AWS amazonq documentation change
Summary
Added KMS key policy requirements for encrypted S3 buckets and clarified Referer header formatting
Security assessment
Documents proper encryption configuration and access control policies without evidence of patching vulnerabilities. Enhances security configuration guidance.
Diff
diff --git a/amazonq/latest/qbusiness-ug/customizing-web-experience-themes.md b/amazonq/latest/qbusiness-ug/customizing-web-experience-themes.md index c6f8d7ce4..445735fa6 100644 --- a//amazonq/latest/qbusiness-ug/customizing-web-experience-themes.md +++ b//amazonq/latest/qbusiness-ug/customizing-web-experience-themes.md @@ -52,0 +53,24 @@ To allow Amazon Q Business to access web customization artifacts from your priva + * If your Amazon S3 bucket is encrypted using AWS KMS Key instead of Amazon S3 managed key, a similar resource policy to the sample bucket policy below must be added to AWS KMS key. + + { + "Version": "2012-10-17", + "Statement": [{ + "Sid": "PolicyForAmazonQWebAccessForWebExperienceArtifacts", + "Effect": "Allow", + "Principal": { + "Service": "application.qbusiness.amazonaws.com" + }, + "Action": ["kms:Decrypt"], + "Resource": ["your-kms-key-arn"], + "Condition": { + "StringLike": { + "aws:Referer": ["your-webexperience-domain-without-https://"] + }, + "Bool": { + "aws:SecureTransport": "true" + } + } + }] + } + + @@ -54,0 +79,4 @@ To allow Amazon Q Business to access web customization artifacts from your priva +###### Note + +The value of "`aws:Referer"` cannot contain `"https://"` or end with `"/"`. +