Document history - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced

Document history

Change Description Date

Updated AWS Managed Rules for AWS WAF

AWS Managed Rules for AWS WAF updated the Windows operating system rule set.

September 23, 2020

Updated AWS Managed Rules for AWS WAF

AWS Managed Rules for AWS WAF updated the PHP application and POSIX operating system rule sets.

September 16, 2020

Updated AWS Shield console

AWS Shield offers a new console option, with an improved user experience. The console guidance in the documentation is for the new console.

September 1, 2020

Firewall Manager updates to common security group policies

AWS Firewall Manager common security group policies now support the Application Load Balancer and Classic Load Balancer resource types through the console implementation. The new options are available in the common policy's Policy scope settings.

August 11, 2020

Updated AWS Managed Rules for AWS WAF

AWS Managed Rules for AWS WAF updated the core rule set.

August 7, 2020

Firewall Manager supports AWS WAF logging configuration

AWS Firewall Manager now supports centralized logging configuration for AWS WAF policies.

July 30, 2020

Specify IP address location in web request

Added the option to use IP addresses from an HTTP header that you specify, instead of using the web request origin. The alternate header is commonly X-Forwarded-For (XFF), but you can specify any header name. You can use this option for IP set matching, geo matching, and rate-based rule count aggregation.

July 9, 2020

Firewall Manager updates to content audit security group policies

AWS Firewall Manager has expanded functionality for content audit security group policies, including a managed rules option that uses managed application and protocol lists, and details for resource violations.

July 7, 2020

Firewall Manager managed lists

AWS Firewall Manager now supports managed application and protocol lists. Firewall Manager manages some lists and you can create and manage your own.

July 7, 2020

Add support for AWS Shield Advanced proactive engagement

You can configure Shield Advanced to have the DDoS Response Team (DRT) contact you if the Amazon Route 53 health check associated with a protected resource becomes unhealthy during an event that's detected by Shield Advanced.

June 8, 2020

Firewall Manager supports shared VPCs in common security group policies

AWS Firewall Manager now supports using common security group policies in shared VPCs. You can do this in addition to using them in the VPCs owned by in-scope accounts.

May 26, 2020

Updated AWS Managed Rules for AWS WAF

Added documentation for each rule in the AWS Managed Rules for AWS WAF.

May 19, 2020

Updated AWS Managed Rules for AWS WAF

AWS Managed Rules for AWS WAF updated the Linux operating system rule group.

May 19, 2020

Add support for migrating AWS WAF Classic resources to AWS WAF (v2)

You can now use the console or API to export your AWS WAF Classic resources for migration to the latest version of AWS WAF.

April 27, 2020

Add support for AWS Organizations organizational units in policy scope

AWS Firewall Manager now supports using AWS Organizations organizational units (OUs) to specify policy scope. You can use OUs to include or exclude accounts from the scope, in addition to including or excluding specific accounts. Specifying an OU is the same as specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.

April 6, 2020

Add support for AWS WAF (v2) to AWS Firewall Manager

AWS Firewall Manager now supports the latest version of AWS WAF, in addition to the prior version, AWS WAF Classic.

March 31, 2020

Update to AWS Firewall Manager common security group policies

AWS Firewall Manager common security group policy now has the option to apply the policy to all elastic network interfaces in your in-scope Amazon EC2 instances. You can still choose to only apply the policy to the default elastic network interface.

March 11, 2020

Updated AWS Managed Rules for AWS WAF

AWS Managed Rules for AWS WAF added an AWSManagedRulesAnonymousIpList rule group.

March 6, 2020

Updated AWS Managed Rules for AWS WAF

AWS Managed Rules for AWS WAF updated the WordPress application and AWSManagedRulesCommonRuleSet rule groups.

March 3, 2020

Added Amazon Route 53 health check to AWS Shield Advanced protection options

Shield Advanced now supports the use of Amazon Route 53 health check associations, to improve the accuracy of threat detection and mitigation.

February 14, 2020

Updated AWS Managed Rules for AWS WAF

AWS Managed Rules for AWS WAF has updated the SQL Database rule group to add checking the message URI.

January 23, 2020

Firewall Manager new option for security group usage audit policy

Firewall Manager has a new option for security group usage audit policies. You can now set a minimum number of minutes a security group must remain unused before it's considered noncompliant. By default, this minutes setting is zero.

January 14, 2020

Firewall Manager new option for AWS WAF policy

Firewall Manager has a new option for AWS WAF policies. You can now choose to remove all existing web ACL associations from in-scope resources before associating the policy's new web ACLs to them.

January 14, 2020

Updated AWS Managed Rules for AWS WAF

AWS Managed Rules for AWS WAF has updated text transformations for rules in the Core Rule Set and the SQL Database rule groups.

December 20, 2019

AWS Firewall Manager integrated with AWS Security Hub

AWS Firewall Manager now creates findings for resources that are out of compliance and for attacks and sends them to AWS Security Hub.

December 18, 2019

Release of AWS WAF version 2

New version of the AWS WAF developer guide. You can manage a web ACL or rule group in JSON format. Expanded capabilities include logical rule statements, rule statement nesting, and full CIDR support for IP addresses and address ranges. Rules are no longer AWS resources, but exist only in the context of a web ACL or rule group. For existing customers, the prior version of the service is now called AWS WAF Classic. In the APIs, SDKs, and CLIs, AWS WAF Classic retains its naming schemes and this latest version of AWS WAF is referred to with an added "V2" or "v2", depending on the context. AWS WAF can't access AWS resources that were created in AWS WAF Classic. To use those resources in AWS WAF, you need to migrate them.

November 25, 2019

AWS Managed Rules rule groups for AWS WAF

Added AWS Managed Rules rule groups. These are free of charge for AWS WAF customers.

November 25, 2019

AWS Firewall Manager support for Amazon Virtual Private Cloud security groups

Added support for Amazon VPC security groups to Firewall Manager.

October 10, 2019

AWS Firewall Manager support for AWS Shield Advanced

Added support for Shield Advanced to Firewall Manager.

March 15, 2019

Tutorial: Creating hierarchical policies

Added tutorial on creating hierarchical policies in AWS Firewall Manager.

February 11, 2019

Rule-level control in rule groups

You can now exclude individual rules from AWS Marketplace rule groups, as well as your own rule groups.

December 12, 2018

AWS Shield Advanced support for AWS Global Accelerator

Shield Advanced can now protect AWS Global Accelerator.

November 26, 2018

AWS WAF support for Amazon API Gateway REST API

AWS WAF now protects Amazon API Gateway REST APIs.

October 25, 2018

Expanded AWS Shield Advanced getting started wizard

The new wizard provides the opportunity to create rate-based rules and Amazon CloudWatch Events.

August 31, 2018

AWS WAF logging

Enable logging to get detailed information about traffic that is analyzed by your web ACL.

August 31, 2018

Support for query parameters in conditions

When creating a condition, you can now search the requests for specific parameters.

June 5, 2018

Shield Advanced getting started wizard

Introduces a new streamlined process for subscribing to AWS Shield Advanced.

June 5, 2018

Expanded allowed CIDR ranges

When creating an IP match condition, AWS WAF now supports IPv4 address ranges: /8 and any range between /16 through /32.

June 5, 2018

Earlier updates

The following table describes important changes in each release of the AWS WAF Developer Guide.

Change API Version Description Release Date
Update 2016-08-24 AWS Marketplace rule groups November, 2017
Update 2016-08-24 Shield Advanced support for Elastic IP addresses November, 2017
Update 2016-08-24 Global threat dashboard November, 2017
Update 2016-08-24 DDoS-resistant website tutorial October, 2017
Update 2016-08-24 Geo and regex conditions October, 2017
Update 2016-08-24 Rate-based rules June, 2017
Update 2016-08-24 Reorganization April, 2017
Update 2016-08-24 Added information about DDoS protection and support for Application Load Balancers. November, 2016

New Features

2015-08-24

You can now log all your API calls to AWS WAF through AWS CloudTrail, the AWS service that records API calls for your account and delivers log files to your S3 bucket. CloudTrail logs can be used to enable security analysis, track changes to your AWS resources, and aid in compliance auditing. Integrating AWS WAF and CloudTrail lets you determine which requests were made to the AWS WAF API, the source IP address from which each request was made, who made the request, when it was made, and more.

If you are already using AWS CloudTrail, you will start seeing AWS WAF API calls in your CloudTrail log. If you haven't enabled CloudTrail for your account, you can enable it from the AWS Management Console. There is no additional charge for enabling CloudTrail, but standard rates for Amazon S3 and Amazon SNS usage apply.

April 28, 2016

New Features

2015-08-24

You can now use AWS WAF to allow, block, or count web requests that appear to contain malicious scripts, known as cross-site scripting or XSS. Attackers sometimes insert malicious scripts into web requests in an effort to exploit vulnerabilities in web applications. For more information, see Cross-site scripting attack rule statement.

March 29, 2016

New Features

2015-08-24

With this release, AWS WAF adds the following features:

  • You can configure AWS WAF to allow, block, or count web requests based on the lengths of specified parts of the requests, such as query strings or URIs. For more information, see Size constraint rule statement.

  • You can configure AWS WAF to allow, block, or count web requests based on the content in the request body. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form. This feature applies to string match conditions, SQL injection match conditions, and the new size constraint conditions mentioned in the first bullet. For more information, see Request component.

January 27, 2016

New Feature

2015-08-24

You can now use the AWS WAF console to choose the CloudFront distributions that you want to associate a web ACL with. For more information, see Associating or Disassociating a Web ACL and a CloudFront Distribution.

November 16, 2015

Initial Release

2015-08-24

This is the first release of the AWS WAF Developer Guide.

October 6, 2015