AWS codebuild high security documentation change
Summary
Simplified KMS key policy by removing placeholder statements and adding concrete service/account restrictions
Security assessment
Removed wildcard Principal ('AWS': '*') and replaced with explicit kms:CallerAccount restrictions. This hardens KMS key policies by eliminating broad access permissions, directly addressing potential unauthorized access vulnerabilities.
Diff
diff --git a/codebuild/latest/userguide/setting-up-kms.md b/codebuild/latest/userguide/setting-up-kms.md index fea77d0f3..aadafcc3d 100644 --- a//codebuild/latest/userguide/setting-up-kms.md +++ b//codebuild/latest/userguide/setting-up-kms.md @@ -26 +25,0 @@ JSON - "Id": "...", @@ -28 +26,0 @@ JSON - ### BEGIN ADDING STATEMENTS HERE ### @@ -30 +27,0 @@ JSON - "Sid": "Allow access through Amazon S3 for all principals in the account that are authorized to use Amazon S3", @@ -32,3 +28,0 @@ JSON - "Principal": { - "AWS": "*" - }, @@ -45,2 +39,2 @@ JSON - "kms:ViaService": "s3.region-ID.amazonaws.com", - "kms:CallerAccount": "account-ID" + "kms:ViaService": "s3.us-east-1.amazonaws.com", + "kms:CallerAccount": "111122223333" @@ -52,3 +45,0 @@ JSON - "Principal": { - "AWS": "arn:aws:iam::account-ID:role/-service-role" - }, @@ -63,17 +53,0 @@ JSON - }, - ### END ADDING STATEMENTS HERE ### - { - "Sid": "Enable IAM User Permissions", - ... - }, - { - "Sid": "Allow access for Key Administrators", - ... - }, - { - "Sid": "Allow use of the key", - ... - }, - { - "Sid": "Allow attachment of persistent resources", - ...