AWS network-firewall documentation change
Summary
Added guidance about policy variable application to VPC endpoint associations and ownership considerations
Security assessment
Emphasizes proper policy configuration for shared firewalls, which helps prevent misconfiguration-related security gaps. While not fixing a specific vulnerability, it adds security best practice documentation.
Diff
diff --git a/network-firewall/latest/developerguide/firewall-policy-settings.md b/network-firewall/latest/developerguide/firewall-policy-settings.md index 4420c82ae..50a51b69a 100644 --- a//network-firewall/latest/developerguide/firewall-policy-settings.md +++ b//network-firewall/latest/developerguide/firewall-policy-settings.md @@ -9 +9,5 @@ Capacity limitations -A firewall policy in Network Firewall has the following configuration settings, which you define when you create or update the firewall policy. All settings except for the firewall policy name are mutable. +A firewall policy in Network Firewall has the following configuration settings, which you define when you create or update the firewall policy. All settings except for the firewall policy name are changeable. + +###### Tip + +If you own a firewall that is shared with others using VPC endpoint associations, you should review the settings in your firewall policy to ensure they apply to VPC endpoint associations as needed. @@ -44,0 +49,4 @@ The firewall policy `EXTERNAL_NET` setting is the negation of its `HOME_NET` set +###### Note + +Policy variables do not automatically apply to VPC endpoint associations. For example, if `HOME_NET` is already configured for a primary firewall, you must also configure it to apply to VPC endpoints associated with that firewall. +