AWS AWSCloudFormation medium security documentation change
Summary
Added documentation for GuardDuty IPSet/ThreatIntelSet 'ExpectedBucketOwner' property and formatted resource names
Security assessment
The 'ExpectedBucketOwner' property helps prevent S3 bucket ownership hijacking by explicitly validating the bucket owner. This addresses a potential security issue where unauthorized S3 buckets could be referenced. The documentation update explicitly describes this security control.
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/doc-history.md b/AWSCloudFormation/latest/TemplateReference/doc-history.md index 6ab89cc66..f4cb3fe6e 100644 --- a//AWSCloudFormation/latest/TemplateReference/doc-history.md +++ b//AWSCloudFormation/latest/TemplateReference/doc-history.md @@ -19,0 +20,7 @@ Change| Description| Date +[Updated resource](./aws-template-resource-type-ref.html#AWS_GuardDuty)| The following resources were updated: `AWS::GuardDuty::IPSet` and `AWS::GuardDuty::ThreatIntelSet` + +[AWS::GuardDuty::IPSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-guardduty-ipset.html) + Use `ExpectedBucketOwner` property to optionally provide the AWS account ID of the Amazon S3 bucket that owns the list location. +[AWS::GuardDuty::ThreatIntelSet](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-guardduty-threatintelset.html) + Use `ExpectedBucketOwner` property to optionally provide the AWS account ID of the Amazon S3 bucket that owns the list location. +| July 16, 2025 @@ -3678 +3685 @@ The following resources were added: AWS::AppSync::SourceApiAssociation -[Updated resource](./aws-template-resource-type-ref.html#AWS_GuardDuty)| The following resources were updated: AWS::GuardDuty::Filter, AWS::GuardDuty::IPSet, and AWS::GuardDuty::ThreatIntelSet +[Updated resource](./aws-template-resource-type-ref.html#AWS_GuardDuty)| The following resources were updated: `AWS::GuardDuty::Filter`, `AWS::GuardDuty::IPSet`, and `AWS::GuardDuty::ThreatIntelSet`