AWS securityhub medium security documentation change
Summary
Added clarification that KMS key policy conditions with wildcards/variables cause FAILED findings and require fixed values for PASSED status
Security assessment
The change explicitly warns about security risks from permissive policy conditions using wildcards/variables, which could lead to overprivileged access. This addresses a potential misconfiguration vulnerability in KMS key policies.
Diff
diff --git a/securityhub/latest/userguide/kms-controls.md b/securityhub/latest/userguide/kms-controls.md index 3ca2e3e1e..71e6574bc 100644 --- a//securityhub/latest/userguide/kms-controls.md +++ b//securityhub/latest/userguide/kms-controls.md @@ -9,3 +9 @@ -These AWS Security Hub controls evaluate the AWS Key Management Service (AWS KMS) service and resources. - -These controls may not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support). +These AWS Security Hub controls evaluate the AWS Key Management Service (AWS KMS) service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support). @@ -172,0 +171,2 @@ This control also returns a `FAILED` finding for an AWS KMS key if your configur +In addition, this control doesn't evaluate policy conditions that use wildcard characters or variables. To produce a `PASSED` finding, conditions in the key policy must only use fixed values, which are values that don't contain wildcard characters or policy variables. For information about policy variables, see [Variables and tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html) in the _AWS Identity and Access Management User Guide_. +