AWS neptune-analytics documentation change
Summary
Updated IAM policy requirements for KMS permissions, adding actions and specifying ARN format.
Security assessment
The changes enhance documentation around required encryption permissions for secure data import/export, improving security best practices without addressing a specific known vulnerability.
Diff
diff --git a/neptune-analytics/latest/userguide/import-export-permissions.md b/neptune-analytics/latest/userguide/import-export-permissions.md index 3b26e5354..f0d3e1a52 100644 --- a//neptune-analytics/latest/userguide/import-export-permissions.md +++ b//neptune-analytics/latest/userguide/import-export-permissions.md @@ -33,8 +33 @@ Neptune Analytics Export writes data into customer-owned Amazon S3 buckets. To d - "kms:DescribeKey" - ], - "Resource": "[KMS_KEY_IDENTIFER from the argument list]" - }, - { - "Sid": "VisualEditor0", - "Effect": "Allow", - "Action": [ + "kms:DescribeKey", @@ -44,9 +37 @@ Neptune Analytics Export writes data into customer-owned Amazon S3 buckets. To d - "Condition": { - "ForAllValues:StringEquals": { - "kms:EncryptionContextKeys": [ - "aws:neptune-graph:graphId", - "aws:neptune-graph:graphExportId" - ] - } - }, - "Resource": "[KMS_KEY_IDENTIFER from the argument list]" + "Resource": "[KMS_KEY_IDENTIFER from the argument list, in ARN form]" @@ -63,2 +48,2 @@ Neptune Analytics Export writes data into customer-owned Amazon S3 buckets. To d - "[DESTINATION_S3_URI]", - "[DESTINATION_S3_URI]/*" + "[DESTINATION_S3_ARN]", + "[DESTINATION_S3_ARN]/*"