AWS Security ChangesHomeSearch

AWS securityhub medium security documentation change

Service: securityhub · 2025-06-04 · Security-related medium

File: securityhub/latest/userguide/kms-controls.md

Summary

Added clarification that KMS key policy conditions with wildcards/variables cause FAILED findings and require fixed values for PASSED status

Security assessment

The change explicitly warns about security risks from permissive policy conditions using wildcards/variables, which could lead to overprivileged access. This addresses a potential misconfiguration vulnerability in KMS key policies.

Diff

diff --git a/securityhub/latest/userguide/kms-controls.md b/securityhub/latest/userguide/kms-controls.md
index 3ca2e3e1e..71e6574bc 100644
--- a//securityhub/latest/userguide/kms-controls.md
+++ b//securityhub/latest/userguide/kms-controls.md
@@ -9,3 +9 @@
-These AWS Security Hub controls evaluate the AWS Key Management Service (AWS KMS) service and resources.
-
-These controls may not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
+These AWS Security Hub controls evaluate the AWS Key Management Service (AWS KMS) service and resources. The controls might not be available in all AWS Regions. For more information, see [Availability of controls by Region](./securityhub-regions.html#securityhub-regions-control-support).
@@ -172,0 +171,2 @@ This control also returns a `FAILED` finding for an AWS KMS key if your configur
+In addition, this control doesn't evaluate policy conditions that use wildcard characters or variables. To produce a `PASSED` finding, conditions in the key policy must only use fixed values, which are values that don't contain wildcard characters or policy variables. For information about policy variables, see [Variables and tags](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html) in the _AWS Identity and Access Management User Guide_.
+