AWS Security ChangesHomeSearch

AWS cloudformation-cli medium security documentation change

Service: cloudformation-cli · 2026-02-13 · Security-related medium

File: cloudformation-cli/latest/hooks-userguide/hooks-kms-key-policy.md

Summary

Corrected KMS encryption context key in policy examples from 'account-id' to actual account ID format

Security assessment

Fixes incorrect KMS policy condition that could lead to overly permissive access if copied without correction. The change ensures proper encryption context validation for CloudFormation operations, addressing a potential misconfiguration risk.

Diff

diff --git a/cloudformation-cli/latest/hooks-userguide/hooks-kms-key-policy.md b/cloudformation-cli/latest/hooks-userguide/hooks-kms-key-policy.md
index bfe5cef30..c08982dbf 100644
--- a//cloudformation-cli/latest/hooks-userguide/hooks-kms-key-policy.md
+++ b//cloudformation-cli/latest/hooks-userguide/hooks-kms-key-policy.md
@@ -102 +102 @@ JSON
-              "kms:EncryptionContext:aws:cloudformation:account-id": "123456789012"
+              "kms:EncryptionContext:aws:cloudformation:123456789012": "123456789012"
@@ -155 +155 @@ JSON
-              "kms:EncryptionContext:aws:cloudformation:account-id": "123456789012"
+              "kms:EncryptionContext:aws:cloudformation:123456789012": "123456789012"
@@ -215 +215 @@ JSON
-              "kms:EncryptionContext:aws:cloudformation:account-id": "123456789012"
+              "kms:EncryptionContext:aws:cloudformation:123456789012": "123456789012"