AWS config high security documentation change
Summary
Added note requiring fixed values in KMS key policies to prevent public access
Security assessment
Explicitly prevents insecure configurations that could lead to public access through policy variables or wildcards
Diff
diff --git a/config/latest/developerguide/kms-key-policy-no-public-access.md b/config/latest/developerguide/kms-key-policy-no-public-access.md index 89abb57bd..f7b461909 100644 --- a//config/latest/developerguide/kms-key-policy-no-public-access.md +++ b//config/latest/developerguide/kms-key-policy-no-public-access.md @@ -10,0 +11,4 @@ Checks if the AWS KMS key policy allows public access. The rule is NON_COMPLIANT +###### Note + +To be considered non-public, a KMS key policy must grant access only to fixed values. This means values that don't contain a wildcard or the following IAM policy element: [Variables](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#policy-vars-using-variables). +