AWS AmazonRDS high security documentation change
Summary
Added important note about KMS deny statements affecting snapshot copy operations
Security assessment
Addresses potential failure scenarios in snapshot operations due to overly restrictive KMS policies, which could impact disaster recovery capabilities.
Diff
diff --git a/AmazonRDS/latest/UserGuide/USER_CopySnapshot.md b/AmazonRDS/latest/UserGuide/USER_CopySnapshot.md index e06350cb1..088755e42 100644 --- a//AmazonRDS/latest/UserGuide/USER_CopySnapshot.md +++ b//AmazonRDS/latest/UserGuide/USER_CopySnapshot.md @@ -399,0 +400,4 @@ You can also encrypt a copy of an unencrypted snapshot. This way, you can quickl +###### Important + +When you use explicit deny statements for all resources (*) in AWS KMS key policies with managed services like Amazon RDS, you must specify a condition to allow the resource owning account. The copy operation might fail without this condition, even if the deny rule includes exceptions for your IAM user. +