AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-07-10 · Documentation low

File: prescriptive-guidance/latest/transitioning-to-multiple-aws-accounts/centralized-egress.md

Summary

Updated navigation links, corrected apostrophe usage, changed image path, and adjusted formatting for DNS Firewall recommendations

Security assessment

Changes include typo corrections (apostrophe), navigation link updates, and image path modifications. Security-related content about DNS Firewall logging modes and allow-list strategies remains unchanged. No evidence of addressing vulnerabilities or adding new security features.

Diff

diff --git a/prescriptive-guidance/latest/transitioning-to-multiple-aws-accounts/centralized-egress.md b/prescriptive-guidance/latest/transitioning-to-multiple-aws-accounts/centralized-egress.md
index 1be7c7b15..86c9aa0d3 100644
--- a//prescriptive-guidance/latest/transitioning-to-multiple-aws-accounts/centralized-egress.md
+++ b//prescriptive-guidance/latest/transitioning-to-multiple-aws-accounts/centralized-egress.md
@@ -5 +5 @@
-[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[Transitioning to multiple AWS accounts](welcome.html)
+[Documentation](/index.html)[AWS Prescriptive Guidance](https://aws.amazon.com/prescriptive-guidance/)[Transitioning to multiple AWS accounts](introduction.html)
@@ -15 +15 @@ You can use [AWS Network Firewall](https://docs.aws.amazon.com/network-firewall/
-You can also use the [Amazon Route 53 Resolver DNS Firewall](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall.html) to limit egress traffic to specific domain names, primarily to prevent unauthorized exfiltration of your data. In DNS Firewall rules, you can apply [domain lists](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-domain-lists.html) (Route 53 documentation), which allow or deny access to specified domains. You can use AWS managed domain lists, which contain domain names that are associated with malicious activity or other potential threats, or you can create custom domain lists. You create DNS Firewall rule groups and then apply them to your VPCs. Outbound DNS requests route through a Resolver in the VPC for domain name resolution, and DNS Firewall filters the requests based on the rule groups applied to the VPC. Recursive DNS requests going to the Resolver don’t flow through the transit gateway and Network Firewall path. Route 53 Resolver and DNS Firewall should be considered to be a separate egress path out of the VPC.
+You can also use the [Amazon Route 53 Resolver DNS Firewall](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall.html) to limit egress traffic to specific domain names, primarily to prevent unauthorized exfiltration of your data. In DNS Firewall rules, you can apply [domain lists](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-domain-lists.html) (Route 53 documentation), which allow or deny access to specified domains. You can use AWS managed domain lists, which contain domain names that are associated with malicious activity or other potential threats, or you can create custom domain lists. You create DNS Firewall rule groups and then apply them to your VPCs. Outbound DNS requests route through a Resolver in the VPC for domain name resolution, and DNS Firewall filters the requests based on the rule groups applied to the VPC. Recursive DNS requests going to the Resolver don't flow through the transit gateway and Network Firewall path. Route 53 Resolver and DNS Firewall should be considered to be a separate egress path out of the VPC.
@@ -19 +19 @@ The following image shows a sample architecture for centralized egress. Before n
-![Traffic routing from other accounts through the network account and to the internet.](/images/prescriptive-guidance/latest/transitioning-to-multiple-aws-accounts/images/3_egress.png)
+![Traffic routing from other accounts through the network account and to the internet.](/images/prescriptive-guidance/latest/transitioning-to-multiple-aws-accounts/images/guide-img/b35f7443-fbaf-4ce8-bb48-32b6441d573f/images/dc070c63-31ad-44d5-8d97-5e0031e65b61.png)
@@ -23 +23 @@ The following image shows a sample architecture for centralized egress. Before n
-  * Start in [logging-only mode](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-rule-actions.html) (Route 53 documentation). Change to block mode after you have validated that legitimate traffic isn’t affected.
+  * Start in [logging-only mode](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resolver-dns-firewall-rule-actions.html) (Route 53 documentation). Change to block mode after you have validated that legitimate traffic isn't affected.
@@ -33 +33 @@ The following image shows a sample architecture for centralized egress. Before n
-  * As a starting point, you can use a deny list that includes the AWS managed rules. You can then work over time toward implementing an allow-list model. For example, instead of including only a strict list of fully qualified domain names in the allow list, begin by using some wildcards, such as _*.example.com_. You can even allow only the top-level domains you expect and block all others. Then, over time, narrow those down too.
+  * As a starting point, you can use a deny list that includes the AWS managed rules. You can then work over time toward implementing an allow-list model. For example, instead of including only a strict list of fully qualified domain names in the allow list, begin by using some wildcards, such as *.example.com. You can even allow only the top-level domains you expect and block all others. Then, over time, narrow those down too.