AWS Security ChangesHomeSearch

AWS AWSCloudFormation high security documentation change

Service: AWSCloudFormation · 2025-08-19 · Security-related high

File: AWSCloudFormation/latest/TemplateReference/aws-resource-guardduty-trustedentityset.md

Summary

Enhanced documentation for GuardDuty TrustedEntitySet resource with details about threat detection suppression, ownership validation, status tracking, and usage guidance.

Security assessment

The changes explicitly document security controls for allow-listing trusted IPs/domains to suppress GuardDuty findings. Added validation that GuardDuty verifies S3 bucket ownership to prevent misconfigurations, and clarifies security implications of list activation status. These changes directly impact security posture by preventing false negatives in threat detection.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-guardduty-trustedentityset.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-guardduty-trustedentityset.md
index 97d9a516e..6a40cd26b 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-resource-guardduty-trustedentityset.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-guardduty-trustedentityset.md
@@ -9 +9 @@ This is the new _AWS CloudFormation Template Reference Guide_. Please update you
-Creates a new trusted entity set. In the trusted entity set, you can provide IP addresses and domains that you believe are secure for communication in your AWS environment. GuardDuty will not generate findings for the entries that are specified in a trusted entity set. At any given time, you can have only one trusted entity set. 
+The `AWS::GuardDuty::TrustedEntitySet` resource helps you create a list of IP addresses and domain names that you can use for secure communication with your AWS infrastructure and applications. Once you activate this list, GuardDuty will not generate findings when there is an activity associated with these safe IP addresses and domain names. At any given time, you can have only one trusted entity set. 
@@ -11 +11 @@ Creates a new trusted entity set. In the trusted entity set, you can provide IP
-Only users of the administrator account can manage the entity sets, which automatically apply to member accounts.
+Only the users of the GuardDuty administrator account can manage the entity sets. These settings automatically apply member accounts.
@@ -54 +54 @@ To declare this entity in your AWS CloudFormation template, use the following sy
-Property description not available.
+A boolean value that determines if GuardDuty can start using this list for custom threat detection. For GuardDuty to prevent generating findings based on an activity associated with these entries, this list must be active.
@@ -65 +65,3 @@ _Required_ : No
-Property description not available.
+The unique regional detector ID of the GuardDuty account for which you want to create a trusted entity set.
+
+To find the `detectorId` in the current Region, see the Settings page in the GuardDuty console, or run the [ListDetectors](https://docs.aws.amazon.com/guardduty/latest/APIReference/API_ListDetectors.html) API.
@@ -80 +82,3 @@ _Required_ : No
-Contains information on the owner of the bucket.
+The AWS account ID that owns the Amazon S3 bucket specified in the _Location_ field. 
+
+Whether or not you provide the account ID for this optional field, GuardDuty validates that the account ID associated with the `DetectorId` value owns the S3 bucket in the `Location` field. If GuardDuty finds that this S3 bucket doesn't belong to the specified account ID, you will get an error at the time of activating this list.
@@ -91 +95 @@ _Required_ : No
-Property description not available.
+The format of the file that contains the trusted entity set. For information about supported formats, see [List formats](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html#prepare_list) in the _Amazon GuardDuty User Guide_.
@@ -106 +110 @@ _Required_ : Yes
-Property description not available.
+The URI of the file that contains the trusted entity set.
@@ -121 +125 @@ _Required_ : Yes
-Property description not available.
+A user-friendly name to identify the trusted entity set. Valid characters include lowercase letters, uppercase letters, numbers, dash(-), and underscore (_).
@@ -132 +136,3 @@ _Required_ : No
-Property description not available.
+The tags to be added to a new trusted entity set resource. Each tag consists of a key and an optional value, both of which you define.
+
+For more information, see [Tag](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-resource-tags.html).
@@ -143,0 +150,4 @@ _Required_ : No
+When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the unique ID of the `TrustedEntitySet`. 
+
+For more information about using the `Ref` function, see [`Ref`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-ref.html).
+
@@ -145,0 +156,4 @@ _Required_ : No
+The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
+
+For more information about using the `Fn::GetAtt` intrinsic function, see [`Fn::GetAtt`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-getatt.html).
+
@@ -151 +165 @@ _Required_ : No
-Property description not available.
+The timestamp when the trusted entity set was created.
@@ -156 +170 @@ Property description not available.
-Property description not available.
+Specifies the error details when the status of the trusted entity set shows as **Error**.
@@ -161 +175 @@ Property description not available.
-Property description not available.
+The status of your `TrustedEntitySet`. For information about valid status values, see [Understanding list statuses](https://docs.aws.amazon.com/guardduty/latest/ug/guardduty_upload-lists.html#guardduty-entity-list-statuses) in the _Amazon GuardDuty User Guide_.
@@ -166 +180 @@ Property description not available.
-Property description not available.
+The timestamp when the trusted entity set was updated.