AWS Security ChangesHomeSearch

AWS cloudformation-cli documentation change

Service: cloudformation-cli · 2025-11-16 · Documentation medium

File: cloudformation-cli/latest/hooks-userguide/lambda-hooks-create-lambda-function.md

Summary

Added 'annotations' field to Hook response structure with security severity levels and remediation guidance

Security assessment

The change introduces documentation for security severity levels (INFORMATIONAL to CRITICAL) and remediation guidance in Hook responses, referencing AWS Security Hub's severity framework. While this enhances security documentation for reporting violations, there is no evidence of addressing a specific existing security vulnerability.

Diff

diff --git a/cloudformation-cli/latest/hooks-userguide/lambda-hooks-create-lambda-function.md b/cloudformation-cli/latest/hooks-userguide/lambda-hooks-create-lambda-function.md
index b39c5cb70..233d5aedc 100644
--- a//cloudformation-cli/latest/hooks-userguide/lambda-hooks-create-lambda-function.md
+++ b//cloudformation-cli/latest/hooks-userguide/lambda-hooks-create-lambda-function.md
@@ -63 +63 @@ The following is an example shape of the response Hooks expects:
-      "clientRequestToken": String
+      "clientRequestToken": String,
@@ -65,0 +66,10 @@ The following is an example shape of the response Hooks expects:
+      "annotations": [
+        {
+          "annotationName": String,
+          "status": "PASSED" or "FAILED" or "SKIPPED",
+          "statusMessage": String,
+          "remediationMessage": String,
+          "remediationLink": String,
+          "severityLevel": "INFORMATIONAL" or "LOW" or "MEDIUM" or "HIGH" or "CRITICAL"
+        }
+      ]
@@ -111,0 +122,39 @@ How long Hooks should wait to invoke this Hook again.
+annotations
+    
+
+An array of annotation objects that provide further details and remediation guidance. 
+
+annotationName
+    
+
+An identifier for the annotation.
+
+status
+    
+
+The Hook invocation status. This is helpful when annotations represent logic with pass/fail evaluation similar to a Guard rule. 
+
+_Valid values_ : (`PASSED` | `FAILED` | `SKIPPED`)
+
+statusMessage
+    
+
+Explanation for the specific status.
+
+remediationMessage
+    
+
+Suggestion for fixing a `FAILED` status. For example, if a resource is missing encryption, you can state how to add encryption to the resource configuration.
+
+remediationLink
+    
+
+An HTTP URL for additional remediation guidance.
+
+severityLevel
+    
+
+Defines the relative risk associated with any violations of this type. When assigning severity levels to your Hook invocation results, you can reference the AWS Security Hub [severity framework](https://docs.aws.amazon.com/securityhub/latest/userguide/asff-required-attributes.html#Severity) as an example of how to structure meaningful severity categories. 
+
+_Valid values_ : (`INFORMATIONAL` | `LOW` | `MEDIUM` | `HIGH` | `CRITICAL`)
+