AWS Security ChangesHomeSearch

AWS amazonq high security documentation change

Service: amazonq · 2025-04-03 · Security-related high

File: amazonq/latest/qbusiness-ug/data-accessors-prerequisites.md

Summary

Added KMS key policy requirement for customer-managed keys to allow ISV access

Security assessment

Explicit security configuration added for KMS key permissions to enable decryption access - critical for data protection

Diff

diff --git a/amazonq/latest/qbusiness-ug/data-accessors-prerequisites.md b/amazonq/latest/qbusiness-ug/data-accessors-prerequisites.md
index 74d5bcaf3..2e5d447e9 100644
--- a//amazonq/latest/qbusiness-ug/data-accessors-prerequisites.md
+++ b//amazonq/latest/qbusiness-ug/data-accessors-prerequisites.md
@@ -14,0 +15,26 @@ To add an ISV as a data accessor, complete the following prerequisites:
+  4. If you are using a customer managed key in your Amazon Q Business Application, you must set your key policy to allow the ISV principal access to the KMS key with the following policy:
+    
+        {
+        "Version": "2012-10-17",
+        "Id": "isv-key-consolepolicy",
+        "Statement": [
+            {
+                "Sid": "Enable IAM User Permissions",
+                "Effect": "Allow",
+                "Principal": {
+                    "AWS": ${isv_principal}
+                },
+                "Action": "kms:Decrypt",
+                "Resource": ${your_kms_key_arn}
+            },
+            "Condition": {
+                    "StringLike": {
+                        "kms:ViaService": [
+                            "qbusiness.${region}.amazonaws.com"
+                        ]
+                    }
+            }
+        ]
+    }
+        
+
@@ -26 +52 @@ Verified data accessors
-Granting permissions
+Add data accessor