AWS workspaces documentation change
Summary
Updated KMS permissions in IAM policy example from kms:ReEncrypt to kms:ReEncryptFrom and kms:ReEncryptTo
Security assessment
The change splits a broad KMS re-encryption permission into more granular actions (From/To), which improves security through better adherence to least-privilege principles. However, there's no evidence this addresses an active security vulnerability.
Diff
diff --git a/workspaces/latest/adminguide/encrypt-workspaces.md b/workspaces/latest/adminguide/encrypt-workspaces.md index d10fc131e..32d0294a9 100644 --- a//workspaces/latest/adminguide/encrypt-workspaces.md +++ b//workspaces/latest/adminguide/encrypt-workspaces.md @@ -234 +234,2 @@ JSON - "kms:ReEncrypt", + "kms:ReEncryptFrom", + "kms:ReEncryptTo",