AWS Security ChangesHomeSearch

AWS connect high security documentation change

Service: connect · 2025-06-16 · Security-related high

File: connect/latest/adminguide/enable-live-media-streams.md

Summary

Added detailed encryption requirements for Kinesis Video Streams, including KMS key restrictions and warnings about grant management.

Security assessment

Explicitly warns against using the default 'aws/connect' KMS key and revoking grants, which could prevent encryption misconfigurations leading to data exposure. Provides critical guidance to avoid insecure setups, addressing potential security risks.

Diff

diff --git a/connect/latest/adminguide/enable-live-media-streams.md b/connect/latest/adminguide/enable-live-media-streams.md
index 32798b383..8bb04292e 100644
--- a//connect/latest/adminguide/enable-live-media-streams.md
+++ b//connect/latest/adminguide/enable-live-media-streams.md
@@ -21 +21,13 @@ Live media streaming (customer audio streams) is not enabled by default. You can
-  6. Choose the KMS key to use to encrypt the data sent to Kinesis. The KMS key must be in the same Region as the instance. 
+  6. Data is encrypted before it's written to the Kinesis Video Streams stream storage layer, and it's decrypted after it's retrieved from storage. As a result, your data is always encrypted at rest within the Kinesis Video Streams service. Choose the KMS key used to encrypt the data within Kinesis Video Streams as shown in the following image.
+
+![The Encryption section where you choose the KMS key.](/images/connect/latest/adminguide/images/streaming-encryption.png)
+
+When you choose to enter your own key, make note of the following restrictions:
+
+    1. The KMS key must be in the same Region as the instance.
+
+    2. The KMS key should not be the same as `aws/connect` key listed in your KMS console.
+
+    3. The grant provisioned for the key by Amazon Connect shouldn't be revoked. These grants would have `GranteePrincipal` of the format:
+        
+                arn:aws:iam::customer-account-id:role/aws-service-role/connect.amazonaws.com/AWSServiceRoleForAmazonConnect_hash_suffix