AWS Security ChangesHomeSearch

AWS cli medium security documentation change

Service: cli · 2025-11-19 · Security-related medium

File: cli/latest/reference/cloudformation/get-hook-result.md

Summary

Added requirement for kms:Decrypt permissions when accessing encrypted Hook annotations and linked to KMS key policy documentation.

Security assessment

Explicitly stating the need for kms:Decrypt permissions addresses an access control requirement for encrypted data. This change directly relates to security by enforcing least-privilege access to sensitive Hook results, preventing unauthorized decryption of protected annotations.

Diff

diff --git a/cli/latest/reference/cloudformation/get-hook-result.md b/cli/latest/reference/cloudformation/get-hook-result.md
index fe17589fd..9484b56b6 100644
--- a//cli/latest/reference/cloudformation/get-hook-result.md
+++ b//cli/latest/reference/cloudformation/get-hook-result.md
@@ -15 +15 @@
-  * [AWS CLI 2.31.37 Command Reference](../../index.html) »
+  * [AWS CLI 2.31.39 Command Reference](../../index.html) »
@@ -60,0 +61,2 @@ Retrieves detailed information and remediation guidance for a Hook invocation re
+If the Hook uses a KMS key to encrypt annotations, callers of the `GetHookResult` operation must have `kms:Decrypt` permissions. For more information, see [KMS key policy and permissions for encrypting CloudFormation Hooks results at rest](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-kms-key-policy.html) in the _CloudFormation Hooks User Guide_ .
+
@@ -471 +473 @@ Annotations -> (list)
-  * [AWS CLI 2.31.37 Command Reference](../../index.html) »
+  * [AWS CLI 2.31.39 Command Reference](../../index.html) »