AWS kms documentation change
Summary
Added note about default key policies and least-privilege permissions
Security assessment
Emphasizes security best practices (least privilege) but doesn't address a specific security incident.
Diff
diff --git a/kms/latest/developerguide/conditions-nitro-enclaves.md b/kms/latest/developerguide/conditions-nitro-enclaves.md index 474712748..59debcd18 100644 --- a//kms/latest/developerguide/conditions-nitro-enclaves.md +++ b//kms/latest/developerguide/conditions-nitro-enclaves.md @@ -12,0 +13,4 @@ When you call the [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/ +###### Note + +If you don't provide a key policy when you create an AWS KMS key, AWS creates one for you. This [default key policy](./key-policy-default.html) grants the AWS accounts that own the KMS key full access to the key and allows the account to use IAM policies to allow access to the key. This policy allows all actions like [Decrypt](https://docs.aws.amazon.com/kms/latest/APIReference/API_Decrypt.html). AWS recommends applying principal of [Least-privilege permissions](./least-privilege.html) to your KMS key policies. You can also restrict access by [modifying the KMS key policy](./key-policy-modifying.html) action for `kms:*` to `[NotAction:](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_notaction.html)kms:Decrypt`. +