AWS transform medium security documentation change
Summary
Removed example KMS policy configuration for AWSTransform Connector Service permissions
Security assessment
The removed KMS policy previously enforced security controls by limiting encryption operations to specific roles and resources. Its removal could indicate a change in security posture, though no explicit vulnerability is mentioned. The policy had security-focused conditions (PrincipalArn and EncryptionContext constraints), so its deletion might impact access control documentation.
Diff
diff --git a/transform/latest/userguide/transform-vmware-connect-discovery-account.md b/transform/latest/userguide/transform-vmware-connect-discovery-account.md index d1c6c210f..35148db09 100644 --- a//transform/latest/userguide/transform-vmware-connect-discovery-account.md +++ b//transform/latest/userguide/transform-vmware-connect-discovery-account.md @@ -34,41 +33,0 @@ AWS Transform will create an Amazon S3 bucket on your behalf in this discovery A -JSON - - -**** - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Allow encryption operations for AWSTransform Connector Service", - "Effect": "Allow", - "Principal": {"AWS": "*"}, - "Action": [ - "kms:Decrypt", - "kms:GenerateDataKey" - ], - "Resource": "*", - "Condition": { - "StringEquals": {"kms:ViaService": "s3.discovery-AWS Region.amazonaws.com"}, - "StringLike": { - "aws:PrincipalArn": "arn:aws:iam::source-account-ID:role/service-role/AWSTransform-Connector-*", - "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::transform-vmware*" - } - } - }, - { - "Sid": "Allow DescribeKey for AWSTransform Connector Service", - "Effect": "Allow", - "Principal": {"AWS": "*"}, - "Action": "kms:DescribeKey", - "Resource": "*", - "Condition": { - "StringEquals": {"kms:ViaService": "s3.discovery-AWS Region.amazonaws.com"}, - "StringLike": {"aws:PrincipalArn": "arn:aws:iam::source-account-ID:role/service-role/AWSTransform-Connector-*"} - } - } - ] - } - -