AWS Security ChangesHomeSearch

AWS config high security documentation change

Service: config · 2025-05-31 · Security-related high

File: config/latest/developerguide/kms-key-policy-no-public-access.md

Summary

Added note requiring fixed values in KMS key policies to prevent public access

Security assessment

Explicitly prevents insecure configurations that could lead to public access through policy variables or wildcards

Diff

diff --git a/config/latest/developerguide/kms-key-policy-no-public-access.md b/config/latest/developerguide/kms-key-policy-no-public-access.md
index 89abb57bd..f7b461909 100644
--- a//config/latest/developerguide/kms-key-policy-no-public-access.md
+++ b//config/latest/developerguide/kms-key-policy-no-public-access.md
@@ -10,0 +11,4 @@ Checks if the AWS KMS key policy allows public access. The rule is NON_COMPLIANT
+###### Note
+
+To be considered non-public, a KMS key policy must grant access only to fixed values. This means values that don't contain a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables).
+