AWS Security ChangesHomeSearch

AWS vpc-lattice documentation change

Service: vpc-lattice · 2025-12-10 · Documentation medium

File: vpc-lattice/latest/ug/monitoring-access-logs.md

Summary

Added request tracking documentation using x-amzn-requestid header

Security assessment

Documents request correlation for observability/auditing (security best practice) but doesn't address vulnerabilities. Adds requestId field to access logs.

Diff

diff --git a/vpc-lattice/latest/ug/monitoring-access-logs.md b/vpc-lattice/latest/ug/monitoring-access-logs.md
index df2f4d567..02488a532 100644
--- a//vpc-lattice/latest/ug/monitoring-access-logs.md
+++ b//vpc-lattice/latest/ug/monitoring-access-logs.md
@@ -5 +5 @@
-IAM permissions required to enable access logsAccess log destinationsEnable access logsAccess log contentsResource access log contentsTroubleshoot access logs
+IAM permissions required to enable access logsAccess log destinationsEnable access logsRequest trackingAccess log contentsResource access log contentsTroubleshoot access logs
@@ -24,0 +25,2 @@ Charges apply when access logs are published. Logs that AWS natively publishes o
+  * Request tracking
+
@@ -162,0 +165,76 @@ Use the CLI command [create-access-log-subscription](https://docs.aws.amazon.com
+## Request tracking
+
+VPC Lattice supports request tracking and correlation across clients, targets, and logs for observability and debugging with the x-amzn-requestid header. This header can be set and sent by the client or generated by VPC Lattice and is sent to targets and also available in access logs.
+
+###### Default behavior
+
+  * VPC Lattice automatically generates this header for every request.
+
+  * The value is a randomly generated identifier (UUID-style by default).
+
+  * The generated identifier is:
+
+    * Propagated to downstream targets.
+
+    * Returned in response headers to clients.
+
+    * Logged in access logs
+
+
+
+
+###### Example (default response)
+
+The following is an example of a response sent to client with the default behavior of VPC Lattice generating a random value for the valu eof x-amzn-requestid header.
+    
+    
+    {
+        "HTTP/1.1 200 OK
+        x-amzn-requestid: a9f2c7a1-6b4f-4c79-9e87-ff5a1234a001"
+    }
+
+###### Client setting the value
+
+  * Clients can optionally set this header on incoming requests to override the automatically generated value.
+
+  * Considerations
+
+    * The header value does not need to follow a UUID format.
+
+    * If the header value exceeds 512 bytes, VPC Lattice will truncate it to 512.
+
+
+
+
+  * When overridden successfully, the provided header value will:
+
+    * Appear in response headers
+
+    * Be propagated to targets
+
+    * Appear in access logs and metrics
+
+
+
+
+###### Example (override client reqeust)
+
+The following is an example of a reqeust sent by the client with a header value.
+    
+    
+    {
+        "GET /my-service/endpoint HTTP/1.1 
+        Host: my-api.example.com
+        x-amzn-requestid: trace-request-foobar"
+    }
+
+###### Example (default override response)
+
+The following is an example of a response sent to client with the overridden value.
+    
+    
+    {
+        "HTTP/1.1 200 OK
+        x-amzn-requestid: trace-request-foobar"
+    }
+
@@ -194,0 +273 @@ Field | Description | Format
+`requestId` |  This a unique identifier automatically included in responses as the value of the x-amzn-requestid header. It enables request correlation across clients, targets, and logs for observability and debugging. |  string  
@@ -248 +327,2 @@ The following is an example log entry.
-        "grpcResponseCode": 1
+        "grpcResponseCode": 1,
+        "requestId": "a9f2c7a1-6b4f-4c79-9e87-ff5a1234a001"