AWS Security ChangesHomeSearch

AWS inspector medium security documentation change

Service: inspector · 2025-08-28 · Security-related medium

File: inspector/latest/user/code-security-assessments-creating-a-key.md

Summary

Removed detailed KMS key policy JSON configuration for code security assessments

Security assessment

The removal of a specific KMS key policy configuration could indicate deprecation of insecure permissions or misconfiguration. The original policy granted encryption/decryption permissions to Inspector roles with specific conditions. Removing this without replacement might leave users without guidance for secure key management, potentially leading to misconfigurations.

Diff

diff --git a/inspector/latest/user/code-security-assessments-creating-a-key.md b/inspector/latest/user/code-security-assessments-creating-a-key.md
index c2616973f..3e5bb93ad 100644
--- a//inspector/latest/user/code-security-assessments-creating-a-key.md
+++ b//inspector/latest/user/code-security-assessments-creating-a-key.md
@@ -13,87 +12,0 @@ When you [create your customer managed key](https://docs.aws.amazon.com/kms/late
-JSON
-    
-
-****
-    
-    
-    
-    {
-        "Version": "2012-10-17",
-        "Id": "key-policy",
-        "Statement": [
-            {
-                "Sid": "Allow Q to use Encrypt Decrypt GenerateDataKey and GenerateDataKeyWithoutPlaintext",
-                "Effect": "Allow",
-                "Principal": {
-                    "Service": "q.amazonaws.com"
-                },
-                "Action": [
-                    "kms:Encrypt",
-                    "kms:Decrypt",
-                    "kms:GenerateDataKey",
-                    "kms:GenerateDataKeyWithoutPlaintext"
-                ],
-                "Resource": "*",
-                "Condition": {
-                    "StringEquals": {
-                        "aws:SourceAccount": "111122223333"
-                    },
-                    "StringLike": {
-                        "kms:EncryptionContext:aws:qdeveloper:codesecurity-scope": "111122223333"
-                    },
-                    "ArnLike": {
-                        "aws:SourceArn": "arn:aws:inspector2:us-east-1:111122223333:codesecurity-integration/*"
-                    }
-                }
-            },
-            {
-                "Sid": "Allow Q to use DescribeKey",
-                "Effect": "Allow",
-                "Principal": {
-                    "Service": "q.amazonaws.com"
-                },
-                "Action": "kms:DescribeKey",
-                "Resource": "*"
-            },
-            {
-                "Sid": "Allow Inspector to use Encrypt Decrypt GenerateDataKey and GenerateDataKeyWithoutPlaintext using FAS",
-                "Effect": "Allow",
-                "Principal": {
-                    "AWS": "arn:aws:iam::{111122223333}:role/inspectorCodeSecurity"
-                },
-                "Action": [
-                    "kms:Encrypt",
-                    "kms:Decrypt",
-                    "kms:GenerateDataKey",
-                    "kms:GenerateDataKeyWithoutPlaintext"
-                ],
-                "Resource": "*",
-                "Condition": {
-                    "StringEquals": {
-                        "kms:ViaService": "inspector2.us-east-1.amazonaws.com"
-                    },
-                    "StringLike": {
-                        "kms:EncryptionContext:aws:qdeveloper:codesecurity-scope": "111122223333"
-                    }
-                }
-            },
-            {
-                "Sid": "Allow Inspector to use DescribeKey using FAS",
-                "Effect": "Allow",
-                "Principal": {
-                    "AWS": "arn:aws:iam::{111122223333}:role/inspectorCodeSecurity"
-                },
-                "Action": [
-                    "kms:DescribeKey"
-                ],
-                "Resource": "*",
-                "Condition": {
-                    "StringEquals": {
-                        "kms:ViaService": "inspector2.us-east-1.amazonaws.com"
-                    }
-                }
-            }
-        ]
-    }
-    
-