AWS inspector medium security documentation change
Summary
Removed detailed KMS key policy JSON configuration for code security assessments
Security assessment
The removal of a specific KMS key policy configuration could indicate deprecation of insecure permissions or misconfiguration. The original policy granted encryption/decryption permissions to Inspector roles with specific conditions. Removing this without replacement might leave users without guidance for secure key management, potentially leading to misconfigurations.
Diff
diff --git a/inspector/latest/user/code-security-assessments-creating-a-key.md b/inspector/latest/user/code-security-assessments-creating-a-key.md index c2616973f..3e5bb93ad 100644 --- a//inspector/latest/user/code-security-assessments-creating-a-key.md +++ b//inspector/latest/user/code-security-assessments-creating-a-key.md @@ -13,87 +12,0 @@ When you [create your customer managed key](https://docs.aws.amazon.com/kms/late -JSON - - -**** - - - - { - "Version": "2012-10-17", - "Id": "key-policy", - "Statement": [ - { - "Sid": "Allow Q to use Encrypt Decrypt GenerateDataKey and GenerateDataKeyWithoutPlaintext", - "Effect": "Allow", - "Principal": { - "Service": "q.amazonaws.com" - }, - "Action": [ - "kms:Encrypt", - "kms:Decrypt", - "kms:GenerateDataKey", - "kms:GenerateDataKeyWithoutPlaintext" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:SourceAccount": "111122223333" - }, - "StringLike": { - "kms:EncryptionContext:aws:qdeveloper:codesecurity-scope": "111122223333" - }, - "ArnLike": { - "aws:SourceArn": "arn:aws:inspector2:us-east-1:111122223333:codesecurity-integration/*" - } - } - }, - { - "Sid": "Allow Q to use DescribeKey", - "Effect": "Allow", - "Principal": { - "Service": "q.amazonaws.com" - }, - "Action": "kms:DescribeKey", - "Resource": "*" - }, - { - "Sid": "Allow Inspector to use Encrypt Decrypt GenerateDataKey and GenerateDataKeyWithoutPlaintext using FAS", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::{111122223333}:role/inspectorCodeSecurity" - }, - "Action": [ - "kms:Encrypt", - "kms:Decrypt", - "kms:GenerateDataKey", - "kms:GenerateDataKeyWithoutPlaintext" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "kms:ViaService": "inspector2.us-east-1.amazonaws.com" - }, - "StringLike": { - "kms:EncryptionContext:aws:qdeveloper:codesecurity-scope": "111122223333" - } - } - }, - { - "Sid": "Allow Inspector to use DescribeKey using FAS", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::{111122223333}:role/inspectorCodeSecurity" - }, - "Action": [ - "kms:DescribeKey" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "kms:ViaService": "inspector2.us-east-1.amazonaws.com" - } - } - } - ] - } - -