AWS vpc-lattice documentation change
Summary
Added request tracking documentation using x-amzn-requestid header
Security assessment
Documents request correlation for observability/auditing (security best practice) but doesn't address vulnerabilities. Adds requestId field to access logs.
Diff
diff --git a/vpc-lattice/latest/ug/monitoring-access-logs.md b/vpc-lattice/latest/ug/monitoring-access-logs.md index df2f4d567..02488a532 100644 --- a//vpc-lattice/latest/ug/monitoring-access-logs.md +++ b//vpc-lattice/latest/ug/monitoring-access-logs.md @@ -5 +5 @@ -IAM permissions required to enable access logsAccess log destinationsEnable access logsAccess log contentsResource access log contentsTroubleshoot access logs +IAM permissions required to enable access logsAccess log destinationsEnable access logsRequest trackingAccess log contentsResource access log contentsTroubleshoot access logs @@ -24,0 +25,2 @@ Charges apply when access logs are published. Logs that AWS natively publishes o + * Request tracking + @@ -162,0 +165,76 @@ Use the CLI command [create-access-log-subscription](https://docs.aws.amazon.com +## Request tracking + +VPC Lattice supports request tracking and correlation across clients, targets, and logs for observability and debugging with the x-amzn-requestid header. This header can be set and sent by the client or generated by VPC Lattice and is sent to targets and also available in access logs. + +###### Default behavior + + * VPC Lattice automatically generates this header for every request. + + * The value is a randomly generated identifier (UUID-style by default). + + * The generated identifier is: + + * Propagated to downstream targets. + + * Returned in response headers to clients. + + * Logged in access logs + + + + +###### Example (default response) + +The following is an example of a response sent to client with the default behavior of VPC Lattice generating a random value for the valu eof x-amzn-requestid header. + + + { + "HTTP/1.1 200 OK + x-amzn-requestid: a9f2c7a1-6b4f-4c79-9e87-ff5a1234a001" + } + +###### Client setting the value + + * Clients can optionally set this header on incoming requests to override the automatically generated value. + + * Considerations + + * The header value does not need to follow a UUID format. + + * If the header value exceeds 512 bytes, VPC Lattice will truncate it to 512. + + + + + * When overridden successfully, the provided header value will: + + * Appear in response headers + + * Be propagated to targets + + * Appear in access logs and metrics + + + + +###### Example (override client reqeust) + +The following is an example of a reqeust sent by the client with a header value. + + + { + "GET /my-service/endpoint HTTP/1.1 + Host: my-api.example.com + x-amzn-requestid: trace-request-foobar" + } + +###### Example (default override response) + +The following is an example of a response sent to client with the overridden value. + + + { + "HTTP/1.1 200 OK + x-amzn-requestid: trace-request-foobar" + } + @@ -194,0 +273 @@ Field | Description | Format +`requestId` | This a unique identifier automatically included in responses as the value of the x-amzn-requestid header. It enables request correlation across clients, targets, and logs for observability and debugging. | string @@ -248 +327,2 @@ The following is an example log entry. - "grpcResponseCode": 1 + "grpcResponseCode": 1, + "requestId": "a9f2c7a1-6b4f-4c79-9e87-ff5a1234a001"