AWS neptune high security documentation change
Summary
Removed root principal access from KMS key policy example and updated policy explanation
Security assessment
Eliminated overly permissive 'arn:aws:iam::123456789012:root' principal with full KMS access, which reduces potential privilege escalation risks. Tightened policy explanations emphasize least privilege.
Diff
diff --git a/neptune/latest/userguide/encrypt.md b/neptune/latest/userguide/encrypt.md index ca51435b3..593c6670e 100644 --- a//neptune/latest/userguide/encrypt.md +++ b//neptune/latest/userguide/encrypt.md @@ -59,9 +58,0 @@ Here is an example of a key policy that includes the necessary permissions: - { - "Sid": "Enable Permissions for root principal", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::123456789012:root" - }, - "Action": "kms:*", - "Resource": "*" - }, @@ -110,3 +101 @@ Here is an example of a key policy that includes the necessary permissions: - * The first statement in this policy is optional. It gives access to the user's root principal. - - * The second statement provides access to all the required AWS KMS APIs for this role, scoped down to the RDS Service Principal. + * The first statement provides access to all the required AWS KMS APIs for this role, scoped down to the RDS Service Principal. @@ -114 +103 @@ Here is an example of a key policy that includes the necessary permissions: - * The third statement tightens the security more by enforcing that this key is not usable by this role for any other AWS service. + * The second statement tightens the security more by enforcing that this key is not usable by this role for any other AWS service.