AWS vpc documentation change
Summary
Added limitations for encryption-status field and regional NAT gateway traffic logging
Security assessment
Documents limitations of security-related 'encryption-status' field but does not address a specific vulnerability. The changes clarify monitoring vs enforcement behavior for encryption controls without indicating a security flaw.
Diff
diff --git a/vpc/latest/userguide/flow-logs-limitations.md b/vpc/latest/userguide/flow-logs-limitations.md index 137c516b5..77018d78a 100644 --- a//vpc/latest/userguide/flow-logs-limitations.md +++ b//vpc/latest/userguide/flow-logs-limitations.md @@ -57,0 +58,2 @@ Flow logs do not capture all IP traffic. The following types of traffic are not + * Traffic on a short-lived regional NAT gateway, which is deleted a few minutes after creation. + @@ -75,0 +78,17 @@ Limitations specific to ECS fields available in version 7: +Limitations specific to `encryption-status` field: + + * The encryption status may be '-'(not available) in some flows, due to limitation of some network appliance to report the encryption status. Users can ignore these flows in the analysis. + + * Showing as encrypted in monitor mode does not mean the flow will be allowed in enforce mode. Vice versa. + + * If a flow is encrypted in monitor mode, it may not be compliant in enforce mode: + + * If the flow involves an ENI created by an AWS service, then the service needs to support Encryption Controls. + + * If the flow goes through VPC peering, the peered VPC may not force Encryption Controls. + + * If a flow is not encrypted in monitor mode, it may still be compliant in enforce mode, given the service related to the flow is added as an exclusion. + + + +