AWS singlesignon high security documentation change
Summary
Clarified KMS policy configuration requirements and fixed policy syntax (aws:SourceAccount capitalization)
Security assessment
Corrects security-critical IAM policy syntax (aws:SourceAccount vs aws:sourceAccount) and improves guidance for encryption context enforcement - misconfigured policies could lead to unauthorized access
Diff
diff --git a/singlesignon/latest/userguide/advanced-kms-policy.md b/singlesignon/latest/userguide/advanced-kms-policy.md index 3101bcade..50c82a92e 100644 --- a//singlesignon/latest/userguide/advanced-kms-policy.md +++ b//singlesignon/latest/userguide/advanced-kms-policy.md @@ -13 +13 @@ Use advanced KMS key policy statements to implement more granular access control -You can restrict KMS key usage to a specific IAM Identity Center instance by adding an encryption context condition to your key policy statements. This condition uses the IAM Identity Center instance ARN and Identity Store ARN to ensure the key works only with your intended instance. Add this condition to any of the baseline policy statements: +You can restrict KMS key usage to a specific IAM Identity Center instance by adding an encryption context condition to your key policy statements. Add this condition to the KMS key policy, or add the same encryption context condition to the IAM policy configured for cross-account use of the KMS key. This condition uses the IAM Identity Center instance ARN and Identity Store ARN to ensure the key works only with your intended instance. Add this condition to any of the baseline policy statements: @@ -304 +304 @@ To use this policy: - 2. Replace the example account IDs with your actual account IDs + 2. Replace the example account IDs with the actual account IDs where your AWS managed applications are deployed @@ -326 +326 @@ To use this policy: - "aws:sourceAccount": [ + "aws:SourceAccount": [ @@ -350 +350 @@ To use this policy: - "aws:sourceAccount": [ + "aws:SourceAccount": [