diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains.mdx index 7c16b0be58e345..e9b2d399f35c40 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains.mdx @@ -17,6 +17,10 @@ Local Domain Fallback only applies to devices running the WARP client. Because DNS requests subject to Local Domain Fallback bypass the Gateway resolver, they are not subject to Gateway DNS policies or DNS logging. If you want to route DNS queries to custom resolvers and apply Gateway filtering, use [resolver policies](/cloudflare-one/policies/gateway/resolver-policies/). If both Local Domain Fallback and resolver policies are configured for the same device, Cloudflare will apply client-side Local Domain Fallback rules first. +### AWS + + + ## Manage local domains ### View domains diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx index e1efa8d1c1ca09..0d3ee64de4a84e 100644 --- a/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-networks/deployment-guides/aws.mdx 
@@ -127,6 +127,12 @@ EOF You can optionally [create Gateway network policies](/cloudflare-one/connections/connect-networks/private-net/cloudflared/#4-recommended-filter-network-traffic-with-gateway) to control who can access the instance via its private IP. +:::caution + + + +::: + ## Firewall configuration To secure your AWS instance, you can configure your [Security Group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) to deny all inbound traffic and allow only outbound traffic to the [Cloudflare Tunnel IP addresses](/cloudflare-one/connections/connect-networks/configure-tunnels/tunnel-with-firewall/#required-for-tunnel-operation). All Security Group rules are Allow rules; traffic that does not match a rule is blocked. Therefore, you can delete all inbound rules and leave only the relevant outbound rules. diff --git a/src/content/partials/cloudflare-one/aws-resolver.mdx b/src/content/partials/cloudflare-one/aws-resolver.mdx new file mode 100644 index 00000000000000..0b236a221675ee --- /dev/null +++ b/src/content/partials/cloudflare-one/aws-resolver.mdx @@ -0,0 +1,10 @@ +--- +{} + +--- + +Avoid configuring your [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) or [Resolver Policy](/cloudflare-one/policies/gateway/resolver-policies/) to direct all `*.amazonaws.com` DNS resolution via AWS Route 53 Resolver. + +Some AWS endpoints (such as `ssm.us-east-1.amazonaws.com`) are public AWS endpoints that are not resolvable via internal VPC resolution. This can break AWS Console features for users on WARP. + +Only route specific Route 53 zones, or VPC Endpoints (such as `vpce.amazonaws.com`), through the internal VPC resolver. \ No newline at end of file
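Review bot: In the `local-domains.mdx` hunk the new `### AWS` heading has no body: the hunk adds the heading and three blank lines and then runs straight into `## Manage local domains`. If the intent is to surface the new `aws-resolver` partial here, the import and the render of that partial need to be part of the hunk; as shown, the page gains an empty H3 immediately before the existing H2, which will render as a heading with nothing under it. Either add the partial reference or drop the heading.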
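Review bot: In the `aws.mdx` hunk the added `:::caution` / `:::` admonition is empty. An empty caution box renders as a coloured block with no text, which is worse than no block. Since this hunk sits next to the new `partials/cloudflare-one/aws-resolver.mdx`, the partial reference (and its import at the top of the file, if one is needed) belongs inside the admonition; otherwise the admonition should be removed rather than left as a placeholder.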
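Review bot: In the new `aws-resolver.mdx` partial the last paragraph's example `vpce.amazonaws.com` is written as a bare hostname, while the first paragraph uses the wildcard form `*.amazonaws.com`; since the advice is to route a suffix (every VPC endpoint name under that domain) and not a single host, write it as `*.vpce.amazonaws.com` so it reads as a suffix rule consistent with the earlier paragraph. The explanation of why `ssm.us-east-1.amazonaws.com` breaks is also vague ("not resolvable via internal VPC resolution"); say what the user actually observes, whether the query gets no answer or an answer the WARP client cannot reach, so readers can recognise the symptom. Two smaller points: "Resolver Policy" in the first sentence is capitalised differently from the linked page name `resolver-policies` and the plural used elsewhere in these docs, so "resolver policy" is the consistent form; and the file is missing its trailing newline (`\ No newline at end of file`), which the other `.mdx` files in this change do have.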