AWS Security ChangesHomeSearch

AWS elasticloadbalancing documentation change

Service: elasticloadbalancing · 2025-08-16 · Documentation medium

File: elasticloadbalancing/latest/application/edit-load-balancer-attributes.md

Summary

Updated documentation for Application Load Balancer attributes including idle timeout, client keepalive duration, deletion protection, desync mitigation mode, and host header preservation. Added detailed CLI commands, CloudFormation examples, and restructured sections for clarity.

Security assessment

The changes enhance documentation for security-related features like deletion protection (prevents accidental resource deletion) and desync mitigation mode (protects against HTTP desync attacks). While these are security features, there is no evidence in the diff that the changes address a specific active security vulnerability or incident. The updates primarily improve clarity and provide implementation examples.

Diff

diff --git a/elasticloadbalancing/latest/application/edit-load-balancer-attributes.md b/elasticloadbalancing/latest/application/edit-load-balancer-attributes.md
index 5b5d0c557..90c1d4b43 100644
--- a//elasticloadbalancing/latest/application/edit-load-balancer-attributes.md
+++ b//elasticloadbalancing/latest/application/edit-load-balancer-attributes.md
@@ -34 +34 @@ Application Load Balancers do not support HTTP/2 PING frames. These do not reset
-By default, Elastic Load Balancing sets the idle timeout value for your load balancer to 60 seconds, or 1 minute. Use the following procedure to set a different idle timeout value.
+By default, Elastic Load Balancing sets the idle timeout value for your load balancer to 60 seconds.
@@ -36 +36,4 @@ By default, Elastic Load Balancing sets the idle timeout value for your load bal
-###### To update the connection idle timeout value using the console
+Console
+    
+
+###### To update the connection idle timeout value
@@ -53 +56,13 @@ By default, Elastic Load Balancing sets the idle timeout value for your load bal
-###### To update the idle timeout value using the AWS CLI
+AWS CLI
+    
+
+###### To update the connection idle timeout value
+
+Use the [modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command with the `idle_timeout.timeout_seconds` attribute. The valid range is 1 to 4000 seconds.
+    
+    
+    aws elbv2 modify-load-balancer-attributes \
+        --load-balancer-arn load-balancer-arn \
+        --attributes "Key=idle_timeout.timeout_seconds,Value=120"
+
+CloudFormation
@@ -55 +70,21 @@ By default, Elastic Load Balancing sets the idle timeout value for your load bal
-Use the [modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command with the `idle_timeout.timeout_seconds` attribute.
+
+###### To update the connection idle timeout value
+
+Update the [AWS::ElasticLoadBalancingV2::LoadBalancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-loadbalancer.html) resource to include the `idle_timeout.timeout_seconds` attribute. The valid range is 1 to 4000 seconds.
+    
+    
+    Resources:
+      myLoadBalancer:
+        Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
+        Properties:
+          Name: my-alb
+          Type: application
+          Scheme: internal
+          Subnets: 
+            - !Ref subnet-AZ1
+            - !Ref subnet-AZ2
+          SecurityGroups: 
+            - !Ref mySecurityGroup
+          LoadBalancerAttributes: 
+            - Key: "idle_timeout.timeout_seconds"
+              Value: "120"
@@ -80 +115,4 @@ The Application Load Balancer assigns the HTTP client keepalive duration value d
-###### To update the client keepalive duration value using the console
+Console
+    
+
+###### To update the client keepalive duration
@@ -90 +128 @@ The Application Load Balancer assigns the HTTP client keepalive duration value d
-  5. Under **Traffic configuration** , enter a value for **HTTP client keepalive duration**. The valid range is 60 through 604800 seconds.
+  5. Under **Traffic configuration** , enter a value for **HTTP client keepalive duration**. The valid range is 60 to 604800 seconds.
@@ -97 +135,2 @@ The Application Load Balancer assigns the HTTP client keepalive duration value d
-###### To update the client keepalive duration value using the AWS CLI
+AWS CLI
+    
@@ -99 +138,32 @@ The Application Load Balancer assigns the HTTP client keepalive duration value d
-Use the [modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command with the `client_keep_alive.seconds` attribute.
+###### To update the client keepalive duration
+
+Use the [modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command with the `client_keep_alive.seconds` attribute. The valid range is 60 to 604800 seconds.
+    
+    
+    aws elbv2 modify-load-balancer-attributes \
+        --load-balancer-arn load-balancer-arn \
+        --attributes "Key=client_keep_alive.seconds,Value=7200"
+
+CloudFormation
+    
+
+###### To update the client keepalive duration
+
+Update the [AWS::ElasticLoadBalancingV2::LoadBalancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-loadbalancer.html) resource to include the `client_keep_alive.seconds` attribute. The valid range is 60 to 604800 seconds.
+    
+    
+    Resources:
+      myLoadBalancer:
+        Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
+        Properties:
+          Name: my-alb
+          Type: application
+          Scheme: internal
+          Subnets: 
+            - !Ref subnet-AZ1
+            - !Ref subnet-AZ2
+          SecurityGroups: 
+            - !Ref mySecurityGroup
+          LoadBalancerAttributes: 
+            - Key: "client_keep_alive.seconds"
+              Value: "7200"
@@ -107 +177,4 @@ If you enable deletion protection for your load balancer, you must disable it be
-###### To enable deletion protection using the console
+Console
+    
+
+###### To enable or disable deletion protection
@@ -117 +190 @@ If you enable deletion protection for your load balancer, you must disable it be
-  5. Under **Configuration** , turn on **Deletion protection**.
+  5. Under **Protection** , enable or disable **Deletion protection**.
@@ -124 +197 @@ If you enable deletion protection for your load balancer, you must disable it be
-###### To disable deletion protection using the console
+AWS CLI
@@ -126 +198,0 @@ If you enable deletion protection for your load balancer, you must disable it be
-  1. Open the Amazon EC2 console at [https://console.aws.amazon.com/ec2/](https://console.aws.amazon.com/ec2/).
@@ -128 +200 @@ If you enable deletion protection for your load balancer, you must disable it be
-  2. On the navigation pane, choose **Load Balancers**.
+###### To enable or disable deletion protection
@@ -130 +202 @@ If you enable deletion protection for your load balancer, you must disable it be
-  3. Select the load balancer.
+Use the [modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command with the `deletion_protection.enabled` attribute.
@@ -132 +203,0 @@ If you enable deletion protection for your load balancer, you must disable it be
-  4. On the **Attributes** tab, choose **Edit**.
@@ -134 +205,3 @@ If you enable deletion protection for your load balancer, you must disable it be
-  5. Under **Configuration** page, turn off **Deletion protection**.
+    aws elbv2 modify-load-balancer-attributes \
+        --load-balancer-arn load-balancer-arn \
+        --attributes "Key=deletion_protection.enabled,Value=true"
@@ -136 +209 @@ If you enable deletion protection for your load balancer, you must disable it be
-  6. Choose **Save changes**.
+CloudFormation
@@ -138,0 +212 @@ If you enable deletion protection for your load balancer, you must disable it be
+###### To enable or disable deletion protection
@@ -139,0 +214 @@ If you enable deletion protection for your load balancer, you must disable it be
+Update the [AWS::ElasticLoadBalancingV2::LoadBalancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-loadbalancer.html) resource to include the `deletion_protection.enabled` attribute.
@@ -141 +215,0 @@ If you enable deletion protection for your load balancer, you must disable it be
-###### To enable or disable deletion protection using the AWS CLI
@@ -143 +217,15 @@ If you enable deletion protection for your load balancer, you must disable it be
-Use the [modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command with the `deletion_protection.enabled` attribute.
+    Resources:
+      myLoadBalancer:
+        Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
+        Properties:
+          Name: my-alb
+          Type: application
+          Scheme: internal
+          Subnets: 
+            - !Ref subnet-AZ1
+            - !Ref subnet-AZ2
+          SecurityGroups: 
+            - !Ref mySecurityGroup
+          LoadBalancerAttributes: 
+            - Key: "deletion_protection.enabled"
+              Value: "true"
@@ -183 +271,4 @@ Severe | Allowed | Blocked | Blocked
-###### To update desync mitigation mode using the console
+Console
+    
+
+###### To update desync mitigation mode
@@ -193 +284 @@ Severe | Allowed | Blocked | Blocked
-  5. Under **Packet handling** , for **Desync mitigation mode** , choose **Defensive** , **Strictest** , or **Monitor**.
+  5. Under **Traffic configuration** , **Packet handling** , for **Desync mitigation mode** , choose **Defensive** , **Strictest** , or **Monitor**.
@@ -200 +291,16 @@ Severe | Allowed | Blocked | Blocked
-###### To update desync mitigation mode using the AWS CLI
+AWS CLI
+    
+
+###### To update desync mitigation mode
+
+Use the [modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command with the `routing.http.desync_mitigation_mode` attribute. The possible values are `monitor`, `defensive`, or `strictest`. The default is `defensive`.
+    
+    
+    aws elbv2 modify-load-balancer-attributes \
+        --load-balancer-arn load-balancer-arn \
+        --attributes "Key=routing.http.desync_mitigation_mode,Value=monitor"
+
+CloudFormation
+    
+
+###### To update desync mitigation mode
@@ -202 +308,18 @@ Severe | Allowed | Blocked | Blocked
-Use the [modify-load-balancer-attributes](https://docs.aws.amazon.com/cli/latest/reference/elbv2/modify-load-balancer-attributes.html) command with the `routing.http.desync_mitigation_mode` attribute set to `monitor`, `defensive`, or `strictest`.
+Update the [AWS::ElasticLoadBalancingV2::LoadBalancer](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-resource-elasticloadbalancingv2-loadbalancer.html) resource to include the `routing.http.desync_mitigation_mode` attribute. The possible values are `monitor`, `defensive`, or `strictest`. The default is `defensive`.
+    
+    
+    Resources:
+      myLoadBalancer:
+        Type: 'AWS::ElasticLoadBalancingV2::LoadBalancer'
+        Properties:
+          Name: my-alb
+          Type: application
+          Scheme: internal
+          Subnets: 
+            - !Ref subnet-AZ1
+            - !Ref subnet-AZ2
+          SecurityGroups: 
+            - !Ref mySecurityGroup
+          LoadBalancerAttributes: 
+            - Key: "routing.http.desync_mitigation_mode"
+              Value: "monitor"
@@ -224 +347,4 @@ Request is sent on a non-default listener port and host header has port (for exa
-###### To enable host header preservation using the console