AWS AWSCloudFormation documentation change
Summary
Clarified that the 'Mode' property for mutual authentication defaults to 'off' only on initial creation, and that removing the property from a template does not disable it - it must be explicitly set to 'off'.
Security assessment
This change clarifies the behavior of a security feature (mutual authentication) to prevent misconfiguration. It does not address a specific vulnerability but improves documentation to avoid unintended security posture (e.g., leaving mutual authentication enabled by mistake).
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/aws-properties-elasticloadbalancingv2-listener-mutualauthentication.md b/AWSCloudFormation/latest/TemplateReference/aws-properties-elasticloadbalancingv2-listener-mutualauthentication.md index 5ae09cc8f..c65fde5de 100644 --- a//AWSCloudFormation/latest/TemplateReference/aws-properties-elasticloadbalancingv2-listener-mutualauthentication.md +++ b//AWSCloudFormation/latest/TemplateReference/aws-properties-elasticloadbalancingv2-listener-mutualauthentication.md @@ -64 +64 @@ _Required_ : No -The client certificate handling method. Options are `off`, `passthrough` or `verify`. The default value is `off`. +The client certificate handling method. Options are `off`, `passthrough` or `verify`. The default value on initial resource creation is `off`. After mutual authentication is turned on, you must explicitly set the `Mode` to `off` to turn it off; removing the property from your template will not turn it off.