AWS Security ChangesHomeSearch

AWS awssupport documentation change

Service: awssupport · 2026-02-13 · Documentation medium

File: awssupport/latest/user/support-console-access-control.md

Summary

Updated VPN configuration note to clarify client IP forwarding requirements when using aws:SourceIp IAM conditions.

Security assessment

Clarifies security best practices for IAM policy enforcement (aws:SourceIp condition) but doesn't address a specific vulnerability. Proactively prevents misconfigurations that could cause authorization failures, enhancing security documentation.

Diff

diff --git a/awssupport/latest/user/support-console-access-control.md b/awssupport/latest/user/support-console-access-control.md
index 3b5280e36..d47afc1a3 100644
--- a//awssupport/latest/user/support-console-access-control.md
+++ b//awssupport/latest/user/support-console-access-control.md
@@ -33 +33 @@ SaveFeedback |  WRITE |  Grants permission to save questionnaire feedback.
-If you have a custom VPN configuration, then your IAM policies must allow the Support Center Console API endpoint in the [aws.sourceIP conditions](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html). If the Support Center Console API endpoint isn't allowed, then your ClientIp address won't forward to the API correctly. The following table provides the Support Center Console API endpoints by AWS Region.
+If you have a custom VPN configuration, make sure that you configure your VPN to correctly forward your client IP address to the Support Center Console API endpoint. When using a VPN with AWS Identity and Access Management policies that include [aws:SourceIp](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_deny-ip.html) conditions, the client IP address specified in your IAM policy must be forwarded to the API endpoint, not the VPN's IP address. If the VPN forwards its own IP address instead of the client IP address, authorization might fail because the IP address doesn't match the `aws:SourceIp` condition in your IAM policy. The following table provides the Support Center Console API endpoints by AWS Region.