AWS Security ChangesHomeSearch

AWS eventbridge documentation change

Service: eventbridge · 2025-09-19 · Documentation low

File: eventbridge/latest/userguide/eb-encryption-event-bus-cmkey-configure.md

Summary

Expanded instructions for configuring event bus encryption keys, including key rotation scenarios and decryption/re-encryption process details

Security assessment

The changes improve operational guidance for managing encryption keys but do not address a specific security vulnerability. The added details about key rotation and data re-encryption processes enhance security documentation without indicating a prior security flaw.

Diff

diff --git a/eventbridge/latest/userguide/eb-encryption-event-bus-cmkey-configure.md b/eventbridge/latest/userguide/eb-encryption-event-bus-cmkey-configure.md
index bdd5e54cc..0ab29a6f9 100644
--- a//eventbridge/latest/userguide/eb-encryption-event-bus-cmkey-configure.md
+++ b//eventbridge/latest/userguide/eb-encryption-event-bus-cmkey-configure.md
@@ -9 +9 @@ Set encryption when creating an event busUpdate encryption on an event bus
-You can specify the KMS key for EventBridge to use when you create or update an event bus. You can also update the default event bus to use a customer managed key for custom and partner events as well. 
+You can specify the KMS key for EventBridge to use when you create or update an event bus. You can also update the default event bus to use a customer managed key as well. 
@@ -35 +35,12 @@ Optionally, use `dead-letter-config` to specify a dead-letter queue (DLQ).
-You can update the AWS KMS key being used for encryption at rest on an existing event bus. This includes changing from the default AWS owned key to a customer managed key, from a customer managed key to the default AWS owned key, or from one customer managed key to another.
+You can update the AWS KMS key being used for encryption at rest on an existing event bus. This includes:
+
+  * Changing from the default AWS owned key to a customer managed key.
+
+  * Changing from a customer managed key to the default AWS owned key.
+
+  * Changing from one customer managed key to another.
+
+
+
+
+When you update an event bus to use a different AWS KMS key, EventBridge decrypts any data stored on the event bus and then encrypts it using the new key.
@@ -96 +107 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please
-Encrypting events
+Encrypting event buses