AWS Security ChangesHomeSearch

AWS kms documentation change

Service: kms · 2025-08-28 · Documentation low

File: kms/latest/developerguide/key-policy-services.md

Summary

Added structured list of service-specific documentation links for KMS key policy permissions

Security assessment

The change improves documentation by explicitly listing services and their KMS key policy requirements. While it enhances security guidance, there is no evidence of addressing a specific vulnerability.

Diff

diff --git a/kms/latest/developerguide/key-policy-services.md b/kms/latest/developerguide/key-policy-services.md
index 1c3f6c80a..10e960149 100644
--- a//kms/latest/developerguide/key-policy-services.md
+++ b//kms/latest/developerguide/key-policy-services.md
@@ -11 +11,18 @@ However, when you use a [customer managed key](./concepts.html#customer-mgn-key)
-To find the permissions that the service requires on a customer managed key, see the encryption documentation for the service. For example, for the permissions that Amazon Elastic Block Store (Amazon EBS) requires, see _Permissions for IAM users_ in the [Amazon EC2 User Guide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#ebs-encryption-permissions) and [Amazon EC2 User Guide](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/EBSEncryption.html#ebs-encryption-permissions). For the permissions that Secrets Manager requires, see [Authorizing use of the KMS key](https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html#security-encryption-authz) in the _AWS Secrets Manager User Guide_.
+To find the permissions that the service requires on a customer managed key, see the encryption documentation for the service. The following list includes links to some services documentation:
+
+  * **AWS CloudTrail** permissions - [Configure AWS KMS key policies for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html#create-kms-key-policy-for-cloudtrail-decrypt)
+
+  * **Amazon Elastic Block Store** permissions - [Amazon EC2 User Guide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#ebs-encryption-permissions) and [Amazon EC2 User Guide](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/EBSEncryption.html#ebs-encryption-permissions)
+
+  * **AWS Lambda** permissions - [Data encryption at rest for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/security-encryption-at-rest.html)
+
+  * **Amazon Q** permissions - [Data encryption for Amazon Q](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/data-encryption.html)
+
+  * **Amazon Relational Database Service** permissions - [AWS KMS key management](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.Keys.html)
+
+  * **AWS Secrets Manager** permissions - [Authorizing use of the KMS key](https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html#security-encryption-authz)
+
+  * **Amazon Simple Queue Service** permissions - [Amazon SQS Key management](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html)
+
+
+