AWS fsx medium security documentation change
Summary
Modified KMS policy statement order and added PrincipalArn condition for FSx S3 access role
Security assessment
Change modifies encryption-related IAM policy conditions and adds explicit role ARN restriction, directly addressing access control for security-sensitive encryption operations
Diff
diff --git a/fsx/latest/LustreGuide/s3-server-side-encryption-support.md b/fsx/latest/LustreGuide/s3-server-side-encryption-support.md index e54a98c30..82cdf4d7b 100644 --- a//fsx/latest/LustreGuide/s3-server-side-encryption-support.md +++ b//fsx/latest/LustreGuide/s3-server-side-encryption-support.md @@ -71,2 +71,2 @@ The following policy statement allows all Amazon FSx file systems in your accoun - "kms:CallerAccount": "aws_account_id", - "kms:ViaService": "s3.bucket-region.amazonaws.com" + "kms:ViaService": "s3.bucket-region.amazonaws.com", + "kms:CallerAccount": "aws_account_id" @@ -75 +74,0 @@ The following policy statement allows all Amazon FSx file systems in your accoun - "aws:userid": "*:FSx", @@ -76,0 +76,3 @@ The following policy statement allows all Amazon FSx file systems in your accoun + }, + "ArnLike": { + "aws:PrincipalArn": "arn:aws_partition:iam::aws_account_id:role/aws-service-role/s3.data-source.lustre.fsx.amazonaws.com/AWSServiceRoleForFSxS3Access_fs-*"