AWS AWSCloudFormation documentation change
Summary
Added detailed documentation about KMS key usage for archive encryption
Security assessment
Documents encryption options and recommends customer-managed keys for security best practices, but does not fix a specific security issue
Diff
diff --git a/AWSCloudFormation/latest/UserGuide/aws-resource-events-archive.md b/AWSCloudFormation/latest/UserGuide/aws-resource-events-archive.md index 45254eb10..e41f696e6 100644 --- a//AWSCloudFormation/latest/UserGuide/aws-resource-events-archive.md +++ b//AWSCloudFormation/latest/UserGuide/aws-resource-events-archive.md @@ -98 +98,11 @@ _Required_ : No -Property description not available. +The identifier of the AWS KMS customer managed key for EventBridge to use, if you choose to use a customer managed key to encrypt this archive. The identifier can be the key Amazon Resource Name (ARN), KeyId, key alias, or key alias ARN. + +If you do not specify a customer managed key identifier, EventBridge uses an AWS owned key to encrypt the archive. + +For more information, see [Identify and view keys](https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html) in the _AWS Key Management Service Developer Guide_. + +###### Important + +If you have specified that EventBridge use a customer managed key for encrypting the source event bus, we strongly recommend you also specify a customer managed key for any archives for the event bus as well. + +For more information, see [Encrypting archives](https://docs.aws.amazon.com/eventbridge/latest/userguide/encryption-archives.html) in the _Amazon EventBridge User Guide_.