AWS imagebuilder documentation change
Summary
Added two detailed KMS key policy examples for Image Builder workflow encryption
Security assessment
Introduces new security documentation showing how to properly configure KMS policies for encryption scenarios, enhancing data protection guidance without addressing a specific vulnerability.
Diff
diff --git a/imagebuilder/latest/userguide/data-protection.md b/imagebuilder/latest/userguide/data-protection.md index 23d31e118..5a88d34ec 100644 --- a//imagebuilder/latest/userguide/data-protection.md +++ b//imagebuilder/latest/userguide/data-protection.md @@ -64,0 +65,41 @@ For more information about customer managed keys, see [ Managing access to custo +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Allow access to build images with encrypted workflow", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/YourImageBuilderExecutionRole" + }, + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "kms:EncryptionContext:aws:imagebuilder:arn": "arn:aws:imagebuilder:*:111122223333:workflow/*" + } + } + }, + { + "Sid": "Allow access for key administrators", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:root" + }, + "Action": [ + "kms:*" + ], + "Resource": "arn:aws:kms:*:111122223333:key/*" + } + ] + } + @@ -71,0 +113,27 @@ Edit the policy for your workflow execution role to add the following policy sta +JSON + + +**** + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowAccessToWorkflowKey", + "Effect": "Allow", + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey" + ], + "Resource": "arn:aws:kms:us-west-2:111122223333:key/key_ID", + "Condition": { + "StringLike": { + "kms:EncryptionContext:aws:imagebuilder:arn": "arn:aws:imagebuilder:*:111122223333:workflow/*" + } + } + } + ] + } +