AWS Security ChangesHomeSearch

AWS AmazonRDS high security documentation change

Service: AmazonRDS · 2025-06-25 · Security-related high

File: AmazonRDS/latest/UserGuide/Overview.Encryption.Keys.md

Summary

Added important note about explicit deny statements in KMS key policies requiring account conditions

Security assessment

Same security-relevant KMS policy guidance as in Aurora documentation, critical for proper access control.

Diff

diff --git a/AmazonRDS/latest/UserGuide/Overview.Encryption.Keys.md b/AmazonRDS/latest/UserGuide/Overview.Encryption.Keys.md
index c992ba9e0..0a43e302e 100644
--- a//AmazonRDS/latest/UserGuide/Overview.Encryption.Keys.md
+++ b//AmazonRDS/latest/UserGuide/Overview.Encryption.Keys.md
@@ -36,0 +37,4 @@ You can specify these required permissions in a key policy, or in an IAM policy
+###### Important
+
+When you use explicit deny statements for all resources (*) in AWS KMS key policies with managed services like Amazon RDS, you must specify a condition to allow the resource owning account. Operations might fail without this condition, even if the deny rule includes exceptions for your IAM user.
+