AWS Security ChangesHomeSearch

AWS vpc-lattice documentation change

Service: vpc-lattice · 2026-05-01 · Documentation low

File: vpc-lattice/latest/ug/resource-configuration.md

Summary

Added DNS resolution requirements for domain-name targets and clarified private hosted zone behavior

Security assessment

Documents security best practices for DNS resolution (IN_VPC requirement) when using private DNS servers or Route53 private zones, reducing exposure to DNS spoofing attacks. No vulnerability fix indicated.

Diff

diff --git a/vpc-lattice/latest/ug/resource-configuration.md b/vpc-lattice/latest/ug/resource-configuration.md
index 70595fe94..67225b400 100644
--- a//vpc-lattice/latest/ug/resource-configuration.md
+++ b//vpc-lattice/latest/ug/resource-configuration.md
@@ -136,0 +137,11 @@ The following considerations apply to consumers of resource configurations:
+For resource configurations that are domain-name targets, a private hosted zone entry is not created if the following are true:
+
+  * Resource gateway is in the same VPC as the service network VPC endpoint/service network VPC association.
+
+  * DNS resolution is set to IN_VPC on the resource gateway.
+
+  * The custom domain name or group domain is the same or higher-level domain of the domain-name target.
+
+
+
+
@@ -151 +162 @@ In the resource configuration, identify the resource in one of the following way
-  * By a **domain-name target** : You can use any domain name that is publicly resolvable. If your domain name points to an IP that's outside of your VPC, you must have a NAT gateway in your VPC.
+  * By a **domain-name target** : You can use any domain name. If you use a private DNS server or your domain is in a Route53 private hosted zone, then the resource gateway must have DNS resolution set to IN_VPC. If your domain name points to an IP that's outside of your VPC, you must have a NAT gateway in your VPC.