AWS kms documentation change
Summary
Added structured list of service-specific documentation links for KMS key policy permissions
Security assessment
The change improves documentation by explicitly listing services and their KMS key policy requirements. While it enhances security guidance, there is no evidence of addressing a specific vulnerability.
Diff
diff --git a/kms/latest/developerguide/key-policy-services.md b/kms/latest/developerguide/key-policy-services.md index 1c3f6c80a..10e960149 100644 --- a//kms/latest/developerguide/key-policy-services.md +++ b//kms/latest/developerguide/key-policy-services.md @@ -11 +11,18 @@ However, when you use a [customer managed key](./concepts.html#customer-mgn-key) -To find the permissions that the service requires on a customer managed key, see the encryption documentation for the service. For example, for the permissions that Amazon Elastic Block Store (Amazon EBS) requires, see _Permissions for IAM users_ in the [Amazon EC2 User Guide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#ebs-encryption-permissions) and [Amazon EC2 User Guide](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/EBSEncryption.html#ebs-encryption-permissions). For the permissions that Secrets Manager requires, see [Authorizing use of the KMS key](https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html#security-encryption-authz) in the _AWS Secrets Manager User Guide_. +To find the permissions that the service requires on a customer managed key, see the encryption documentation for the service. The following list includes links to some services documentation: + + * **AWS CloudTrail** permissions - [Configure AWS KMS key policies for CloudTrail](https://docs.aws.amazon.com/awscloudtrail/latest/userguide/create-kms-key-policy-for-cloudtrail.html#create-kms-key-policy-for-cloudtrail-decrypt) + + * **Amazon Elastic Block Store** permissions - [Amazon EC2 User Guide](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html#ebs-encryption-permissions) and [Amazon EC2 User Guide](https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/EBSEncryption.html#ebs-encryption-permissions) + + * **AWS Lambda** permissions - [Data encryption at rest for Lambda](https://docs.aws.amazon.com/lambda/latest/dg/security-encryption-at-rest.html) + + * **Amazon Q** permissions - [Data encryption for Amazon Q](https://docs.aws.amazon.com/amazonq/latest/qbusiness-ug/data-encryption.html) + + * **Amazon Relational Database Service** permissions - [AWS KMS key management](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.Encryption.Keys.html) + + * **AWS Secrets Manager** permissions - [Authorizing use of the KMS key](https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html#security-encryption-authz) + + * **Amazon Simple Queue Service** permissions - [Amazon SQS Key management](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/sqs-key-management.html) + + +