AWS Security ChangesHomeSearch

AWS whitepapers documentation change

Service: whitepapers · 2025-11-19 · Documentation low

File: whitepapers/latest/building-a-data-perimeter-on-aws/perimeter-implementation.md

Summary

Replaced 'AWS CloudFormation' with 'CloudFormation' in multiple instances for terminology consistency.

Security assessment

The changes are editorial adjustments to service naming conventions. The security context (VPC endpoint policies, SCPs, and FAS exceptions) remains unaltered. No new security guidance or vulnerability mitigation was introduced.

Diff

diff --git a/whitepapers/latest/building-a-data-perimeter-on-aws/perimeter-implementation.md b/whitepapers/latest/building-a-data-perimeter-on-aws/perimeter-implementation.md
index d930dadd4..299c9ad08 100644
--- a//whitepapers/latest/building-a-data-perimeter-on-aws/perimeter-implementation.md
+++ b//whitepapers/latest/building-a-data-perimeter-on-aws/perimeter-implementation.md
@@ -45 +45 @@ Using VPC endpoint policies in this way can be considered a defense in depth app
-In some cases, you might need to directly access resources outside of _my AWS_. These could be Amazon S3 buckets that AWS provides for things like Amazon Linux packages, CloudWatch agent installation, or public data repositories. They could also be resources like [public SSM parameters](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-public-parameters.html). When you use [`cfn-hup`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-hup.html), it supports the `on.command` hook, which allows you to use Amazon SQS messages to invoke the `cfn-hup` actions. This is used by AWS Elastic Beanstalk environments where the `cfn-hup` daemon retrieves an AWS CloudFormation specific credential to query an Amazon SQS queue owned by AWS. Remember that SCPs don’t apply to SLRs or AWS service principals, so when you need to create exceptions to allow them to access resources from your VPCs, you’ll need to use VPC endpoint policies. For example, in order to use AWS CloudFormation wait condition signaling, which uses an Amazon S3 presigned URL to a bucket owned by AWS, you have to create an exception to allow this access in a VPC endpoint policy. 
+In some cases, you might need to directly access resources outside of _my AWS_. These could be Amazon S3 buckets that AWS provides for things like Amazon Linux packages, CloudWatch agent installation, or public data repositories. They could also be resources like [public SSM parameters](https://docs.aws.amazon.com/systems-manager/latest/userguide/parameter-store-public-parameters.html). When you use [`cfn-hup`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-hup.html), it supports the `on.command` hook, which allows you to use Amazon SQS messages to invoke the `cfn-hup` actions. This is used by AWS Elastic Beanstalk environments where the `cfn-hup` daemon retrieves an CloudFormation specific credential to query an Amazon SQS queue owned by AWS. Remember that SCPs don’t apply to SLRs or AWS service principals, so when you need to create exceptions to allow them to access resources from your VPCs, you’ll need to use VPC endpoint policies. For example, in order to use CloudFormation wait condition signaling, which uses an Amazon S3 presigned URL to a bucket owned by AWS, you have to create an exception to allow this access in a VPC endpoint policy. 
@@ -65 +65 @@ Applying a similar constraint with an RCP can also be considered a defense in de
-There are several scenarios where AWS will act on your behalf with your IAM credentials from networks that AWS owns that will require exceptions to these policies. For example, you can use AWS CloudFormation to define a template of resources for which AWS orchestrates the creation, update, and deletion. The initial request to create a AWS CloudFormation stack will originate from an expected network, but the subsequent requests for each resource in the template are made by the AWS CloudFormation service in an AWS network using your credentials with [forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) (FAS) or a [service role for AWS CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html) that you’ve specified. This situation also occurs when you use Athena to [run queries on CloudTrail logs](https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html). The `aws:ViaAWSService` IAM policy condition provides a way to implement an exception for scenarios where FAS is used in requests made by AWS on your behalf. 
+There are several scenarios where AWS will act on your behalf with your IAM credentials from networks that AWS owns that will require exceptions to these policies. For example, you can use CloudFormation to define a template of resources for which AWS orchestrates the creation, update, and deletion. The initial request to create a CloudFormation stack will originate from an expected network, but the subsequent requests for each resource in the template are made by the CloudFormation service in an AWS network using your credentials with [forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html) (FAS) or a [service role for CloudFormation](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-iam-servicerole.html) that you’ve specified. This situation also occurs when you use Athena to [run queries on CloudTrail logs](https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html). The `aws:ViaAWSService` IAM policy condition provides a way to implement an exception for scenarios where FAS is used in requests made by AWS on your behalf.