AWS Security ChangesHomeSearch

AWS vpc documentation change

Service: vpc · 2025-12-10 · Documentation low

File: vpc/latest/userguide/flow-log-records.md

Summary

Added clarification notes about encryption status determination for VPC endpoints

Security assessment

Documents how encryption status is inferred (port-based for endpoints, TLS requirements for services), improving transparency about security controls. No vulnerability addressed.

Diff

diff --git a/vpc/latest/userguide/flow-log-records.md b/vpc/latest/userguide/flow-log-records.md
index 4b4ffac26..5a31e1a4a 100644
--- a//vpc/latest/userguide/flow-log-records.md
+++ b//vpc/latest/userguide/flow-log-records.md
@@ -134,3 +134,3 @@ encryption-status |  Encryption status of the flow. For more information about V
-    * flows on TCP port 443 for interface endpoint to AWS service
-    * flows on TCP port 443 for gateway endpoint
-    * flows to encrypted Redshift cluster via VPC endpoint
+    * flows on TCP port 443 for interface endpoint to AWS service*
+    * flows on TCP port 443 for gateway endpoint*
+    * flows to encrypted Redshift cluster via VPC endpoint**
@@ -139 +139,5 @@ encryption-status |  Encryption status of the flow. For more information about V
-The value is '-' if VPC Encryption Controls is not enabled, or if FlowLog cannot get the status. **Parquet data type:** INT_32 |  10  
+The value is '-' if VPC Encryption Controls is not enabled, or if FlowLog cannot get the status.
+
+###### Note
+
+* For interface and gateway endpoints, AWS does not look at packet data to determine encryption status, we instead rely on the port used to assume encryption status.** For specified AWS managed endpoints, AWS determines encryption status based on the requirement for TLS in the service configuration. **Parquet data type:** INT_32 |  10