AWS Security ChangesHomeSearch

AWS network-firewall documentation change

Service: network-firewall · 2026-03-28 · Documentation low

File: network-firewall/latest/developerguide/session-holding-tls.md

Summary

Added clarification that alert logs based on TLS rules in session holding configuration will not contain the SNI that was accessed upon rule match.

Security assessment

This change documents a logging limitation in TLS session holding configuration. While it relates to security monitoring capabilities, it does not address a security vulnerability or add new security features - it simply clarifies existing behavior.

Diff

diff --git a/network-firewall/latest/developerguide/session-holding-tls.md b/network-firewall/latest/developerguide/session-holding-tls.md
index c0106f13f..e48012597 100644
--- a//network-firewall/latest/developerguide/session-holding-tls.md
+++ b//network-firewall/latest/developerguide/session-holding-tls.md
@@ -19 +19 @@ Without session holding, Network Firewall immediately initiates TCP/TLS handshak
-With session holding, Network Firewall waits for SNI information from the client's TLS handshake before initiating downstream connections. This lets the firewall evaluate TLS SNI-based rules first, preventing any connection attempts to blocked domains from reaching downstream servers.
+With session holding, Network Firewall waits for SNI information from the client's TLS handshake before initiating downstream connections. This lets the firewall evaluate TLS SNI-based rules first, preventing any connection attempts to blocked domains from reaching downstream servers. Alert logs based on TLS rules in this configuration will not contain the SNI that was accessed upon rule match.