AWS imagebuilder documentation change
Summary
Added permissions for accessing encrypted values via KMS and Secrets Manager
Security assessment
Documents required permissions for secure handling of encrypted parameters, improving clarity on security best practices but not fixing a specific vulnerability.
Diff
diff --git a/imagebuilder/latest/userguide/toe-user-defined-variables.md b/imagebuilder/latest/userguide/toe-user-defined-variables.md index fa056547e..b2b8dcf8f 100644 --- a//imagebuilder/latest/userguide/toe-user-defined-variables.md +++ b//imagebuilder/latest/userguide/toe-user-defined-variables.md @@ -296,0 +297,9 @@ To use Systems Manager parameters in your components, your instance role must ha +To access encrypted values, you'll also need the following permissions: + + * Add `kms:Decrypt` for `SecureString` parameters or AWS Secrets Manager values that are encrypted with a customer managed AWS KMS key. + + * Add `secretsmanager:GetSecretValue` if you reference a Secrets Manager secret. + + + +