AWS Security ChangesHomeSearch

AWS AWSCloudFormation medium security documentation change

Service: AWSCloudFormation · 2025-08-28 · Security-related medium

File: AWSCloudFormation/latest/TemplateReference/aws-resource-cognito-userpoolclient.md

Summary

Clarified allowed HTTP callback URLs to include 127.0.0.1 and ::1 with custom ports, and formatted code examples

Security assessment

The change explicitly restricts insecure HTTP usage to specific localhost variants and emphasizes testing purposes only. This clarifies security boundaries for callback URLs, reducing potential misconfigurations that could expose credentials or tokens over insecure channels.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-cognito-userpoolclient.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-cognito-userpoolclient.md
index 4a7cbc5d5..296dbf3c9 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-resource-cognito-userpoolclient.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-cognito-userpoolclient.md
@@ -231 +231 @@ See [OAuth 2.0 - Redirection Endpoint](https://tools.ietf.org/html/rfc6749#secti
-Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing purposes only.
+Amazon Cognito requires HTTPS over HTTP except for callback URLs to `http://localhost`, `http://127.0.0.1` and `http://[::1]`. These callback URLs are for testing purposes only. You can specify custom TCP ports for your callback URLs.
@@ -233 +233 @@ Amazon Cognito requires HTTPS over HTTP except for http://localhost for testing
-App callback URLs such as myapp://example are also supported.
+App callback URLs such as `myapp://example` are also supported.