AWS Security ChangesHomeSearch

AWS directoryservice medium security documentation change

Service: directoryservice · 2025-10-01 · Security-related medium

File: directoryservice/latest/admin-guide/create_hybrid_directory_prereqs.md

Summary

Removed KMS key policy example containing specific role permissions

Security assessment

Removal of a policy example that granted broad kms:* permissions to a specific role reduces risk of over-permissive key policies being implemented

Diff

diff --git a/directoryservice/latest/admin-guide/create_hybrid_directory_prereqs.md b/directoryservice/latest/admin-guide/create_hybrid_directory_prereqs.md
index 0ecc68a4c..99ab33c37 100644
--- a//directoryservice/latest/admin-guide/create_hybrid_directory_prereqs.md
+++ b//directoryservice/latest/admin-guide/create_hybrid_directory_prereqs.md
@@ -97,24 +96,0 @@ For **Encryption Key** , don't use the AWS default KMS key. Be sure to create th
-        {
-      "Version": "2012-10-17",
-      "Statement": [
-        {
-          "Sid": "Enable IAM User Permissions",
-          "Effect": "Allow",
-          "Principal": {
-            "AWS": "arn:aws:iam::caller-account:role/role_used_to_create_directory"
-          },
-          "Action": "kms:*",
-          "Resource": "*"
-        },
-        { 
-           "Sid": "Allow use of the KMS key on behalf of Directory Service", 
-           "Effect": "Allow", 
-           "Principal": {
-             "Service": "ds.amazonaws.com"
-           }, 
-           "Action": "kms:Decrypt", 
-           "Resource": "*"
-        }
-      ]
-    }
-