AWS Security ChangesHomeSearch

AWS cdk documentation change

Service: cdk · 2026-03-28 · Documentation low

File: cdk/v2/guide/cli.md

Summary

Updated documentation for the 'requireApproval' CLI feature, clarifying its default behavior and redefining the 'any-change' and 'broadening' approval levels.

Security assessment

The change updates documentation for a security-related feature (approval of security-sensitive changes during deployment). It clarifies the scope of changes that trigger approval, which can help users avoid unintended security posture changes. However, there is no evidence of a specific security vulnerability being fixed.

Diff

diff --git a/cdk/v2/guide/cli.md b/cdk/v2/guide/cli.md
index ae305256c..f9a2b059a 100644
--- a//cdk/v2/guide/cli.md
+++ b//cdk/v2/guide/cli.md
@@ -436 +436 @@ If your stack declares AWS CloudFormation outputs, these are normally displayed
-To protect you against unintended changes that affect your security posture, the CDK CLI prompts you to approve security-related changes before deploying them. You can specify the level of change that requires approval:
+To protect you against unintended changes that may affect your security posture, the CDK CLI by default prompts you to approve security-related changes before deploying them. You can specify the level of change that requires approval:
@@ -446,2 +446,2 @@ Term | Meaning
-`any-change` |  Requires approval on any IAM or security-group-related change  
-`broadening` (default) |  Requires approval when IAM statements or traffic rules are added; removals don’t require approval  
+`any-change` |  Requires approval for any change to the stack  
+`broadening` (default) |  Requires approval if changes involve a broadening of permissions or security group rules  
@@ -564 +564 @@ Key | Notes | CDK CLI option
-`requireApproval` |  Default approval level for security changes. See Approve security-related changes |  `--require-approval`  
+`requireApproval` |  Default approval level for changes that require manual approval. See Approve security-related changes. |  `--require-approval`