AWS Security ChangesHomeSearch

AWS eventbridge medium security documentation change

Service: eventbridge · 2025-05-31 · Security-related medium

File: eventbridge/latest/userguide/eb-use-identity-based.md

Summary

Updated IAM policy with account matching condition for Secrets Manager access

Security assessment

Added Condition block enforcing same-account access for secrets, addressing potential cross-account security risks

Diff

diff --git a/eventbridge/latest/userguide/eb-use-identity-based.md b/eventbridge/latest/userguide/eb-use-identity-based.md
index 7ab867ce0..4892f785f 100644
--- a//eventbridge/latest/userguide/eb-use-identity-based.md
+++ b//eventbridge/latest/userguide/eb-use-identity-based.md
@@ -186 +186,6 @@ You can't attach [AmazonEventBridgeApiDestinationsServiceRolePolicy](https://doc
-          "Resource": "arn:aws:secretsmanager:*:*:secret:events!connection/*"
+    			"Resource": "arn:aws:secretsmanager:*:*:secret:events!connection/*",
+    			"Condition": {
+    				"StringEquals": {
+    					"aws:ResourceAccount": "${aws:PrincipalAccount}"
+    				}
+    			}
@@ -487,0 +493 @@ Change | Description | Date
+AmazonEventBridgeApiDestinationsServiceRolePolicy – Updated policy |  EventBridge updated policy to restrict the scope of permissions for Secrets Manager operations to the same account. | May 29, 2025