AWS Security ChangesHomeSearch

AWS AWSCloudFormation medium security documentation change

Service: AWSCloudFormation · 2025-04-23 · Security-related medium

File: AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-account.md

Summary

Added warning about IAM role persistence after stack deletion and guidance to revoke CloudWatch Logs access

Security assessment

Addresses potential security risk where API Gateway retains IAM role permissions after stack deletion, which could lead to unintended logging access. Provides explicit instructions to mitigate this through policy updates.

Diff

diff --git a/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-account.md b/AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-account.md
index bd2744fb0..0fed7e920 100644
--- a//AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-account.md
+++ b//AWSCloudFormation/latest/UserGuide/aws-resource-apigateway-account.md
@@ -8,0 +9,2 @@ The `AWS::ApiGateway::Account` resource specifies the IAM role that Amazon API G
+When you delete a stack containing this resource, API Gateway can still assume the provided IAM role to write API logs to CloudWatch Logs. To deny API Gateway access to write API logs to CloudWatch logs, update the permissions policies or change the IAM role to deny access.
+