AWS Security ChangesHomeSearch

AWS AWSCloudFormation medium security documentation change

Service: AWSCloudFormation · 2025-05-16 · Security-related medium

File: AWSCloudFormation/latest/UserGuide/service_code_examples.md

Summary

Moved 'NoEcho' security guidance section to later position and updated CLI examples for template URLs

Security assessment

The change reorganizes existing security guidance about masking sensitive parameters and avoiding credential embedding. While not adding new security content, it maintains critical warnings about secure handling of credentials in CloudFormation templates.

Diff

diff --git a/AWSCloudFormation/latest/UserGuide/service_code_examples.md b/AWSCloudFormation/latest/UserGuide/service_code_examples.md
index cbd1d66bc..fc727cb79 100644
--- a//AWSCloudFormation/latest/UserGuide/service_code_examples.md
+++ b//AWSCloudFormation/latest/UserGuide/service_code_examples.md
@@ -133,23 +132,0 @@ Use the [create-stack](https://docs.aws.amazon.com/cli/latest/reference/cloudfor
-By default, the `describe-stacks` command returns parameter values. To prevent sensitive parameter values such as passwords from being returned, include a `NoEcho` property set to `TRUE` in your CloudFormation template.
-
-###### Important
-
-Using the `NoEcho` attribute does not mask any information stored in the following:
-
-  * The `Metadata` template section. CloudFormation does not transform, modify, or redact any information you include in the `Metadata` section. For more information, see [CloudFormation template Metadata syntax](./metadata-section-structure.html).
-
-  * The `Outputs` template section. For more information, see [CloudFormation template Outputs syntax](./outputs-section-structure.html).
-
-  * The `Metadata` attribute of a resource definition. For more information, see [Metadata attribute](./aws-attribute-metadata.html).
-
-
-
-
-We strongly recommend you do not use these mechanisms to include sensitive information, such as passwords or secrets.
-
-###### Important
-
-Rather than embedding sensitive information directly in your CloudFormation templates, we recommend you use dynamic parameters in the stack template to reference sensitive information that is stored and managed outside of CloudFormation, such as in the AWS Systems Manager Parameter Store or AWS Secrets Manager.
-
-For more information, see the [Do not embed credentials in your templates](./security-best-practices.html#creds) best practice.
-
@@ -240,4 +217 @@ PowerShell
-Alternatively, you can specify the AWS Systems Manager location of a template file.
-
-AWS CLI
-    
+###### Note
@@ -245 +219 @@ AWS CLI
-The following `create-stack` command creates a stack with the name `myteststack` using an AWS Systems Manager document for the template URL.
+You can use the AWS CLI `--template-url` option to specify a template file location in Amazon S3 or AWS Systems Manager. For example:
@@ -248,2 +222 @@ The following `create-stack` command creates a stack with the name `myteststack`
-    aws cloudformation create-stack --stack-name myteststack \
-         --template-url "ssm-doc://arn:aws:ssm:us-east-1:123456789012:document/documentName"
+    --template-url https://s3.region-code.amazonaws.com/bucket-name/template-name
@@ -251 +224 @@ The following `create-stack` command creates a stack with the name `myteststack`
-Output:
+For AWS Systems Manager, use the following format:
@@ -254,3 +227 @@ Output:
-    {
-        "StackId": "arn:aws:cloudformation:us-east-1:123456789012:stack/myteststack/466df9e0-0dff-08e3-8e2f-5088487c4896"
-    }
+    --template-url "ssm-doc://arn:aws:ssm:region-code:account-id:document/document-name"
@@ -685,0 +657,23 @@ PowerShell
+By default, the `describe-stacks` command returns parameter values. To prevent sensitive parameter values such as passwords from being returned, include a `NoEcho` property set to `TRUE` in your CloudFormation templates.
+
+###### Important
+
+Using the `NoEcho` attribute does not mask any information stored in the following:
+
+  * The `Metadata` template section. CloudFormation does not transform, modify, or redact any information you include in the `Metadata` section. For more information, see [CloudFormation template Metadata syntax](./metadata-section-structure.html).
+
+  * The `Outputs` template section. For more information, see [CloudFormation template Outputs syntax](./outputs-section-structure.html).
+
+  * The `Metadata` attribute of a resource definition. For more information, see [Metadata attribute](./aws-attribute-metadata.html).
+
+
+
+
+We strongly recommend you do not use these mechanisms to include sensitive information, such as passwords or secrets.
+
+###### Important
+
+Rather than embedding sensitive information directly in your CloudFormation templates, we recommend you use dynamic parameters in the stack template to reference sensitive information that is stored and managed outside of CloudFormation, such as in the AWS Systems Manager Parameter Store or AWS Secrets Manager.
+
+For more information, see the [Do not embed credentials in your templates](./security-best-practices.html#creds) best practice.
+
@@ -1078 +1072 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Create quick-create links for stacks
+Use quick-create links to create CloudFormation stacks