AWS controltower documentation change
Summary
Added 'kms:GenerateDataKey*' permission to the example AWS KMS key policy for backup prerequisites.
Security assessment
The update ensures documentation reflects required permissions for encryption key operations, which is critical for enforcing encryption-at-rest. While this strengthens security documentation, there is no evidence it resolves a specific security vulnerability or incident.
Diff
diff --git a/controltower/latest/userguide/backup-prerequisites.md b/controltower/latest/userguide/backup-prerequisites.md index 1368c14c6..8b1755dd2 100644 --- a//controltower/latest/userguide/backup-prerequisites.md +++ b//controltower/latest/userguide/backup-prerequisites.md @@ -44,0 +45 @@ Your AWS KMS key requires a key policy. Consider a key policy similar to this on + "kms:GenerateDataKey*"'