AWS AmazonRDS high security documentation change
Summary
Added important note about explicit deny statements in KMS key policies requiring account conditions
Security assessment
Addresses potential misconfigurations in KMS policies that could block legitimate RDS operations. This is a security-relevant configuration guidance update.
Diff
diff --git a/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.Keys.md b/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.Keys.md index 4c75058ef..b672173a2 100644 --- a//AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.Keys.md +++ b//AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.Keys.md @@ -36,0 +37,4 @@ You can specify these required permissions in a key policy, or in an IAM policy +###### Important + +When you use explicit deny statements for all resources (*) in AWS KMS key policies with managed services like Amazon RDS, you must specify a condition to allow the resource owning account. Operations might fail without this condition, even if the deny rule includes exceptions for your IAM user. +