AWS vpc-lattice documentation change
Summary
Added DNS resolution requirements for domain-name targets and clarified private hosted zone behavior
Security assessment
Documents security best practices for DNS resolution (IN_VPC requirement) when using private DNS servers or Route53 private zones, reducing exposure to DNS spoofing attacks. No vulnerability fix indicated.
Diff
diff --git a/vpc-lattice/latest/ug/resource-configuration.md b/vpc-lattice/latest/ug/resource-configuration.md index 70595fe94..67225b400 100644 --- a//vpc-lattice/latest/ug/resource-configuration.md +++ b//vpc-lattice/latest/ug/resource-configuration.md @@ -136,0 +137,11 @@ The following considerations apply to consumers of resource configurations: +For resource configurations that are domain-name targets, a private hosted zone entry is not created if the following are true: + + * Resource gateway is in the same VPC as the service network VPC endpoint/service network VPC association. + + * DNS resolution is set to IN_VPC on the resource gateway. + + * The custom domain name or group domain is the same or higher-level domain of the domain-name target. + + + + @@ -151 +162 @@ In the resource configuration, identify the resource in one of the following way - * By a **domain-name target** : You can use any domain name that is publicly resolvable. If your domain name points to an IP that's outside of your VPC, you must have a NAT gateway in your VPC. + * By a **domain-name target** : You can use any domain name. If you use a private DNS server or your domain is in a Route53 private hosted zone, then the resource gateway must have DNS resolution set to IN_VPC. If your domain name points to an IP that's outside of your VPC, you must have a NAT gateway in your VPC.