AWS Security ChangesHomeSearch

AWS codebuild high security documentation change

Service: codebuild · 2025-08-13 · Security-related high

File: codebuild/latest/userguide/setting-up-kms.md

Summary

Simplified KMS key policy by removing placeholder statements and adding concrete service/account restrictions

Security assessment

Removed wildcard Principal ('AWS': '*') and replaced with explicit kms:CallerAccount restrictions. This hardens KMS key policies by eliminating broad access permissions, directly addressing potential unauthorized access vulnerabilities.

Diff

diff --git a/codebuild/latest/userguide/setting-up-kms.md b/codebuild/latest/userguide/setting-up-kms.md
index fea77d0f3..aadafcc3d 100644
--- a//codebuild/latest/userguide/setting-up-kms.md
+++ b//codebuild/latest/userguide/setting-up-kms.md
@@ -26 +25,0 @@ JSON
-      "Id": "...",
@@ -28 +26,0 @@ JSON
-        ### BEGIN ADDING STATEMENTS HERE ###
@@ -30 +27,0 @@ JSON
-          "Sid": "Allow access through Amazon S3 for all principals in the account that are authorized to use Amazon S3",
@@ -32,3 +28,0 @@ JSON
-          "Principal": {
-            "AWS": "*"
-          },
@@ -45,2 +39,2 @@ JSON
-              "kms:ViaService": "s3.region-ID.amazonaws.com",
-              "kms:CallerAccount": "account-ID"
+              "kms:ViaService": "s3.us-east-1.amazonaws.com",
+              "kms:CallerAccount": "111122223333"
@@ -52,3 +45,0 @@ JSON
-          "Principal": {
-            "AWS": "arn:aws:iam::account-ID:role/-service-role"
-          },
@@ -63,17 +53,0 @@ JSON
-        },
-        ### END ADDING STATEMENTS HERE ###
-        {
-          "Sid": "Enable IAM User Permissions",
-          ...
-        },
-        {
-          "Sid": "Allow access for Key Administrators",
-          ...
-        },
-        {
-          "Sid": "Allow use of the key",
-          ...
-        },
-        {
-          "Sid": "Allow attachment of persistent resources",
-          ...