AWS elasticloadbalancing documentation change
Summary
Updated connection log format, added TID fields, and expanded TLS verification error details
Security assessment
The changes include Trace IDs (TID) in log entries and explicit TLS verification statuses (e.g., 'Failed:ClientCertUntrusted'). These updates improve visibility into mutual TLS failures and correlation capabilities, which are critical for security monitoring. However, there is no evidence of a resolved security vulnerability.
Diff
diff --git a/elasticloadbalancing/latest/application/load-balancer-connection-logs.md b/elasticloadbalancing/latest/application/load-balancer-connection-logs.md index 18cbc905e..262547c18 100644 --- a//elasticloadbalancing/latest/application/load-balancer-connection-logs.md +++ b//elasticloadbalancing/latest/application/load-balancer-connection-logs.md @@ -118,5 +117,0 @@ Each connection attempt has an entry in a connection log file. How client reques -Connection log entries use the following format: - - - [timestamp] [client_ip] [client_port] [listener_port] [tls_protocol] [tls_cipher] [tls_handshake_latency] [leaf_client_cert_subject] [leaf_client_cert_validity] [leaf_client_cert_serial_number] [tls_verify_status] - @@ -161 +156 @@ tls_verify_status | [HTTPS listener] The status of the connection request. This -conn_trace_id | The connection traceability ID is a **unique opaque ID** used to identify each connection. After a connection is established with a client, subsequent requests from this client will contain this ID in their respective access log entries. This ID acts as a foreign key to create a link between the connection and access logs. +conn_trace_id | The connection traceability ID is a **unique opaque ID** used to identify each connection. After a connection is established with a client, subsequent requests from this client contain this ID in their respective access log entries. This ID acts as a foreign key to create a link between the connection and access logs. @@ -184 +179 @@ Code | Description -The following are example connection log entries. +The following are example connection log entries. Note that the example text appears on multiple lines only to make them easier to read. @@ -186 +181 @@ The following are example connection log entries. -The following is an example log entry for a successful connection with a HTTPS listener with mutual TLS verify mode enabled on port 443: +The following is an example log entry for a successful connection with a HTTPS listener with mutual TLS verify mode enabled on port 443. @@ -189 +184,3 @@ The following is an example log entry for a successful connection with a HTTPS l - 2023-10-04T17:05:15.514108Z 203.0.113.1 36280 443 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 4.036 "CN=amazondomains.com,O=endEntity,L=Seattle,ST=Washington,C=US" NotBefore=2023-09-21T22:43:21Z;NotAfter=2026-06-17T22:43:21Z FEF257372D5C14D4 Success + 2023-10-04T17:05:15.514108Z 203.0.113.1 36280 443 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 4.036 + "CN=amazondomains.com,O=endEntity,L=Seattle,ST=Washington,C=US" NotBefore=2023-09-21T22:43:21Z;NotAfter=2026-06-17T22:43:21Z + FEF257372D5C14D4 Success TID_3180a73013c8ca4bac2f731159d4b0fe @@ -191 +188 @@ The following is an example log entry for a successful connection with a HTTPS l -The following is an example log entry for a failed connection with a HTTPS listener with mutual TLS verify mode enabled on port 443.: +The following is an example log entry for a failed connection with a HTTPS listener with mutual TLS verify mode enabled on port 443. @@ -194 +191,3 @@ The following is an example log entry for a failed connection with a HTTPS liste - 2023-10-04T17:05:15.514108Z 203.0.113.1 36280 443 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 - "CN=amazondomains.com,O=endEntity,L=Seattle,ST=Washington,C=US" NotBefore=2023-09-21T22:43:21Z;NotAfter=2026-06-17T22:43:21Z FEF257372D5C14D4 Failed:ClientCertUntrusted + 2023-10-04T17:05:15.514108Z 203.0.113.1 36280 443 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 - + "CN=amazondomains.com,O=endEntity,L=Seattle,ST=Washington,C=US" NotBefore=2023-09-21T22:43:21Z;NotAfter=2026-06-17T22:43:21Z + FEF257372D5C14D4 Failed:ClientCertUntrusted TID_1c71a68d70587445ad5127ff8b2687d7