AWS Security ChangesHomeSearch

AWS vpc documentation change

Service: vpc · 2026-06-10 · Documentation low

File: vpc/latest/tgw/create-metering-policy-entry.md

Summary

Expanded the list of supported attachment types for metering policy entries to include Client VPN, Network Function, and VPN Concentrator.

Security assessment

The change only adds new attachment types (Client VPN, Network Function, VPN Concentrator) to metering policy criteria. This expands billing/tracking capabilities but contains no references to vulnerabilities, security patches, or security features. Metering policies relate to cost allocation, not security controls.

Diff

diff --git a/vpc/latest/tgw/create-metering-policy-entry.md b/vpc/latest/tgw/create-metering-policy-entry.md
index 7080f2278..e22dedd6c 100644
--- a//vpc/latest/tgw/create-metering-policy-entry.md
+++ b//vpc/latest/tgw/create-metering-policy-entry.md
@@ -15 +15 @@ Metering policy entries function as conditional rules that are evaluated in sequ
-Entries support a wide range of matching criteria including attachment types (VPC, VPN, Direct Connect Gateway), specific attachment IDs, source and destination CIDR blocks, protocol types, and port ranges. You can combine multiple criteria within a single entry to create precise targeting rules. For example, you might create an entry that matches all HTTPS traffic (port 443) from VPC attachments to a specific destination CIDR range and charges those flows to a security team's account. If no entries match a particular traffic flow, the default metered account specified in the parent metering policy is charged, ensuring all traffic is properly billed. Creating an entry takes 2 billing hours to take effect.
+Entries support a wide range of matching criteria including attachment types (VPC, VPN, Client VPN, Direct Connect Gateway, Peering, Network Function, and VPN Concentrator), specific attachment IDs, source and destination CIDR blocks, protocol types, and port ranges. You can combine multiple criteria within a single entry to create precise targeting rules. For example, you might create an entry that matches all HTTPS traffic (port 443) from VPC attachments to a specific destination CIDR range and charges those flows to a security team's account. If no entries match a particular traffic flow, the default metered account specified in the parent metering policy is charged, ensuring all traffic is properly billed. Creating an entry takes 2 billing hours to take effect.
@@ -56 +56 @@ A metering policy defines the default cost allocation behavior and global settin
-     * **Source attachment type or ID** \- Filter by attachment type (VPC, VPN, Direct Connect Gateway, Peering) or ID.
+     * **Source attachment type or ID** \- Filter by attachment type (VPC, VPN, Client VPN, Direct Connect Gateway, Peering, Network Function, and VPN Concentrator) or ID.