AWS vpc documentation change
Summary
Added clarification about HeadBucket API calls and AccessDenied errors in VPC flow log delivery to S3
Security assessment
Clarifies security-related permissions behavior for VPC flow logs, helping users understand audit trail implications. While related to security practices, there's no evidence of addressing a specific vulnerability.
Diff
diff --git a/vpc/latest/userguide/flow-logs-s3-permissions.md b/vpc/latest/userguide/flow-logs-s3-permissions.md index 7f7306122..b2e1099e5 100644 --- a//vpc/latest/userguide/flow-logs-s3-permissions.md +++ b//vpc/latest/userguide/flow-logs-s3-permissions.md @@ -69,0 +70,2 @@ It is a best practice to grant these permissions to the log delivery service pri +Note that the log delivery service calls the `HeadBucket` Amazon S3 API action to verify the existence and location of the S3 bucket. You are not required to grant the log delivery service permission to call this action; it will still deliver VPC flow logs even if it can't confirm that the S3 bucket exists and its location. However, there will be an `AccessDenied` error for the call to `HeadBucket` in your CloudTrail logs. +