AWS Security ChangesHomeSearch

AWS vpc medium security documentation change

Service: vpc · 2025-08-25 · Security-related medium

File: vpc/latest/userguide/igw-ingress-routing.md

Summary

Added warning about VPC Block Public Access interaction with ingress routing

Security assessment

Documents a critical security configuration detail where VPC Block Public Access (BPA) subnet-level exclusions don't work with ingress routing, potentially leading to unintended traffic blocking or exposure. Provides guidance to disable BPA or use VPC-level exclusions.

Diff

diff --git a/vpc/latest/userguide/igw-ingress-routing.md b/vpc/latest/userguide/igw-ingress-routing.md
index 35bafcba2..982acae07 100644
--- a//vpc/latest/userguide/igw-ingress-routing.md
+++ b//vpc/latest/userguide/igw-ingress-routing.md
@@ -128 +128 @@ This feature only works with the public IP CIDRs that you bring to AWS following
-**Important best practices**
+**Best practices**
@@ -136,0 +137,11 @@ This feature only works with the public IP CIDRs that you bring to AWS following
+###### Important
+
+If you are using [VPC Block Public Access (BPA)](./security-vpc-bpa.html), when BPA is enabled, it will block traffic to subnets using ingress routing, even if you've set a subnet-level BPA exclusion. Subnet-level exclusions do not work for ingress routing. To allow ingress routing traffic with BPA enabled:
+
+  * Disable BPA completely, or
+
+  * Use a VPC-level exclusion
+
+
+
+