AWS Security ChangesHomeSearch

AWS solutions documentation change

Service: solutions · 2025-11-22 · Documentation medium

File: solutions/latest/distributed-load-testing-on-aws/aws-well-architected-design-considerations.md

Summary

Enhanced network security section emphasizing private access via VPC endpoints

Security assessment

Strengthens documentation about network isolation but doesn't indicate a vulnerability fix

Diff

diff --git a/solutions/latest/distributed-load-testing-on-aws/aws-well-architected-design-considerations.md b/solutions/latest/distributed-load-testing-on-aws/aws-well-architected-design-considerations.md
index 01ab2a555..e6eb1d163 100644
--- a//solutions/latest/distributed-load-testing-on-aws/aws-well-architected-design-considerations.md
+++ b//solutions/latest/distributed-load-testing-on-aws/aws-well-architected-design-considerations.md
@@ -17 +17 @@ This section describes how we architected this solution using the principles and
-  * Resources defined as infrastructure as code using CloudFormation.
+  * All resources are defined as infrastructure as code using AWS CloudFormation templates generated from AWS CDK constructs.
@@ -19 +19 @@ This section describes how we architected this solution using the principles and
-  * The solution pushes metrics to Amazon CloudWatch at various stages to provide observability into the infrastructure: Lambda functions, Amazon ECS tasks, Amazon S3 buckets, and the rest of the solution components.
+  * The solution pushes metrics to CloudWatch at various stages to provide observability into Lambda functions, ECS tasks, S3 buckets, and other solution components.
@@ -28 +28 @@ This section describes how we architected this solution using the principles and
-  * Amazon Cognito authenticates and authorizes web UI app users.
+  * Cognito authenticates and authorizes web console users and API requests.
@@ -30 +30 @@ This section describes how we architected this solution using the principles and
-  * All interservice communications use applicable [AWS Identity and Access Management](https://aws.amazon.com/iam/) (IAM) roles.
+  * All interservice communications use [AWS Identity and Access Management](https://aws.amazon.com/iam/) (IAM) roles with least privilege access, containing only the minimum permissions required.
@@ -32 +32 @@ This section describes how we architected this solution using the principles and
-  * All roles used by the solution follow least privilege access. They only contain the minimum permissions required to accomplish the task.
+  * All data storage, including S3 buckets and DynamoDB tables, encrypts data at rest using AWS managed keys.
@@ -34 +34 @@ This section describes how we architected this solution using the principles and
-  * All data storage, including the S3 buckets, encrypts the data at rest.
+  * Logging, tracing, and versioning are enabled where applicable for audit and compliance purposes.
@@ -36 +36 @@ This section describes how we architected this solution using the principles and
-  * An Amazon Cognito user pool manages user access to the console and the distributed load tester API Gateway endpoints.
+  * Network access is private by default with VPC endpoints enabled where available to keep traffic within the AWS network.
@@ -38 +37,0 @@ This section describes how we architected this solution using the principles and
-  * Logging, tracing, and versioning is turned on where applicable.
@@ -40 +38,0 @@ This section describes how we architected this solution using the principles and
-  * Network access is private by default with [Amazon Virtual Private Cloud](https://aws.amazon.com/vpc/) (Amazon VPC) endpoints being turned on where available.
@@ -42,0 +41 @@ This section describes how we architected this solution using the principles and
+###### Note
@@ -43,0 +43 @@ This section describes how we architected this solution using the principles and
+The solution creates multiple CloudWatch log groups with varying retention periods based on log volume and cost considerations:
@@ -45 +45,6 @@ This section describes how we architected this solution using the principles and
-###### Note
+Log Type | Retention Period  
+---|---  
+ECS container insights |  1 day  
+Step Functions, ECS custom logs, API Gateway access logs |  1 year  
+Lambda runtime logs |  2 years  
+API Gateway execution logs |  Never expire  
@@ -47 +52 @@ This section describes how we architected this solution using the principles and
-Distributed Load Testing on AWS creates multiple CloudWatch log groups based on the service being used. The log retention period for the logs varies based on the storage and cost of the volume of log events generated. The solution creates container insight logs for the ECS tasks; these logs have log retention configured to 1 day. The logs created for the services AWS Step Functions, ECS Load Testing custom logs, and API Gateway logs are configured with a retention period of 1 year. AWS Lambda runtime logs have log retention configured to 2 years. API Gateway execution logs have log retention configured to never expire. You can change the log retention periods based on your requirements in the CloudWatch console.
+You can modify these retention periods in the CloudWatch console based on your requirements.
@@ -86,0 +92,2 @@ This section describes how we architected this solution using the principles and
+  * AWS AgentCore Gateway serves as a cost-effective Lambda-based proxy to the distributed load testing API, eliminating the need for dedicated infrastructure and reducing costs through serverless pay-per-request pricing.
+