All news with #aws waf tag
Wed, December 10, 2025
Customizing AWS WAF Anti-DDoS AMR Responses for L7
🛡️ This post explains how to customize AWS WAF Anti-DDoS AMR responses to Layer 7 DDoS events using labels and additional rules. It summarizes the AMR’s baseline‑and‑anomaly approach, default mitigations (a mix of Block and JavaScript Challenge), and the importance of excluding non‑challengeable paths. Three practical examples show geo‑based blocking, tightened rate limits, and adaptive capacity‑aware defenses, with JSON/IaC configuration guidance.
Fri, December 5, 2025
China-nexus Rapid Exploitation of React2Shell CVE-2025-55182
🛡️ Amazon observed multiple China state-nexus groups rapidly exploiting CVE-2025-55182 (React2Shell), a critical unsafe deserialization flaw in React Server Components with a CVSS score of 10.0 that affects React 19.x and Next.js 15.x/16.x when using App Router. AWS deployed Sonaris active defense, AWS WAF managed rules (AWSManagedRulesKnownBadInputsRuleSet v1.24+) and MadPot honeypots to detect and block attempts, but these protections are not substitutes for patching. Customers running self-managed React/Next.js applications must update immediately, deploy interim WAF rules, and review logs for indicators such as POST requests with next-action or rsc-action-id headers.
Fri, November 21, 2025
Practical Steps to Minimize Key Exposure in AWS Environments
🔐 This AWS Security blog by Jennifer Paz outlines a layered, practical approach to reduce exposure from long‑term AWS credentials. It recommends discovery and risk assessment with CodeGuru Security, IAM Access Analyzer, credential reports, and Trusted Advisor, followed by enforcement using SCPs and RCPs to create a network data perimeter. The post also covers runtime protections (security groups, NACLs, Network Firewall, AWS WAF), automated rotation using Secrets Manager or rotation patterns, and threat detection via GuardDuty, all intended to bridge the gap until migration to temporary credentials is feasible.
Fri, November 21, 2025
AWS WAF Adds Web Bot Auth to Verify AI and Bot Traffic
🔐 AWS WAF now supports Web Bot Auth, providing cryptographic verification for automated agents and crawlers that access web applications. The capability uses signed HTTP messages and a public key directory defined by active IETF drafts to authenticate bot identities. AWS WAF will automatically allow verified WBA bots by default, refining previous behavior where the AI category blocked unverified bots. This change helps operators distinguish trusted automated traffic from potentially harmful automation.
Tue, November 18, 2025
AWS offers flat-rate CloudFront plans with built-in security
🔒 AWS is introducing flat-rate pricing plans for CloudFront that bundle global CDN delivery with built-in security (WAF, DDoS protection), Route 53 DNS, CloudWatch Logs ingestion, serverless edge compute, and monthly S3 storage credits. Plans eliminate overage charges so traffic spikes or attacks won’t trigger surprise fees. Tiers include Free, Pro ($15), Business ($200) and Premium ($1,000), and pay-as-you-go remains an option.
Tue, September 30, 2025
AWS Firewall Manager Now Available in Taipei Region
🔒 AWS announces that AWS Firewall Manager is now available in the AWS Asia Pacific (Taipei) Region. The service enables cloud security administrators and site reliability engineers to centrally create, deploy, and maintain defense-in-depth security policies across accounts, including AWS WAF protections and managed rule sets. By centralizing policy management, teams can reduce manual configuration, ensure consistent enforcement, and lower operational overhead. Customers should consult the documentation and region table for full feature and pricing details.
Mon, September 29, 2025
Secure Network Architectures for Generative AI on AWS
🔐 This post explains how to design defense-in-depth network architectures for generative AI workloads using AWS services. It outlines common external threats — including layer 4 and layer 7 DDoS, web request floods, application-specific exploits, and malicious bots — and maps mitigations to AWS capabilities. The guidance recommends private connectivity via Amazon Bedrock and AWS PrivateLink, edge protections with AWS WAF and AWS Shield, subnet-level controls using AWS Network Firewall, and continuous detection and response with GuardDuty, Inspector, and CloudWatch.
Fri, September 26, 2025
AWS WAF Bot, Fraud & DDoS Rule Group Expands Regions
🔒 AWS WAF's Targeted Bot Control, Fraud, and DDoS Prevention Rule Groups are now available in Asia Pacific (Taipei), Asia Pacific (Bangkok), and Mexico (Central). These managed rule groups deliver detection and mitigations for sophisticated bots, application-layer DDoS, and account-takeover attacks at the web edge. Customers can deploy them to improve application resilience, reduce fraudulent activity, and limit resource consumption during attack campaigns.
Mon, September 8, 2025
AWS WAF Now Available in Asia Pacific (Taipei) Region
🛡️ AWS WAF is now available in the AWS Asia Pacific (Taipei) Region, allowing customers to deploy web application firewall protections closer to their users. The service helps protect web applications from common exploits and automated bots that can affect availability, security, or resource consumption. Note that AWS WAF Bot Control with targeted inspection and the Anti-DDoS managed rule group are not currently available in this region.
Mon, September 8, 2025
AWS WAF Adds Free Vended Logs Based on Request Volume
📣 AWS WAF now includes a free allocation of Vended Logs ingestion to CloudWatch: 500 MB for every 1 million WAF requests processed, provided at no additional cost. The allocation is applied automatically across WAF vended logs to CloudWatch, S3, and Firehose and is reconciled on your AWS bill at month end. Usage beyond the included allowance is charged at standard AWS WAF Vended Logs CloudWatch rates. This change helps reduce logging costs while preserving comprehensive security visibility and analytics.