AWS AWSCloudFormation medium security documentation change
Summary
Enhanced documentation for GuardDuty ThreatEntitySet resource with detailed property descriptions, activation requirements, ownership validation, and operational guidance
Security assessment
The change adds explicit validation that GuardDuty verifies S3 bucket ownership to prevent unauthorized data sources (security control against misconfiguration). It also documents threat detection activation (security feature) and malicious entity handling. The bucket ownership check specifically addresses a potential security vulnerability where using untrusted buckets could compromise detection integrity.
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-guardduty-threatentityset.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-guardduty-threatentityset.md index c2f8e1e8a..78f5619b2 100644 --- a//AWSCloudFormation/latest/TemplateReference/aws-resource-guardduty-threatentityset.md +++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-guardduty-threatentityset.md @@ -9 +9,3 @@ This is the new _AWS CloudFormation Template Reference Guide_. Please update you -Creates a new threat entity set. In a threat entity set, you can provide known malicious IP addresses and domains for your AWS environment. GuardDuty generates findings based on the entries in the threat entity sets. Only users of the administrator account can manage entity sets, which automatically apply to member accounts. +The `AWS::GuardDuty::ThreatEntitySet` resource helps you create a list of known malicious IP addresses and domain names in your AWS environment. Once you activate this list, GuardDuty will use the entries in this list as an additional source of threat detection and generate findings when there is an activity associated with these known malicious IP addresses and domain names. GuardDuty continues to monitor independently of this custom threat entity set. + +Only the users of the GuardDuty administrator account can manage this list. These settings automatically apply to the member accounts. @@ -52 +54 @@ To declare this entity in your AWS CloudFormation template, use the following sy -Property description not available. +A boolean value that determines if GuardDuty can start using this list for custom threat detection. For GuardDuty to consider the entries in this list and generate findings based on associated activity, this list must be active. @@ -63 +65,3 @@ _Required_ : No -Property description not available. +The unique regional detector ID of the GuardDuty account for which you want to create a threat entity set. + +To find the `detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API. @@ -78 +82,3 @@ _Required_ : No -Contains information on the owner of the bucket. +The AWS account ID that owns the Amazon S3 bucket specified in the _Location_ field. + +Whether or not you provide the account ID for this optional field, GuardDuty validates that the account ID associated with the `DetectorId` owns the S3 bucket in the `Location` field. If GuardDuty finds that this S3 bucket doesn't belong to the specified account ID, you will get an error at the time of activating this list. @@ -89 +95 @@ _Required_ : No -Property description not available. +The format of the file that contains the threat entity set. For information about supported formats, see [List formats](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html#prepare_list) in the _Amazon GuardDuty User Guide_. @@ -104 +110 @@ _Required_ : Yes -Property description not available. +The URI of the file that contains the threat entity set. @@ -119 +125 @@ _Required_ : Yes -Property description not available. +The user-friendly name to identify the threat entity set. Valid characters are alphanumeric, whitespace, dash (-), and underscores (_). @@ -130 +136,3 @@ _Required_ : No -Property description not available. +The tags to be added to a new threat entity set resource. Each tag consists of a key and an optional value, both of which you define. + +For more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html). @@ -141,0 +150,4 @@ _Required_ : No +When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the unique ID associated with the newly created threat entity set. + +For more information about using the `Ref` function, see [`Ref`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html). + @@ -143,0 +156,4 @@ _Required_ : No +The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. + +For more information about using the `Fn::GetAtt` intrinsic function, see [`Fn::GetAtt`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html). + @@ -149 +165 @@ _Required_ : No -Property description not available. +The timestamp when the threat entity set was created. @@ -154 +170,6 @@ Property description not available. -Property description not available. +The details associated with the **Error** status of your threat entity list. + +`Id` + + +Returns the unique ID associated with the newly created threat entity set. @@ -159 +180 @@ Property description not available. -Property description not available. +The status of your `ThreatEntitySet`. For information about valid status values, see [Understanding list statuses](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html#guardduty-entity-list-statuses) in the _Amazon GuardDuty User Guide_. @@ -164 +185 @@ Property description not available. -Property description not available. +The timestamp when the threat entity set was updated.