AWS kms documentation change
Summary
Added clarification about encryption context keys/values and their distinction from AWS-generated tags.
Security assessment
Enhances documentation about using encryption context for access control, a security feature, but does not address a specific vulnerability.
Diff
diff --git a/kms/latest/developerguide/encrypt_context.md b/kms/latest/developerguide/encrypt_context.md index 192c83a57..83614b641 100644 --- a//kms/latest/developerguide/encrypt_context.md +++ b//kms/latest/developerguide/encrypt_context.md @@ -29 +29 @@ For example, when encrypting volumes and snapshots created with the [Amazon Elas -You can also use the encryption context to refine or limit access to AWS KMS keys in your account. You can use the encryption context [as a constraint in grants](./grants.html) and as a _[condition in policy statements](./policy-conditions.html)_. +You can also use the encryption context to refine or limit access to AWS KMS keys in your account. You can use the encryption context [as a constraint in grants](./grants.html) and as a _[condition in policy statements](./policy-conditions.html)_. Encryption context keys and their values can be arbitrary strings with `aws`. These values contrasts [AWS generated tags](https://docs.aws.amazon.com/tag-editor/latest/userguide/best-practices-and-strats.html#tag-conventions) like [aws:cloudformation:stack-name](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/aws-properties-resource-tags.html). For more information, see [kms:EncryptionContext:context-key](./conditions-kms.html#conditions-kms-encryption-context)