AWS Security ChangesHomeSearch

AWS vpc documentation change

Service: vpc · 2025-06-28 · Documentation low

File: vpc/latest/userguide/flow-logs-s3-permissions.md

Summary

Added clarification about HeadBucket API calls and AccessDenied errors in VPC flow log delivery to S3

Security assessment

Clarifies security-related permissions behavior for VPC flow logs, helping users understand audit trail implications. While related to security practices, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/vpc/latest/userguide/flow-logs-s3-permissions.md b/vpc/latest/userguide/flow-logs-s3-permissions.md
index 7f7306122..b2e1099e5 100644
--- a//vpc/latest/userguide/flow-logs-s3-permissions.md
+++ b//vpc/latest/userguide/flow-logs-s3-permissions.md
@@ -69,0 +70,2 @@ It is a best practice to grant these permissions to the log delivery service pri
+Note that the log delivery service calls the `HeadBucket` Amazon S3 API action to verify the existence and location of the S3 bucket. You are not required to grant the log delivery service permission to call this action; it will still deliver VPC flow logs even if it can't confirm that the S3 bucket exists and its location. However, there will be an `AccessDenied` error for the call to `HeadBucket` in your CloudTrail logs.
+