AWS Security ChangesHomeSearch

AWS datazone documentation change

Service: datazone · 2025-05-13 · Documentation medium

File: datazone/latest/userguide/encryption-rest-datazone.md

Summary

Updated documentation about customer-managed key usage, reduced required KMS grants from 3 to 2, simplified grant structure, added new IAM policy examples, updated CloudTrail event examples with modern configurations

Security assessment

Changes focus on clarifying encryption configuration and tightening KMS permission requirements. While security-related through encryption controls, there's no evidence of addressing a specific vulnerability. The grant reduction from 3 to 2 suggests permission scope refinement rather than vulnerability patching.

Diff

diff --git a/datazone/latest/userguide/encryption-rest-datazone.md b/datazone/latest/userguide/encryption-rest-datazone.md
index d1027998b..e58a08b72 100644
--- a//datazone/latest/userguide/encryption-rest-datazone.md
+++ b//datazone/latest/userguide/encryption-rest-datazone.md
@@ -13 +13 @@ Amazon DataZone uses default AWS-owned keys to automatically encrypt your data a
-While you can't disable this layer of encryption or select an alternate encryption type, you can add a second layer of encryption over the existing AWS owned encryption keys by choosing a customer-managed key when you create your Amazon DataZone domains. Amazon DataZone supports the use of a symmetric customer managed keys that you can create, own, and manage to add a second layer of encryption over the existing AWS owned encryption. Because you have full control of this layer of encryption, in it you can perform the following tasks: 
+While you can't disable this layer of encryption or select an alternate encryption type, you can choose a customer-managed key when you create your Amazon DataZone domains. Amazon DataZone supports the use of a symmetric customer managed keys that you can create, own, and manage. Because you have full control of encryption, you can perform the following tasks: 
@@ -31,0 +32,2 @@ While you can't disable this layer of encryption or select an alternate encrypti
+To use your own key, choose a customer managed key when you create your Amazon DataZone domain.
+
@@ -42 +44 @@ AWS KMS charges apply for using a customer managed keys. For more information ab
-Amazon DataZone requires three [grants](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) to use your customer managed key. When you create a Amazon DataZone domain encrypted with a customer managed key, Amazon DataZone creates grants and sub-grants on your behalf by sending [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) requests to AWS KMS. Grants in AWS KMS are used to give Amazon DataZone access to a KMS key in your account. Amazon DataZone creates the following grants to use your customer managed key for the following internal operations:
+Amazon DataZone requires two [grants](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) to use your customer managed key. When you create a Amazon DataZone domain encrypted with a customer managed key, Amazon DataZone creates grants on your behalf by sending [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) requests to AWS KMS. Grants in AWS KMS are used to give Amazon DataZone access to a KMS key in your account. Amazon DataZone creates the following grants to use your customer managed key for the following internal operations:
@@ -46 +48 @@ Amazon DataZone requires three [grants](https://docs.aws.amazon.com/kms/latest/d
-  * Send [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) requests to AWS KMS to verify that the symmetric customer managed KMS key ID entered when creating a Amazon DataZone domain collection is valid.
+  * Send [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) requests to AWS KMS to verify that the symmetric customer managed KMS key ID entered when creating a Amazon DataZone domain is valid.
@@ -48 +50 @@ Amazon DataZone requires three [grants](https://docs.aws.amazon.com/kms/latest/d
-  * Send [GenerateDataKeyrequests](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) to AWS KMS to generate data keys encrypted by your customer managed key.
+  * Send [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html) to AWS KMS to generate data keys encrypted by your customer managed key.
@@ -50 +52 @@ Amazon DataZone requires three [grants](https://docs.aws.amazon.com/kms/latest/d
-  * Send [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) requests to AWS KMS to decrypt the encrypted data keys so that they can be used to encrypt your data.
+  * Send [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) request enables Amazon DataZone to decrypt stored data.
@@ -57,17 +59 @@ Amazon DataZone requires three [grants](https://docs.aws.amazon.com/kms/latest/d
-**Two grants for search and discovery of your data:**
-
-  * ****Grant 2:
-
-    * [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html)
-
-    * [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html)
-
-    * [Encrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Encrypt.html), [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html), [ReEncrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_ReEncrypt.html)
-
-    * [CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) to create child grants for AWS services used internally by DataZone.
-
-    * [RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html)
-
-  * **Grant 3:**
-
-    * [GenerateDataKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey.html)
+**One grant for search and discovery of your data:**
@@ -75 +61 @@ Amazon DataZone requires three [grants](https://docs.aws.amazon.com/kms/latest/d
-    * [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html)
+  * [DescribeKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DescribeKey.html) \- provides the customer managed key details that allow Amazon DataZone to validate the key.
@@ -77 +63 @@ Amazon DataZone requires three [grants](https://docs.aws.amazon.com/kms/latest/d
-    * [RetireGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_RetireGrant.html)
+  * [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html) \- allows Amazon DataZone to decrypt stored data.
@@ -82 +68 @@ Amazon DataZone requires three [grants](https://docs.aws.amazon.com/kms/latest/d
-You can revoke access to the grant, or remove the service's access to the customer managed key at any time. If you do, Amazon DataZone won't be able to access any of the data encrypted by the customer managed key, which affects operations that are dependent on that data. For example, if you attempt to get Data Asset details that Amazon DataZone can't access, then the operation would return an `AccessDeniedException` error.
+You can revoke access to the grant to the customer managed key at any time. If you do, Amazon DataZone won't be able to access any of the data encrypted by the customer managed key, which affects operations that are dependent on that data. 
@@ -108,0 +95,9 @@ The following are policy statement examples you can add for Amazon DataZone:
+        {
+          "Sid": "Enable IAM User Permissions for DescribeKey",
+          "Effect": "Allow",
+          "Principal": {
+            "AWS": "arn:aws:iam::111122223333:root"
+          },
+          "Action": "kms:DescribeKey",
+          "Resource": "arn:aws:kms:region:111122223333:key/key_ID"
+        },
@@ -113 +108 @@ The following are policy statement examples you can add for Amazon DataZone:
-            "AWS" : "arn:aws:iam::<account_id>:root"
+            "AWS": "arn:aws:iam::111122223333:root"
@@ -116,4 +111,2 @@ The following are policy statement examples you can add for Amazon DataZone:
-            "kms:DescribeKey", 
-            "kms:CreateGrant", 
-            "kms:GenerateDataKey", 
-            "kms:Decrypt"
+            "kms:Decrypt",
+            "kms:GenerateDataKey"
@@ -121 +114,27 @@ The following are policy statement examples you can add for Amazon DataZone:
-          "Resource" : "arn:aws:kms:region:<account_id>:key/key_ID",
+          "Resource": "arn:aws:kms:region:111122223333:key/key_ID",
+          "Condition": {
+            "ForAnyValue:StringEquals": {
+              "kms:EncryptionContextKeys": "aws:datazone:domainId"
+            }
+          }
+        },
+        {
+          "Sid": "Allow creating grants when creating an Amazon DataZone for all principals in the account that are authorized to manage Amazon DataZone",
+          "Effect": "Allow",
+          "Principal": {
+            "AWS": "arn:aws:iam::111122223333:root"
+          },
+          "Action": "kms:CreateGrant",
+          "Resource": "arn:aws:kms:region:111122223333:key/key_ID",
+          "Condition": {
+            "StringLike": {
+              "kms:CallerAccount": "111122223333",
+              "kms:ViaService": "datazone.region.amazonaws.com"
+            },
+            "Bool": {
+              "kms:GrantIsForAWSResource": "true"
+            },
+            "ForAnyValue:StringEquals": {
+              "kms:EncryptionContextKeys": "aws:datazone:domainId"
+            }
+          }
@@ -128 +147 @@ The following are policy statement examples you can add for Amazon DataZone:
-Deny on the KMS policy is not applied for the resources accessed through the Amazon DataZone data portal.
+The Amazon DataZone data portal is granted access to your customer managed key via the Domain Execution Role principal.
@@ -135,0 +155,2 @@ For more information about [troubleshooting key access](https://docs.aws.amazon.
+You can specify a customer managed key as a second layer encryption during [domain creation](./create-domain.html).
+
@@ -146 +167 @@ Amazon DataZone uses following encryption context:
-        "aws:datazone:domainId": "{root-domain-uuid}"
+        "aws:datazone:domainId": "{dzd_samleid}"
@@ -156 +177 @@ Amazon DataZone uses an encryption context constraint in grants to control acces
-The following are example key policy statements to grant access to a customer managed key for a specific encryption context. The condition in this policy statement requires that the grants have an encryption context constraint that specifies the encryption context.
+The following are example key policy statements to grant access to a customer managed key for a specific encryption context. 
@@ -163 +184 @@ The following are example key policy statements to grant access to a customer ma
-            "AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"
+            "AWS": "arn:aws:iam::111122223333:role/ExampleRole"
@@ -166,3 +187,4 @@ The following are example key policy statements to grant access to a customer ma
-         "Resource": "*"
-    },{
-        "Sid": "Enable Decrypt, GenerateDataKey",
+          "Resource": "arn:aws:kms:region:111122223333:key/key_ID"
+        },
+        {
+          "Sid": "Allow access to principal to manage an Amazon DataZone domain with the given domain id",
@@ -171 +193 @@ The following are example key policy statements to grant access to a customer ma
-            "AWS": "arn:aws:iam::111122223333:role/ExampleReadOnlyRole"
+            "AWS": "arn:aws:iam::111122223333:role/ExampleRole"
@@ -177 +199 @@ The following are example key policy statements to grant access to a customer ma
-         "Resource": "*",
+          "Resource": "arn:aws:kms:region:111122223333:key/key_ID",
@@ -180 +202,22 @@ The following are example key policy statements to grant access to a customer ma
-                "kms:EncryptionContext:aws:datazone:domainId": "{root-domain-uuid}"
+              "kms:EncryptionContext:aws:datazone:domainId": "dzd_sampleid"
+            }
+          }
+        },
+        {
+          "Sid": "Allow creating grants when creating an Amazon DataZone domain to principal",
+          "Effect": "Allow",
+          "Principal": {
+            "AWS": "arn:aws:iam::111122223333:role/ExampleRole"
+          },
+          "Action": "kms:CreateGrant",
+          "Resource": "arn:aws:kms:region:111122223333:key/key_ID",
+          "Condition": {
+            "StringLike": {
+              "kms:CallerAccount": "111122223333",
+              "kms:ViaService": "datazone.region.amazonaws.com"
+            },
+            "Bool": {
+              "kms:GrantIsForAWSResource": "true"
+            },
+            "ForAnyValue:StringEquals": {
+              "kms:EncryptionContextKeys": "aws:datazone:domainId"
@@ -188 +231,8 @@ The following are example key policy statements to grant access to a customer ma
-When you use an AWS KMS customer managed key with your Amazon DataZone resources, you can use [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) to track requests that Amazon DataZone sends to AWS KMS. The following examples are AWS CloudTrail events for `CreateGrant`, `GenerateDataKey`, `Decrypt`, and `DescribeKey` to monitor KMS operations called by Amazon DataZone to access data encrypted by your customer managed key. When you use an AWS KMS customer managed key to encrypt your Amazon DataZone domain, Amazon DataZone sends a `CreateGrant` request on your behalf to access the KMS key in your AWS account. Grants that Amazon DataZone creates are specific to the resource associated with the AWS KMS customer managed key. In addition, Amazon DataZone uses the `RetireGrant` operation to remove a grant when you delete a domain. The following example event records the `CreateGrant` operation: 
+When you use an AWS KMS customer managed key with your Amazon DataZone resources, you can use [AWS CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html) to track requests that Amazon DataZone sends to AWS KMS. The following examples are AWS CloudTrail events for `CreateGrant`, `GenerateDataKey`, `Decrypt`, and `RetireGrant` to monitor KMS operations called by Amazon DataZone to access data encrypted by your customer managed key.
+
+CreateGrant
+    
+
+When you use an AWS KMS customer managed key to encrypt your Amazon DataZone domain, Amazon DataZone sends a `CreateGrant` request on your behalf to access the KMS key in your AWS account. Grants that Amazon DataZone creates are specific to the resource associated with the AWS KMS customer managed key. In addition, Amazon DataZone uses the `RetireGrant` operation to remove a grant when you delete a domain.
+
+The following example event records the `CreateGrant` operation:
@@ -192 +242 @@ When you use an AWS KMS customer managed key with your Amazon DataZone resources
-        "eventVersion": "1.08",
+        "eventVersion": "1.11",
@@ -196 +246 @@ When you use an AWS KMS customer managed key with your Amazon DataZone resources
-            "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
+            "arn": "arn:aws:sts::111122223333:assumed-role/Example/Sampleuser01",
@@ -202,2 +252,2 @@ When you use an AWS KMS customer managed key with your Amazon DataZone resources
-                    "principalId": "AROAIGDTESTANDEXAMPLE:Sampleuser01",
-                    "arn": "arn:aws:sts::111122223333:assumed-role/Admin/Sampleuser01",
+                    "principalId": "AROAIGDTESTANDEXAMPLE",
+                    "arn": "arn:aws:iam::111122223333:role/Example",
@@ -205 +255 @@ When you use an AWS KMS customer managed key with your Amazon DataZone resources
-                    "userName": "Admin"
+                    "userName": "Example"
@@ -207 +256,0 @@ When you use an AWS KMS customer managed key with your Amazon DataZone resources
-                "webIdFederationData": {},
@@ -209,2 +258,2 @@ When you use an AWS KMS customer managed key with your Amazon DataZone resources
-                    "mfaAuthenticated": "false",
-                    "creationDate": "2021-04-22T17:02:00Z"
+                    "creationDate": "2024-04-22T17:02:00Z",
+                    "mfaAuthenticated": "false"
@@ -215 +264 @@ When you use an AWS KMS customer managed key with your Amazon DataZone resources
-        "eventTime": "2021-04-22T17:07:02Z",
+        "eventTime": "2024-04-22T17:02:00Z",
@@ -218,3 +267,3 @@ When you use an AWS KMS customer managed key with your Amazon DataZone resources
-        "awsRegion": "us-west-2",
-        "sourceIPAddress": "172.12.34.56",
-        "userAgent": "ExampleDesktop/1.0 (V1; OS)",
+        "awsRegion": "us-east-2",
+        "sourceIPAddress": "datazone.amazonaws.com",
+        "userAgent": "datazone.amazonaws.com",
@@ -221,0 +271,8 @@ When you use an AWS KMS customer managed key with your Amazon DataZone resources
+            "retiringPrincipal": "datazone.us-east-2.amazonaws.com",
+            "operations": [
+                "GenerateDataKey",
+                "RetireGrant",
+                "DescribeKey",
+                "Decrypt"