AWS Security ChangesHomeSearch

AWS AWSCloudFormation documentation change

Service: AWSCloudFormation · 2025-09-19 · Documentation medium

File: AWSCloudFormation/latest/UserGuide/registry-public.md

Summary

Added IAM role trust policy example with security best practices for CloudFormation extensions

Security assessment

Demonstrates secure IAM configuration with principal restrictions, source account validation, and ARN constraints. While improving security posture, this is a routine documentation enhancement rather than addressing a specific vulnerability.

Diff

diff --git a/AWSCloudFormation/latest/UserGuide/registry-public.md b/AWSCloudFormation/latest/UserGuide/registry-public.md
index 638cb8c34..3f2de50b9 100644
--- a//AWSCloudFormation/latest/UserGuide/registry-public.md
+++ b//AWSCloudFormation/latest/UserGuide/registry-public.md
@@ -100,0 +101,32 @@ The following is an example IAM role trust policy for a Hook extension.
+JSON
+    
+
+****
+    
+    
+    
+    {
+        "Version": "2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Principal": {
+                    "Service": [
+                        "resources.cloudformation.amazonaws.com",
+                        "hooks.cloudformation.amazonaws.com"
+                    ]
+                },
+                "Action": "sts:AssumeRole",
+                "Condition": {
+                    "StringEquals": {
+                        "aws:SourceAccount": "123456789012"
+                    },
+                    "ArnLike": {
+                        "aws:SourceArn": "arn:aws:cloudformation:us-west-2:123456789012:type/hook/Organization-Service-Hook"
+                    }
+                }
+            }
+        ]
+    }
+    
+