AWS Security ChangesHomeSearch

AWS govcloud-us high security documentation change

Service: govcloud-us · 2025-06-13 · Security-related high

File: govcloud-us/latest/UserGuide/govcloud-account-root-user.md

Summary

Added asymmetric KMS key requirement and encryption workflow for AWS GovCloud root access key requests

Security assessment

Introduces mandatory encryption of root access keys using KMS, including policy examples and decryption steps. This directly addresses credential security by enforcing encryption at rest and in transit for sensitive root credentials.

Diff

diff --git a/govcloud-us/latest/UserGuide/govcloud-account-root-user.md b/govcloud-us/latest/UserGuide/govcloud-account-root-user.md
index 0b671e54d..98b852d1f 100644
--- a//govcloud-us/latest/UserGuide/govcloud-account-root-user.md
+++ b//govcloud-us/latest/UserGuide/govcloud-account-root-user.md
@@ -206 +206,30 @@ Gather the following required information so you have it on hand when you open a
-  5. **Account Owner** – This is the full legal name (First, Middle, Last Name) of the account owner who is requesting AWS GovCloud (US) account root user access keys. Account owner is the individual creating the support case that meets the requirements outlined in the template found in Step 2.
+  5. **Asymmetric KMS key** – You need to provide an asymmetric KMS key when requesting root access keys for an AWS GovCloud (US) account. Generate the key in the standard AWS account associated with the AWS GovCloud (US) account and in `us-east-1`.
+
+To generate a KMS key, use the following AWS CLI command:
+    
+        aws kms create-key \
+        --region us-east-1 \
+        --key-usage ENCRYPT_DECRYPT \
+        --key-spec RSA_2048 \
+        --description "Asymmetric KMS key for encryption and decryption" \
+        --policy '{
+            "Version": "2012-10-17",
+            "Statement": [
+                {
+                    "Sid": "Enable IAM User Permissions",
+                    "Effect": "Allow",
+                    "Principal": {"AWS": "arn:aws:iam::your-account-ID:root"},
+                    "Action": "kms:*",
+                    "Resource": "*"
+                },
+                {
+                    "Sid": "Allow external account to encrypt",
+                    "Effect": "Allow",
+                    "Principal": {"AWS": "arn:aws:iam::536883072436:root"},
+                    "Action": "kms:Encrypt",
+                    "Resource": "*"
+                }
+            ]
+        }'
+
+  6. **Account Owner** – This is the full legal name (First, Middle, Last Name) of the account owner who is requesting AWS GovCloud (US) account root user access keys. Account owner is the individual creating the support case that meets the requirements outlined in the template found in Step 2.
@@ -234,0 +264 @@ If you are having issues signing in to your standard AWS account as the root use
+        Asymmetric KMS key ARN: [Asymmetric KMS key ARN from Step 1]
@@ -310,3 +340,17 @@ If you are having issues signing in to your [standard AWS account](https://docs.
-        $ aws secretsmanager get-secret-value 
-    --secret-id arn:aws:secretsmanager:us-east-1:536883072436:secret:abcDEfgHiJKLMno-abcDeF 
-    --region us-east-1 --version-stage AWSCURRENT --output text --query 'SecretString'
+        aws secretsmanager get-secret-value \
+        --secret-id 'RCR secret ARN' \
+        --region 'us-east-1' \
+        --version-stage 'AWSCURRENT' \
+        --output 'text' \
+        --query 'SecretString' \
+        --no-cli-pager
+
+Then decrypt the output of `get-secret-value` for the credentials using this AWS CLI command:
+    
+        aws kms decrypt \
+        --key-id 'KMS ARN GENERATED IN STEP 1' \
+        --region 'us-east-1' \
+        --encryption-algorithm RSAES_OAEP_SHA_256 \
+        --ciphertext-blob 'OUTPUT FROM get-secret-value' \
+        --output text \
+        --query Plaintext | base64 --decode
@@ -328 +372 @@ If you are having issues signing in to your [standard AWS account](https://docs.
-  9. Paste the command into the AWS CloudShell terminal, then press enter. Your AWS GovCloud (US) root access keys will be output to the terminal.
+  9. Paste the following commands into the AWS CloudShell terminal, then press Enter. Your AWS GovCloud (US) root access keys will be output to the terminal.
@@ -332,4 +376,17 @@ Example
-        $ aws secretsmanager get-secret-value 
-    --secret-id arn:aws:secretsmanager:us-east-1:536883072436:secret:abcDEfgHiJKLMno-abcDeF --region us-east-1 
-    --version-stage AWSCURRENT --output text --query 'SecretString' {"SecretAccessKey": 
-    "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "AccessKeyId": "AKIAIOSFODNN7EXAMPLE"}
+        SECRET_ID="arn:aws:secretsmanager:us-east-1:536883072436:secret:rcr-example-02-0D3VUW"
+    BLOB=$(aws secretsmanager get-secret-value \
+        --secret-id "$SECRET_ID" \
+        --region 'us-east-1' \
+        --version-stage AWSCURRENT \
+        --output text \
+        --query 'SecretString' \
+        --no-cli-pager)
+    
+    KMS_ENCRYPTION_KEY='arn:aws:kms:us-east-1:536883072436:key/12345678-90ab-cdef-0123-4567-8example'
+    aws kms decrypt \
+        --region 'us-east-1' \
+        --key-id "$KMS_ENCRYPTION_KEY" \
+        --encryption-algorithm RSAES_OAEP_SHA_256 \
+        --ciphertext-blob "$(echo "$BLOB")" \
+        --output text \
+        --query Plaintext | base64 -d
@@ -417 +474 @@ The following example creates a profile named `govcloudroot` using sample values
-If using AWS CloudShell you must specify the >region in each command using the `--region` option.
+If using AWS CloudShell you must specify the region in each command using the `--region` option.