AWS Security ChangesHomeSearch

AWS amazonq medium security documentation change

Service: amazonq · 2025-06-28 · Security-related medium

File: amazonq/latest/qdeveloper-ug/security_iam_manage-access-with-kms-policies.md

Summary

Added kms:Decrypt, kms:GenerateDataKey, kms:Encrypt, and kms:DescribeKey actions to KMS policy requirements

Security assessment

Expanding required KMS permissions directly enhances cryptographic controls by ensuring proper key management operations are authorized. This change explicitly documents necessary security-related permissions for encryption/decryption operations.

Diff

diff --git a/amazonq/latest/qdeveloper-ug/security_iam_manage-access-with-kms-policies.md b/amazonq/latest/qdeveloper-ug/security_iam_manage-access-with-kms-policies.md
index 4aa4e515b..c52b850b3 100644
--- a//amazonq/latest/qdeveloper-ug/security_iam_manage-access-with-kms-policies.md
+++ b//amazonq/latest/qdeveloper-ug/security_iam_manage-access-with-kms-policies.md
@@ -30,0 +31 @@ With KMS encryption context, you have an optional set of key-value pairs that ca
+            "kms:Decrypt",
@@ -33 +34,3 @@ With KMS encryption context, you have an optional set of key-value pairs that ca
-            "kms:Decrypt"
+            "kms:GenerateDataKey", 
+            "kms:Encrypt", 
+            "kms:DescribeKey"