AWS singlesignon medium security documentation change
Summary
Added guidance about encryption context for IAM policies, expanded KMS key policy conditions with SourceOrgID, and clarified requirements for AWS managed applications
Security assessment
Added encryption context guidance helps restrict KMS key usage to specific Identity Center instances, improving access control. The addition of aws:SourceOrgID condition in KMS policies enforces organization-level restrictions. These changes directly enhance security controls around KMS key usage patterns.
Diff
diff --git a/singlesignon/latest/userguide/baseline-KMS-key-policy.md b/singlesignon/latest/userguide/baseline-KMS-key-policy.md index 05d3d8602..bcd5ae047 100644 --- a//singlesignon/latest/userguide/baseline-KMS-key-policy.md +++ b//singlesignon/latest/userguide/baseline-KMS-key-policy.md @@ -146 +146,3 @@ Use the following IAM policy statement template in [Step 4: Configure IAM polici - * Replace the example key ARN in the Resource element with your actual KMS key ARN. For help finding the values of the referenced identifiers, see [Find the required identifiers](./identity-center-customer-managed-keys.html#insert-the-required-identifiers). + * Replace the example key ARN in the `Resource` element with your actual KMS key ARN. For help finding the values of the referenced identifiers, see [Find the required identifiers](./identity-center-customer-managed-keys.html#insert-the-required-identifiers). + + * These IAM policy statements grant KMS key access to the IAM principal but don't restrict which AWS service can make the request. The KMS key policy typically provides these service restrictions. However, you can add encryption context to this IAM policy to limit usage to a specific Identity Center instance. For details, refer to [Advanced KMS key policy statements](./advanced-kms-policy.html). @@ -184 +186 @@ Use the following KMS key policy statement template in [Step 2: Prepare KMS key - * Insert your AWS Organizations ID in the PrincipalOrgID condition. For help finding the values of the referenced identifiers, see [Find the required identifiers](./identity-center-customer-managed-keys.html#insert-the-required-identifiers). + * Insert your AWS Organizations ID in the PrincipalOrgID condition and SourceOrgId conditions. For help finding the values of the referenced identifiers, see [Find the required identifiers](./identity-center-customer-managed-keys.html#insert-the-required-identifiers). @@ -240,0 +243,3 @@ KMS key policy statements + }, + "StringEquals": { + "aws:SourceOrgID": "${organization_ID}" @@ -256,0 +262,3 @@ KMS key policy statements + }, + "StringEquals": { + "aws:SourceOrgID": "${organization_ID}" @@ -267 +275 @@ Use the following IAM policy statement template in [Step 4: Configure IAM polici - * Some AWS managed applications require you to configure permissions for IAM Identity Center and Identity Store APIs. Before you configure a customer managed key in your IAM Identity Center, ensure that these permissions also allow use of the KMS key. For specific KMS key permission requirements, see the documentation for each AWS managed application you've deployed. + * Some AWS managed applications require you to configure permissions for IAM Identity Center and Identity Store APIs. Before you configure a customer managed key in IAM Identity Center, verify that these permissions also allow use of the KMS key. For specific KMS key permission requirements, see the documentation for each AWS managed application you've deployed. @@ -425 +433 @@ Permission set IAM policy: -Use the following KMS key policy statement templates in [Step 2: Prepare KMS key policy statements](./identity-center-customer-managed-keys.html#choose-kms-key-policy-statements) to allow custom workflows in the AWS Organizations management account or delegated administration account to use the KMS key. +Use the following KMS key policy statement templates in [Step 2: Prepare KMS key policy statements](./identity-center-customer-managed-keys.html#choose-kms-key-policy-statements) to allow custom workflows, such as customer managed applications, in the AWS Organizations management account or delegated administration account to use the KMS key. @@ -485 +493 @@ IAM policy statement (required only for cross-account use): - "Sid": "AllowIAMIdentityCenterAdminToUseTheKMSKeyViaIdentityCenterAndIdentityStore", + "Sid": "AllowCustomWorkflowToUseTheKMSKeyViaIdentityCenterAndIdentityStore",