AWS Security ChangesHomeSearch

AWS iot-fleetwise documentation change

Service: iot-fleetwise · 2025-04-11 · Documentation medium

File: iot-fleetwise/latest/developerguide/key-management.md

Summary

Updated CLI command formatting, parameter name correction (KMS key id → kms_key_id), and added required KMS permissions (Encrypt, ReEncrypt*) in multiple policy examples

Security assessment

The changes add required KMS permissions to policy examples and improve encryption configuration guidance, which enhances security documentation but does not indicate a specific security vulnerability being addressed.

Diff

diff --git a/iot-fleetwise/latest/developerguide/key-management.md b/iot-fleetwise/latest/developerguide/key-management.md
index f9503df1f..52b5205fa 100644
--- a//iot-fleetwise/latest/developerguide/key-management.md
+++ b//iot-fleetwise/latest/developerguide/key-management.md
@@ -82 +82 @@ To enable encryption, run the following command.
-  * Replace `KMS key id` with the ID of the KMS key.
+  * Replace `kms_key_id` with the ID of the KMS key.
@@ -88 +88,3 @@ To enable encryption, run the following command.
-    aws iotfleetwise put-encryption-configuration —kms-key-id KMS key id —encryption-type KMS_BASED_ENCRYPTION
+    aws iotfleetwise put-encryption-configuration \
+          --encryption-type KMS_BASED_ENCRYPTION \
+          --kms-key-id kms_key_id
@@ -112,0 +115 @@ After you create a KMS key, you must, at minimum, add the following statement to
+        "kms:Encrypt",
@@ -113,0 +117 @@ After you create a KMS key, you must, at minimum, add the following statement to
+        "kms:ReEncrypt*",
@@ -137,0 +142 @@ The following policy includes a service principal (an identifier for a service),
+        "kms:Encrypt",
@@ -138,0 +144 @@ The following policy includes a service principal (an identifier for a service),
+        "kms:ReEncrypt*",
@@ -140 +146 @@ The following policy includes a service principal (an identifier for a service),
-        "kms:DescribeKey",
+        "kms:DescribeKey"
@@ -178,0 +185 @@ If you enabled AWS KMS encryption, you must specify permissions in the role poli
+            "kms:Encrypt",
@@ -179,0 +187 @@ If you enabled AWS KMS encryption, you must specify permissions in the role poli
+            "kms:ReEncrypt*",
@@ -200,0 +209 @@ The following policy statement is required for your role to invoke encryption AP
+            "kms:Encrypt",
@@ -201,0 +211 @@ The following policy statement is required for your role to invoke encryption AP
+            "kms:ReEncrypt*",