AWS Security ChangesHomeSearch

AWS network-firewall documentation change

Service: network-firewall · 2026-04-22 · Documentation low

File: network-firewall/latest/developerguide/session-holding-tls.md

Summary

Added note that Application Layer drop established default rules are incompatible with session-holding configuration.

Security assessment

This change documents a compatibility limitation between application layer drop rules and session-holding configurations. While it relates to security feature configuration, there's no evidence it addresses a specific security vulnerability or incident. It adds documentation about security feature limitations.

Diff

diff --git a/network-firewall/latest/developerguide/session-holding-tls.md b/network-firewall/latest/developerguide/session-holding-tls.md
index 00712f8b9..4408d6d27 100644
--- a//network-firewall/latest/developerguide/session-holding-tls.md
+++ b//network-firewall/latest/developerguide/session-holding-tls.md
@@ -12,0 +13,2 @@ To use session holding, you must have TLS Inspection configuration and TLS Inspe
+Application Layer drop established default rules are incompatible with a session-holding configuration. You can read more at [Managing evaluation order for Suricata compatible rules in AWS Network Firewall.](https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html)
+