AWS vpc documentation change
Summary
Corrected Gateway Load Balancer (GWLB) behavior description from 'blocked even if' to 'blocked unless' and added warning about internet-facing load balancers with partial subnet exclusions.
Security assessment
The change clarifies security feature behavior and adds important security documentation about a potential misconfiguration scenario. The correction of GWLB behavior from 'even if' to 'unless' fixes inaccurate documentation that could have led to security misconfigurations. The added note warns about a security implication where internet-facing load balancers with partial subnet exclusions can still route public traffic to non-excluded subnets, which is valuable security guidance but not evidence of addressing a specific security incident.
Diff
diff --git a/vpc/latest/userguide/security-vpc-bpa-basics.md b/vpc/latest/userguide/security-vpc-bpa-basics.md index 9226b73e5..3537e805b 100644 --- a//vpc/latest/userguide/security-vpc-bpa-basics.md +++ b//vpc/latest/userguide/security-vpc-bpa-basics.md @@ -46 +46 @@ The following resources and services support VPC BPA and traffic to these servic - * **Gateway Load Balancer (GWLB)** : All inbound and outbound traffic is blocked even if the subnet containing GWLB endpoints is excluded. + * **Gateway Load Balancer (GWLB)** : All inbound and outbound traffic is blocked unless the subnet containing GWLB endpoints is excluded. @@ -89,0 +90,2 @@ Traffic related to private connectivity, such as traffic for the following servi + * If you have an internet-facing load balancer and you create a VPC BPA exclusion for only one of its subnets, the load balancer can still receive public traffic in the excluded subnet and route it privately to targets in subnets that are not excluded. To ensure VPC BPA fully blocks public access to your targets, make sure none of the load balancer subnets are excluded. +