AWS Security ChangesHomeSearch

AWS amazonq documentation change

Service: amazonq · 2025-05-16 · Documentation low

File: amazonq/latest/qdeveloper-ug/data-encryption.md

Summary

Clarified behavior when changing KMS keys for encrypting conversations, emphasizing that previous conversations encrypted with old keys won't be retained

Security assessment

The change provides clearer documentation about encryption key rotation practices but does not indicate any security vulnerability being addressed. It reinforces proper security practices for data retention during key changes.

Diff

diff --git a/amazonq/latest/qdeveloper-ug/data-encryption.md b/amazonq/latest/qdeveloper-ug/data-encryption.md
index 330fca9b9..b2c748072 100644
--- a//amazonq/latest/qdeveloper-ug/data-encryption.md
+++ b//amazonq/latest/qdeveloper-ug/data-encryption.md
@@ -38 +38 @@ When you use a customer managed key, Amazon Q Developer makes use of KMS grants,
-If you change the KMS key used to encrypt chats with Amazon Q in the AWS console, you must start a new conversation to begin using the new key to encrypt your data. Your conversation history that was encrypted with the previous key won’t be retained in future chats, and only future chats will be encrypted with the updated key. If you want to maintain your conversation history from a previous encryption method, you can revert to the key you were using during that conversation. If you change the KMS key used to encrypt diagnosing console error sessions, you must start a new diagnose session to being using the new key to encrypt your data.
+If you change the KMS key used to encrypt chats with Amazon Q in the AWS console, you must start a new conversation to begin using the new key to encrypt your data. Any conversations that were encrypted with the previous key won’t be retained, and only future conversations will be encrypted with the updated key. If you want to maintain your conversations from a previous encryption method, you can revert to the key you were using during those conversations. If you change the KMS key used to encrypt diagnosing console error sessions, you must start a new diagnose session to being using the new key to encrypt your data.