AWS amazonq high security documentation change
Summary
Added KMS key policy requirement for customer-managed keys to allow ISV access
Security assessment
Explicit security configuration added for KMS key permissions to enable decryption access - critical for data protection
Diff
diff --git a/amazonq/latest/qbusiness-ug/data-accessors-prerequisites.md b/amazonq/latest/qbusiness-ug/data-accessors-prerequisites.md index 74d5bcaf3..2e5d447e9 100644 --- a//amazonq/latest/qbusiness-ug/data-accessors-prerequisites.md +++ b//amazonq/latest/qbusiness-ug/data-accessors-prerequisites.md @@ -14,0 +15,26 @@ To add an ISV as a data accessor, complete the following prerequisites: + 4. If you are using a customer managed key in your Amazon Q Business Application, you must set your key policy to allow the ISV principal access to the KMS key with the following policy: + + { + "Version": "2012-10-17", + "Id": "isv-key-consolepolicy", + "Statement": [ + { + "Sid": "Enable IAM User Permissions", + "Effect": "Allow", + "Principal": { + "AWS": ${isv_principal} + }, + "Action": "kms:Decrypt", + "Resource": ${your_kms_key_arn} + }, + "Condition": { + "StringLike": { + "kms:ViaService": [ + "qbusiness.${region}.amazonaws.com" + ] + } + } + ] + } + + @@ -26 +52 @@ Verified data accessors -Granting permissions +Add data accessor