AWS kms documentation change
Summary
Updated CloudTrail log example for ReEncrypt operation with new eventVersion (1.11), added key material IDs in additionalEventData, managementEvent flag, TLS details, and future timestamp
Security assessment
Added TLS version/cipher suite documentation improves transparency about secure connections. Tracking key material IDs enhances audit capabilities. However, no evidence of addressing a specific vulnerability.
Diff
diff --git a/kms/latest/developerguide/ct-reencrypt.md b/kms/latest/developerguide/ct-reencrypt.md index 1669087a7..e0934c18d 100644 --- a//kms/latest/developerguide/ct-reencrypt.md +++ b//kms/latest/developerguide/ct-reencrypt.md @@ -11 +11 @@ The following example shows an AWS CloudTrail log entry for the [ReEncrypt](http - "eventVersion": "1.05", + "eventVersion": "1.11", @@ -20 +20 @@ The following example shows an AWS CloudTrail log entry for the [ReEncrypt](http - "eventTime": "2020-07-27T23:09:13Z", + "eventTime": "2025-05-22T19:34:55Z", @@ -38,0 +39,4 @@ The following example shows an AWS CloudTrail log entry for the [ReEncrypt](http + "additionalEventData": { + "destinationKeyMaterialId": "96083e4fb6dbc41d77578a213a6b6669c044dd4c143e96755396d2bf11fd6068", + "sourceKeyMaterialId": "123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0" + }, @@ -54,0 +59 @@ The following example shows an AWS CloudTrail log entry for the [ReEncrypt](http + "managementEvent": true, @@ -55,0 +61,6 @@ The following example shows an AWS CloudTrail log entry for the [ReEncrypt](http + "eventCategory": "Management", + "tlsDetails": { + "tlsVersion": "TLSv1.3", + "cipherSuite": "TLS_AES_256_GCM_SHA384", + "clientProvidedHostHeader": "kms.us-west-2.amazonaws.com" + }