AWS managedservices medium security documentation change
Summary
Updated KMS key ARN format and clarified EC2 references
Security assessment
Correction of KMS ARN pattern ensures proper encryption key access control. Using explicit 'arn:aws:kms' format prevents potential misconfigurations that could lead to unauthorized decryption operations.
Diff
diff --git a/managedservices/latest/userguide/defaults-instance-profile.md b/managedservices/latest/userguide/defaults-instance-profile.md index bafa6a400..0bb5fbdc0 100644 --- a//managedservices/latest/userguide/defaults-instance-profile.md +++ b//managedservices/latest/userguide/defaults-instance-profile.md @@ -62 +62 @@ Explicitly Deny List Bucket S3 | Deny | ListBucket | Disallows you listing any e -Trend Cloud One Secrets Access | Allow | GetSecretValue | Allows EC2 to access secrets for Trend Cloud One migration: `aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-tenant-id*`, `arn:aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-activation-token*`, `aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-tenant-id*`, `aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-tenant-guid*` +Trend Cloud One Secrets Access | Allow | GetSecretValue | Allows Amazon EC2 to access secrets for Trend Cloud One migration: `aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-tenant-id*`, `arn:aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-activation-token*`, `aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-tenant-id*`, `aws:secretsmanager:*:*:secret:/ams/eps/cloud-one-agent-tenant-guid*` @@ -64 +64 @@ Trend Cloud One Secrets Access | Allow | GetSecretValue | Allows EC2 to access s -Trend Cloud One Decryption Key | Allow | Decrypt | Allow EC2 to decrypt the AWS KMS key with alias name /ams/eps/cloudone-migration `aws:kms:*:*:key/*` +Trend Cloud One Decryption Key | Allow | Decrypt | Allow Amazon EC2 to decrypt the AWS KMS key with alias name /ams/eps/cloudone-migration `arn:aws:kms:*:*:alias/ams/eps/cloudone-migration`