AWS kms documentation change
Summary
Added clarification that kms:ViaService condition key only applies to Forward access sessions and updated terminology links from 'customer-cmk'/'aws-managed-cmk' to 'customer-mgn-key'/'aws-managed-key'
Security assessment
The change adds reference to IAM forward access sessions which helps clarify security boundaries, but does not address a specific vulnerability. Terminology updates improve documentation accuracy but aren't security fixes.
Diff
diff --git a/kms/latest/developerguide/conditions-kms.md b/kms/latest/developerguide/conditions-kms.md index 813ab8fe2..479582281 100644 --- a//kms/latest/developerguide/conditions-kms.md +++ b//kms/latest/developerguide/conditions-kms.md @@ -1745 +1745 @@ AWS KMS condition keys | Condition type | Value type | API operations | Policy t -The `kms:ViaService` condition key limits use of an KMS key to requests from specified AWS services. You can specify one or more services in each `kms:ViaService` condition key. The operation must be a _KMS key resource operation_ , that is, an operation that is authorized for a particular KMS key. To identify the KMS key resource operations, in the [Actions and Resources Table](./kms-api-permissions-reference.html#kms-api-permissions-reference-table), look for a value of `KMS key` in the `Resources` column for the operation. +The `kms:ViaService` condition key limits use of an KMS key to requests from specified AWS services. This condition key only applies for [Forward access sessions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_forward_access_sessions.html). You can specify one or more services in each `kms:ViaService` condition key. The operation must be a _KMS key resource operation_ , that is, an operation that is authorized for a particular KMS key. To identify the KMS key resource operations, in the [Actions and Resources Table](./kms-api-permissions-reference.html#kms-api-permissions-reference-table), look for a value of `KMS key` in the `Resources` column for the operation. @@ -1747 +1747 @@ The `kms:ViaService` condition key limits use of an KMS key to requests from spe -For example, the following key policy statement uses the `kms:ViaService` condition key to allow a [customer managed key](./concepts.html#customer-cmk) to be used for the specified actions only when the request comes from Amazon EC2 or Amazon RDS in the US West (Oregon) region on behalf of `ExampleRole`. +For example, the following key policy statement uses the `kms:ViaService` condition key to allow a [customer managed key](./concepts.html#customer-mgn-key) to be used for the specified actions only when the request comes from Amazon EC2 or Amazon RDS in the US West (Oregon) region on behalf of `ExampleRole`. @@ -1807 +1807 @@ When you use the `kms:ViaService` condition key, the service makes the request o -All [AWS managed keys](./concepts.html#aws-managed-cmk) use a `kms:ViaService` condition key in their key policy document. This condition allows the KMS key to be used only for requests that come from the service that created the KMS key. To see the key policy for an AWS managed key, use the [GetKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_GetKeyPolicy.html) operation. +All [AWS managed keys](./concepts.html#aws-managed-key) use a `kms:ViaService` condition key in their key policy document. This condition allows the KMS key to be used only for requests that come from the service that created the KMS key. To see the key policy for an AWS managed key, use the [GetKeyPolicy](https://docs.aws.amazon.com/kms/latest/APIReference/API_GetKeyPolicy.html) operation.