Amazon WAF

Updated the Linux operating system rule group.

May 19, 2020

Add support for migrating Amazon WAF Classic resources to Amazon WAF (v2)

You can now use the console or API to export your Amazon WAF Classic resources for migration to the latest version of Amazon WAF.

April 27, 2020

Add support for Amazon Organizations organizational units in policy scope

Amazon Firewall Manager now supports using Amazon Organizations organizational units (OUs) to specify policy scope. You can use OUs to include or exclude accounts from the scope, in addition to including or excluding specific accounts. Specifying an OU is the same as specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.

April 6, 2020

Add support for Amazon WAF (v2) to Amazon Firewall Manager

Amazon Firewall Manager now supports the latest version of Amazon WAF, in addition to the prior version, Amazon WAF Classic.

March 31, 2020

Update to Amazon Firewall Manager common security group policies

Amazon Firewall Manager common security group policy now has the option to apply the policy to all elastic network interfaces in your in-scope Amazon EC2 instances. You can still choose to only apply the policy to the default elastic network interface.

March 11, 2020

Updated Amazon Managed Rules for Amazon WAF

Amazon Managed Rules for Amazon WAF added an AWSManagedRulesAnonymousIpList rule group.

March 6, 2020

Updated Amazon Managed Rules for Amazon WAF

Amazon Managed Rules for Amazon WAF updated the WordPress application and AWSManagedRulesCommonRuleSet rule groups.

March 3, 2020

Added Amazon Route 53 health check to Amazon Shield Advanced protection options

Shield Advanced now supports the use of Amazon Route 53 health check associations, to improve the accuracy of threat detection and mitigation.

February 14, 2020

Updated Amazon Managed Rules for Amazon WAF

Amazon Managed Rules for Amazon WAF has updated the SQL Database rule group to add checking the message URI.

January 23, 2020

Firewall Manager new option for security group usage audit policy

Firewall Manager has a new option for security group usage audit policies. You can now set a minimum number of minutes a security group must remain unused before it's considered noncompliant. By default, this minutes setting is zero.

January 14, 2020

Firewall Manager new option for Amazon WAF policy

Firewall Manager has a new option for Amazon WAF policies. You can now choose to remove all existing web ACL associations from in-scope resources before associating the policy's new web ACLs to them.

January 14, 2020

Updated Amazon Managed Rules for Amazon WAF

Amazon Managed Rules for Amazon WAF has updated text transformations for rules in the Core Rule Set and the SQL Database rule groups.

December 20, 2019

Amazon Firewall Manager integrated with Amazon Security Hub

Amazon Firewall Manager now creates findings for resources that are out of compliance and for attacks and sends them to Amazon Security Hub.

December 18, 2019

Release of Amazon WAF version 2

New version of the Amazon WAF developer guide. You can manage a web ACL or rule group in JSON format. Expanded capabilities include logical rule statements, rule statement nesting, and full CIDR support for IP addresses and address ranges. Rules are no longer Amazon resources, but exist only in the context of a web ACL or rule group. For existing customers, the prior version of the service is now called Amazon WAF Classic. In the APIs, SDKs, and CLIs, Amazon WAF Classic retains its naming schemes and this latest version of Amazon WAF is referred to with an added "V2" or "v2", depending on the context. Amazon WAF can't access Amazon resources that were created in Amazon WAF Classic. To use those resources in Amazon WAF, you need to migrate them.

November 25, 2019

Amazon Managed Rules rule groups for Amazon WAF

Added Amazon Managed Rules rule groups. These are free of charge for Amazon WAF customers.

November 25, 2019

Amazon Firewall Manager support for Amazon Virtual Private Cloud security groups

Added support for Amazon VPC security groups to Firewall Manager.

October 10, 2019

Amazon Firewall Manager support for Amazon Shield Advanced

Added support for Shield Advanced to Firewall Manager.

March 15, 2019

Tutorial: Creating hierarchical policies

Added tutorial on creating hierarchical policies in Amazon Firewall Manager.

February 11, 2019

Rule-level control in rule groups

You can now exclude individual rules from Amazon Web Services Marketplace rule groups, as well as your own rule groups.

December 12, 2018

Amazon Shield Advanced support for Amazon Global Accelerator standard accelerators

Shield Advanced can now protect Amazon Global Accelerator standard accelerators.

November 26, 2018

Amazon WAF support for Amazon API Gateway

Amazon WAF now protects Amazon API Gateway APIs.

October 25, 2018

Expanded Amazon Shield Advanced getting started wizard

The new wizard provides the opportunity to create rate-based rules and Amazon CloudWatch Events.

August 31, 2018

Amazon WAF logging

Enable logging to get detailed information about traffic that is analyzed by your web ACL.

August 31, 2018

Support for query parameters in conditions

When creating a condition, you can now search the requests for specific parameters.

June 5, 2018

Shield Advanced getting started wizard

Introduces a new streamlined process for subscribing to Amazon Shield Advanced.

June 5, 2018

Expanded allowed CIDR ranges

When creating an IP match condition, Amazon WAF now supports IPv4 address ranges: /8 and any range from /16 through /32.

June 5, 2018