AWS systems-manager high security documentation change
Summary
Updated KMS key policy requirements with account/region placeholders and source validation guidance
Security assessment
Introduces explicit security controls for KMS key policies used in session recording storage, requiring account/region validation to prevent unauthorized access. Adds guidance about using organizational controls (aws:SourceOrgID)
Diff
diff --git a/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-rdp-recording.md b/systems-manager/latest/userguide/systems-manager-just-in-time-node-access-rdp-recording.md index 49e37265a..8dd89f62e 100644 --- a//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-rdp-recording.md +++ b//systems-manager/latest/userguide/systems-manager-just-in-time-node-access-rdp-recording.md @@ -19,2 +18,0 @@ If you use a KMS key as the default encryption mechanism for the S3 bucket (SSE- -Following is an example of a customer managed key policy which can be used to allow the `ssm-guiconnect` service access to the KMS key for S3 storage. For information about updating a customer managed key, see [Change a key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html) in the _AWS Key Management Service Developer Guide_. - @@ -26,0 +25,15 @@ For information about tagging KMS keys, see [Tags in AWS KMS](https://docs.aws.a +Use the following customer managed key policy to allow the `ssm-guiconnect` service access to the KMS key for S3 storage. For information about updating a customer managed key, see [Change a key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-modifying.html) in the _AWS Key Management Service Developer Guide_. + +Replace each `example resource placeholder` with your own information: + + * `account-id` represents the ID of the AWS account that initiates the connection. + + * `region` represents the AWS Region where the S3 bucket is located . (You can use `*` if the bucket will receive recordings from multiple Regions. Example: `s3.*.amazonaws.com`.) + + + + +###### Note + +You can use `aws:SourceOrgID` in the policy instead of `aws:SourceAccount` if the account belongs to an organization in AWS Organizations. + @@ -40 +53,4 @@ For information about tagging KMS keys, see [Tags in AWS KMS](https://docs.aws.a - "kms:ViaService": "s3.us-east-1.amazonaws.com" + "aws:SourceAccount": "account-id" + }, + "StringLike": { + "kms:ViaService": "s3.region.amazonaws.com"