AWS Security ChangesHomeSearch

AWS govcloud-us high security documentation change

Service: govcloud-us · 2025-05-22 · Security-related high

File: govcloud-us/latest/UserGuide/govcloud-account-root-user.md

Summary

Updated root access key request process to require asymmetric KMS key generation and encryption/decryption steps. Added detailed CLI commands for KMS key creation and secret decryption.

Security assessment

The change introduces mandatory use of KMS encryption for root access keys, implements granular KMS key policies, and adds encryption workflow details. This directly addresses credential protection requirements by enforcing encryption of sensitive root credentials using asymmetric cryptography.

Diff

diff --git a/govcloud-us/latest/UserGuide/govcloud-account-root-user.md b/govcloud-us/latest/UserGuide/govcloud-account-root-user.md
index 0b671e54d..98b852d1f 100644
--- a//govcloud-us/latest/UserGuide/govcloud-account-root-user.md
+++ b//govcloud-us/latest/UserGuide/govcloud-account-root-user.md
@@ -206 +206,30 @@ Gather the following required information so you have it on hand when you open a
-  5. **Account Owner** – This is the full legal name (First, Middle, Last Name) of the account owner who is requesting AWS GovCloud (US) account root user access keys. Account owner is the individual creating the support case that meets the requirements outlined in the template found in Step 2.
+  5. **Asymmetric KMS key** – You need to provide an asymmetric KMS key when requesting root access keys for an AWS GovCloud (US) account. Generate the key in the standard AWS account associated with the AWS GovCloud (US) account and in `us-east-1`.
+
+To generate a KMS key, use the following AWS CLI command:
+    
+        aws kms create-key \
+        --region us-east-1 \
+        --key-usage ENCRYPT_DECRYPT \
+        --key-spec RSA_2048 \
+        --description "Asymmetric KMS key for encryption and decryption" \
+        --policy '{
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Sid": "Enable IAM User Permissions",
+                    "Effect": "Allow",
+                    "Principal": {"AWS": "arn:aws:iam::your-account-ID:root"},
+                    "Action": "kms:*",
+                    "Resource": "*"
+                },
+                {
+                    "Sid": "Allow external account to encrypt",
+                    "Effect": "Allow",
+                    "Principal": {"AWS": "arn:aws:iam::536883072436:root"},
+                    "Action": "kms:Encrypt",
+                    "Resource": "*"
+                }
+            ]
+        }'
+
+  6. **Account Owner** – This is the full legal name (First, Middle, Last Name) of the account owner who is requesting AWS GovCloud (US) account root user access keys. Account owner is the individual creating the support case that meets the requirements outlined in the template found in Step 2.
@@ -234,0 +264 @@ If you are having issues signing in to your standard AWS account as the root use
+        Asymmetric KMS key ARN: [Asymmetric KMS key ARN from Step 1]
@@ -310,3 +340,17 @@ If you are having issues signing in to your [standard AWS account](https://docs.
-        $ aws secretsmanager get-secret-value 
-    --secret-id arn:aws:secretsmanager:us-east-1:536883072436:secret:abcDEfgHiJKLMno-abcDeF 
-    --region us-east-1 --version-stage AWSCURRENT --output text --query 'SecretString'
+        aws secretsmanager get-secret-value \
+        --secret-id 'RCR secret ARN' \
+        --region 'us-east-1' \
+        --version-stage 'AWSCURRENT' \
+        --output 'text' \
+        --query 'SecretString' \
+        --no-cli-pager
+
+Then decrypt the output of `get-secret-value` for the credentials using this AWS CLI command:
+    
+        aws kms decrypt \
+        --key-id 'KMS ARN GENERATED IN STEP 1' \
+        --region 'us-east-1' \
+        --encryption-algorithm RSAES_OAEP_SHA_256 \
+        --ciphertext-blob 'OUTPUT FROM get-secret-value' \
+        --output text \
+        --query Plaintext | base64 --decode
@@ -328 +372 @@ If you are having issues signing in to your [standard AWS account](https://docs.
-  9. Paste the command into the AWS CloudShell terminal, then press enter. Your AWS GovCloud (US) root access keys will be output to the terminal.
+  9. Paste the following commands into the AWS CloudShell terminal, then press Enter. Your AWS GovCloud (US) root access keys will be output to the terminal.
@@ -332,4 +376,17 @@ Example
-        $ aws secretsmanager get-secret-value 
-    --secret-id arn:aws:secretsmanager:us-east-1:536883072436:secret:abcDEfgHiJKLMno-abcDeF --region us-east-1 
-    --version-stage AWSCURRENT --output text --query 'SecretString' {"SecretAccessKey": 
-    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE"}
+        SECRET_ID="arn:aws:secretsmanager:us-east-1:536883072436:secret:rcr-example-02-0D3VUW"
+    BLOB=$(aws secretsmanager get-secret-value \
+        --secret-id "$SECRET_ID" \
+        --region 'us-east-1' \
+        --version-stage AWSCURRENT \
+        --output text \
+        --query 'SecretString' \
+        --no-cli-pager)
+    
+    KMS_ENCRYPTION_KEY='arn:aws:kms:us-east-1:536883072436:key/12345678-90ab-cdef-0123-4567-8example'
+    aws kms decrypt \
+        --region 'us-east-1' \
+        --key-id "$KMS_ENCRYPTION_KEY" \
+        --encryption-algorithm RSAES_OAEP_SHA_256 \
+        --ciphertext-blob "$(echo "$BLOB")" \
+        --output text \
+        --query Plaintext | base64 -d
@@ -417 +474 @@ The following example creates a profile named `govcloudroot` using sample values
-If using AWS CloudShell you must specify the >region in each command using the `--region` option.
+If using AWS CloudShell you must specify the region in each command using the `--region` option.