AWS Security ChangesHomeSearch

AWS managedservices medium security documentation change

Service: managedservices · 2025-07-04 · Security-related medium

File: managedservices/latest/userguide/defaults-instance-profile.md

Summary

Updated KMS key ARN format and clarified EC2 references

Security assessment

Correction of KMS ARN pattern ensures proper encryption key access control. Using explicit 'arn:aws:kms' format prevents potential misconfigurations that could lead to unauthorized decryption operations.

Diff

diff --git a/managedservices/latest/userguide/defaults-instance-profile.md b/managedservices/latest/userguide/defaults-instance-profile.md
index bafa6a400..0bb5fbdc0 100644
--- a//managedservices/latest/userguide/defaults-instance-profile.md
+++ b//managedservices/latest/userguide/defaults-instance-profile.md
@@ -62 +62 @@ Explicitly Deny List Bucket S3 | Deny | ListBucket | Disallows you listing any e
-Trend Cloud One Secrets Access | Allow | GetSecretValue | Allows EC2 to access secrets for Trend Cloud One migration: `aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-tenant-id*`, `arn:aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-activation-token*`, `aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-tenant-id*`, `aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-tenant-guid*`  
+Trend Cloud One Secrets Access | Allow | GetSecretValue | Allows Amazon EC2 to access secrets for Trend Cloud One migration: `aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-tenant-id*`, `arn:aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-activation-token*`, `aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-tenant-id*`, `aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-tenant-guid*`  
@@ -64 +64 @@ Trend Cloud One Secrets Access | Allow | GetSecretValue | Allows EC2 to access s
-Trend Cloud One Decryption Key | Allow | Decrypt | Allow EC2 to decrypt the AWS KMS key with alias name /ams/eps/cloudone-migration `aws:kms:*:*:key/*`  
+Trend Cloud One Decryption Key | Allow | Decrypt | Allow Amazon EC2 to decrypt the AWS KMS key with alias name /ams/eps/cloudone-migration `arn:aws:kms:*:*:alias/ams/eps/cloudone-migration`