AWS Security ChangesHomeSearch

AWS cloudformation-cli medium security documentation change

Service: cloudformation-cli · 2025-11-16 · Security-related medium

File: cloudformation-cli/latest/hooks-userguide/grant-iam-permissions-for-hooks.md

Summary

Updated IAM permission documentation with granular user permissions, added section for viewing detailed Hook invocation results, and included KMS encryption guidance

Security assessment

Added documentation for GetHookResult action and KMS encryption of invocation results. These changes address access control to sensitive operational data and encryption-at-rest security features. The KMS key policy reference specifically adds security documentation for data protection.

Diff

diff --git a/cloudformation-cli/latest/hooks-userguide/grant-iam-permissions-for-hooks.md b/cloudformation-cli/latest/hooks-userguide/grant-iam-permissions-for-hooks.md
index c289dcb91..b837d11b2 100644
--- a//cloudformation-cli/latest/hooks-userguide/grant-iam-permissions-for-hooks.md
+++ b//cloudformation-cli/latest/hooks-userguide/grant-iam-permissions-for-hooks.md
@@ -5 +5 @@
-Allow users to manage HooksAllow users to publish custom Hooks publiclyAllow users to request invocation results
+Allow a user to manage HooksAllow a user to publish custom Hooks publiclyAllow a user to view Hook invocation resultsAllow a user to view detailed Hook invocation results
@@ -22,0 +23,2 @@ This topic covers the permissions that are needed to do the following:
+  * View details for an invocation result – Access detailed information and remediation guidance for a specific Hook invocation result in your account.
+
@@ -30 +32,5 @@ As you create your IAM policies, you can find documentation for all of the actio
-  * Allow users to manage Hooks
+  * Allow a user to manage Hooks
+
+  * Allow a user to publish custom Hooks publicly
+
+  * Allow a user to view Hook invocation results
@@ -32 +38 @@ As you create your IAM policies, you can find documentation for all of the actio
-  * Allow users to publish custom Hooks publicly
+  * Allow a user to view detailed Hook invocation results
@@ -34 +40 @@ As you create your IAM policies, you can find documentation for all of the actio
-  * Allow users to request invocation results
+  * [AWS KMS key policy and permissions for encrypting AWS CloudFormation Hooks results at rest](./hooks-kms-key-policy.html)
@@ -39 +45 @@ As you create your IAM policies, you can find documentation for all of the actio
-## Allow users to manage Hooks
+## Allow a user to manage Hooks
@@ -80 +86 @@ Users who manage Hooks might need some related permissions, for example:
-## Allow users to publish custom Hooks publicly
+## Allow a user to publish custom Hooks publicly
@@ -116 +122 @@ JSON
-## Allow users to request invocation results
+## Allow a user to view Hook invocation results
@@ -118 +124,5 @@ JSON
-The IAM permissions needed to view Hook invocation results change depending on the API request being made. 
+The IAM permissions needed to view Hook invocation results change depending on the type of information being requested.
+
+### List Hook invocation results
+
+To list Hook invocation results, users need different permissions depending on the API request being made.
@@ -127 +137 @@ The IAM permissions needed to view Hook invocation results change depending on t
-The following shows an example of a basic permissions policy for requesting Hook invocation results. IAM identities (users or roles) with this policy have permission to request all invocation results using all available parameter combinations.
+The following shows an example of a basic permissions policy for listing Hook invocation results. IAM identities (users or roles) with this policy have permission to request all invocation results using all available parameter combinations.
@@ -151 +161 @@ JSON
-### Control which change sets can be specified
+#### Control which change sets can be specified
@@ -188 +198 @@ JSON
-### Control which Hooks can be specified
+#### Control which Hooks can be specified
@@ -236,0 +247,24 @@ JSON
+## Allow a user to view detailed Hook invocation results
+
+To grant permissions to view the detailed results of a specific Hook invocation, you must grant access to the `cloudformation:GetHookResult` action. This permission allows users to retrieve detailed information and remediation guidance for a specific Hook invocation result. For more information, see [GetHookResult](https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_GetHookResult.html) in the _AWS CloudFormation API Reference_.
+
+The following example IAM policy grants permissions to the `cloudformation:GetHookResult` action.
+    
+    
+    {
+      "Version": "2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Effect": "Allow",
+           "Action": [
+             "cloudformation:GetHookResult"
+          ],
+          "Resource": "*"
+        }
+      ]
+    }
+
+###### Note
+
+You can configure Hooks to encrypt detailed invocation results stored in the cloud with your own AWS KMS keys. For information about how to set up the key policy and IAM permissions that you need when you use a customer managed key for encryption, see [AWS KMS key policy and permissions for encrypting AWS CloudFormation Hooks results at rest](./hooks-kms-key-policy.html). 
+
@@ -245 +279 @@ Create Hooks using CloudFormation templates
-Document history
+AWS KMS key policy and permissions