AWS vpc documentation change
Summary
Added clarification notes about encryption status determination for VPC endpoints
Security assessment
Documents how encryption status is inferred (port-based for endpoints, TLS requirements for services), improving transparency about security controls. No vulnerability addressed.
Diff
diff --git a/vpc/latest/userguide/flow-log-records.md b/vpc/latest/userguide/flow-log-records.md index 4b4ffac26..5a31e1a4a 100644 --- a//vpc/latest/userguide/flow-log-records.md +++ b//vpc/latest/userguide/flow-log-records.md @@ -134,3 +134,3 @@ encryption-status | Encryption status of the flow. For more information about V - * flows on TCP port 443 for interface endpoint to AWS service - * flows on TCP port 443 for gateway endpoint - * flows to encrypted Redshift cluster via VPC endpoint + * flows on TCP port 443 for interface endpoint to AWS service* + * flows on TCP port 443 for gateway endpoint* + * flows to encrypted Redshift cluster via VPC endpoint** @@ -139 +139,5 @@ encryption-status | Encryption status of the flow. For more information about V -The value is '-' if VPC Encryption Controls is not enabled, or if FlowLog cannot get the status. **Parquet data type:** INT_32 | 10 +The value is '-' if VPC Encryption Controls is not enabled, or if FlowLog cannot get the status. + +###### Note + +* For interface and gateway endpoints, AWS does not look at packet data to determine encryption status, we instead rely on the port used to assume encryption status.** For specified AWS managed endpoints, AWS determines encryption status based on the requirement for TLS in the service configuration. **Parquet data type:** INT_32 | 10