AWS aws-backup high security documentation change
Summary
Added kms:GenerateDataKey permission to AWS Backup service role policy
Security assessment
Expanding KMS permissions to include GenerateDataKey indicates enhanced encryption requirements for backup operations. This directly impacts cryptographic controls and key management security practices.
Diff
diff --git a/aws-backup/latest/devguide/security-iam-awsmanpol.md b/aws-backup/latest/devguide/security-iam-awsmanpol.md index 3bb4f57ad..4e92173ad 100644 --- a//aws-backup/latest/devguide/security-iam-awsmanpol.md +++ b//aws-backup/latest/devguide/security-iam-awsmanpol.md @@ -280 +280,4 @@ This policy’s version defines the permissions for the policy. When the user or - "Action": "kms:Decrypt", + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey" + ],