AWS Security ChangesHomeSearch

AWS eventbridge documentation change

Service: eventbridge · 2025-02-26 · Documentation low

File: eventbridge/latest/userguide/eb-encryption-event-bus-cmkey.md

Summary

Replaced encryption setup instructions with detailed documentation about encryption context usage and added example key policy with security conditions

Security assessment

The changes focus on explaining encryption context binding and demonstrate security best practices in key policies (including condition keys to prevent confused deputy issues). While these are security enhancements, there's no evidence of addressing an existing vulnerability.

Diff

diff --git a/eventbridge/latest/userguide/eb-encryption-event-bus-cmkey.md
index 84c1ec402..09af8fbde 100644
--- a/eventbridge/latest/userguide/eb-encryption-event-bus-cmkey.md
+++ b/eventbridge/latest/userguide/eb-encryption-event-bus-cmkey.md
@@ -3 +3 @@
-Set encryption when creating an event busUpdate encryption on an event bus
+Event bus encryption contextEvent bus key policy
@@ -11 +11 @@ If you specify a customer managed key for an event bus, you have the option of s
-## Specifying the AWS KMS key used for encryption when creating an event bus
+## Event bus encryption context
@@ -13 +13 @@ If you specify a customer managed key for an event bus, you have the option of s
-Choosing the AWS KMS key used for encryption is part of creating an event bus. The default is to use the AWS owned key provided by EventBridge. 
+An [encryption context](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) is a set of key–value pairs that contain arbitrary nonsecret data. When you include an encryption context in a request to encrypt data, AWS KMS cryptographically binds the encryption context to the encrypted data. To decrypt the data, you must pass in the same encryption context.
@@ -15 +15 @@ Choosing the AWS KMS key used for encryption is part of creating an event bus. T
-###### To specify a customer managed key for encryption when creating an event bus (console)
+You can also use the encryption context as a condition for authorization in policies and grants.
@@ -17 +17 @@ Choosing the AWS KMS key used for encryption is part of creating an event bus. T
-  * Follow these instructions:
+If you use a customer managed key to protect your EventBridge resources, you can use the encryption context to identify use of the KMS key in audit records and logs. It also appears in plaintext in logs, such as [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) and [Amazon CloudWatch Logs](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/WhatIsCloudWatchLogs.html).
@@ -19 +19 @@ Choosing the AWS KMS key used for encryption is part of creating an event bus. T
-[Creating an event bus](./eb-create-event-bus.html).
+For event buses, EventBridge uses the same encryption context in all AWS KMS cryptographic operations. The context includes a single key–value pair, which contains the event bus ARN. 
@@ -21,0 +22,3 @@ Choosing the AWS KMS key used for encryption is part of creating an event bus. T
+    "encryptionContext": {
+        "kms:EncryptionContext:aws:events:event-bus:arn": "event-bus-arn"
+    }
@@ -22,0 +26 @@ Choosing the AWS KMS key used for encryption is part of creating an event bus. T
+## AWS KMS key policy for event bus
@@ -24 +28 @@ Choosing the AWS KMS key used for encryption is part of creating an event bus. T
-###### To specify a customer managed key for encryption when creating an event bus (CLI)
+The following example key policy provides the required permissions for an event bus:
@@ -26 +30 @@ Choosing the AWS KMS key used for encryption is part of creating an event bus. T
-  * When calling `[create-event-bus](https://docs.aws.amazon.com/cli/latest/reference/events/create-event-bus.html)`, use the `kms-key-identifier` option to specify the customer managed key for EventBridge to use for encryption on the event bus.
+  * `kms:DescribeKey`
@@ -28 +32 @@ Choosing the AWS KMS key used for encryption is part of creating an event bus. T
-Optionally, use `dead-letter-config` to specify a dead-letter queue (DLQ).
+  * `kms:GenerateDataKey`
@@ -29,0 +34 @@ Optionally, use `dead-letter-config` to specify a dead-letter queue (DLQ).
+  * `kms:Decrypt`
@@ -33,53 +37,0 @@ Optionally, use `dead-letter-config` to specify a dead-letter queue (DLQ).
-## Updating the AWS KMS key used for encryption on an event bus
-
-You can update the AWS KMS key being used for encryption at rest on an existing event bus. This includes changing from the default AWS owned key to a customer managed key, from a customer managed key to the default AWS owned key, or from one customer managed key to another.
-
-###### To update the KMS key used for encryption on an event bus (console)
-
-  1. Open the Amazon EventBridge console at [https://console.aws.amazon.com/events/](https://console.aws.amazon.com/events/).
-
-  2. In the navigation pane, choose **Event buses**.
-
-  3. Choose the event bus you want to update.
-
-  4. On the events bus details page, choose the **Encryption** tab.
-
-  5. Choose the KMS key for EventBridge to use when encrypting the event data stored on the event bus:
-
-     * Choose **Use AWS owned key** for EventBridge to encrypt the data using an AWS owned key.
-
-This AWS owned key is a KMS key that EventBridge owns and manages for use in multiple AWS accounts. In general, unless you are required to audit or control the encryption key that protects your resources, an AWS owned key is a good choice. 
-
-This is the default.
-
-     * Choose **Use customer managed key** for EventBridge to encrypt the data using the customer managed key that you specify or create.
-
-Customer managed keys are KMS keys in your AWS account that you create, own, and manage. You have full control over these KMS keys.
-
-       1. Specify an existing customer managed key, or choose **Create a new KMS key**.
-
-EventBridge displays the key status and any key aliases that have been associated with the specified customer managed key.
-
-       2. Choose the Amazon SQS queue to use as the dead-letter queue (DLQ) for this event bus, if any.
-
-EventBridge sends events that aren't successfully encrypted to the DLQ, if configured, so you can process them later.
-
-
-
-
-###### To update the KMS key used for encryption on an event bus (CLI)
-
-  * When calling `[update-event-bus](https://docs.aws.amazon.com/cli/latest/reference/events/create-event-bus.html)`, use the `kms-key-identifier` option to specify the customer managed key for EventBridge to use for encryption on the event bus.
-
-Optionally, use `dead-letter-config` to specify a dead-letter queue (DLQ).
-
-
-
-
-###### To update the KMS key used for encryption on the default event bus, using CloudFormation
-
-Because EventBridge provisions the default event bus into your account automatically, you cannot create it using a CloudFormation template, as you normally would for any resource you wanted to include in a CloudFormation stack. To include the default event bus in a CloudFormation stack, you must first _import_ it into a stack. Once you have imported the default event bus into a stack, you can then update the event bus properties as desired.
-
-  * Follow these instructions:
-
-[Updating a default bus using CloudFormation](./event-bus-update-default-cfn.html).
@@ -86,0 +39 @@ Because EventBridge provisions the default event bus into your account automatic
+As a security best practice, we recommend you include condition keys in the key policy to helps ensure that EventBridge uses the KMS key only for the specified resource or account. For more information, see [Security considerations](./eb-encryption-key-policy.html#eb-encryption-event-bus-confused-deputy).
@@ -88,0 +42,19 @@ Because EventBridge provisions the default event bus into your account automatic
+    {
+      "Sid": "Allow EventBridge to encrypt events",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "events.amazonaws.com"
+      },
+      "Action": [
+        "kms:DescribeKey",
+        "kms:GenerateDataKey",
+        "kms:Decrypt"
+      ]
+      "Resource": "*",
+      "Condition": {
+        "StringEquals": {
+            "kms:EncryptionContext:aws:events:event-bus:arn": "arn:aws:events:region:account-id:event-bus/event-bus-arn",
+            "aws:SourceArn": "arn:aws:events:region:account-id:event-bus/event-bus-name"
+        }
+      }
+    }
@@ -96 +68 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Encryption context
+Maintaining key access
@@ -98 +70 @@ Encryption context
-Encryption for event bus targets
+Configuring event bus encryption