AWS Security ChangesHomeSearch

AWS cli documentation change

Service: cli · 2026-05-10 · Documentation medium

File: cli/latest/reference/route53resolver/create-resolver-endpoint.md

Summary

Added new flags for DNS64 and IPv6 internet access with security warnings

Security assessment

Added documentation for new security features (DNS64/IPv6 access) with explicit warnings about protecting endpoints using security groups/NACLs. While this adds security documentation, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/cli/latest/reference/route53resolver/create-resolver-endpoint.md b/cli/latest/reference/route53resolver/create-resolver-endpoint.md
index 20cb69434..60c80ecde 100644
--- a//cli/latest/reference/route53resolver/create-resolver-endpoint.md
+++ b//cli/latest/reference/route53resolver/create-resolver-endpoint.md
@@ -15 +15 @@
-  * [AWS CLI 2.34.44 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.45 Command Reference](../../index.html) »
@@ -84,0 +85,2 @@ See also: [AWS API Documentation](https://docs.aws.amazon.com/goto/WebAPI/route5
+    [--dns64-enabled | --no-dns64-enabled]
+    [--ipv6-internet-access-enabled | --no-ipv6-internet-access-enabled]
@@ -395,0 +398,12 @@ Syntax:
+`--dns64-enabled` | `--no-dns64-enabled` (boolean)
+
+> Specifies whether DNS64 is enabled for the inbound Resolver endpoint. When set to `true` , Route 53 Resolver synthesizes AAAA (IPv6) records for IPv4-only services by prepending the `64:ff9b::/96` prefix to the IPv4 address. This enables IPv6-only clients that send queries through the inbound endpoint to reach IPv4-only services. DNS64 works with NAT64 to provide complete IPv6-to-IPv4 translation. Default is false.
+
+`--ipv6-internet-access-enabled` | `--no-ipv6-internet-access-enabled` (boolean)
+
+> Specifies whether IPv6 internet access is enabled for the outbound Resolver endpoint. When set to `true` , the endpoint elastic network interfaces (ENIs) can forward DNS queries to public IPv6 targets through an internet gateway. Default is false.
+> 
+> ### Warning
+> 
+> When you enable IPv6 internet access, use network controls like security groups, NACLs, or egress-only internet gateways to protect the endpoint ENIs from unsolicited ingress traffic. Be aware that some network controls can affect DNS query throughput due to connection tracking. For more information, see [Amazon EC2 security group connection tracking](https://docs.aws.amazon.com/ec2/latest/userguide/security-group-connection-tracking.html) and [Resolver endpoint scaling](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/best-practices-resolver-endpoint-scaling.html) .
+
@@ -821,0 +836,8 @@ ResolverEndpoint -> (structure)
+> 
+> Dns64Enabled -> (boolean)
+>
+>> Indicates whether DNS64 is enabled for the inbound Resolver endpoint. When `true` , Route 53 Resolver synthesizes AAAA (IPv6) records for IPv4-only services by prepending the `64:ff9b::/96` prefix to the IPv4 address.
+> 
+> Ipv6InternetAccessEnabled -> (boolean)
+>
+>> Indicates whether IPv6 internet access is enabled for the outbound Resolver endpoint. When `true` , the endpoint elastic network interfaces (ENIs) can forward DNS queries to public IPv6 targets through an internet gateway.
@@ -833 +855 @@ ResolverEndpoint -> (structure)
-  * [AWS CLI 2.34.44 Command Reference](../../index.html) »
+  * [AWS CLI 2.34.45 Command Reference](../../index.html) »