AWS Security ChangesHomeSearch

AWS vpn low security documentation change

Service: vpn · 2025-06-22 · Security-related low

File: vpn/latest/s2svpn/cgw-options.md

Summary

Removed '(Optional)' label from customer gateway IP address requirement description, while maintaining exception for private certificate use cases

Security assessment

The change clarifies/enforces that a static IP is required by default for VPN gateways unless using specific certificate configurations. This prevents misconfigurations where users might have incorrectly omitted the IP address in non-qualifying scenarios, which could lead to insecure VPN connections or connection failures. However, there's no explicit mention of patching a vulnerability.

Diff

diff --git a/vpn/latest/s2svpn/cgw-options.md b/vpn/latest/s2svpn/cgw-options.md
index 19a66fe7c..d9c112532 100644
--- a//vpn/latest/s2svpn/cgw-options.md
+++ b//vpn/latest/s2svpn/cgw-options.md
@@ -20 +20 @@ If you don't have a public ASN, you can use a private ASN in the range of 64,512
-(Optional) The IP address of the customer gateway device's external interface. |  The IP address must be static. If your customer gateway device is behind a network address translation (NAT) device, use the IP address of your NAT device. Also, ensure that UDP packets on port 500 (and port 4500, if NAT traversal is being used) are allowed to pass between your network and the AWS Site-to-Site VPN endpoints. See [Firewall rules](./FirewallRules.html) for more info. An IP address is not required when you are using a private certificate from AWS Private Certificate Authority and a public VPN.  
+The IP address of the customer gateway device's external interface. |  The IP address must be static. If your customer gateway device is behind a network address translation (NAT) device, use the IP address of your NAT device. Also, ensure that UDP packets on port 500 (and port 4500, if NAT traversal is being used) are allowed to pass between your network and the AWS Site-to-Site VPN endpoints. See [Firewall rules](./FirewallRules.html) for more info. An IP address is not required when you are using a private certificate from AWS Private Certificate Authority and a public VPN.