AWS Security ChangesHomeSearch

AWS AWSCloudFormation documentation change

Service: AWSCloudFormation · 2025-04-18 · Documentation medium

File: AWSCloudFormation/latest/UserGuide/aws-resource-events-archive.md

Summary

Added detailed documentation about KMS key usage for archive encryption

Security assessment

Documents encryption options and recommends customer-managed keys for security best practices, but does not fix a specific security issue

Diff

diff --git a/AWSCloudFormation/latest/UserGuide/aws-resource-events-archive.md b/AWSCloudFormation/latest/UserGuide/aws-resource-events-archive.md
index 45254eb10..e41f696e6 100644
--- a//AWSCloudFormation/latest/UserGuide/aws-resource-events-archive.md
+++ b//AWSCloudFormation/latest/UserGuide/aws-resource-events-archive.md
@@ -98 +98,11 @@ _Required_ : No
-Property description not available.
+The identifier of the AWS KMS customer managed key for EventBridge to use, if you choose to use a customer managed key to encrypt this archive. The identifier can be the key Amazon Resource Name (ARN), KeyId, key alias, or key alias ARN.
+
+If you do not specify a customer managed key identifier, EventBridge uses an AWS owned key to encrypt the archive.
+
+For more information, see [Identify and view keys](https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html) in the _AWS Key Management Service Developer Guide_. 
+
+###### Important
+
+If you have specified that EventBridge use a customer managed key for encrypting the source event bus, we strongly recommend you also specify a customer managed key for any archives for the event bus as well. 
+
+For more information, see [Encrypting archives](https://docs.aws.amazon.com/eventbridge/latest/userguide/encryption-archives.html) in the _Amazon EventBridge User Guide_.