AWS Security ChangesHomeSearch

AWS AWSCloudFormation documentation change

Service: AWSCloudFormation · 2025-02-27 · Documentation low

File: AWSCloudFormation/latest/UserGuide/aws-resource-events-connection.md

Summary

Updated CloudFormation template examples for EventBridge connections, restructuring the JSON/YAML format and adding 'IsValueSecret' flag for sensitive parameters

Security assessment

The changes add explicit marking of sensitive parameters as secret ('IsValueSecret: true'), which improves security documentation but does not address a specific security issue

Diff

diff --git a/AWSCloudFormation/latest/UserGuide/aws-resource-events-connection.md
index 00c6c5464..40daa7651 100644
--- a/AWSCloudFormation/latest/UserGuide/aws-resource-events-connection.md
+++ b/AWSCloudFormation/latest/UserGuide/aws-resource-events-connection.md
@@ -174 +176,2 @@ The following example creates a connection named pagerduty-connection using ApiK
-      "PagerDutyConection": 
+      "Resources": {
+        "Connection": {
@@ -182,6 +185 @@ The following example creates a connection named pagerduty-connection using ApiK
-                    "ApiKeyValue" : "{{resolve:secretsmanager:arn:aws:secretsmanager:us-west-2:123456789012:secret:pagerdutyApiToken-S9SoDa}}"},
-                "AdditionalParameters" : {
-                    "BodyParameters" : {
-                        "routing_key" : "my-pagerduty-integration-key", 
-                    }, 
-                }, 
+                "ApiKeyValue": "{{resolve:secretsmanager:arn:aws:secretsmanager:us-west-2:123456789012:secret:pagerdutyApiToken-S9SoDa}}"
@@ -188,0 +187,12 @@ The following example creates a connection named pagerduty-connection using ApiK
+              "InvocationHttpParameters": {
+                "BodyParameters": [
+                  {
+                    "Key": "routing_key",
+                    "Value": "my-pagerduty-integration-key",
+                    "IsValueSecret": true
+                  }
+                ]
+              }
+            }
+          }
+        }
@@ -195 +205,2 @@ The following example creates a connection named pagerduty-connection using ApiK
-    PagerDutyConection:
+    Resources:
+      Connection:
@@ -198 +209 @@ The following example creates a connection named pagerduty-connection using ApiK
-        Name: 'pagerduty-connection'
+          Name: pagerduty-connection
@@ -204 +215 @@ The following example creates a connection named pagerduty-connection using ApiK
-          AdditionalParameters:
+            InvocationHttpParameters:
@@ -206 +217,3 @@ The following example creates a connection named pagerduty-connection using ApiK
-            routing_key: 'my-pagerduty-integration-key'
+                - Key: routing_key
+                  Value: my-pagerduty-integration-key
+                  IsValueSecret: true
@@ -216 +229,2 @@ The following example creates a connection named auth0-connection using OAuth au
-      "Auth0Connection":
+      "Resources": {
+        "Auth0Connection": {
@@ -222,0 +237 @@ The following example creates a connection named auth0-connection using OAuth au
+                "AuthorizationEndpoint": "https://yourUserName.us.auth0.com/oauth/token",
@@ -224,2 +239,2 @@ The following example creates a connection named auth0-connection using OAuth au
-                        "ClientId": "{{resolve:secretsmanager:arn:aws:secretsmanager:us-west-2:123456789012:secret:auth0ClientId}}",
-                        "ClientSecret": "{{resolve:secretsmanager:arn:aws:secretsmanager:us-west-2:123456789012:secret:auth0ClientSecret}}",
+                  "ClientID": "{{resolve:secretsmanager:arn:aws:secretsmanager:us-west-2:123456789012:secret:auth0ClientId}}",
+                  "ClientSecret": "{{resolve:secretsmanager:arn:aws:secretsmanager:us-west-2:123456789012:secret:auth0ClientSecret}}"
@@ -227 +241,0 @@ The following example creates a connection named auth0-connection using OAuth au
-                    "AuthorizationEndpoint" : "https://yourUserName.us.auth0.com/oauth/token",
@@ -229,7 +243,13 @@ The following example creates a connection named auth0-connection using OAuth au
-                    "AdditionalParameters" : {
-                        "BodyParameters: {
-                            "audience" : "my-auth0-identifier",
-                        },
-                    },    
-                },
-            },
+                "OAuthHttpParameters": {
+                  "BodyParameters": [
+                    {
+                      "Key": "audience",
+                      "Value": "my-auth0-identifier",
+                      "IsValueSecret": true
+                    }
+                  ]
+                }
+              }
+            }
+          }
+        }
@@ -241,0 +262 @@ The following example creates a connection named auth0-connection using OAuth au
+    Resources:
@@ -245 +266 @@ The following example creates a connection named auth0-connection using OAuth au
-        Name: 'auth0-connection'
+          Name: auth0-connection
@@ -248,0 +270 @@ The following example creates a connection named auth0-connection using OAuth au
+              AuthorizationEndpoint: https://yourUserName.us.auth0.com/oauth/token
@@ -250 +272 @@ The following example creates a connection named auth0-connection using OAuth au
-              ClientId: '{{resolve:secretsmanager:arn:aws:secretsmanager:us-west-2:123456789012:secret:auth0ClientId}}'
+                ClientID: '{{resolve:secretsmanager:arn:aws:secretsmanager:us-west-2:123456789012:secret:auth0ClientId}}'
@@ -252 +273,0 @@ The following example creates a connection named auth0-connection using OAuth au
-            AuthorizationEndpoint: 'https://yourUserName.us.auth0.com/oauth/token'
@@ -254 +275 @@ The following example creates a connection named auth0-connection using OAuth au
-            AdditionalParameters:
+              OAuthHttpParameters:
@@ -256,2 +277,3 @@ The following example creates a connection named auth0-connection using OAuth au
-                audience: 'my-auth0-identifier'
-            #Note: This AdditionalParameters field is a child of OAuthParameters entry, meaning it's only sent with the token exchange
+                  - Key: audience
+                    Value: my-auth0-identifier
+                    IsValueSecret: true