AWS Security ChangesHomeSearch

AWS AWSCloudFormation documentation change

Service: AWSCloudFormation · 2025-11-13 · Documentation low

File: AWSCloudFormation/latest/TemplateReference/aws-resource-kms-key.md

Summary

Added clarification about message type requirements for ED25519 signing algorithms

Security assessment

While the change provides important cryptographic implementation details, it documents proper usage rather than addressing a specific security vulnerability. Ensures correct usage of security features but doesn't indicate a security fix.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-resource-kms-key.md b/AWSCloudFormation/latest/TemplateReference/aws-resource-kms-key.md
index 8b85a3dc6..08d5a172a 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-resource-kms-key.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-resource-kms-key.md
@@ -232,0 +233,4 @@ AWS KMS supports the following key specs for KMS keys:
+    * `ECC_NIST_EDWARDS25519` (ed25519) - signing and verification only
+
+      * **Note:** For ECC_NIST_EDWARDS25519 KMS keys, the ED25519_SHA_512 signing algorithm requires [`MessageType:RAW`](https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType), while ED25519_PH_SHA_512 requires [`MessageType:DIGEST`](https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html#KMS-Sign-request-MessageType). These message types cannot be used interchangeably.
+