AWS managedservices medium security documentation change
Summary
Modified KMS key ARN pattern from specific alias to wildcard key reference in Trend Cloud One Decryption Key policy
Security assessment
Changed KMS key reference from 'alias/ams/eps/cloudone-migration' to wildcard 'key/*' expands decryption permissions beyond specific alias. This could potentially allow decryption of any KMS key if misconfigured, increasing risk of excessive permissions.
Diff
diff --git a/managedservices/latest/onboardingguide/defaults-instance-profile.md b/managedservices/latest/onboardingguide/defaults-instance-profile.md index 805e6d18f..492412248 100644 --- a//managedservices/latest/onboardingguide/defaults-instance-profile.md +++ b//managedservices/latest/onboardingguide/defaults-instance-profile.md @@ -62 +62 @@ Explicitly Deny List Bucket S3 | Deny | ListBucket | Disallows you listing any e -Trend Cloud One Secrets Access | Allow | GetSecretValue | Allows Amazon EC2 to access secrets for Trend Cloud One migration: `aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-tenant-id*`, `arn:aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-activation-token*`, `aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-tenant-id*`, `aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-tenant-guid*` +Trend Cloud One Secrets Access | Allow | GetSecretValue | Allows EC2 to access secrets for Trend Cloud One migration: `aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-tenant-id*`, `arn:aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-activation-token*`, `aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-tenant-id*`, `aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-tenant-guid*` @@ -64 +64 @@ Trend Cloud One Secrets Access | Allow | GetSecretValue | Allows Amazon EC2 to a -Trend Cloud One Decryption Key | Allow | Decrypt | Allow Amazon EC2 to decrypt the AWS KMS key with alias name /ams/eps/cloudone-migration `arn:aws:kms:*:*:alias/ams/eps/cloudone-migration` +Trend Cloud One Decryption Key | Allow | Decrypt | Allow EC2 to decrypt the AWS KMS key with alias name /ams/eps/cloudone-migration `aws:kms:*:*:key/*`