AWS Security ChangesHomeSearch

AWS step-functions documentation change

Service: step-functions · 2025-08-28 · Documentation low

File: step-functions/latest/dg/encryption-at-rest.md

Summary

Updated example ARNs and policy statements with specific account/region values

Security assessment

Changes replace placeholder values (e.g., account IDs, regions) with concrete examples but do not introduce new security features or address vulnerabilities. These are documentation clarifications.

Diff

diff --git a/step-functions/latest/dg/encryption-at-rest.md b/step-functions/latest/dg/encryption-at-rest.md
index 2b389dcfd..949976fe2 100644
--- a//step-functions/latest/dg/encryption-at-rest.md
+++ b//step-functions/latest/dg/encryption-at-rest.md
@@ -103 +103 @@ The following is an example AWS KMS key policy from console, without **Key admin
-            "AWS": "arn:aws:iam::111122223333:root"
+            "AWS": "arn:aws:iam::123456789012:root"
@@ -138 +138 @@ If you enable state machine encryption with a AWS KMS key, and your state machin
-          "Resource": "arn:aws:kms:region:account-id:key/keyId",
+          "Resource": "arn:aws:kms:us-east-1:123456789012:key/keyId",
@@ -141 +141 @@ If you enable state machine encryption with a AWS KMS key, and your state machin
-              "kms:EncryptionContext:SourceArn": "arn:aws:logs:region:account-id:*"
+              "kms:EncryptionContext:SourceArn": "arn:aws:logs:us-east-1:123456789012:*"
@@ -165 +165 @@ You can choose the same or different AWS KMS keys to encrypt your logs and your
-            "Service": "logs.region.amazonaws.com"
+            "Service": "logs.us-east-1.amazonaws.com"
@@ -177 +177 @@ You can choose the same or different AWS KMS keys to encrypt your logs and your
-              "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:region:account-id:log-group:log-group-name"
+              "kms:EncryptionContext:aws:logs:arn": "arn:aws:logs:us-east-1:123456789012:log-group:LOG_GROUP_NAME"
@@ -220 +220 @@ The following is an example execution role policy:
-            "arn:aws:kms:region:account-id:key/keyId"
+            "arn:aws:kms:us-east-1:123456789012:key/keyId"
@@ -225 +225 @@ The following is an example execution role policy:
-                "arn:aws:states:region:account-id:stateMachine:stateMachineName"
+                "arn:aws:states:us-east-1:123456789012:stateMachine:stateMachineName"
@@ -257 +257 @@ When customer managed key encryption is enabled on an Activity Task, the state m
-            "arn:aws:kms:region:account-id:key/keyId"
+            "arn:aws:kms:us-east-1:123456789012:key/keyId"
@@ -262 +262 @@ When customer managed key encryption is enabled on an Activity Task, the state m
-                "arn:aws:states:region:account-id:activity:activityName"
+                "arn:aws:states:us-east-1:123456789012:activity:activityName"
@@ -295 +295 @@ The following example shows how to limit the use of a AWS KMS key for execution
-          "Sid": "Allow KMS Permissions for StepFunctionsWorkflowExecutions",
+          "Sid": "AllowKeyManagement",
@@ -302 +302 @@ The following example shows how to limit the use of a AWS KMS key for execution
-            "arn:aws:kms:region:account-id:key/keyId"
+            "arn:aws:kms:us-east-1:123456789012:key/keyId"
@@ -306 +306 @@ The following example shows how to limit the use of a AWS KMS key for execution
-              "kms:EncryptionContext:aws:states:stateMachineArn": "arn:aws:states:region:account-id:stateMachine:stateMachineName"
+              "kms:EncryptionContext:aws:states:stateMachineArn": "arn:aws:states:us-east-1:123456789012:stateMachine:stateMachineName"
@@ -327 +327 @@ The following example policy uses the `kms:ViaService` condition to allow the AW
-            "AWS": "arn:aws:iam::account-id:role/ExampleRole"
+            "AWS": "arn:aws:iam::123456789012:role/ExampleRole"