AWS eventbridge documentation change
Summary
Added clarification that events in pipes are never stored at rest and updated terminology from 'KMS key' to 'AWS KMS key'
Security assessment
The change adds documentation about encryption practices (data not stored at rest) and reinforces security best practices for KMS key policies. While security-related, there's no evidence this addresses a specific vulnerability or incident.
Diff
diff --git a/eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md b/eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md index b7c212985..555f486b0 100644 --- a//eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md +++ b//eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md @@ -19,0 +20,2 @@ The pipe data EventBridge encrypts at rest includes: +Events flowing through a pipe are never stored at rest. + @@ -55 +57 @@ The following example key policy provides the required permissions for a pipe: -As a security best practice, we recommend you include condition keys in the key policy to helps ensure that EventBridge uses the KMS key only for the specified resource or account. For more information, see [Security considerations](./eb-encryption-key-policy.html#eb-encryption-event-bus-confused-deputy). +As a security best practice, we recommend you include condition keys in the key policy to helps ensure that EventBridge uses the AWS KMS key only for the specified resource or account. For more information, see [Security considerations](./eb-encryption-key-policy.html#eb-encryption-event-bus-confused-deputy).