AWS Security ChangesHomeSearch

AWS fsx medium security documentation change

Service: fsx · 2025-04-16 · Security-related medium

File: fsx/latest/LustreGuide/s3-server-side-encryption-support.md

Summary

Modified KMS policy statement order and added PrincipalArn condition for FSx S3 access role

Security assessment

Change modifies encryption-related IAM policy conditions and adds explicit role ARN restriction, directly addressing access control for security-sensitive encryption operations

Diff

diff --git a/fsx/latest/LustreGuide/s3-server-side-encryption-support.md b/fsx/latest/LustreGuide/s3-server-side-encryption-support.md
index e54a98c30..82cdf4d7b 100644
--- a//fsx/latest/LustreGuide/s3-server-side-encryption-support.md
+++ b//fsx/latest/LustreGuide/s3-server-side-encryption-support.md
@@ -71,2 +71,2 @@ The following policy statement allows all Amazon FSx file systems in your accoun
-                "kms:CallerAccount": "aws_account_id",
-                "kms:ViaService": "s3.bucket-region.amazonaws.com"
+              "kms:ViaService": "s3.bucket-region.amazonaws.com",
+              "kms:CallerAccount": "aws_account_id"
@@ -75 +74,0 @@ The following policy statement allows all Amazon FSx file systems in your accoun
-                "aws:userid": "*:FSx",
@@ -76,0 +76,3 @@ The following policy statement allows all Amazon FSx file systems in your accoun
+            },
+            "ArnLike": {
+              "aws:PrincipalArn": "arn:aws_partition:iam::aws_account_id:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/AWSServiceRoleForFSxS3Access_fs-*"