AWS Security ChangesHomeSearch

AWS eventbridge high security documentation change

Service: eventbridge · 2025-08-16 · Security-related high

File: eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md

Summary

Updated KMS key policy examples with specific account IDs, fixed policy syntax (ForAnyValue vs ForAnyValues), and corrected role ARN typo

Security assessment

The change corrects a critical policy syntax error (ForAnyValue vs ForAnyValues) in KMS encryption context conditions, which could lead to misconfigured encryption policies. Fixing policy syntax ensures proper enforcement of encryption requirements for EventBridge Pipes.

Diff

diff --git a/eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md b/eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md
index 94856ea86..45935501d 100644
--- a//eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md
+++ b//eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md
@@ -71 +71 @@ JSON
-            "AWS": "arn:aws:iam::account-id:role/pipe-execution-role"
+          "AWS": "arn:aws:iam::123456789012:role/pipe-execution-role"
@@ -81 +81 @@ JSON
-            "AWS": "arn:aws:iam::account-id:role/pipe-execution-role"
+          "AWS": "arn:aws:iam::123456789012:role/pipe-execution-rolee"
@@ -90 +90 @@ JSON
-              "kms:EncryptionContext:aws:pipe:arn": "arn:aws:pipes:region:account-id:pipe/pipe-name"
+            "kms:EncryptionContext:aws:pipe:arn": "arn:aws:pipes:us-east-1:123456789012:pipe/pipe-name"
@@ -92 +92 @@ JSON
-            "ForAnyValues:StringEquals": { // Requires that only PipeArn is passed in the encryption context
+            "ForAnyValue:StringEquals": {