AWS Security ChangesHomeSearch

AWS network-firewall documentation change

Service: network-firewall · 2025-10-25 · Documentation low

File: network-firewall/latest/developerguide/reporting.md

Summary

Restructured content to add 'Caveats and considerations' section, clarified report limitations including UNKNOWN_DOMAIN classification and observation count cap (2,147,483,647)

Security assessment

Changes focus on documenting operational limitations and data classification behavior rather than addressing security vulnerabilities. No evidence of patching exploits or mitigating attacks.

Diff

diff --git a/network-firewall/latest/developerguide/reporting.md b/network-firewall/latest/developerguide/reporting.md
index 80a1677e8..bb70be173 100644
--- a//network-firewall/latest/developerguide/reporting.md
+++ b//network-firewall/latest/developerguide/reporting.md
@@ -5 +5 @@
-Generating reports in Network FirewallCreating stateful rule groups from reports
+ConsiderationsGenerating reportsCreating stateful rule groups from reports
@@ -17 +17 @@ Before you can generate a traffic analysis report, you must enable **Traffic ana
-You can generate up to one report per traffic type, per 30 day period. For example, when you successfully create an HTTP traffic report, you cannot create another HTTP traffic report until 30 days pass. Alternatively, if you generate a report that combines metrics on both HTTP and HTTPS traffic, you cannot create another report for either traffic type until 30 days pass. Network Firewall automatically deletes the report after 30 days. If the custom HTTP and TLS logs do not contain an SNI or the HTTP hostname, Network Firewall will classify it as UNKNOWN_DOMAIN.
+###### Note
@@ -19 +19,3 @@ You can generate up to one report per traffic type, per 30 day period. For examp
-When you generate a report, you create a snapshot into the last 30 days of network traffic monitored by your firewall. The maximum number of results per report is 1000. Each report provides insight into the following metrics for any given firewall:
+You can generate up to one report per traffic type, per 30 day period. For example, when you successfully create an HTTP traffic report, you cannot create another HTTP traffic report until 30 days pass. Alternatively, if you generate a report that combines metrics on both HTTP and HTTPS traffic, you cannot create another report for either traffic type until 30 days pass. Network Firewall automatically deletes the report after 30 days.
+
+Each report provides insight into the following metrics for any given firewall:
@@ -35,0 +38,15 @@ When you generate a report, you create a snapshot into the last 30 days of netwo
+## Caveats and considerations for traffic analysis reports
+
+Consider the following in your use of traffic analysis reports:
+
+  * When you generate a report, you create a snapshot into the last 30 days of network traffic monitored by your firewall.
+
+  * The maximum number of results per report is 1000.
+
+  * If your custom HTTP and TLS logs do not contain an SNI or the HTTP hostname, Network Firewall will classify it as UNKNOWN_DOMAIN.
+
+  * The observation count on reported domain access attempts cannot exceed the maximum of 2,147,483,647. For example, if one or more of your reported domains was accessed more than 2,147,483,647 times within the 30 day reporting period, the count shown in your generated report will not exceed 2,147,483,647.
+
+
+
+