AWS Security ChangesHomeSearch

AWS AWSCloudFormation documentation change

Service: AWSCloudFormation · 2026-03-31 · Documentation low

File: AWSCloudFormation/latest/TemplateReference/aws-properties-elasticloadbalancingv2-listener-mutualauthentication.md

Summary

Clarified that the 'Mode' property for mutual authentication defaults to 'off' only on initial creation, and that removing the property from a template does not disable it - it must be explicitly set to 'off'.

Security assessment

This change clarifies the behavior of a security feature (mutual authentication) to prevent misconfiguration. It does not address a specific vulnerability but improves documentation to avoid unintended security posture (e.g., leaving mutual authentication enabled by mistake).

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-properties-elasticloadbalancingv2-listener-mutualauthentication.md b/AWSCloudFormation/latest/TemplateReference/aws-properties-elasticloadbalancingv2-listener-mutualauthentication.md
index 5ae09cc8f..c65fde5de 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-properties-elasticloadbalancingv2-listener-mutualauthentication.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-properties-elasticloadbalancingv2-listener-mutualauthentication.md
@@ -64 +64 @@ _Required_ : No
-The client certificate handling method. Options are `off`, `passthrough` or `verify`. The default value is `off`.
+The client certificate handling method. Options are `off`, `passthrough` or `verify`. The default value on initial resource creation is `off`. After mutual authentication is turned on, you must explicitly set the `Mode` to `off` to turn it off; removing the property from your template will not turn it off.