AWS fis documentation change
Summary
Added documentation for new 'aws:network:disrupt-vpc-endpoint' action that blocks VPC endpoint traffic via security group manipulation. Updated references from 'Auto Scaling groups' to 'Amazon EC2 Auto Scaling groups' for consistency.
Security assessment
The change introduces documentation for a new fault injection action that modifies security groups to disrupt VPC endpoint traffic. While this relates to security controls (security groups), it documents testing capabilities rather than addressing a specific vulnerability. The action appears to be a resilience testing feature rather than a security fix.
Diff
diff --git a/fis/latest/userguide/fis-actions-reference.md b/fis/latest/userguide/fis-actions-reference.md index dea42faf0..a7a7bb4da 100644 --- a//fis/latest/userguide/fis-actions-reference.md +++ b//fis/latest/userguide/fis-actions-reference.md @@ -188 +188 @@ When you run the `aws:arc:start-zonal-autoshift` action, AWS FIS manages the zon -Zonal shift managed resources are resource types including Amazon EKS clusters, Amazon EC2 Application and Network Load Balancers, and Amazon EC2 Auto Scaling groups that can be enabled for ARC zonal autoshift. For more information, see [supported resources](https://docs.aws.amazon.com/r53recovery/latest/dg/arc-zonal-shift.resource-types.html) and [enabling zonal autoshift resources](https://docs.aws.amazon.com/r53recovery/latest/dg/arc-zonal-autoshift.start-cancel.html) in the _ARC Developer Guide_. +Zonal shift managed resources are resource types including Amazon EKS clusters, Amazon EC2 Application and Network Load Balancers, and Amazon EC2 Auto Scaling groups that can be enabled for ARC zonal autoshift. For more information, see [supported resources](https://docs.aws.amazon.com/r53recovery/latest/dg/arc-zonal-shift.resource-types.html) and [enabling zonal autoshift resources](https://docs.aws.amazon.com//r53recovery/latest/dg/arc-zonal-autoshift.start-cancel.html) in the _ARC Developer Guide_. @@ -554 +554 @@ For an example policy, see [Example: Use condition keys for ec2:InjectApiError]( -Injects `InsufficientInstanceCapacity` error responses on requests made by the target Auto Scaling groups. This action only supports Auto Scaling groups using launch templates. To learn more about insufficient instance capacity errors, see the [Amazon EC2 user guide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/troubleshooting-launch.html#troubleshooting-launch-capacity). +Injects `InsufficientInstanceCapacity` error responses on requests made by the target Amazon EC2 Auto Scaling groups. This action only supports Amazon EC2 Auto Scaling groups using launch templates. To learn more about insufficient instance capacity errors, see the [Amazon EC2 user guide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/troubleshooting-launch.html#troubleshooting-launch-capacity). @@ -569 +569 @@ Injects `InsufficientInstanceCapacity` error responses on requests made by the t - * **percentage** – Optional. The percentage (1-100) of the target Auto Scaling group's launch requests to inject the fault. The default is 100. + * **percentage** – Optional. The percentage (1-100) of the target Amazon EC2 Auto Scaling group's launch requests to inject the fault. The default is 100. @@ -576 +576 @@ Injects `InsufficientInstanceCapacity` error responses on requests made by the t - * `ec2:InjectApiError`with condition key ec2:FisActionId value set to `aws:ec2:asg-insufficient-instance-capacity-error` and `ec2:FisTargetArns` condition key set to target Auto Scaling groups. + * `ec2:InjectApiError`with condition key ec2:FisActionId value set to `aws:ec2:asg-insufficient-instance-capacity-error` and `ec2:FisTargetArns` condition key set to target Amazon EC2 Auto Scaling groups. @@ -1839,0 +1840,2 @@ AWS FIS supports the following network actions. + * aws:network:disrupt-vpc-endpoint + @@ -2026,0 +2029,41 @@ Blocks traffic from the target transit gateway peering attachments that is desti +### aws:network:disrupt-vpc-endpoint + +Blocks inbound and outbound traffic of the target interface VPC endpoints. FIS creates a managed security group with empty rules and temporarily replaces security groups of the target VPC endpoints with this managed security group. If modifications are made to the target resources during action execution, the action will fail and the resources will not be restored to their pre-experiment state. Additionally, if a FIS-managed security group is modified during action execution, it will not be deleted by FIS. . + +###### Resource type + + * **aws:ec2:vpc-endpoint** + + + + +###### Parameters + + * `duration` – The length of time the action lasts. In the AWS FIS API, the value is a string in ISO 8601 format. For example, PT1M represents one minute. In the AWS FIS console, you enter the number of seconds, minutes, or hours. + + + + +###### Permissions + + * `ec2:DescribeVpcEndpoints` + + * `ec2:DescribeSecurityGroups` + + * `ec2:ModifyVpcEndpoint` + + * `ec2:CreateSecurityGroup` + + * `ec2:DeleteSecurityGroup` + + * `ec2:RevokeSecurityGroupEgress` + + * `ec2:CreateTags` + + * `vpce:AllowMultiRegion` * + + + + +* The permission is only required if you are targeting cross-region VPC endpoints +