AWS Security ChangesHomeSearch

AWS AmazonCloudFront medium security documentation change

Service: AmazonCloudFront · 2025-05-31 · Security-related medium

File: AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.md

Summary

Updated documentation for VPC origin requirements including Network ACL configuration, subnet requirements, load balancer restrictions, and security group management

Security assessment

Added explicit guidance about Network ACL configurations requiring both inbound/outbound rules when client IP preservation is enabled. This addresses potential misconfigurations that could block legitimate traffic or allow unauthorized access. Also emphasizes security group requirements for CloudFront's managed prefix list to restrict origin access.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.md b/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.md
index 926ac8a1e..1e097bcd5 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.md
@@ -17 +17 @@ Here are some reasons why you might want to use VPC origins:
-  * **Scalability and performance** – VPC origins helps you to secure your web applications, freeing up time to focus on growing your critical business applications while improving security and maintaining high-performance and global scalability with CloudFront. VPC origins streamlines security management and reduces operational complexity so that you can use CloudFront as the single point of entry for your applications.
+  * **Scalability and performance** – VPC origins helps you to secure your web applications, freeing up time to focus on growing your critical business applications while improving security and maintaining high performance and global scalability with CloudFront. VPC origins streamlines security management and reduces operational complexity so that you can use CloudFront as the single point of entry for your applications.
@@ -31,0 +32,4 @@ Before you create a VPC origin for your CloudFront distribution, you must comple
+    * Network ACLs associated with your VPC subnets apply to egress (outbound) traffic when client IP address preservation is enabled on your VPC origin. However, for traffic to be allowed to exit through your VPC origin you must configure the ACL as both an inbound and outbound rule.
+
+For example, to allow TCP and UDP clients using an ephemeral source port to connect to your endpoint through your VPC origin, associate the subnet of your endpoint with a Network ACL that allows outbound traffic destined to an ephemeral TCP or UDP port (port range 1024-65535, destination 0.0.0.0/0). In addition, create a matching inbound rule (port range 1024-65535, source 0.0.0.0/0).
+
@@ -36 +40,3 @@ For information about creating a VPC, see [Create a VPC plus other VPC resources
-    * **Internet gateway** – Required so that your VPC can receive traffic from the internet. The internet gateway is not used for routing traffic to origins inside the subnet, and you don’t need to update the routing policies.
+    * **Internet gateway** – You need to add an internet gateway to the VPC that has your VPC origin resources. The internet gateway is required to denote that the VPC can receive traffic from the internet. The internet gateway is not used for routing traffic to origins inside the subnet, and you don't need to update the routing policies.
+
+    * **Private subnet with at least one available IPv4 address** – CloudFront routes to your subnet by using a service-managed elastic network interface (ENI) that CloudFront creates after you define your VPC origin resource with CloudFront. You must have at least one available IPv4 address in your private subnet so that the ENI creation process can succeed. The IPv4 address can be private, and there is no additional cost for it.
@@ -38 +44,3 @@ For information about creating a VPC, see [Create a VPC plus other VPC resources
-    * **Private subnet with at least one available IPv4 address** – CloudFront routes to your subnet by using an elastic network interface (ENI) that CloudFront creates after your define your private origin CloudFront resource. You must have at least one available IPv4 address in your private subnet so that the ENI creation process can succeed. The IPv4 address can be private, and there is no additional cost for it.
+###### Note
+
+IPv6-only subnets are not supported.
@@ -44,3 +52 @@ For information about creating a VPC, see [Create a VPC plus other VPC resources
-    * To be used as a VPC origin, a Network Load Balancer must have a security group attached to it.
-
-    * Dual-stack Network Load Balancers and Network Load Balancers with TLS listeners can't be added as origins.
+    * Gateway Load Balancers, dual-stack Network Load Balancers and Network Load Balancers with TLS listeners can't be added as origins.
@@ -48 +54 @@ For information about creating a VPC, see [Create a VPC plus other VPC resources
-    * Gateway Load Balancers are not supported for VPC origins.
+    * To be used as a VPC origin, a Network Load Balancer must have a security group attached to it.
@@ -50 +56 @@ For information about creating a VPC, see [Create a VPC plus other VPC resources
-  * Update the security group for your VPC private origin (Application Load Balancer, Network Load Balancer, or EC2 instance) to explicitly allow the CloudFront managed prefix list. This restricts traffic coming to the VPC origin. For more information, see [Use the CloudFront managed prefix list](./LocationsOfEdgeServers.html#managed-prefix-list).
+    * Update your security groups for the VPC private origins to explicitly allow the CloudFront managed prefix list. For more information, see [Use the CloudFront managed prefix list](./LocationsOfEdgeServers.html#managed-prefix-list).
@@ -53,0 +60 @@ For information about creating a VPC, see [Create a VPC plus other VPC resources
+###### Note
@@ -54,0 +62 @@ For information about creating a VPC, see [Create a VPC plus other VPC resources
+WebSockets, gRPC traffic, and origin rewrite with Lambda@Edge in CloudFront is not supported for VPC origins. For more information, see [Work with requests and responses](./lambda-generating-http-responses.html) in the Lambda@Edge documentation.
@@ -57 +64,0 @@ For information about creating a VPC, see [Create a VPC plus other VPC resources
-###### Note
@@ -59 +65,0 @@ For information about creating a VPC, see [Create a VPC plus other VPC resources
-WebSockets, gRPC traffic, and origin rewrite with Lambda@Edge in CloudFront is not supported for VPC origins. For more information, see [Work with requests and responses](./lambda-generating-http-responses.html) in the Lambda@Edge documentation.