AWS Security ChangesHomeSearch

AWS AWSCloudFormation documentation change

Service: AWSCloudFormation · 2025-06-19 · Documentation medium

File: AWSCloudFormation/latest/TemplateReference/aws-resource-kms-key.md

Summary

Added support for ML-DSA asymmetric key pairs and related specifications

Security assessment

Documents new cryptographic algorithm support (ML-DSA) which is a security feature, but doesn't address a specific vulnerability

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-kms-key.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-kms-key.md
index dc24140a2..49ed474a3 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-resource-kms-key.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-kms-key.md
@@ -236,0 +237,8 @@ AWS KMS supports the following key specs for KMS keys:
+  * Asymmetric ML-DSA key pairs (signing and verification)
+
+    * `ML_DSA_44`
+
+    * `ML_DSA_65`
+
+    * `ML_DSA_87`
+
@@ -271 +279,3 @@ Select only one valid value.
-  * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs specify `SIGN_VERIFY`.
+  * For asymmetric KMS keys with `ECC_SECG_P256K1` key pairs, specify `SIGN_VERIFY`.
+
+  * For asymmetric KMS keys with ML-DSA key pairs, specify `SIGN_VERIFY`.
@@ -322 +332,6 @@ You can ignore `ENABLED` when Origin is `EXTERNAL`. When a KMS key with Origin `
-AWS CloudFormation doesn't support creating an `Origin` parameter of the `AWS_CLOUDHSM` or `EXTERNAL_KEY_STORE` values.
+  * AWS CloudFormation doesn't support creating an `Origin` parameter of the `AWS_CLOUDHSM` or `EXTERNAL_KEY_STORE` values.
+
+  * `EXTERNAL` is not supported for ML-DSA keys.
+
+
+