AWS Security ChangesHomeSearch

AWS organizations documentation change

Service: organizations · 2026-07-04 · Documentation low

File: organizations/latest/userguide/orgs_manage_policies_ec2_syntax.md

Summary

Added documentation for VPC Encryption Controls feature including policy syntax, modes (unmanaged/attempt_monitor/attempt_enforce), exclusions, considerations, and best practices

Security assessment

The change documents a new security feature (VPC traffic encryption enforcement) but doesn't reference any specific vulnerability or incident. It proactively describes security controls rather than addressing a known exploit.

Diff

diff --git a/organizations/latest/userguide/orgs_manage_policies_ec2_syntax.md b/organizations/latest/userguide/orgs_manage_policies_ec2_syntax.md
index 0a1efd022..a11e2da17 100644
--- a//organizations/latest/userguide/orgs_manage_policies_ec2_syntax.md
+++ b//organizations/latest/userguide/orgs_manage_policies_ec2_syntax.md
@@ -61,0 +62,2 @@ The following are the AWS services and attributes that EC2 policies support. In
+  * VPC Encryption Controls
+
@@ -489,0 +492,88 @@ If you use this attribute in a EC2 policy, you cannot use the following operatio
+VPC Encryption Controls
+    
+
+###### Policy effect
+
+Controls whether Amazon VPC encryption controls are enabled and in which mode for the VPCs in accounts that are in scope of the policy. For more information, see [VPC Encryption Controls](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-encryption-controls.html) in the _Amazon VPC User Guide_.
+
+###### Policy contents
+    
+    
+    {
+      "ec2_attributes": {
+        "vpc_encryption_control": {
+          "mode": {
+            "@@assign": "attempt_enforce"
+          },
+          "exclusions": {
+            "@@assign": ["internet_gateway", "nat_gateway", "vpc_lattice"]
+          }
+        }
+      }
+    }
+
+The following are the available fields for this attribute:
+
+  * `"mode"` (required): The Amazon VPC encryption controls mode to apply to all accounts and VPCs in scope.
+
+    * `"unmanaged"`: Amazon VPC encryption controls is turned off. If you detach the policy, the service rolls back the account-level Amazon VPC encryption controls to its previous state. The VPCs themselves may or may not successfully go back to the previous state—see Considerations.
+
+    * `"attempt_monitor"`: All in-scope VPCs attempt to move to monitor mode. Monitor mode audits the encryption status of traffic flows and identifies resources that allow unencrypted traffic. A VPC with no encryption controls moves to monitor; a VPC already in monitor stays in monitor; a VPC in enforce attempts to move to monitor; New VPCs are created in monitor mode.
+
+    * `"attempt_enforce"`: All in-scope VPCs attempt to move to enforce mode, which ensures the VPC only allows services that always encrypt traffic in transit. A VPC with encryption controls off moves to monitor first, then attempts enforce automatically when this mode is enabled at the account or organization level; a VPC in monitor mode attempts to migrate to enforce; a VPC already in enforce stays in enforce; New VPCs are created in enforce mode with any resource type exclusions defined at the organization or account level.
+
+  * `"exclusions"` (optional): Per-Region map of excludable resource types that can be excluded from Amazon VPC encryption controls.
+
+    * `internet_gateway`
+
+    * `nat_gateway`
+
+    * `vpc_lattice`
+
+    * `vpc_peering`
+
+    * `lambda`
+
+    * `egress_only_internet_gateway`
+
+    * `elastic_file_system`
+
+    * `virtual_private_gateway`
+
+
+
+
+###### Considerations
+
+  * When transitioning to enforce via account or organization-level `attempt_enforce`, the service places VPCs in monitor mode first, then automatically transitions them to enforce. The transition to enforce fails if the VPC contains non-compliant resources that are not covered by an exclusion; those VPCs remain in monitor mode with an enforce-failed state. Remediate those resources or add exclusions first.
+
+  * If you detach the policy, the encryption control configuration at the account level rolls back to its previous state before the policy was attached.
+
+  * If you use this attribute in an EC2 policy, VPC owners of in-scope VPCs will not be able to use the following commands at the VPC level (list not exhaustive):
+
+    * `ModifyVpcEncryptionControl`
+
+    * `DeleteVpcEncryptionControl`
+
+    * `CreateVpcEncryptionControl`
+
+  * If the transition to either mode fails, use `DescribeVpcEncryptionControls` to find all the VPCs that failed the transition, and then use `GetVpcResourcesBlockingEncryptionEnforcement` to find the violating resources within the VPCs.
+
+  * The order of precedence for exclusions is organization, then OU, then account, then VPC. An organization-level exclusion takes precedence over an account-level exclusion, which takes precedence over a VPC-level exclusion.
+
+
+
+
+###### Best practices
+
+  * **Monitor before enforce.** Always run `attempt_monitor` org-wide and use the account status report to confirm VPCs don't have non-excludable resources before moving to `attempt_enforce`.
+
+  * **Stage enforcement with exclusions.** Use per-Region `exclusions` for resources that do not support encryption in transit (for example, IGW, NAT gateway, Amazon VPC Lattice).
+
+  * **Understand precedence.** Org mode and exclusions override account and VPC settings; plan rollouts top-down.
+
+  * **Plan for peering.** Delete VPC peering exclusions before attempting to move enforce-mode VPCs back to monitor.
+
+
+
+