AWS Security ChangesHomeSearch

AWS Route53 documentation change

Service: Route53 · 2025-03-30 · Documentation medium

File: Route53/latest/DeveloperGuide/best-practices-resolver-endpoint-scaling.md

Summary

Added guidance about using untracked connections in security groups to improve Resolver endpoint performance

Security assessment

Documents security group configuration options (untracked connections) but does not address specific vulnerabilities. The change enhances performance documentation with security-adjacent network configuration details.

Diff

diff --git a/Route53/latest/DeveloperGuide/best-practices-resolver-endpoint-scaling.md b/Route53/latest/DeveloperGuide/best-practices-resolver-endpoint-scaling.md
index 397220dc4..6ca5b0748 100644
--- a/Route53/latest/DeveloperGuide/best-practices-resolver-endpoint-scaling.md
+++ b/Route53/latest/DeveloperGuide/best-practices-resolver-endpoint-scaling.md
@@ -7 +7 @@
-Resolver endpoint security groups use connection tracking to gather information about traffic to and from the endpoints. Each endpoint interface has a maximum number of connections that can be tracked, and a high volume of DNS queries can exceed the connections and cause throttling and query loss. To reduce the number of connections that are tracked, implement security group rules that permit traffic based on the connection state of the traffic. For more information, see [ Security groups](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-security-groups.html) and [ Connection tracking](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html) in _Amazon EC2 User Guide_.
+Resolver endpoint security groups use connection tracking to gather information about traffic to and from the endpoints. Each endpoint interface has a maximum number of connections that can be tracked, and a high volume of DNS queries can exceed the connections and cause throttling and query loss. Connection tracking is AWS's default behavior for monitoring the state of traffic flowing through security groups (SGs). Using connection tracking in SGs will reduce the throughput of traffic, however, you can implement untracked connections to reduce overhead and improve performance. For more information see [Untracked connections](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html#untracked-connections).
@@ -9,3 +9 @@ Resolver endpoint security groups use connection tracking to gather information
-Connections made through applications like Network Load Balancer and AWS Lambda (for a full list see [Automatically tracked connections](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html#automatic-tracking) ) are automatically tracked, even if the security group configuration does not otherwise require tracking.
-
-If the connection tracking is enforced either by using restrictive security group rules or queries are routed through Network Load Balancer, the overall maximum queries per second per IP address for an endpoint can be as low as 1500.
+If the connection tracking is enforced either by using restrictive security group rules or queries are routed through Network Load Balancer (see [Automatically tracked connections](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-connection-tracking.html#automatic-tracking)), the overall maximum queries per second per IP address for an endpoint can be as low as 1500.