AWS AmazonRDS medium security documentation change
Summary
Updated KMS key policy example with corrected JSON syntax, removed instructional comments, and specified 'us-east-1' region in kms:ViaService condition
Security assessment
The change enforces stricter regional specificity in KMS policies (via 'rds.us-east-1.amazonaws.com') and removes ambiguous placeholder text, improving security posture by demonstrating proper service-linked resource policies. This directly impacts access control for encrypted Performance Insights data.
Diff
diff --git a/AmazonRDS/latest/AuroraUserGuide/USER_PerfInsights.access-control.cmk-policy.md b/AmazonRDS/latest/AuroraUserGuide/USER_PerfInsights.access-control.cmk-policy.md index 33ee83a6e..57b20f7a7 100644 --- a//AmazonRDS/latest/AuroraUserGuide/USER_PerfInsights.access-control.cmk-policy.md +++ b//AmazonRDS/latest/AuroraUserGuide/USER_PerfInsights.access-control.cmk-policy.md @@ -23,0 +24,6 @@ The following example shows how to add statements to your KMS key policy. These +JSON + + +**** + + @@ -28,6 +34 @@ The following example shows how to add statements to your KMS key policy. These - "Statement" : [ { - //This represents a statement that currently exists in your policy. - } - ...., - //Starting here, add new statement to your policy for Performance Insights. - //We recommend that you add one new statement for every RDS instance + "Statement" : [ @@ -35 +36 @@ The following example shows how to add statements to your KMS key policy. These - "Sid" : "Allow viewing RDS Performance Insights", + "Sid" : "AllowViewingRDSPerformanceInsights", @@ -39 +39,0 @@ The following example shows how to add statements to your KMS key policy. These - //One or more principals allowed to access Performance Insights @@ -50,4 +50 @@ The following example shows how to add statements to your KMS key policy. These - //Restrict access to only RDS APIs (including Performance Insights). - //Replace region with your AWS Region. - //For example, specify us-west-2. - "kms:ViaService" : "rds.region.amazonaws.com" + "kms:ViaService" : "rds.us-east-1.amazonaws.com" @@ -56 +52,0 @@ The following example shows how to add statements to your KMS key policy. These - //Restrict access to only data encrypted by Performance Insights. @@ -59,3 +54,0 @@ The following example shows how to add statements to your KMS key policy. These - - //Restrict access to a specific RDS instance. - //The value is a DbiResourceId. @@ -65,0 +59,3 @@ The following example shows how to add statements to your KMS key policy. These + ] + } +