AWS Security ChangesHomeSearch

AWS elasticloadbalancing documentation change

Service: elasticloadbalancing · 2025-11-13 · Documentation low

File: elasticloadbalancing/latest/application/load-balancer-access-logs.md

Summary

Added JWT validation error codes and metrics documentation

Security assessment

Documents monitoring aspects of new security feature (JWT validation) but doesn't fix a security vulnerability.

Diff

diff --git a/elasticloadbalancing/latest/application/load-balancer-access-logs.md b/elasticloadbalancing/latest/application/load-balancer-access-logs.md
index d479be37f..8c33da94b 100644
--- a//elasticloadbalancing/latest/application/load-balancer-access-logs.md
+++ b//elasticloadbalancing/latest/application/load-balancer-access-logs.md
@@ -261,0 +262,15 @@ Code | Description | Metric
+If the load balancer cannot complete an jwt-validation action, the load balancer stores one of the following reason codes in the error_reason field of the access log. The load balancer also increments the corresponding CloudWatch metric. For more information, see [Verify JWTs using an Application Load Balancer](./listener-verify-jwt.html).
+
+Code | Description | Metric  
+---|---|---  
+`JWTHeaderNotPresent` |  Request does not contain Authorization header. |  `JWTValidationFailureCount`  
+`JWTRequestFormatInvalid` |  Token in request is malformed or missing mandatory parts (header, payload, or signature), Header does not contain "Bearer " prefix, Header contains a different auth type like "Basic ", Authorization header is present but token is not present, if there are multiple tokens present in the request |  `JWTValidationFailureCount`  
+`AuthInvJWKSRequestTimeoutalidIdToken` |  The load balancer is unable to communicate with the JWKS endpoint, or the JWKS endpoint is not responding within 5 seconds. |  `JWTValidationFailureCount`  
+`JWKSResponseSizeExceeded` |  The size of the response returned by the JWKS endpoint exceeds 150KB or the number of keys returned by the JWKS endpoint exceeds 10. |  `JWTValidationFailureCount`  
+`AuthInvJWKSRequestFailed` |  There is an error response (non-2XX) from the JWKS endpoint. |  `JWTValidationFailureCount`  
+`AuthInvalidUseJWTSignatureValidationFailed` |  Failed to validate token signature for any reason including signature does not match, the public key was invalid and could not be converted to a decoding key, public key size was not 2K, Token is signed with an Unsupported Algorithm, the KID in the token is not present in the JWKS endpoint. |  `JWTValidationFailureCount`  
+`JWTClaimNotPresent` |  JWT in the client request does not contain a claim which is required for validation |  `JWTValidationFailureCount`  
+`JWTClaimFormatInvalid` |  The format of the claim’s value in the JWT does not match the format specified in the configuration |  `JWTValidationFailureCount`  
+`JWTClaimValueInvalid` |  The value of the claim in the JWT is invalid. |  `JWTValidationFailureCount`  
+`JWTValidationInternalError` |  The load balancer encountered an unexpected error while validating the JWT in the client request. |  `JWTValidationFailureCount`  
+