AWS eventbridge documentation change
Summary
Expanded documentation about encrypting event buses with KMS keys, including encryption scope, required permissions, key policy examples, and operational recommendations
Security assessment
The changes add detailed guidance about using customer-managed KMS keys for encryption, including required permissions and security best practices. While this improves security documentation, there is no evidence of addressing a specific existing vulnerability.
Diff
diff --git a/eventbridge/latest/userguide/eb-encryption-event-bus-cmkey.md b/eventbridge/latest/userguide/eb-encryption-event-bus-cmkey.md index c13586f72..dfd6ddf64 100644 --- a//eventbridge/latest/userguide/eb-encryption-event-bus-cmkey.md +++ b//eventbridge/latest/userguide/eb-encryption-event-bus-cmkey.md @@ -5 +5,22 @@ -Event bus encryption contextEvent bus key policy +Event bus encryption contextEvent bus key policyAWS KMS key permissions for event bus actions + +# Encrypting EventBridge event buses with AWS KMS keys + +You can specify that EventBridge use an AWS KMS to encrypt your data stored on an event bus, rather than use an AWS owned key as is the default. You can specify a customer managed key when you create or update an event bus. You can also update the default event bus to use a customer managed key for encryption as well. For more information, see [KMS key options](./eb-encryption-at-rest-key-options.html). + +When you specify a customer managed key for an event bus, EventBridge uses that key to encrypt the following: + + * [Custom](./eb-putevents.html) and [partner](./eb-saas.html) events stored on the event bus. + +Events from AWS service are encrypted using an AWS owned key. + +EventBridge does not encrypt event metadata. For more information on event metadata, see [AWS service event metadata](https://docs.aws.amazon.com/eventbridge/latest/ref/events-structure.html) in the _Events Reference_. + + * For each [rule](./eb-rules.html) on the bus: + + * The rule [event pattern](./eb-event-patterns.html). + + * [Target](./eb-targets.html) information, including target input, [input transformers](./eb-transform-target-input.html), and [configuration parameters](./eb-create-rule.html#eb-create-rule-target). + + * If [event bus logging](./eb-event-bus-logs.html) is enabled, the `detail` and `error` sections of log records. + @@ -7 +27,0 @@ Event bus encryption contextEvent bus key policy -# Encrypting events with AWS KMS keys in EventBridge @@ -9 +28,0 @@ Event bus encryption contextEvent bus key policy -You can specify that EventBridge use a AWS KMS to encrypt your data (custom and partner events) stored on an event bus, rather than use an AWS owned key as is the default. You can specify a customer managed key when you create or update an event bus. You can also update the default event bus to use a customer managed key for custom and partner events as well. For more information, see [KMS key options](./eb-encryption-at-rest-key-options.html). @@ -14,0 +34,6 @@ If you specify a customer managed key for an event bus, you have the option of s +We strongly recommend specifying a DLQ for event buses, to ensure events are preserved if encryption or decryption errors occur. + +You can also specify using customer managed keys for encrypting event bus archives. For more information, see [Encrypting archives](./encryption-archives.html). + +###### Note + @@ -49 +74,4 @@ As a security best practice, we recommend you include condition keys in the key - "Sid": "Allow EventBridge to validate key permission", + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowEventBridgeToValidateKeyPermission", @@ -56 +84 @@ As a security best practice, we recommend you include condition keys in the key - ] + ], @@ -60 +88 @@ As a security best practice, we recommend you include condition keys in the key - "Sid": "Allow EventBridge to encrypt events", + "Sid": "AllowEventBridgeToEncryptEvents", @@ -68 +96 @@ As a security best practice, we recommend you include condition keys in the key - ] + ], @@ -72,2 +100,2 @@ As a security best practice, we recommend you include condition keys in the key - "kms:EncryptionContext:aws:events:event-bus:arn": "arn:aws:events:region:account-id:event-bus/event-bus-arn", - "aws:SourceArn": "arn:aws:events:region:account-id:event-bus/event-bus-name" + "kms:EncryptionContext:aws:events:event-bus:arn": "arn:aws:events:us-east-1:123456789012:event-bus/event-bus-arn", + "aws:SourceArn": "arn:aws:events:us-east-1:123456789012:event-bus/event-bus-name" @@ -76,0 +105,41 @@ As a security best practice, we recommend you include condition keys in the key + ] } + +## AWS KMS key permissions for event bus actions + +To create or update an event bus encrypted using a customer managed key, you must have the following permissions to the specified customer managed key: + + * `kms:GenerateDataKeyWithoutPlaintext` + + * `kms:Decrypt` + + * `kms:Encrypt` + + * `kms:ReEncryptFrom` + + * `kms:ReEncryptTo` + + * `kms:DescribeKey` + + + + +In addition, to perform certain event bus actions on an event bus encrypted using a customer managed key, you must have `kms:Decrypt` permission for the specified customer managed key. These actions include: + + * `[DescribeRule](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DescribeRule.html)` + + * `[DisableRule](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_DisableRule.html)` + + * `[EnableRule](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_EnableRule.html)` + + * `[ListRules](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_ListRules.html)` + + * `[ListTargetsByRule](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_ListTargetsByRule.html)` + + * `[PutRule](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_PutRule.html)` + + * `[ListRuleNamesByTarget](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_ListRuleNamesByTarget.html)` + + * `[PutTargets](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_PutTargets.html)` + + +