AWS eventbridge documentation change
Summary
Expanded encryption documentation with detailed table of encrypted resources and recommendations about sensitive information
Security assessment
The change significantly enhances security documentation by detailing encryption practices and providing recommendations, but does not address a specific security issue.
Diff
diff --git a/eventbridge/latest/userguide/eb-data-protection.md index dba53847c..ecf4783c8 100644 --- a/eventbridge/latest/userguide/eb-data-protection.md +++ b/eventbridge/latest/userguide/eb-data-protection.md @@ -3 +3 @@ -Encryption +EncryptionEncryption at rest @@ -48,0 +49,37 @@ For event buses, this includes during an event being sent to EventBridge, as wel +## Encryption at rest in Amazon EventBridge + +EventBridge provides transparent server-side encryption by integrating with AWS Key Management Service (KMS). Encryption of data at rest by default helps reduce the operational overhead and complexity involved in protecting sensitive data. At the same time, it enables you to build secure applications that meet strict encryption compliance and regulatory requirements. + +The following table lists the artifacts that EventBridge encrypts at rest, by resource: + +**Resource** | **Details** | **AWS owned key** | **Customer managed key** +---|---|---|--- +[API destinations](./eb-api-destinations.html) | | Supported | Not supported +[Archives](./eb-archive.html) | | Supported | Not supported +[Events from AWS services](./eb-events.html#eb-service-event) | Event data includes all fields contained in the `event-detail` element of the event. EventBridge does not encrypt event metadata. For more information on event metadata, see [AWS service event metadata](https://docs.aws.amazon.com/eventbridge/latest/ref/events-structure.html) in the _Events Reference_. | Supported | Not supported +[Events from custom](./eb-putevents.html) and [partner](./eb-saas.html) sources | Event data includes all fields contained in the `event-detail` element of the event. EventBridge does not encrypt event metadata. For more information on event metadata, see [AWS service event metadata](https://docs.aws.amazon.com/eventbridge/latest/ref/events-structure.html) in the _Events Reference_. | Supported | [Supported](./eb-encryption-event-bus-cmkey.html) +[Event patterns](./eb-event-patterns.html) (event buses) | | Supported | Not supported +[Input transformers](./eb-transform-target-input.html) (event buses) | | Supported | Not supported +[Pipes](./eb-pipes.html) | Includes: + + * [Event patterns](./eb-event-patterns.html) + * [Input transformers](./eb-pipes-input-transformation.html) + * [Execution data](./eb-pipes-logs.html#eb-pipes-logs-execution-data) in logs + +Events flowing through a pipe are never stored at rest. | Supported | [Supported](./eb-encryption-pipes-cmkey.html) + +By default, EventBridge uses an AWS owned key to encrypt data. You can specify for EventBridge to use customer managed keys for specific resources instead. + +###### Important + +We strongly recommend that you never put confidential or sensitive information in the following artifacts, as they are not encrypted at rest: + + * Event bus names + + * Rule names + + * Shared resources, such at tags + + + + @@ -57 +94 @@ Security -Encryption at rest +KMS key options