Add security considerations note to cfn package docs#10371
Merged
aemous merged 1 commit intoJun 4, 2026
Conversation
Add a warning callout to the `aws cloudformation package` reference documentation clarifying that the command treats the supplied template as trusted build input. Paths referenced by template properties such as CodeUri, ContentUri, TemplateURL, and the AWS::Include Location are resolved against the local filesystem and uploaded to S3 using the invoking user's AWS credentials and OS identity, with no constraint to the template's directory. Users should not run the command against templates from untrusted sources.
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## develop #10371 +/- ##
===========================================
+ Coverage 93.39% 93.42% +0.03%
===========================================
Files 210 211 +1
Lines 17052 17312 +260
===========================================
+ Hits 15925 16174 +249
- Misses 1127 1138 +11 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
2 tasks
aemous
approved these changes
Jun 4, 2026
aemous
left a comment
aemous
left a comment
Contributor
There was a problem hiding this comment.
LGTM, thanks for your contribution
aemous
added
cloudformation
v1
documentation
aws-sdk-python-automation
added a commit
that referenced
this pull request
Jun 5, 2026
* release-1.45.24: Bumping version to 1.45.24 Update changelog based on model updates Add security considerations note to cfn package docs (#10371)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issue #, if available:
Description of changes:
Adds a security-considerations warning to the
aws cloudformation packagereference documentation (rendered at https://docs.aws.amazon.com/cli/latest/reference/cloudformation/package.html, sourced fromawscli/examples/cloudformation/_package_description.rst).The note clarifies that the command treats the supplied CloudFormation template as trusted build input: properties such as
CodeUri,ContentUri,TemplateURL, and theAWS::IncludeLocationparameter cause the CLI to read files from the local filesystem at the paths the template specifies and upload them to the user-provided S3 bucket under the invoking user's AWS credentials and OS identity. Paths in the template are not constrained to the template's directory — relative paths that traverse above it (e.g.CodeUri: ../src/my-function) are supported by design for monorepo, shared-fragment, and nested-stack layouts. The note advises users not to run the command against templates from untrusted sources.This is a documentation-only change; no behavior changes and no changelog entry is required (matching the precedent of #9316).
Generated by AI tools, and reviewed by Roger Zhang.
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.