AWS cdk documentation change
Summary
Updated documentation for the 'requireApproval' CLI feature, clarifying its default behavior and redefining the 'any-change' and 'broadening' approval levels.
Security assessment
The change updates documentation for a security-related feature (approval of security-sensitive changes during deployment). It clarifies the scope of changes that trigger approval, which can help users avoid unintended security posture changes. However, there is no evidence of a specific security vulnerability being fixed.
Diff
diff --git a/cdk/v2/guide/cli.md b/cdk/v2/guide/cli.md index ae305256c..f9a2b059a 100644 --- a//cdk/v2/guide/cli.md +++ b//cdk/v2/guide/cli.md @@ -436 +436 @@ If your stack declares AWS CloudFormation outputs, these are normally displayed -To protect you against unintended changes that affect your security posture, the CDK CLI prompts you to approve security-related changes before deploying them. You can specify the level of change that requires approval: +To protect you against unintended changes that may affect your security posture, the CDK CLI by default prompts you to approve security-related changes before deploying them. You can specify the level of change that requires approval: @@ -446,2 +446,2 @@ Term | Meaning -`any-change` | Requires approval on any IAM or security-group-related change -`broadening` (default) | Requires approval when IAM statements or traffic rules are added; removals don’t require approval +`any-change` | Requires approval for any change to the stack +`broadening` (default) | Requires approval if changes involve a broadening of permissions or security group rules @@ -564 +564 @@ Key | Notes | CDK CLI option -`requireApproval` | Default approval level for security changes. See Approve security-related changes | `--require-approval` +`requireApproval` | Default approval level for changes that require manual approval. See Approve security-related changes. | `--require-approval`