AWS Security ChangesHomeSearch

AWS AWSCloudFormation medium security documentation change

Service: AWSCloudFormation · 2025-04-16 · Security-related medium

File: AWSCloudFormation/latest/UserGuide/aws-resource-acmpca-certificateauthority.md

Summary

Updated KeyStorageSecurityStandard documentation with new compliance requirements and error handling instructions

Security assessment

Changes specify updated cryptographic compliance standards (CCPC_LEVEL_1_OR_HIGHER) for CA creation in certain regions, directly addressing security compliance requirements. The update prevents InvalidArgsException errors related to security standards.

Diff

diff --git a/AWSCloudFormation/latest/UserGuide/aws-resource-acmpca-certificateauthority.md b/AWSCloudFormation/latest/UserGuide/aws-resource-acmpca-certificateauthority.md
index 02ffaf248..558ff5a3b 100644
--- a//AWSCloudFormation/latest/UserGuide/aws-resource-acmpca-certificateauthority.md
+++ b//AWSCloudFormation/latest/UserGuide/aws-resource-acmpca-certificateauthority.md
@@ -85 +85 @@ _Required_ : Yes
-Specifies a cryptographic key management compliance standard used for handling CA keys.
+Specifies a cryptographic key management compliance standard for handling and protecting CA keys.
@@ -91 +91 @@ Default: FIPS_140_2_LEVEL_3_OR_HIGHER
-Some AWS Regions do not support the default. When creating a CA in these Regions, you must provide `FIPS_140_2_LEVEL_2_OR_HIGHER` as the argument for `KeyStorageSecurityStandard`. Failure to do this results in an `InvalidArgsException` with the message, "A certificate authority cannot be created in this region with the specified security standard."
+Some AWS Regions don't support the default value. When you create a CA in these Regions, you must use `CCPC_LEVEL_1_OR_HIGHER` for the `KeyStorageSecurityStandard` parameter. If you don't, the operation returns an `InvalidArgsException` with this message: "A certificate authority cannot be created in this region with the specified security standard."
@@ -93 +93 @@ Some AWS Regions do not support the default. When creating a CA in these Regions
-For information about security standard support in various Regions, see [Storage and security compliance of AWS Private CA private keys](https://docs.aws.amazon.com/privateca/latest/userguide/data-protection.html#private-keys).
+For information about security standard support in different AWS Regions, see [Storage and security compliance of AWS Private CA private keys](https://docs.aws.amazon.com/privateca/latest/userguide/data-protection.html#private-keys).