AWS Security ChangesHomeSearch

AWS eventbridge documentation change

Service: eventbridge · 2025-09-19 · Documentation low

File: eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md

Summary

Added clarification that events in pipes are never stored at rest and updated terminology from 'KMS key' to 'AWS KMS key'

Security assessment

The change adds documentation about encryption practices (data not stored at rest) and reinforces security best practices for KMS key policies. While security-related, there's no evidence this addresses a specific vulnerability or incident.

Diff

diff --git a/eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md b/eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md
index b7c212985..555f486b0 100644
--- a//eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md
+++ b//eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md
@@ -19,0 +20,2 @@ The pipe data EventBridge encrypts at rest includes:
+Events flowing through a pipe are never stored at rest.
+
@@ -55 +57 @@ The following example key policy provides the required permissions for a pipe:
-As a security best practice, we recommend you include condition keys in the key policy to helps ensure that EventBridge uses the KMS key only for the specified resource or account. For more information, see [Security considerations](./eb-encryption-key-policy.html#eb-encryption-event-bus-confused-deputy).
+As a security best practice, we recommend you include condition keys in the key policy to helps ensure that EventBridge uses the AWS KMS key only for the specified resource or account. For more information, see [Security considerations](./eb-encryption-key-policy.html#eb-encryption-event-bus-confused-deputy).