AWS Security ChangesHomeSearch

AWS eventbridge documentation change

Service: eventbridge · 2025-03-02 · Documentation low

File: eventbridge/latest/userguide/eb-encryption-event-bus-cmkey.md

Summary

Added note about schema discovery not being supported with customer managed keys and added a new key policy allowing EventBridge to validate key permissions

Security assessment

The changes clarify security-related limitations and add a key policy for proper key permission validation, but there's no evidence of addressing a specific security vulnerability

Diff

diff --git a/eventbridge/latest/userguide/eb-encryption-event-bus-cmkey.md
index 09af8fbde..2bf1cf351 100644
--- a/eventbridge/latest/userguide/eb-encryption-event-bus-cmkey.md
+++ b/eventbridge/latest/userguide/eb-encryption-event-bus-cmkey.md
@@ -10,0 +11,4 @@ If you specify a customer managed key for an event bus, you have the option of s
+###### Note
+
+Schema discovery is not supported for event buses encrypted using a customer managed key. To enable schema discovery on an event bus, choose to use an AWS owned key. For more information, see [KMS key options](./eb-encryption-at-rest-key-options.html).
+
@@ -41,0 +46,11 @@ As a security best practice, we recommend you include condition keys in the key
+    {
+      "Sid": "Allow EventBridge to validate key permission",
+      "Effect": "Allow",
+      "Principal": {
+        "Service": "events.amazonaws.com"
+      },
+      "Action": [
+        "kms:DescribeKey"
+      ]
+      "Resource": "*"
+    },
@@ -49 +63,0 @@ As a security best practice, we recommend you include condition keys in the key
-        "kms:DescribeKey",