AWS managed-flink documentation change
Summary
Removed detailed KMS key policy and IAM policy JSON examples, replacing them with placeholder content
Security assessment
While the changes involve encryption key management documentation, there is no evidence of a specific security vulnerability being addressed. The removal of detailed policy examples appears to be a content restructuring rather than a security fix, though it reduces explicit security guidance.
Diff
diff --git a/managed-flink/latest/java/manage-cmk-api.md b/managed-flink/latest/java/manage-cmk-api.md index d850223b8..6483b7242 100644 --- a//managed-flink/latest/java/manage-cmk-api.md +++ b//managed-flink/latest/java/manage-cmk-api.md @@ -70,0 +71,7 @@ The following key policy statements are large because they are intended to be ex +JSON + + +**** + + + @@ -72,157 +78,0 @@ The following key policy statements are large because they are intended to be ex - { - "Version": "2012-10-17", - "Id": "MyMsfCmkApplicationKeyPolicy", - "Statement": [ - { - "Sid": "AllowOperatorToDescribeKey", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::123456789012:role/Operator" - }, - "Action": "kms:DescribeKey", - "Resource": "*", - "Condition": { - "StringEquals": { - "kms:ViaService": "kinesisanalytics.us-east-1.amazonaws.com" - } - } - }, - { - "Sid": "AllowOperatorToConfigureAppToUseKeyForApplicationState", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::123456789012:role/Operator" - }, - "Action": [ - "kms:Decrypt", - "kms:GenerateDataKey", - "kms:GenerateDataKeyWithoutPlaintext" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "kms:EncryptionContext:aws:kinesisanalytics:arn": - "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication", - "kms:ViaService": "kinesisanalytics.us-east-1.amazonaws.com" - } - } - }, - { - "Sid": "AllowOperatorToConfigureAppToCreateGrantForRunningState", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::123456789012:role/Operator" - }, - "Action": "kms:CreateGrant", - "Resource": "*", - "Condition": { - "StringEquals": { - "kms:EncryptionContext:aws:kinesisanalytics:arn": - "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication", - "kms:ViaService": "kinesisanalytics.us-east-1.amazonaws.com", - "kms:GrantConstraintType": "EncryptionContextSubset" - }, - "ForAllValues:StringEquals": { - "kms:GrantOperations": "Decrypt" - } - } - }, - { - "Sid": "AllowMSFServiceToDescribeKey", - "Effect": "Allow", - "Principal": { - "Service": [ - "kinesisanalytics.amazonaws.com", - "infrastructure.kinesisanalytics.amazonaws.com" - ] - }, - "Action": "kms:DescribeKey", - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:SourceArn": - "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication", - "aws:SourceAccount": "123456789012" - } - } - }, - { - "Sid": "AllowMSFServiceToGenerateDataKeyForDurableState", - "Effect": "Allow", - "Principal": { - "Service": "kinesisanalytics.amazonaws.com" - }, - "Action": [ - "kms:GenerateDataKey" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:SourceArn": - "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication", - "kms:EncryptionContext:aws:kinesisanalytics:arn": - "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication", - "aws:SourceAccount": "123456789012" - } - } - }, - { - "Sid": "AllowMSFServiceToDecryptForDurableState", - "Effect": "Allow", - "Principal": { - "Service": "kinesisanalytics.amazonaws.com" - }, - "Action": [ - "kms:Decrypt" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "kms:EncryptionContext:aws:kinesisanalytics:arn": - "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication" - } - } - }, - { - "Sid": "AllowMSFServiceToUseKeyForRunningState", - "Effect": "Allow", - "Principal": { - "Service": [ - "infrastructure.kinesisanalytics.amazonaws.com" - ] - }, - "Action": [ - "kms:Decrypt", - "kms:GenerateDataKeyWithoutPlaintext" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "kms:EncryptionContext:aws:kinesisanalytics:arn": - "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication" - } - } - }, - { - "Sid": "AllowMSFServiceToCreateGrantForRunningState", - "Effect": "Allow", - "Principal": { - "Service": [ - "infrastructure.kinesisanalytics.amazonaws.com" - ] - }, - "Action": "kms:CreateGrant", - "Resource": "*", - "Condition": { - "StringEquals": { - "kms:EncryptionContext:aws:kinesisanalytics:arn": - "arn:aws:kinesisanalytics:us-east-1:123456789012:application/MyCmkApplication", - "kms:GrantConstraintType": "EncryptionContextSubset" - }, - "ForAllValues:StringEquals": { - "kms:GrantOperations": "Decrypt" - } - } - } - ] - } @@ -235,0 +86,7 @@ The following IAM policy ensures that the application lifecycle operator has the +JSON + + +**** + + + @@ -237,81 +93,0 @@ The following IAM policy ensures that the application lifecycle operator has the - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowMSFAPICalls", - "Effect": "Allow", - "Action": "kinesisanalytics:*", - "Resource": "*" - }, - { - "Sid": "AllowPassingServiceExecutionRole", - "Effect": "Allow", - "Action": [ - "iam:PassRole" - ], - "Resource": "arn:aws:iam::123456789012:role/MyCmkApplicationRole" - }, - { - "Sid": "AllowDescribeKey", - "Effect": "Allow", - "Action": [