AWS AmazonCloudWatch documentation change
Summary
Updated Secrets Manager integration documentation: corrected capitalization in secret reference format and added 'DescribeSecret' permission requirement.
Security assessment
The change clarifies proper secret reference format and adds a required permission (DescribeSecret) for secure secret retrieval. While it improves security documentation, there's no evidence of a specific vulnerability being addressed.
Diff
diff --git a/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_MultiCheck_Blueprint.md b/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_MultiCheck_Blueprint.md index e8fa96739..715d29dcf 100644 --- a//AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_MultiCheck_Blueprint.md +++ b//AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_MultiCheck_Blueprint.md @@ -248 +248 @@ Synthetics refreshes OAuth tokens when a 401 or 407 response is returned. -To avoid storing secret values (such as passwords or API keys) in plain text, Synthetics provides an integration with AWS Secrets Manager. You can reference an entire secret value in your blueprint configuration with the format ` ${aws_SECRET:<secret_name>}`, or to reference a particular key ` ${aws_SECRET:<secret_name>:<secret_key>}`. +To avoid storing secret values (such as passwords or API keys) in plain text, Synthetics provides an integration with AWS Secrets Manager. You can reference an entire secret value in your blueprint configuration with the format ` ${AWS_SECRET:<secret_name>}`, or to reference a particular key ` ${AWS_SECRET:<secret_name>:<secret_key>}`. @@ -269 +269 @@ You can reference the username and password in your blueprint configuration as f -To allow Synthetics to retrieve the specified secret, the role ARN assumed by the canary needs to have secretsManager:GetSecretValue permissions. If the secret is encrypted using a customer-managed key instead of the AWS managed key AWS/secretsmanager, then you also need kms:Decrypt permissions for that key. +To allow Synthetics to retrieve the specified secret, the role ARN assumed by the canary needs to have both `secretsmanager:GetSecretValue` and `secretsmanager:DescribeSecret` permissions. If the secret is encrypted using a customer-managed key instead of the AWS managed key AWS/secretsmanager, then you also need kms:Decrypt permissions for that key. @@ -279 +279,4 @@ Example permissions: - "Action": "secretsmanager:GetSecretValue", + "Action": [ + "secretsmanager:GetSecretValue", + "secretsmanager:DescribeSecret" + ],