AWS Security ChangesHomeSearch

AWS datazone high security documentation change

Service: datazone · 2025-05-31 · Security-related high

File: datazone/latest/userguide/data-portal-permissions.md

Summary

Modified KMS policy to specify exact key ARN instead of wildcard

Security assessment

Changed KMS resource from '*' to specific ARN, enforcing least privilege access to encryption keys which prevents potential over-permissioning

Diff

diff --git a/datazone/latest/userguide/data-portal-permissions.md b/datazone/latest/userguide/data-portal-permissions.md
index f6122a79a..91c858478 100644
--- a//datazone/latest/userguide/data-portal-permissions.md
+++ b//datazone/latest/userguide/data-portal-permissions.md
@@ -107,0 +108 @@ If you create your Amazon DataZone domain with your own KMS key for data encrypt
+          "Sid": "Statement1",
@@ -111,2 +112,2 @@ If you create your Amazon DataZone domain with your own KMS key for data encrypt
-                    "kms:GenerateDataKey",
-                    "kms:DescribeKey"
+            "kms:DescribeKey",
+            "kms:GenerateDataKey"
@@ -114 +115,3 @@ If you create your Amazon DataZone domain with your own KMS key for data encrypt
-                "Resource": "*"
+          "Resource": [
+            "arn:<partition>:kms:<region>:<account-id>:key/<key-id>"
+          ]