AWS tag-editor documentation change
Summary
Added requirement for kms:GenerateDataKey permission when using SSE-KMS encrypted S3 buckets
Security assessment
Documents required security permissions for proper encryption configuration but doesn't address a specific security vulnerability
Diff
diff --git a/tag-editor/latest/userguide/tag-policies-orgs.md index 250ad1ca5..6f8374e65 100644 --- a/tag-editor/latest/userguide/tag-policies-orgs.md +++ b/tag-editor/latest/userguide/tag-policies-orgs.md @@ -102,0 +103,2 @@ Evaluating organization-wide compliance with tag policies requires the following +If the Amazon S3 bucket where the report is being delivered is encrypted via SSE-KMS, you must also have the `kms:GenerateDataKey` permission for that bucket. +