AWS Security ChangesHomeSearch

AWS eventbridge documentation change

Service: eventbridge · 2025-06-19 · Documentation low

File: eventbridge/latest/userguide/eb-api-destinations.md

Summary

Replaced inline IAM policy JSON with a reference link and streamlined service-linked role explanation

Security assessment

The change restructures documentation about IAM permissions for API destinations but does not address a specific vulnerability. It continues to document security-related role permissions for Secrets Manager access.

Diff

diff --git a/eventbridge/latest/userguide/eb-api-destinations.md b/eventbridge/latest/userguide/eb-api-destinations.md
index 048329eb6..8eb080416 100644
--- a//eventbridge/latest/userguide/eb-api-destinations.md
+++ b//eventbridge/latest/userguide/eb-api-destinations.md
@@ -38,22 +38 @@ The following video demonstrates the use of API destinations:
-When you create a connection for an API destination, a service-linked role named **AWSServiceRoleForAmazonEventBridgeApiDestinations** is added to your account. EventBridge uses the service-linked role to create and store a secret in Secrets Manager. To grant the necessary permissions to the service-linked role, EventBridge attaches the **AmazonEventBridgeApiDestinationsServiceRolePolicy** policy to the role. The policy limits the permissions granted to only those necessary for the role to interact with the secret for the connection. No other permissions are included, and the role can interact only with the connections in your account to manage the secret.
-
-The following policy is the `AmazonEventBridgeApiDestinationsServiceRolePolicy`.
-    
-    
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Effect": "Allow",
-                "Action": [
-                    "secretsmanager:CreateSecret",
-                    "secretsmanager:UpdateSecret",
-                    "secretsmanager:DescribeSecret",
-                    "secretsmanager:DeleteSecret",
-                    "secretsmanager:GetSecretValue",
-                    "secretsmanager:PutSecretValue"
-                ],
-                "Resource": "arn:aws:secretsmanager:*:*:secret:events!connection/*"
-            }
-        ]
-    }
+When you create a connection for an API destination, the service-linked role [AmazonEventBridgeApiDestinationsServiceRolePolicy](./eb-use-identity-based.html#api-destination-slr-policy) is added to your account. EventBridge uses this service-linked role to create and store a secret in Secrets Manager. To grant the necessary permissions to the service-linked role, EventBridge attaches the **AmazonEventBridgeApiDestinationsServiceRolePolicy** policy to the role. The policy limits the permissions granted to only those necessary for the role to interact with the secret for the connection. No other permissions are included, and the role can interact only with the connections in your account to manage the secret.