AWS Security ChangesHomeSearch

AWS mediaconnect low security documentation change

Service: mediaconnect · 2025-04-25 · Security-related low

File: mediaconnect/latest/ug/iam-policy-examples-asm-secrets.md

Summary

Updated documentation to clarify IAM policy examples for MediaConnect encryption keys in Secrets Manager, added context about encryption key usage, and improved guidance on ARN placeholders

Security assessment

The changes emphasize secure IAM policy configuration for accessing encryption keys, reinforce least-privilege principles, and provide explicit guidance to replace placeholder ARNs. These updates directly relate to preventing insecure configurations that could expose secrets or grant excessive permissions.

Diff

diff --git a/mediaconnect/latest/ug/iam-policy-examples-asm-secrets.md b/mediaconnect/latest/ug/iam-policy-examples-asm-secrets.md
index c1ff09526..5896d2f54 100644
--- a//mediaconnect/latest/ug/iam-policy-examples-asm-secrets.md
+++ b//mediaconnect/latest/ug/iam-policy-examples-asm-secrets.md
@@ -7 +7 @@ Allow read access to specific secretsAllow read access to all secrets created in
-# IAM policy examples for secrets in AWS Secrets Manager
+# Policy examples for accessing MediaConnect encryption keys in Secrets Manager
@@ -9 +9,7 @@ Allow read access to specific secretsAllow read access to all secrets created in
-During setup, [you create an IAM policy](./encryption-static-key-set-up.html#encryption-static-key-set-up-create-iam-policy) that you assign to AWS Elemental MediaConnect. This policy allows MediaConnect to read secrets that you have stored in AWS Secrets Manager. The settings for this policy are entirely up to you. The policy can range from most restrictive (allowing access to only specific secrets) to least restrictive (allowing access to any secret that you create using this AWS account). We recommend using the most restrictive policy as a best practice. However, the examples in this section show you how to set up policies with different levels of restriction. Because MediaConnect needs only read access to secrets, all the examples in this section show only the actions necessary to read the values that you store. 
+You can create IAM policies that allow AWS Elemental MediaConnect to read encryption keys that are stored as secrets in AWS Secrets Manager.
+
+When setting up static key encryption using MediaConnect, [you create an IAM policy](./encryption-static-key-set-up.html#encryption-static-key-set-up-create-iam-policy) that you assign to MediaConnect. This policy allows MediaConnect to read the secrets that you have stored in Secrets Manager. The settings for this policy are entirely up to you. The policy can range from most restrictive (allowing access to only specific secrets) to least restrictive (allowing access to any secret that you create using your AWS account). We recommend using the most restrictive policy as a best practice. However, the following examples show you how to set up policies with different levels of restriction. Because MediaConnect only needs read access to secrets, all of the examples show only the actions that are necessary to read the values that you store.
+
+###### Note
+
+While the following example IAM policies for Secrets Manager are broadly applicable to various AWS services, this page specifically demonstrates their use in the context of MediaConnect. For more information about Secrets Manager, refer to the [AWS Secrets Manager documentation](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html).
@@ -13 +19 @@ During setup, [you create an IAM policy](./encryption-static-key-set-up.html#enc
-  * Allow read access to specific secrets in AWS Secrets Manager
+  * Allow read access to specific secrets in Secrets Manager
@@ -15 +21 @@ During setup, [you create an IAM policy](./encryption-static-key-set-up.html#enc
-  * Allow read access to all secrets created in a specific Region in AWS Secrets Manager
+  * Allow read access to all secrets created in a specific AWS Region in Secrets Manager
@@ -17 +23 @@ During setup, [you create an IAM policy](./encryption-static-key-set-up.html#enc
-  * Allow read access to all resources in AWS Secrets Manager
+  * Allow read access to all resources in Secrets Manager
@@ -22 +28 @@ During setup, [you create an IAM policy](./encryption-static-key-set-up.html#enc
-## Allow read access to specific secrets in AWS Secrets Manager
+## Allow read access to specific secrets in Secrets Manager
@@ -24 +30,3 @@ During setup, [you create an IAM policy](./encryption-static-key-set-up.html#enc
-The following IAM policy allows read access to specific resources (secrets) that you create in AWS Secrets Manager.
+The following example IAM policy allows read access to specific resources (secrets) that you create in Secrets Manager.
+
+Replace the `placeholder text` in the ARNs with your own information. The ARNs should represent the secrets that store the encryption keys you want to use with MediaConnect.
@@ -52 +60,3 @@ The following IAM policy allows read access to specific resources (secrets) that
-## Allow read access to all secrets created in a specific Region in AWS Secrets Manager
+## Allow read access to all secrets created in a specific AWS Region in Secrets Manager
+
+The following IAM policy allows read access to all secrets that you create in a specific AWS Region in Secrets Manager, including any encryption keys used for MediaConnect. This policy applies to resources that you have created already and all resources that you create in the future in the specified Region. This might be useful when managing multiple encrypted MediaConnect flows within the same Region.
@@ -54 +64 @@ The following IAM policy allows read access to specific resources (secrets) that
-The following IAM policy allows read access to all secrets that you create in a specific AWS Region in AWS Secrets Manager. This policy applies to resources that you have created already and all resources that you create in the future in the specified Region.
+Replace the `placeholder text` in the ARNs with your own information. The Region and account ID should represent where your secrets are stored.
@@ -78 +88 @@ The following IAM policy allows read access to all secrets that you create in a
-## Allow read access to all resources in AWS Secrets Manager
+## Allow read access to all resources in Secrets Manager
@@ -80 +90 @@ The following IAM policy allows read access to all secrets that you create in a
-The following IAM policy allows read access to all resources that you create in AWS Secrets Manager. This policy applies to resources that you have created already and all resources that you create in the future.
+The following IAM policy allows read access to all resources that you create in Secrets Manager, including any encryption keys used for MediaConnect. This policy applies to resources that you have created already and all resources that you create in the future. This broader access might be needed when managing encrypted MediaConnect flows across multiple regions.
@@ -101,0 +112,2 @@ The following IAM policy allows read access to all resources that you create in
+For more information on setting up encryption for your MediaConnect flows, see [Data protection](https://docs.aws.amazon.com/mediaconnect/latest/ug/data-protection.html) in this guide. For general information about using Secrets Manager, refer to the [AWS Secrets Manager User Guide](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html).
+