AWS kms documentation change
Summary
Clarified that KMS keys with EXTERNAL origin become unusable if any associated key material is deleted or expires, even if multiple key materials exist.
Security assessment
This change improves operational documentation about key material management but does not address a security vulnerability or introduce new security features. It highlights a reliability consideration rather than a security risk.
Diff
diff --git a/kms/latest/developerguide/unusable-kms-keys.md b/kms/latest/developerguide/unusable-kms-keys.md index eb82a72d9..e7dd26af5 100644 --- a//kms/latest/developerguide/unusable-kms-keys.md +++ b//kms/latest/developerguide/unusable-kms-keys.md @@ -17 +17 @@ KMS keys can become unusable for a variety of reasons, including the following a - * [Deleting the key material](./importing-keys-delete-key-material.html) from a KMS key with imported key material, or allowing the imported key material to expire. + * [Deleting the key material](./importing-keys-delete-key-material.html) from a KMS key with imported key material, or allowing the imported key material to expire. If a KMS key with `EXTERNAL` origin has multiple key materials associated, the deletion or expiration of any key material will cause the key to become unusable.