AWS Security ChangesHomeSearch

AWS vpc documentation change

Service: vpc · 2025-11-22 · Documentation low

File: vpc/latest/userguide/flow-logs-limitations.md

Summary

Added limitations for encryption-status field and regional NAT gateway traffic logging

Security assessment

Documents limitations of security-related 'encryption-status' field but does not address a specific vulnerability. The changes clarify monitoring vs enforcement behavior for encryption controls without indicating a security flaw.

Diff

diff --git a/vpc/latest/userguide/flow-logs-limitations.md b/vpc/latest/userguide/flow-logs-limitations.md
index 137c516b5..77018d78a 100644
--- a//vpc/latest/userguide/flow-logs-limitations.md
+++ b//vpc/latest/userguide/flow-logs-limitations.md
@@ -57,0 +58,2 @@ Flow logs do not capture all IP traffic. The following types of traffic are not
+  * Traffic on a short-lived regional NAT gateway, which is deleted a few minutes after creation.
+
@@ -75,0 +78,17 @@ Limitations specific to ECS fields available in version 7:
+Limitations specific to `encryption-status` field:
+
+  * The encryption status may be '-'(not available) in some flows, due to limitation of some network appliance to report the encryption status. Users can ignore these flows in the analysis.
+
+  * Showing as encrypted in monitor mode does not mean the flow will be allowed in enforce mode. Vice versa.
+
+    * If a flow is encrypted in monitor mode, it may not be compliant in enforce mode:
+
+      * If the flow involves an ENI created by an AWS service, then the service needs to support Encryption Controls.
+
+      * If the flow goes through VPC peering, the peered VPC may not force Encryption Controls.
+
+    * If a flow is not encrypted in monitor mode, it may still be compliant in enforce mode, given the service related to the flow is added as an exclusion.
+
+
+
+