AWS transform medium security documentation change
Summary
Removed target account KMS policy example that enforced role-based encryption permissions
Security assessment
Eliminated a security-sensitive IAM policy that controlled KMS operations with conditional access restrictions. The policy previously implemented security boundaries by limiting actions to specific service roles. Removal suggests potential changes to security configuration requirements, though no direct vulnerability is stated.
Diff
diff --git a/transform/latest/userguide/transform-vmware-connect-target-account.md b/transform/latest/userguide/transform-vmware-connect-target-account.md index a6bddfcb7..167314405 100644 --- a//transform/latest/userguide/transform-vmware-connect-target-account.md +++ b//transform/latest/userguide/transform-vmware-connect-target-account.md @@ -47,51 +46,0 @@ If you specify a target AWS Region that is different from the discovery AWS Regi -JSON - - -**** - - - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowEncryptionOperationForAWSTransformConnectorService", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": [ - "kms:Decrypt", - "kms:GenerateDataKey" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "kms:ViaService": "s3.arn:aws:.amazonaws.com" - }, - "ArnLike": { - "aws:PrincipalArn": "arn:aws:iam::123456789012:role/service-role/AWSTransform-Connector-*", - "kms:EncryptionContext:aws:s3:arn": "arn:aws:s3:::transform-vmware*" - } - } - }, - { - "Sid": "AllowDescribeKeyforAWSTransformConnectorService", - "Effect": "Allow", - "Principal": { - "AWS": "*" - }, - "Action": "kms:DescribeKey", - "Resource": "*", - "Condition": { - "StringEquals": { - "kms:ViaService": "s3.arn:aws:.amazonaws.com" - }, - "ArnLike": { - "aws:PrincipalArn": "arn:aws:iam::123456789012:role/service-role/AWSTransform-Connector-*" - } - } - } - ] - } - -