AWS Security ChangesHomeSearch

AWS eventbridge documentation change

Service: eventbridge · 2025-02-26 · Documentation low

File: eventbridge/latest/userguide/eb-encryption-key-policy.md

Summary

Removed detailed KMS key policy examples and condensed security guidance under 'Security when using customer managed keys for EventBridge encryption'

Security assessment

Change restructures security documentation to emphasize best practices for customer-managed keys, but doesn't indicate a specific security issue. Adds security documentation by consolidating security considerations.

Diff

diff --git a/eventbridge/latest/userguide/eb-encryption-key-policy.md
index 35026404a..7e388d771 100644
--- a/eventbridge/latest/userguide/eb-encryption-key-policy.md
+++ b/eventbridge/latest/userguide/eb-encryption-key-policy.md
@@ -3 +3 @@
-Event bus key policyPipe key policySecurity considerations
+Security considerations
@@ -30,146 +30 @@ EventBridge uses this for event pattern matching; users never have access to the
-## AWS KMS key policy for an event bus
-
-The following example key policy provides the required permissions for an event bus:
-
-  * `kms:DescribeKey`
-
-  * `kms:GenerateDataKey`
-
-  * `kms:Decrypt`
-
-
-
-    
-    
-    {
-      "Sid": "Allow EventBridge to encrypt events",
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "events.amazonaws.com"
-      },
-      "Action": [
-        "kms:DescribeKey",
-        "kms:GenerateDataKey",
-        "kms:Decrypt"
-      ]
-      "Resource": "*",
-      "Condition": {
-        "StringEquals": {
-            "kms:EncryptionContext:aws:events:event-bus:arn": "arn:aws:events:region:account-id:event-bus/event-bus-arn",
-            "aws:SourceArn": "arn:aws:events:region:account-id:event-bus/event-bus-name"
-        }
-      }
-    }
-
-## AWS KMS key policy for EventBridge Pipes
-
-The following example key policy provides the required permissions for a pipe:
-
-  * `kms:DescribeKey`
-
-  * `kms:GenerateDataKey`
-
-  * `kms:Decrypt`
-
-
-
-    
-    
-    {
-      "Id": "CMKKeyPolicy",
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Effect": "Allow",
-          "Principal": {
-            "AWS": "arn:aws:iam::account-id:role/pipe-execution-role"
-          },
-          "Action": [
-            "kms:GenerateDataKey",
-            "kms:Decrypt",
-            "kms:DescribeKey"
-          ],
-          "Resource": "*",
-          "Condition": {
-            "ArnLike": {
-              "kms:EncryptionContext:aws:pipe:arn": "arn:aws:pipes:region:account-id:pipe/pipe-name"
-            },
-            "ForAnyValues:StringEquals": { // Requires that only PipeArn is passed in the encryption context
-              "kms:EncryptionContextKeys": [
-                "aws:pipe:arn"
-              ]
-            }
-          }
-        }
-      ]
-    }
-    
-
-### Permissions for pipe logs that include execution data
-
-If you have configured pipes logging to include execution data, the key policy must include the following permissions for the logging service:
-
-  * `kms:Decrypt`
-
-  * `kms:GenerateDataKey`
-
-
-
-
-For more information, see [Including execution data in EventBridge Pipes logs](./eb-pipes-logs.html#eb-pipes-logs-execution-data).
-
-The following example key policy provides the required permissions for pipes logging:
-    
-    
-    {
-      "Sid": "Enable log service encryption",
-      "Effect": "Allow",
-      "Principal": {
-        "Service": "delivery.logs.amazonaws.com"
-      },
-      "Action": [
-        "kms:Decrypt",
-        "kms:GenerateDataKey"
-      ],
-      "Resource": "*",
-      "Condition": {
-        "StringLike": {
-          "kms:EncryptionContext:SourceArn": "arn:partition:logs:region:account:*"
-        }
-      }
-    }
-
-In addition, the pipe execution role requires the `kms:GenerateDataKey` permisson.
-    
-    
-    {
-      "Sid": "Enable log service encryption",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": "arn:aws:iam::account:role/pipe-execution-role"
-      },
-      "Action": [
-        "kms:GenerateDataKey"
-      ],
-      "Resource": "*",
-      "Condition": {
-        "StringLike": {
-          "kms:EncryptionContext:SourceArn": "arn:partition:logs:region:account:*"
-        }
-      }
-    }
-
-The pipe execution role should also include:
-    
-    
-    "Action": [
-        "kms:GenerateDataKey"
-      ],
-      "Resource": "key-arn",
-      "Condition": {
-        "StringLike": {
-          "kms:EncryptionContext:SourceArn": "arn:partition:logs:region:account:*"
-        }
-      }
-
-## Security when using customer managed keys for EventBridge event bus encryption
+## Security when using customer managed keys for EventBridge encryption
@@ -179 +34 @@ As a security best practice, add an `aws:SourceArn`, `aws:sourceAccount`, or `km
-The following example demonstrates how to follow this best practice in your IAM policy:
+The following example demonstrates how to follow this best practice in your IAM policy for an event bus: