AWS Security ChangesHomeSearch

AWS appconfig high security documentation change

Service: appconfig · 2025-07-25 · Security-related high

File: appconfig/latest/userguide/appconfig-security.md

Summary

Fixed KMS policy syntax errors and standardized account IDs

Security assessment

Added missing quotes in 'kms:GenerateDataKey' action and corrected account IDs. Syntax errors could have invalidated policies, leading to unintended KMS access.

Diff

diff --git a/appconfig/latest/userguide/appconfig-security.md b/appconfig/latest/userguide/appconfig-security.md
index bd5f81f17..70c395869 100644
--- a//appconfig/latest/userguide/appconfig-security.md
+++ b//appconfig/latest/userguide/appconfig-security.md
@@ -66,0 +67,6 @@ When creating a customer managed key, use the following key policy to ensure tha
+JSON
+    
+
+****
+    
+    
@@ -75 +81 @@ When creating a customer managed key, use the following key policy to ensure tha
-                "AWS": "arn:aws:iam::account_ID:role/role_name"
+                    "AWS": "arn:aws:iam::111122223333:role/role_name"
@@ -83,0 +90,2 @@ When creating a customer managed key, use the following key policy to ensure tha
+    }
+    
@@ -86,0 +95,6 @@ To encrypt hosted configuration data with a customer managed key, the identity c
+JSON
+    
+
+****
+    
+    
@@ -93 +107 @@ To encrypt hosted configuration data with a customer managed key, the identity c
-                "Action": "kms:GenerateDataKey,
+                "Action": "kms:GenerateDataKey",
@@ -144,0 +160,6 @@ When calling the AWS AppConfig [GetLatestConfiguration](https://docs.aws.amazon.
+JSON
+    
+
+****
+    
+    
@@ -151 +172 @@ When calling the AWS AppConfig [GetLatestConfiguration](https://docs.aws.amazon.
-                "Action": "kms:Decrypt,
+                "Action": "kms:Decrypt",