AWS Security ChangesHomeSearch

AWS AWSCloudFormation documentation change

Service: AWSCloudFormation · 2026-07-04 · Documentation medium

File: AWSCloudFormation/latest/TemplateReference/aws-properties-s3-bucket-annotationtableconfiguration.md

Summary

Major documentation update for S3 annotation tables including encryption requirements, IAM roles, operational notes, and configuration examples

Security assessment

The change significantly enhances documentation about security features including SSE-KMS encryption requirements and IAM role permissions, but doesn't address any specific security vulnerability.

Diff

diff --git a/AWSCloudFormation/latest/TemplateReference/aws-properties-s3-bucket-annotationtableconfiguration.md b/AWSCloudFormation/latest/TemplateReference/aws-properties-s3-bucket-annotationtableconfiguration.md
index 24df7f0b2..7b78d6339 100644
--- a//AWSCloudFormation/latest/TemplateReference/aws-properties-s3-bucket-annotationtableconfiguration.md
+++ b//AWSCloudFormation/latest/TemplateReference/aws-properties-s3-bucket-annotationtableconfiguration.md
@@ -5 +5 @@
-SyntaxProperties
+SyntaxPropertiesExamples
@@ -11 +11,5 @@ This is the new _CloudFormation Template Reference Guide_. Please update your bo
-Specifies the configuration for the annotation table associated with a bucket's Amazon S3 Metadata configuration. The annotation table is an Iceberg table that records annotation events for objects in the bucket.
+The annotation table configuration for an S3 Metadata configuration. The annotation table tracks all annotations on objects in your bucket so that you can query annotation data at scale.
+
+###### Note
+
+If you've disabled your annotation table configuration and now want to re-enable it, you must first manually delete the old annotation table from your AWS managed table bucket. Otherwise, the newly re-enabled annotation table configuration will enter a failed state because the annotation table already exists in the table bucket.
@@ -45 +49 @@ To declare this entity in your CloudFormation template, use the following syntax
-The state of the annotation table. Valid values are `ENABLED` and `DISABLED`.
+Specifies whether the annotation table configuration is enabled or disabled.
@@ -58 +62 @@ _Required_ : Yes
-Property description not available.
+The encryption configuration for the annotation table. To encrypt your annotation table with server-side encryption using AWS Key Management Service (AWS KMS) keys (SSE-KMS), set `SseAlgorithm` to `aws:kms`. You must also set `KmsKeyArn` to the ARN of a customer managed KMS key in the same Region where your general purpose bucket is located.
@@ -69 +73 @@ _Required_ : No
-The ARN of the IAM role used to manage the annotation table.
+The ARN of the IAM role that grants Amazon S3 Metadata permission to read annotations from your bucket.
@@ -80 +84 @@ _Required_ : No
-Property description not available.
+The Amazon Resource Name (ARN) for the annotation table.
@@ -91 +95 @@ _Required_ : No
-Property description not available.
+The name of the annotation table.
@@ -98,0 +103,98 @@ _Required_ : No
+## Examples
+
+###### 
+
+  * Enable an annotation table with SSE-KMS encryption
+
+  * Disable an annotation table
+
+
+
+
+### Enable an annotation table with SSE-KMS encryption
+
+The following example enables an annotation table configuration with server-side encryption using AWS KMS keys (SSE-KMS) for a bucket that already has a metadata configuration.
+
+#### JSON
+    
+    
+    {
+      "Resources": {
+        "S3Bucket": {
+          "Type": "AWS::S3::Bucket",
+          "DeletionPolicy": "Retain",
+          "Properties": {
+            "BucketName": "amzn-s3-demo-bucket1",
+            "MetadataConfiguration": {
+              "AnnotationTableConfiguration": {
+                "ConfigurationState": "ENABLED",
+                "EncryptionConfiguration": {
+                  "SseAlgorithm": "aws:kms",
+                  "KmsKeyArn": "arn:aws:kms:us-east-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab"
+                },
+                "Role": "arn:aws:iam::123456789012:role/my-annotation-role"
+              }
+            }
+          }
+        }
+      }
+    }
+          
+
+#### YAML
+    
+    
+    Resources:
+      S3Bucket:
+        Type: AWS::S3::Bucket
+        DeletionPolicy: Retain
+        Properties:
+          BucketName: amzn-s3-demo-bucket1
+          MetadataConfiguration:
+            AnnotationTableConfiguration:
+              ConfigurationState: ENABLED
+              EncryptionConfiguration:
+                SseAlgorithm: 'aws:kms'
+                KmsKeyArn: arn:aws:kms:us-east-2:123456789012:key/1234abcd-12ab-34cd-56ef-1234567890ab
+              Role: arn:aws:iam::123456789012:role/my-annotation-role
+          
+
+### Disable an annotation table
+
+The following example disables an annotation table configuration. Disabling the annotation table doesn't delete it. The annotation table is retained for your records until you decide to delete it.
+
+#### JSON
+    
+    
+    {
+      "Resources": {
+        "S3Bucket": {
+          "Type": "AWS::S3::Bucket",
+          "DeletionPolicy": "Retain",
+          "Properties": {
+            "BucketName": "amzn-s3-demo-bucket1",
+            "MetadataConfiguration": {
+              "AnnotationTableConfiguration": {
+                "ConfigurationState": "DISABLED"
+              }
+            }
+          }
+        }
+      }
+    }
+          
+
+#### YAML
+    
+    
+    Resources:
+      S3Bucket:
+        Type: AWS::S3::Bucket
+        DeletionPolicy: Retain
+        Properties:
+          BucketName: amzn-s3-demo-bucket1
+          MetadataConfiguration:
+            AnnotationTableConfiguration:
+              ConfigurationState: DISABLED
+          
+