AWS elasticloadbalancing documentation change
Summary
Added JWT validation error codes and metrics documentation
Security assessment
Documents monitoring aspects of new security feature (JWT validation) but doesn't fix a security vulnerability.
Diff
diff --git a/elasticloadbalancing/latest/application/load-balancer-access-logs.md b/elasticloadbalancing/latest/application/load-balancer-access-logs.md index d479be37f..8c33da94b 100644 --- a//elasticloadbalancing/latest/application/load-balancer-access-logs.md +++ b//elasticloadbalancing/latest/application/load-balancer-access-logs.md @@ -261,0 +262,15 @@ Code | Description | Metric +If the load balancer cannot complete an jwt-validation action, the load balancer stores one of the following reason codes in the error_reason field of the access log. The load balancer also increments the corresponding CloudWatch metric. For more information, see [Verify JWTs using an Application Load Balancer](./listener-verify-jwt.html). + +Code | Description | Metric +---|---|--- +`JWTHeaderNotPresent` | Request does not contain Authorization header. | `JWTValidationFailureCount` +`JWTRequestFormatInvalid` | Token in request is malformed or missing mandatory parts (header, payload, or signature), Header does not contain "Bearer " prefix, Header contains a different auth type like "Basic ", Authorization header is present but token is not present, if there are multiple tokens present in the request | `JWTValidationFailureCount` +`AuthInvJWKSRequestTimeoutalidIdToken` | The load balancer is unable to communicate with the JWKS endpoint, or the JWKS endpoint is not responding within 5 seconds. | `JWTValidationFailureCount` +`JWKSResponseSizeExceeded` | The size of the response returned by the JWKS endpoint exceeds 150KB or the number of keys returned by the JWKS endpoint exceeds 10. | `JWTValidationFailureCount` +`AuthInvJWKSRequestFailed` | There is an error response (non-2XX) from the JWKS endpoint. | `JWTValidationFailureCount` +`AuthInvalidUseJWTSignatureValidationFailed` | Failed to validate token signature for any reason including signature does not match, the public key was invalid and could not be converted to a decoding key, public key size was not 2K, Token is signed with an Unsupported Algorithm, the KID in the token is not present in the JWKS endpoint. | `JWTValidationFailureCount` +`JWTClaimNotPresent` | JWT in the client request does not contain a claim which is required for validation | `JWTValidationFailureCount` +`JWTClaimFormatInvalid` | The format of the claim’s value in the JWT does not match the format specified in the configuration | `JWTValidationFailureCount` +`JWTClaimValueInvalid` | The value of the claim in the JWT is invalid. | `JWTValidationFailureCount` +`JWTValidationInternalError` | The load balancer encountered an unexpected error while validating the JWT in the client request. | `JWTValidationFailureCount` +