AWS Security ChangesHomeSearch

AWS AWSCloudFormation documentation change

Service: AWSCloudFormation · 2025-04-23 · Documentation low

File: AWSCloudFormation/latest/UserGuide/aws-resource-events-apidestination.md

Summary

Added IAM policy example showing resource-based permissions for API destinations

Security assessment

Improves documentation of security controls by showing how to implement least-privilege access for API destinations, but does not address a specific security vulnerability.

Diff

diff --git a/AWSCloudFormation/latest/UserGuide/aws-resource-events-apidestination.md b/AWSCloudFormation/latest/UserGuide/aws-resource-events-apidestination.md
index 39aa2a558..5c065f7af 100644
--- a//AWSCloudFormation/latest/UserGuide/aws-resource-events-apidestination.md
+++ b//AWSCloudFormation/latest/UserGuide/aws-resource-events-apidestination.md
@@ -165 +165,18 @@ The ARN of the API destination that was created by the request.
-Property description not available.
+Returns the Amazon Resource Name (ARN) of an API destination in resource format, so it can be used in the `Resource` element of IAM permission policy statements. For more information, see [Resource types defined by Amazon EventBridge](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridge.html#amazoneventbridge-resources-for-iam-policies) in the _Service Authorization Reference_.
+
+For example, the following resource defines an IAM policy that grants permission to update a specific API destination.
+    
+    
+    Resources:
+      ExamplePolicy:
+        Type: AWS::IAM::Policy
+        Properties:
+          PolicyName: ExamplePolicy
+          PolicyDocument:
+            Version: '2012-10-17'
+            Statement:
+              - Effect: Allow
+                Action:
+                  - events:UpdateApiDestination
+                Resource:
+                  - !GetAtt myApiDestination.ArnForPolicy