AWS Security ChangesHomeSearch

AWS elasticloadbalancing documentation change

Service: elasticloadbalancing · 2025-11-13 · Documentation low

File: elasticloadbalancing/latest/application/load-balancer-troubleshooting.md

Summary

Added documentation for HTTP 562 error and detailed JWT authentication failure scenarios, including token validation errors, missing claims, and JWKS endpoint communication issues.

Security assessment

The changes document JWT authentication error handling and troubleshooting steps, which are security-related features. However, there is no evidence of addressing a specific security vulnerability; instead, this enhances documentation for existing security mechanisms.

Diff

diff --git a/elasticloadbalancing/latest/application/load-balancer-troubleshooting.md b/elasticloadbalancing/latest/application/load-balancer-troubleshooting.md
index 632e9acc5..c4a59da69 100644
--- a//elasticloadbalancing/latest/application/load-balancer-troubleshooting.md
+++ b//elasticloadbalancing/latest/application/load-balancer-troubleshooting.md
@@ -177,0 +178,2 @@ The following HTTP errors are generated by the load balancer. The load balancer
+  * HTTP 562: JWKS Request Failed
+
@@ -207,0 +210,32 @@ You configured a listener rule to authenticate users, but one of the following i
+  * The JWT authentication failed due to one of the following reasons:
+
+    * The request is missing the Authorization header. (JWTHeaderNotPresent)
+
+    * The token format in the request is invalid. This can occur when:
+
+      * Token is malformed or missing mandatory parts (header, payload, or signature)
+
+      * Header lacks the "Bearer" prefix
+
+      * Header contains a different authentication type (e.g., "Basic")
+
+      * Authorization header exists but token is missing
+
+      * Multiple tokens are present in the request (JWTRequestFormatInvalid)
+
+    * The token signature validation failed. This can occur when:
+
+      * Signature doesn't match
+
+      * Public key is invalid or cannot be converted to a decoding key
+
+      * Public key size is not 2K
+
+      * Token is signed with an unsupported algorithm
+
+      * KID in the token is not present in the JWKS endpoint (JWTSignatureValidationFailed)
+
+    * The JWT is missing a required claim for validation. (JWTClaimNotPresent)
+
+    * The format of a claim's value in the JWT doesn't match the specified configuration format. (JWTClaimFormatInvalid)
+
@@ -280,0 +315,4 @@ Possible causes:
+  * The load balancer is unable to communicate with the JWKS endpoint, or the JWKS endpoint is not responding within 5 seconds.
+
+  * The size of the response returned by the JWKS endpoint exceeds 150KB or the number of keys returned by the JWKS endpoint exceeds 10
+
@@ -351,0 +390,4 @@ You configured a listener rule to authenticate users, but the IdP returned an er
+### HTTP 562: JWKS Request Failed
+
+The load balancer failed to receive a successful response from the JWKS (JSON Web Key Set) endpoint. A successful response should have a status code in the 200-299 range, but a different status code was received instead.
+