AWS directoryservice medium security documentation change
Summary
Removed KMS key policy example containing specific role permissions
Security assessment
Removal of a policy example that granted broad kms:* permissions to a specific role reduces risk of over-permissive key policies being implemented
Diff
diff --git a/directoryservice/latest/admin-guide/create_hybrid_directory_prereqs.md b/directoryservice/latest/admin-guide/create_hybrid_directory_prereqs.md index 0ecc68a4c..99ab33c37 100644 --- a//directoryservice/latest/admin-guide/create_hybrid_directory_prereqs.md +++ b//directoryservice/latest/admin-guide/create_hybrid_directory_prereqs.md @@ -97,24 +96,0 @@ For **Encryption Key** , don't use the AWS default KMS key. Be sure to create th - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "Enable IAM User Permissions", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::caller-account:role/role_used_to_create_directory" - }, - "Action": "kms:*", - "Resource": "*" - }, - { - "Sid": "Allow use of the KMS key on behalf of Directory Service", - "Effect": "Allow", - "Principal": { - "Service": "ds.amazonaws.com" - }, - "Action": "kms:Decrypt", - "Resource": "*" - } - ] - } -