AWS Security ChangesHomeSearch

AWS vpc documentation change

Service: vpc · 2026-01-10 · Documentation low

File: vpc/latest/tgw/tgw-modifying.md

Summary

Revised Transit Gateway modification docs: Removed detailed traffic encryption behavior and added attachment requirements for VPCs with Encryption Controls.

Security assessment

Changes document security feature (encryption support) but show no evidence of patching a vulnerability. Focuses on clarifying operational requirements for encrypted attachments.

Diff

diff --git a/vpc/latest/tgw/tgw-modifying.md b/vpc/latest/tgw/tgw-modifying.md
index cd9b7b4d3..15822c339 100644
--- a//vpc/latest/tgw/tgw-modifying.md
+++ b//vpc/latest/tgw/tgw-modifying.md
@@ -15,3 +15 @@ You cannot remove a CIDR block for the transit gateway if any of the IP addresse
-You must enable Encryption Support on a Transit Gateway explicitly to encrypt traffic between your VPCs that have encryption controls turned on.
-
-Traffic between two VPCs in enforce mode (without exclusions) is end-to-end encrypted via the TGW. Encryption on Transit Gateway also allows you to connect two VPCs that are in different Encryption Controls modes. Traffic between VPCs (one in enforce mode and another in Monitor or OFF mode) is guaranteed to be encrypted only between the VPC running in enforce mode, up to the Transit Gateway. Beyond that, it depends on the resource that is running in the non-enforced VPC and is not guaranteed to be encrypted between the Transit Gateway and the non-enforced VPC.
+Transit gateways that have Encryption Support enabled can be attached to VPCs with Encryption Controls in monitor or Enforce mode, or to VPCs that don’t have Encryption Controls enabled. VPCs that have Encryption Controls in Enforce mode can ONLY be attached to Transit Gateways that have Encryption Support enabled.