AWS Security ChangesHomeSearch

AWS network-firewall documentation change

Service: network-firewall · 2026-03-16 · Documentation low

File: network-firewall/latest/developerguide/suricata-limitations-caveats.md

Summary

Added limitation that TLS rule matches in session holding configurations won't include SNI in alert logs

Security assessment

Documents a logging limitation in security-related TLS rule matches but does not indicate an active vulnerability

Diff

diff --git a/network-firewall/latest/developerguide/suricata-limitations-caveats.md b/network-firewall/latest/developerguide/suricata-limitations-caveats.md
index f9b51a6b7..7bb2f40b2 100644
--- a//network-firewall/latest/developerguide/suricata-limitations-caveats.md
+++ b//network-firewall/latest/developerguide/suricata-limitations-caveats.md
@@ -61,0 +62,2 @@ For example, say you set the rule group's `HOME_NET` to `10.0.0.0`, and the fire
+  * When matching TLS based rules in a session holding configuration, alert logs will not contain the SNI that was accessed upon rule match. 
+