AWS Security ChangesHomeSearch

AWS AmazonRDS high security documentation change

Service: AmazonRDS · 2025-06-25 · Security-related high

File: AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.Keys.md

Summary

Added important note about explicit deny statements in KMS key policies requiring account conditions

Security assessment

Addresses potential misconfigurations in KMS policies that could block legitimate RDS operations. This is a security-relevant configuration guidance update.

Diff

diff --git a/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.Keys.md b/AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.Keys.md
index 4c75058ef..b672173a2 100644
--- a//AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.Keys.md
+++ b//AmazonRDS/latest/AuroraUserGuide/Overview.Encryption.Keys.md
@@ -36,0 +37,4 @@ You can specify these required permissions in a key policy, or in an IAM policy
+###### Important
+
+When you use explicit deny statements for all resources (*) in AWS KMS key policies with managed services like Amazon RDS, you must specify a condition to allow the resource owning account. Operations might fail without this condition, even if the deny rule includes exceptions for your IAM user.
+