AWS AmazonRDS high security documentation change
Summary
Added important note about explicit deny statements in KMS key policies requiring account conditions
Security assessment
Same security-relevant KMS policy guidance as in Aurora documentation, critical for proper access control.
Diff
diff --git a/AmazonRDS/latest/UserGuide/Overview.Encryption.Keys.md b/AmazonRDS/latest/UserGuide/Overview.Encryption.Keys.md index c992ba9e0..0a43e302e 100644 --- a//AmazonRDS/latest/UserGuide/Overview.Encryption.Keys.md +++ b//AmazonRDS/latest/UserGuide/Overview.Encryption.Keys.md @@ -36,0 +37,4 @@ You can specify these required permissions in a key policy, or in an IAM policy +###### Important + +When you use explicit deny statements for all resources (*) in AWS KMS key policies with managed services like Amazon RDS, you must specify a condition to allow the resource owning account. Operations might fail without this condition, even if the deny rule includes exceptions for your IAM user. +