AWS AWSCloudFormation medium security documentation change
Summary
Added requirement that CloudFormation stacks modifying cross-region S3 bucket policies must be deployed in us-east-1 Region
Security assessment
Specifies a security precaution by enforcing deployment in a specific Region to maintain control over cross-region bucket policy modifications
Diff
diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucketpolicy.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucketpolicy.md index 7a146fed4..109687068 100644 --- a//AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucketpolicy.md +++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-s3-bucketpolicy.md @@ -17 +17 @@ As a security precaution, the root user of the AWS account that owns a bucket ca -When using the `AWS::S3::BucketPolicy` resource, you can create, update, and delete bucket policies for S3 buckets located in regions different from the stack's region. This cross-region bucket policy modification functionality is supported for backward compatibility with existing workflows. +When using the `AWS::S3::BucketPolicy` resource, you can create, update, and delete bucket policies for S3 buckets located in Regions that are different from the stack's Region. However, the CloudFormation stacks should be deployed in the US East (N. Virginia) or `us-east-1` Region. This cross-region bucket policy modification functionality is supported for backward compatibility with existing workflows.