AWS Security ChangesHomeSearch

AWS AWSCloudFormation medium security documentation change

Service: AWSCloudFormation · 2025-08-22 · Security-related medium

File: AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucketpolicy.md

Summary

Added requirement that CloudFormation stacks modifying cross-region S3 bucket policies must be deployed in us-east-1 Region

Security assessment

Specifies a security precaution by enforcing deployment in a specific Region to maintain control over cross-region bucket policy modifications

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucketpolicy.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucketpolicy.md
index 7a146fed4..109687068 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucketpolicy.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucketpolicy.md
@@ -17 +17 @@ As a security precaution, the root user of the AWS account that owns a bucket ca
-When using the `AWS::S3::BucketPolicy` resource, you can create, update, and delete bucket policies for S3 buckets located in regions different from the stack's region. This cross-region bucket policy modification functionality is supported for backward compatibility with existing workflows.
+When using the `AWS::S3::BucketPolicy` resource, you can create, update, and delete bucket policies for S3 buckets located in Regions that are different from the stack's Region. However, the CloudFormation stacks should be deployed in the US East (N. Virginia) or `us-east-1` Region. This cross-region bucket policy modification functionality is supported for backward compatibility with existing workflows.