AWS AWSCloudFormation documentation change
Summary
Added IAM policy example showing resource-based permissions for API destinations
Security assessment
Improves documentation of security controls by showing how to implement least-privilege access for API destinations, but does not address a specific security vulnerability.
Diff
diff --git a/AWSCloudFormation/latest/UserGuide/aws-resource-events-apidestination.md b/AWSCloudFormation/latest/UserGuide/aws-resource-events-apidestination.md index 39aa2a558..5c065f7af 100644 --- a//AWSCloudFormation/latest/UserGuide/aws-resource-events-apidestination.md +++ b//AWSCloudFormation/latest/UserGuide/aws-resource-events-apidestination.md @@ -165 +165,18 @@ The ARN of the API destination that was created by the request. -Property description not available. +Returns the Amazon Resource Name (ARN) of an API destination in resource format, so it can be used in the `Resource` element of IAM permission policy statements. For more information, see [Resource types defined by Amazon EventBridge](https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazoneventbridge.html#amazoneventbridge-resources-for-iam-policies) in the _Service Authorization Reference_. + +For example, the following resource defines an IAM policy that grants permission to update a specific API destination. + + + Resources: + ExamplePolicy: + Type: AWS::IAM::Policy + Properties: + PolicyName: ExamplePolicy + PolicyDocument: + Version: '2012-10-17' + Statement: + - Effect: Allow + Action: + - events:UpdateApiDestination + Resource: + - !GetAtt myApiDestination.ArnForPolicy