AWS Security ChangesHomeSearch

AWS kms documentation change

Service: kms · 2025-08-28 · Documentation low

File: kms/latest/developerguide/encrypt_context.md

Summary

Added clarification about encryption context keys/values and their distinction from AWS-generated tags.

Security assessment

Enhances documentation about using encryption context for access control, a security feature, but does not address a specific vulnerability.

Diff

diff --git a/kms/latest/developerguide/encrypt_context.md b/kms/latest/developerguide/encrypt_context.md
index 192c83a57..83614b641 100644
--- a//kms/latest/developerguide/encrypt_context.md
+++ b//kms/latest/developerguide/encrypt_context.md
@@ -29 +29 @@ For example, when encrypting volumes and snapshots created with the [Amazon Elas
-You can also use the encryption context to refine or limit access to AWS KMS keys in your account. You can use the encryption context [as a constraint in grants](./grants.html) and as a _[condition in policy statements](./policy-conditions.html)_. 
+You can also use the encryption context to refine or limit access to AWS KMS keys in your account. You can use the encryption context [as a constraint in grants](./grants.html) and as a _[condition in policy statements](./policy-conditions.html)_. Encryption context keys and their values can be arbitrary strings with `aws`. These values contrasts [AWS generated tags](https://docs.aws.amazon.com/tag-editor/latest/userguide/best-practices-and-strats.html#tag-conventions) like [aws:cloudformation:stack-name](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-resource-tags.html). For more information, see [kms:EncryptionContext:context-key](./conditions-kms.html#conditions-kms-encryption-context)