AWS step-functions documentation change
Summary
Updated ARN patterns to use 'account-id' placeholder instead of numeric account IDs and 'region' placeholder
Security assessment
Changes only standardize documentation examples by using consistent placeholder values rather than specific account numbers/regions. No security vulnerability or new security feature addressed.
Diff
diff --git a/step-functions/latest/dg/encryption-at-rest.md b/step-functions/latest/dg/encryption-at-rest.md index c22519781..2b389dcfd 100644 --- a//step-functions/latest/dg/encryption-at-rest.md +++ b//step-functions/latest/dg/encryption-at-rest.md @@ -138 +138 @@ If you enable state machine encryption with a AWS KMS key, and your state machin - "Resource": "arn:aws:kms:region:accountId:key/keyId", + "Resource": "arn:aws:kms:region:account-id:key/keyId", @@ -141 +141 @@ If you enable state machine encryption with a AWS KMS key, and your state machin - "kms:EncryptionContext:SourceArn": "arn:aws:logs:region:accountId:*" + "kms:EncryptionContext:SourceArn": "arn:aws:logs:region:account-id:*" @@ -220 +220 @@ The following is an example execution role policy: - "arn:aws:kms:us-east-1:123456789012:key/keyId" + "arn:aws:kms:region:account-id:key/keyId" @@ -225 +225 @@ The following is an example execution role policy: - "arn:aws:states:us-east-1:123456789012:stateMachine:stateMachineName" + "arn:aws:states:region:account-id:stateMachine:stateMachineName" @@ -257 +257 @@ When customer managed key encryption is enabled on an Activity Task, the state m - "arn:aws:kms:us-east-1:123456789012:key/keyId" + "arn:aws:kms:region:account-id:key/keyId" @@ -262 +262 @@ When customer managed key encryption is enabled on an Activity Task, the state m - "arn:aws:states:us-east-1:123456789012:activity:activityName" + "arn:aws:states:region:account-id:activity:activityName" @@ -283 +283 @@ Step Functions provides an encryption context in AWS KMS cryptographic operation - "encryptionContext": {"aws:states:stateMachineArn": "arn:aws:states:us-east-1:123456789012:stateMachine:stateMachineName"} + "encryptionContext": {"aws:states:stateMachineArn": "arn:aws:states:region:account-id:stateMachine:stateMachineName"} @@ -286 +286 @@ Step Functions provides an encryption context in AWS KMS cryptographic operation - "encryptionContext": {"aws:states:activityArn": "arn:aws:states:us-east-1:123456789012:activity:activityName"} + "encryptionContext": {"aws:states:activityArn": "arn:aws:states:region:account-id:activity:activityName"} @@ -302 +302 @@ The following example shows how to limit the use of a AWS KMS key for execution - "arn:aws:kms:us-east-1:123456789012:key/keyId" + "arn:aws:kms:region:account-id:key/keyId" @@ -306 +306 @@ The following example shows how to limit the use of a AWS KMS key for execution - "kms:EncryptionContext:aws:states:stateMachineArn": "arn:aws:states:us-east-1:123456789012:stateMachine:stateMachineName" + "kms:EncryptionContext:aws:states:stateMachineArn": "arn:aws:states:region:account-id:stateMachine:stateMachineName" @@ -327 +327 @@ The following example policy uses the `kms:ViaService` condition to allow the AW - "AWS": "arn:aws:iam::123456789012:role/ExampleRole" + "AWS": "arn:aws:iam::account-id:role/ExampleRole"