AWS vpc medium security documentation change
Summary
Added Step 2 for including/excluding intermediate resources in path analysis, expanded documentation about security audit and compliance use cases
Security assessment
Added explicit documentation about including/excluding intermediate components for security audits and policy enforcement. Specifically mentions using this feature to analyze paths bypassing AWS Network Firewall, which directly relates to security configuration analysis.
Diff
diff --git a/vpc/latest/reachability/getting-started.md b/vpc/latest/reachability/getting-started.md index b5a4a5347..26903d19b 100644 --- a//vpc/latest/reachability/getting-started.md +++ b//vpc/latest/reachability/getting-started.md @@ -5 +5 @@ -Step 1: Create and analyze a pathStep 2: View the results of the path analysisStep 3: Change the network configuration and analyze the pathStep 4: Delete the path +Step 1: Create and analyze a pathStep 2: Include or exclude intermediate resourcesStep 3: View the results of the path analysisStep 4: Change the network configuration and analyze the pathStep 5: Delete the path @@ -15 +15 @@ You can use Reachability Analyzer to determine whether a destination resource in - * Step 2: View the results of the path analysis + * Step 2: Include or exclude intermediate resources @@ -17 +17 @@ You can use Reachability Analyzer to determine whether a destination resource in - * Step 3: Change the network configuration and analyze the path + * Step 3: View the results of the path analysis @@ -19 +19,3 @@ You can use Reachability Analyzer to determine whether a destination resource in - * Step 4: Delete the path + * Step 4: Change the network configuration and analyze the path + + * Step 5: Delete the path @@ -55 +57,35 @@ Specify the path for the traffic from a source to a destination. After you creat -## Step 2: View the results of the path analysis +## Step 2: Include or exclude intermediate resources + +Reachability Analyzer supports the ability to include or exclude intermediate resources from analysis. + + * Including a specified intermediate component makes it particularly valuable for security audits, policy enforcement, and compliance verification in cloud environments and enterprise networks. While this provides granular control over path analysis, note that it will only show paths that _include_ the specified intermediate component, requiring good knowledge of the network topology for effective use. + + * Excluding an intermediate component removes that component from analysis. This makes it particularly valuable when you don't want your analysis to include a particular component. For example, you might have a path that runs through AWS Network Firewall, but you only want to analyze paths that bypass it. In this case, you would add the Network Firewall ARN to the exclude field. Reachability Analyzer will then ignore this resource and analyze only those paths that don't go through it. + + + + +###### To include or exclude intermediate resources + + 1. Choose the checkbox for the path that you want to include or exclude Amazon Resource Numbers (ARNs) for. + + 2. On the **Analysis path** panel, enter an optional ARN for either of the following: + + * **Include an intermediate component feature** + +The analyzer only considers paths that include the specified intermediate component. + + * **Exclude an intermediate component feature** + +The analyzer ignores a specific intermediate component during analysis and only analyzes alternate paths. + +###### Note + +You can only include a single ARN to include or exclude from analysis. Each ARN must be unique in order to prevent a conflict. + + 3. Choose **Confirm**. + + + + +## Step 3: View the results of the path analysis @@ -70 +106 @@ After the path analysis completes, you can view the result of the analysis. -## Step 3: Change the network configuration and analyze the path +## Step 4: Change the network configuration and analyze the path @@ -100 +136 @@ If the reachability status does not match your intent, you can change your netwo -## Step 4: Delete the path +## Step 5: Delete the path