AWS amazonq medium security documentation change
Summary
Added kms:Decrypt, kms:GenerateDataKey, kms:Encrypt, and kms:DescribeKey actions to KMS policy requirements
Security assessment
Expanding required KMS permissions directly enhances cryptographic controls by ensuring proper key management operations are authorized. This change explicitly documents necessary security-related permissions for encryption/decryption operations.
Diff
diff --git a/amazonq/latest/qdeveloper-ug/security_iam_manage-access-with-kms-policies.md b/amazonq/latest/qdeveloper-ug/security_iam_manage-access-with-kms-policies.md index 4aa4e515b..c52b850b3 100644 --- a//amazonq/latest/qdeveloper-ug/security_iam_manage-access-with-kms-policies.md +++ b//amazonq/latest/qdeveloper-ug/security_iam_manage-access-with-kms-policies.md @@ -30,0 +31 @@ With KMS encryption context, you have an optional set of key-value pairs that ca + "kms:Decrypt", @@ -33 +34,3 @@ With KMS encryption context, you have an optional set of key-value pairs that ca - "kms:Decrypt" + "kms:GenerateDataKey", + "kms:Encrypt", + "kms:DescribeKey"