AWS datazone high security documentation change
Summary
Modified KMS policy to specify exact key ARN instead of wildcard
Security assessment
Changed KMS resource from '*' to specific ARN, enforcing least privilege access to encryption keys which prevents potential over-permissioning
Diff
diff --git a/datazone/latest/userguide/data-portal-permissions.md b/datazone/latest/userguide/data-portal-permissions.md index f6122a79a..91c858478 100644 --- a//datazone/latest/userguide/data-portal-permissions.md +++ b//datazone/latest/userguide/data-portal-permissions.md @@ -107,0 +108 @@ If you create your Amazon DataZone domain with your own KMS key for data encrypt + "Sid": "Statement1", @@ -111,2 +112,2 @@ If you create your Amazon DataZone domain with your own KMS key for data encrypt - "kms:GenerateDataKey", - "kms:DescribeKey" + "kms:DescribeKey", + "kms:GenerateDataKey" @@ -114 +115,3 @@ If you create your Amazon DataZone domain with your own KMS key for data encrypt - "Resource": "*" + "Resource": [ + "arn:<partition>:kms:<region>:<account-id>:key/<key-id>" + ]