AWS Security ChangesHomeSearch

AWS step-functions documentation change

Service: step-functions · 2025-04-18 · Documentation low

File: step-functions/latest/dg/encryption-at-rest.md

Summary

Updated ARN patterns to use 'account-id' placeholder instead of numeric account IDs and 'region' placeholder

Security assessment

Changes only standardize documentation examples by using consistent placeholder values rather than specific account numbers/regions. No security vulnerability or new security feature addressed.

Diff

diff --git a/step-functions/latest/dg/encryption-at-rest.md b/step-functions/latest/dg/encryption-at-rest.md
index c22519781..2b389dcfd 100644
--- a//step-functions/latest/dg/encryption-at-rest.md
+++ b//step-functions/latest/dg/encryption-at-rest.md
@@ -138 +138 @@ If you enable state machine encryption with a AWS KMS key, and your state machin
-          "Resource": "arn:aws:kms:region:accountId:key/keyId",
+          "Resource": "arn:aws:kms:region:account-id:key/keyId",
@@ -141 +141 @@ If you enable state machine encryption with a AWS KMS key, and your state machin
-              "kms:EncryptionContext:SourceArn": "arn:aws:logs:region:accountId:*"
+              "kms:EncryptionContext:SourceArn": "arn:aws:logs:region:account-id:*"
@@ -220 +220 @@ The following is an example execution role policy:
-            "arn:aws:kms:us-east-1:123456789012:key/keyId"
+            "arn:aws:kms:region:account-id:key/keyId"
@@ -225 +225 @@ The following is an example execution role policy:
-                "arn:aws:states:us-east-1:123456789012:stateMachine:stateMachineName"
+                "arn:aws:states:region:account-id:stateMachine:stateMachineName"
@@ -257 +257 @@ When customer managed key encryption is enabled on an Activity Task, the state m
-            "arn:aws:kms:us-east-1:123456789012:key/keyId"
+            "arn:aws:kms:region:account-id:key/keyId"
@@ -262 +262 @@ When customer managed key encryption is enabled on an Activity Task, the state m
-                "arn:aws:states:us-east-1:123456789012:activity:activityName"
+                "arn:aws:states:region:account-id:activity:activityName"
@@ -283 +283 @@ Step Functions provides an encryption context in AWS KMS cryptographic operation
-    "encryptionContext": {"aws:states:stateMachineArn": "arn:aws:states:us-east-1:123456789012:stateMachine:stateMachineName"}
+    "encryptionContext": {"aws:states:stateMachineArn": "arn:aws:states:region:account-id:stateMachine:stateMachineName"}
@@ -286 +286 @@ Step Functions provides an encryption context in AWS KMS cryptographic operation
-    "encryptionContext": {"aws:states:activityArn": "arn:aws:states:us-east-1:123456789012:activity:activityName"}
+    "encryptionContext": {"aws:states:activityArn": "arn:aws:states:region:account-id:activity:activityName"}
@@ -302 +302 @@ The following example shows how to limit the use of a AWS KMS key for execution
-            "arn:aws:kms:us-east-1:123456789012:key/keyId"
+            "arn:aws:kms:region:account-id:key/keyId"
@@ -306 +306 @@ The following example shows how to limit the use of a AWS KMS key for execution
-              "kms:EncryptionContext:aws:states:stateMachineArn": "arn:aws:states:us-east-1:123456789012:stateMachine:stateMachineName"
+              "kms:EncryptionContext:aws:states:stateMachineArn": "arn:aws:states:region:account-id:stateMachine:stateMachineName"
@@ -327 +327 @@ The following example policy uses the `kms:ViaService` condition to allow the AW
-            "AWS": "arn:aws:iam::123456789012:role/ExampleRole"
+            "AWS": "arn:aws:iam::account-id:role/ExampleRole"