AWS cli medium security documentation change
Summary
Added requirement for kms:Decrypt permissions when accessing encrypted Hook annotations and linked to KMS key policy documentation.
Security assessment
Explicitly stating the need for kms:Decrypt permissions addresses an access control requirement for encrypted data. This change directly relates to security by enforcing least-privilege access to sensitive Hook results, preventing unauthorized decryption of protected annotations.
Diff
diff --git a/cli/latest/reference/cloudformation/get-hook-result.md b/cli/latest/reference/cloudformation/get-hook-result.md index fe17589fd..9484b56b6 100644 --- a//cli/latest/reference/cloudformation/get-hook-result.md +++ b//cli/latest/reference/cloudformation/get-hook-result.md @@ -15 +15 @@ - * [AWS CLI 2.31.37 Command Reference](../../index.html) » + * [AWS CLI 2.31.39 Command Reference](../../index.html) » @@ -60,0 +61,2 @@ Retrieves detailed information and remediation guidance for a Hook invocation re +If the Hook uses a KMS key to encrypt annotations, callers of the `GetHookResult` operation must have `kms:Decrypt` permissions. For more information, see [KMS key policy and permissions for encrypting CloudFormation Hooks results at rest](https://docs.aws.amazon.com/cloudformation-cli/latest/hooks-userguide/hooks-kms-key-policy.html) in the _CloudFormation Hooks User Guide_ . + @@ -471 +473 @@ Annotations -> (list) - * [AWS CLI 2.31.37 Command Reference](../../index.html) » + * [AWS CLI 2.31.39 Command Reference](../../index.html) »