AWS Security ChangesHomeSearch

AWS amazonq documentation change

Service: amazonq · 2025-07-18 · Documentation low

File: amazonq/latest/qbusiness-ug/customizing-web-experience-themes.md

Summary

Added KMS key policy requirements for encrypted S3 buckets and clarified Referer header formatting

Security assessment

Documents proper encryption configuration and access control policies without evidence of patching vulnerabilities. Enhances security configuration guidance.

Diff

diff --git a/amazonq/latest/qbusiness-ug/customizing-web-experience-themes.md b/amazonq/latest/qbusiness-ug/customizing-web-experience-themes.md
index c6f8d7ce4..445735fa6 100644
--- a//amazonq/latest/qbusiness-ug/customizing-web-experience-themes.md
+++ b//amazonq/latest/qbusiness-ug/customizing-web-experience-themes.md
@@ -52,0 +53,24 @@ To allow Amazon Q Business to access web customization artifacts from your priva
+       * If your Amazon S3 bucket is encrypted using AWS KMS Key instead of Amazon S3 managed key, a similar resource policy to the sample bucket policy below must be added to AWS KMS key.
+            
+                                                                {
+                "Version": "2012-10-17",
+                "Statement": [{
+                    "Sid": "PolicyForAmazonQWebAccessForWebExperienceArtifacts",
+                    "Effect": "Allow",
+                    "Principal": {
+                        "Service": "application.qbusiness.amazonaws.com"
+                    },
+                    "Action": ["kms:Decrypt"],
+                    "Resource": ["your-kms-key-arn"],
+                    "Condition": {
+                        "StringLike": {
+                            "aws:Referer": ["your-webexperience-domain-without-https://"]
+                        },
+                        "Bool": {
+                            "aws:SecureTransport": "true"
+                        }
+                    }
+                }]
+            }
+                                                
+
@@ -54,0 +79,4 @@ To allow Amazon Q Business to access web customization artifacts from your priva
+###### Note
+
+The value of "`aws:Referer"` cannot contain `"https://"` or end with `"/"`. 
+