AWS Security ChangesHomeSearch

AWS payment-cryptography medium security documentation change

Service: payment-cryptography · 2025-08-01 · Security-related medium

File: payment-cryptography/latest/userguide/vpc-endpoint.md

Summary

Updated VPC endpoint policies with improved IAM syntax and security practices

Security assessment

Changes implement security best practices by: 1) Using full ARN format for principals 2) Restricting wildcard resources to specific key ARNs 3) Using more precise action names (EncryptData/DecryptData) 4) Implementing least-privilege permissions. These changes demonstrate improved security controls for payment cryptography operations.

Diff

diff --git a/payment-cryptography/latest/userguide/vpc-endpoint.md b/payment-cryptography/latest/userguide/vpc-endpoint.md
index 1be492827..6b7f864f2 100644
--- a//payment-cryptography/latest/userguide/vpc-endpoint.md
+++ b//payment-cryptography/latest/userguide/vpc-endpoint.md
@@ -246,0 +247,6 @@ To use a policy like this one, replace the placeholder AWS account ID and VPC en
+JSON
+    
+
+****
+    
+    
@@ -253 +259 @@ To use a policy like this one, replace the placeholder AWS account ID and VPC en
-                "Sid": "Enable IAM policies",
+                "Sid": "EnableIAMPolicies",
@@ -255,2 +261,8 @@ To use a policy like this one, replace the placeholder AWS account ID and VPC en
-                "Principal": {"AWS":["111122223333"]},
-                "Action": ["payment-cryptography:*"],
+                "Principal": {
+                    "AWS": [ 
+                        "arn:aws:iam::111122223333:root"
+                    ]
+                },
+                "Action": [
+                    "payment-cryptography:*"
+                ],
@@ -260 +272 @@ To use a policy like this one, replace the placeholder AWS account ID and VPC en
-                "Sid": "Restrict usage to my VPC endpoint",
+                "Sid": "RestrictUsageToMyVPCEndpoint",
@@ -264,2 +276,2 @@ To use a policy like this one, replace the placeholder AWS account ID and VPC en
-                    "payment-cryptography:Encrypt",
-                    "payment-cryptography:Decrypt"
+                    "payment-cryptography:EncryptData",
+                    "payment-cryptography:DecryptData"
@@ -267 +279 @@ To use a policy like this one, replace the placeholder AWS account ID and VPC en
-                "Resource": "*",
+                "Resource": "arn:aws:payment-cryptography:us-east-1:111122223333:key/*",
@@ -283,0 +297,6 @@ To use a policy like this one, replace the placeholder AWS account ID and VPC en
+JSON
+    
+
+****
+    
+    
@@ -290 +309 @@ To use a policy like this one, replace the placeholder AWS account ID and VPC en
-                "Sid": "Allow administrative actions from vpc-12345678",
+                "Sid": "AllowAdminActionsFromVPC12345678",
@@ -292 +311,3 @@ To use a policy like this one, replace the placeholder AWS account ID and VPC en
-                "Principal": {"AWS": "111122223333"},
+                "Principal": {
+                    "AWS": "111122223333"
+                },
@@ -294,2 +315,6 @@ To use a policy like this one, replace the placeholder AWS account ID and VPC en
-                    "payment-cryptography:Create*","payment-cryptography:Encrypt*","payment-cryptography:ImportKey*","payment-cryptography:GetParametersForImport*",
-                    "payment-cryptography:TagResource", "payment-cryptography:UntagResource"
+                   "payment-cryptography:Create*",
+                   "payment-cryptography:Encrypt*",
+                   "payment-cryptography:ImportKey*",
+                   "payment-cryptography:GetParametersForImport*",
+                   "payment-cryptography:TagResource",
+                   "payment-cryptography:UntagResource"
@@ -305 +330 @@ To use a policy like this one, replace the placeholder AWS account ID and VPC en
-                "Sid": "Allow key usage from vpc-2b2b2b2b",
+                "Sid": "AllowKeyUsageFromVPC2b2b2b2b",
@@ -307 +332,3 @@ To use a policy like this one, replace the placeholder AWS account ID and VPC en
-                "Principal": {"AWS": "111122223333"},
+                "Principal": {
+                    "AWS": "111122223333"
+                },
@@ -309 +336,2 @@ To use a policy like this one, replace the placeholder AWS account ID and VPC en
-                    "payment-cryptography:Encrypt","payment-cryptography:Decrypt"
+                    "payment-cryptography:Encrypt*",
+                    "payment-cryptography:Decrypt*"
@@ -319 +347 @@ To use a policy like this one, replace the placeholder AWS account ID and VPC en
-                "Sid": "Allow list/read actions from everywhere",
+                "Sid": "AllowListReadActionsFromEverywhere",
@@ -321 +349,3 @@ To use a policy like this one, replace the placeholder AWS account ID and VPC en
-                "Principal": {"AWS": "111122223333"},
+                "Principal": {
+                    "AWS": "111122223333"
+                },
@@ -323 +353,2 @@ To use a policy like this one, replace the placeholder AWS account ID and VPC en
-                    "payment-cryptography:List*","payment-cryptography:Get*"
+                    "payment-cryptography:List*",
+                    "payment-cryptography:Get*"
@@ -325 +356 @@ To use a policy like this one, replace the placeholder AWS account ID and VPC en
-                "Resource": "*",
+                "Resource": "*"