AWS eventbridge documentation change
Summary
Added note about schema discovery not being supported with customer managed keys and added a new key policy allowing EventBridge to validate key permissions
Security assessment
The changes clarify security-related limitations and add a key policy for proper key permission validation, but there's no evidence of addressing a specific security vulnerability
Diff
diff --git a/eventbridge/latest/userguide/eb-encryption-event-bus-cmkey.md index 09af8fbde..2bf1cf351 100644 --- a/eventbridge/latest/userguide/eb-encryption-event-bus-cmkey.md +++ b/eventbridge/latest/userguide/eb-encryption-event-bus-cmkey.md @@ -10,0 +11,4 @@ If you specify a customer managed key for an event bus, you have the option of s +###### Note + +Schema discovery is not supported for event buses encrypted using a customer managed key. To enable schema discovery on an event bus, choose to use an AWS owned key. For more information, see [KMS key options](./eb-encryption-at-rest-key-options.html). + @@ -41,0 +46,11 @@ As a security best practice, we recommend you include condition keys in the key + { + "Sid": "Allow EventBridge to validate key permission", + "Effect": "Allow", + "Principal": { + "Service": "events.amazonaws.com" + }, + "Action": [ + "kms:DescribeKey" + ] + "Resource": "*" + }, @@ -49 +63,0 @@ As a security best practice, we recommend you include condition keys in the key - "kms:DescribeKey",