AWS Security ChangesHomeSearch

AWS AWSCloudFormation medium security documentation change

Service: AWSCloudFormation · 2025-10-16 · Security-related medium

File: AWSCloudFormation/latest/TemplateReference/aws-properties-transfer-connector-sftpconfig.md

Summary

Added documentation about required trusted host key format for VPC_LATTICE connectors, specifying removal of hostname from key entries

Security assessment

The change enforces proper host key validation format for VPC_LATTICE connectors to prevent potential man-in-the-middle attacks by ensuring keys are verified correctly without hostnames. This addresses a security configuration best practice.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-properties-transfer-connector-sftpconfig.md b/AWSCloudFormation/latest/TemplateReference/aws-properties-transfer-connector-sftpconfig.md
index da021d2f3..d7e76c4fe 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-properties-transfer-connector-sftpconfig.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-properties-transfer-connector-sftpconfig.md
@@ -65,0 +66,2 @@ The public portion of the host key, or keys, that are used to identify the exter
+When creating connectors with egress config (VPC_LATTICE type connectors), since host name is not something we can verify, the only accepted trusted host key format is `key-type key-body` without the host name. For example: `ssh-rsa AAAAB3Nza...<long-string-for-public-key>`
+
@@ -83 +85 @@ This prints the public host key to standard output.
-`ftp.host.com ssh-rsa AAAAB3Nza...<long-string-for-public-key`
+`ftp.host.com ssh-rsa AAAAB3Nza...<long-string-for-public-key>`
@@ -86,0 +89,2 @@ Copy and paste this string into the `TrustedHostKeys` field for the `create-conn
+For VPC Lattice type connectors (VPC_LATTICE), remove the hostname from the key and use only the `key-type key-body` format. In this example, it should be: `ssh-rsa AAAAB3Nza...<long-string-for-public-key>`
+