AWS inspector medium security documentation change
Summary
Added detailed KMS key policy JSON template with conditional permissions for Inspector code security
Security assessment
Introduces security-focused IAM policy with least-privilege permissions, encryption context validation, and service-specific access controls. Helps prevent unauthorized KMS operations by enforcing source account, ARN, and service constraints.
Diff
diff --git a/inspector/latest/user/code-security-assessments-creating-a-key.md b/inspector/latest/user/code-security-assessments-creating-a-key.md index 08baa47e1..fae6b1d44 100644 --- a//inspector/latest/user/code-security-assessments-creating-a-key.md +++ b//inspector/latest/user/code-security-assessments-creating-a-key.md @@ -16,0 +17,87 @@ The [FAS permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_fo +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Id": "key-policy", + "Statement": [ + { + "Sid": "Allow Q to use Encrypt Decrypt GenerateDataKey and GenerateDataKeyWithoutPlaintext", + "Effect": "Allow", + "Principal": { + "Service": "q.amazonaws.com" + }, + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:GenerateDataKey", + "kms:GenerateDataKeyWithoutPlaintext" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "111122223333" + }, + "StringLike": { + "kms:EncryptionContext:aws:qdeveloper:codesecurity-scope": "111122223333" + }, + "ArnLike": { + "aws:SourceArn": "arn:aws:inspector2:us-east-1:111122223333:codesecurity-integration/*" + } + } + }, + { + "Sid": "Allow Q to use DescribeKey", + "Effect": "Allow", + "Principal": { + "Service": "q.amazonaws.com" + }, + "Action": "kms:DescribeKey", + "Resource": "*" + }, + { + "Sid": "Allow Inspector to use Encrypt Decrypt GenerateDataKey and GenerateDataKeyWithoutPlaintext using FAS", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/inspectorCodeSecurity" + }, + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:GenerateDataKey", + "kms:GenerateDataKeyWithoutPlaintext" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "kms:ViaService": "inspector2.us-east-1.amazonaws.com" + }, + "StringLike": { + "kms:EncryptionContext:aws:qdeveloper:codesecurity-scope": "111122223333" + } + } + }, + { + "Sid": "Allow Inspector to use DescribeKey using FAS", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/inspectorCodeSecurity" + }, + "Action": [ + "kms:DescribeKey" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "kms:ViaService": "inspector2.us-east-1.amazonaws.com" + } + } + } + ] + } + +