AWS eventbridge documentation change
Summary
Reorganized KMS key permissions and added specific role-based permissions for pipe execution
Security assessment
The changes improve security documentation by clarifying role-based permissions but don't address a specific security issue
Diff
diff --git a/eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md index 033e77aa9..a8ca164ce 100644 --- a/eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md +++ b/eventbridge/latest/userguide/eb-encryption-pipes-cmkey.md @@ -66,2 +65,0 @@ As a security best practice, we recommend you include condition keys in the key - "kms:GenerateDataKey", - "kms:Decrypt", @@ -69,0 +68,11 @@ As a security best practice, we recommend you include condition keys in the key + "Resource": "*" + }, + { + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::account-id:role/pipe-execution-role" + }, + "Action": [ + "kms:GenerateDataKey", + "kms:Decrypt" + ],