AWS Security ChangesHomeSearch

AWS AmazonCloudFront documentation change

Service: AmazonCloudFront · 2026-02-19 · Documentation low

File: AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.md

Summary

Restructured documentation for VPC origins with clearer sections: VPC Configuration, Origin Resources, Security Group Configuration, and Protocol Restrictions. Added details on security group requirements, traffic allowance options, and explicit feature restrictions.

Security assessment

The changes add significant security documentation including: 1) Requirement for security groups on Network Load Balancers, 2) Introduction of service-managed security group 'CloudFront-VPCOrigins-Service-SG' with AWS management warnings, 3) Two explicit methods for allowing traffic (managed prefix list or service security group), 4) Prohibition against creating similarly-named custom security groups. However, there's no evidence these changes address a specific security vulnerability.

Diff

diff --git a/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.md b/AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.md
index 6a60e8b41..8b23a996e 100644
--- a//AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.md
+++ b//AmazonCloudFront/latest/DeveloperGuide/private-content-vpc-origins.md
@@ -30 +30 @@ Before you create a VPC origin for your CloudFront distribution, you must comple
-  * Create a virtual private cloud (VPC) on Amazon VPC.
+### VPC Configuration
@@ -32 +32 @@ Before you create a VPC origin for your CloudFront distribution, you must comple
-    * Your VPC must be in one of the AWS Regions that are supported for VPC origins. For more information, see Supported AWS Regions for VPC origins.
+**Create a virtual private cloud (VPC) on Amazon VPC** in one of the AWS Regions that are supported for VPC origins. For information about creating a VPC, see [Create a VPC plus other VPC resources](https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html#create-vpc-and-other-resources) in the _Amazon VPC User Guide_. For a list of supported Regions, see Supported AWS Regions for VPC origins.
@@ -34 +34 @@ Before you create a VPC origin for your CloudFront distribution, you must comple
-    * Network ACLs associated with your VPC subnets apply to egress (outbound) traffic when client IP address preservation is enabled on your VPC origin. However, for traffic to be allowed to exit through your VPC origin you must configure the ACL as both an inbound and outbound rule.
+Your VPC must include the following:
@@ -36 +36 @@ Before you create a VPC origin for your CloudFront distribution, you must comple
-For example, to allow TCP and UDP clients using an ephemeral source port to connect to your endpoint through your VPC origin, associate the subnet of your endpoint with a Network ACL that allows outbound traffic destined to an ephemeral TCP or UDP port (port range 1024-65535, destination 0.0.0.0/0). In addition, create a matching inbound rule (port range 1024-65535, source 0.0.0.0/0).
+  * **Internet gateway** – You need to add an internet gateway to the VPC that has your VPC origin resources. The internet gateway is required to denote that the VPC can receive traffic from the internet. The internet gateway is not used for routing traffic to origins inside the subnet, and you don't need to update the routing policies.
@@ -38 +38 @@ For example, to allow TCP and UDP clients using an ephemeral source port to conn
-For information about creating a VPC, see [Create a VPC plus other VPC resources](https://docs.aws.amazon.com/vpc/latest/userguide/create-vpc.html#create-vpc-and-other-resources) in the _Amazon VPC User Guide_.
+  * **Private subnet with at least one available IPv4 address** – CloudFront routes to your subnet by using a service-managed elastic network interface (ENI) that CloudFront creates after you define your VPC origin resource with CloudFront. You must have at least one available IPv4 address in your private subnet so that the ENI creation process can succeed. The IPv4 address can be private, and there is no additional cost for it. IPv6-only subnets are not supported.
@@ -40 +39,0 @@ For information about creating a VPC, see [Create a VPC plus other VPC resources
-  * Include the following in your VPC:
@@ -42 +40,0 @@ For information about creating a VPC, see [Create a VPC plus other VPC resources
-    * **Internet gateway** – You need to add an internet gateway to the VPC that has your VPC origin resources. The internet gateway is required to denote that the VPC can receive traffic from the internet. The internet gateway is not used for routing traffic to origins inside the subnet, and you don't need to update the routing policies.
@@ -44 +41,0 @@ For information about creating a VPC, see [Create a VPC plus other VPC resources
-    * **Private subnet with at least one available IPv4 address** – CloudFront routes to your subnet by using a service-managed elastic network interface (ENI) that CloudFront creates after you define your VPC origin resource with CloudFront. You must have at least one available IPv4 address in your private subnet so that the ENI creation process can succeed. The IPv4 address can be private, and there is no additional cost for it.
@@ -46 +43,24 @@ For information about creating a VPC, see [Create a VPC plus other VPC resources
-###### Note
+### Origin Resources
+
+In the private subnet, launch an Application Load Balancer, a Network Load Balancer, or an EC2 instance to use as your origin. The resource you launch must be fully deployed and in Active status before you can use it for a VPC origin.
+
+**Origin restrictions:**
+
+  * Gateway Load Balancers cannot be added as origins
+
+  * Dual-stack Network Load Balancers cannot be added as origins
+
+  * Network Load Balancers with TLS listeners cannot be added as origins
+
+  * To be used as a VPC origin, a Network Load Balancer must have a security group attached to it
+
+
+
+
+### Security Group Configuration
+
+Your VPC origin resources (Application Load Balancer, Network Load Balancer, or EC2 instance) must have a security group attached. When you create a VPC origin, CloudFront automatically creates a service-managed security group with the naming pattern `CloudFront-VPCOrigins-Service-SG`. This security group is fully managed by AWS, and should not be edited.
+
+To allow traffic from CloudFront to reach your VPC origin, update the security group attached to your origin resource (ALB, NLB, or EC2 instance) to allow inbound traffic using one of the following methods:
+
+  * **Option 1:** Allow traffic from the CloudFront managed prefix list. For more information, see [Use the CloudFront managed prefix list](./LocationsOfEdgeServers.html#managed-prefix-list). This can be done before VPC origin created as well.
@@ -48 +68 @@ For information about creating a VPC, see [Create a VPC plus other VPC resources
-IPv6-only subnets are not supported.
+  * **Option 2:** Allow traffic from the CloudFront service-managed security group (`CloudFront-VPCOrigins-Service-SG`). This can be done only after the VPC origin is created and the service-managed security group is created. This configuration is further restrictive as it restricts the traffic only to your CloudFront distributions.
@@ -50 +69,0 @@ IPv6-only subnets are not supported.
-  * In the private subnet, launch an Application Load Balancer, a Network Load Balancer, or an EC2 instance to use as your origin.
@@ -52 +70,0 @@ IPv6-only subnets are not supported.
-    * The resource you launch must be fully deployed and in **Active** status before you can use it for a VPC origin.
@@ -54 +71,0 @@ IPv6-only subnets are not supported.
-    * Gateway Load Balancers, dual-stack Network Load Balancers and Network Load Balancers with TLS listeners can't be added as origins.
@@ -56 +73 @@ IPv6-only subnets are not supported.
-    * To be used as a VPC origin, a Network Load Balancer must have a security group attached to it.
+###### Important
@@ -58 +75 @@ IPv6-only subnets are not supported.
-    * Update your security groups for the VPC private origins to explicitly allow the CloudFront managed prefix list. For more information, see [Use the CloudFront managed prefix list](./LocationsOfEdgeServers.html#managed-prefix-list).
+Do not create your own security group with a name starting with `CloudFront-VPCOrigins-Service-SG`. This is an AWS reserved naming pattern for service-managed security groups. For more information, see [Creating a security group](https://docs.aws.amazon.com/vpc/latest/userguide/creating-security-groups.html).
@@ -60 +77 @@ IPv6-only subnets are not supported.
-###### Note
+### Protocol and Feature Restrictions
@@ -62 +79 @@ IPv6-only subnets are not supported.
-CloudFront-VPCOrigins-Service-SG is an AWS reserved name for security groups that are used for VPC origins. You must specify a different name for your security group. For more information, see [Creating a security group](https://docs.aws.amazon.com/vpc/latest/userguide/creating-security-groups.html).
+VPC origins do not support the following:
@@ -64 +81 @@ CloudFront-VPCOrigins-Service-SG is an AWS reserved name for security groups tha
-      * After the VPC origin is created, the security group can be further restricted to allow only traffic from your VPC origins. To do this, update the allowed traffic source from the managed prefix list to the CloudFront security group.
+  * WebSockets
@@ -66 +83 @@ CloudFront-VPCOrigins-Service-SG is an AWS reserved name for security groups tha
-###### Note
+  * gRPC traffic
@@ -68 +85 @@ CloudFront-VPCOrigins-Service-SG is an AWS reserved name for security groups tha
-WebSockets, gRPC traffic, origin request and origin response triggers with Lambda@Edge in CloudFront are not supported for VPC origins. For more information, see [Work with requests and responses](./lambda-generating-http-responses.html) in the Lambda@Edge documentation.
+  * Origin request and origin response triggers with Lambda@Edge