AWS Security ChangesHomeSearch

AWS inspector medium security documentation change

Service: inspector · 2025-10-07 · Security-related medium

File: inspector/latest/user/code-security-assessments-creating-a-key.md

Summary

Added detailed KMS key policy JSON template with conditional permissions for Inspector code security

Security assessment

Introduces security-focused IAM policy with least-privilege permissions, encryption context validation, and service-specific access controls. Helps prevent unauthorized KMS operations by enforcing source account, ARN, and service constraints.

Diff

diff --git a/inspector/latest/user/code-security-assessments-creating-a-key.md b/inspector/latest/user/code-security-assessments-creating-a-key.md
index 08baa47e1..fae6b1d44 100644
--- a//inspector/latest/user/code-security-assessments-creating-a-key.md
+++ b//inspector/latest/user/code-security-assessments-creating-a-key.md
@@ -16,0 +17,87 @@ The [FAS permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_fo
+JSON
+    
+
+****
+    
+    
+    
+    {
+      "Version":"2012-10-17",		 	 	 
+      "Id": "key-policy",
+      "Statement": [
+        {
+          "Sid": "Allow Q to use Encrypt Decrypt GenerateDataKey and GenerateDataKeyWithoutPlaintext",
+          "Effect": "Allow",
+          "Principal": {
+            "Service": "q.amazonaws.com"
+          },
+          "Action": [
+            "kms:Encrypt",
+            "kms:Decrypt",
+            "kms:GenerateDataKey",
+            "kms:GenerateDataKeyWithoutPlaintext"
+          ],
+          "Resource": "*",
+          "Condition": {
+            "StringEquals": {
+            "aws:SourceAccount": "111122223333"
+            },
+            "StringLike": {
+            "kms:EncryptionContext:aws:qdeveloper:codesecurity-scope": "111122223333"
+            },
+            "ArnLike": {
+            "aws:SourceArn": "arn:aws:inspector2:us-east-1:111122223333:codesecurity-integration/*"
+            }
+          }
+        },
+        {
+          "Sid": "Allow Q to use DescribeKey",
+          "Effect": "Allow",
+          "Principal": {
+            "Service": "q.amazonaws.com"
+          },
+          "Action": "kms:DescribeKey",
+          "Resource": "*"
+        },
+        {
+          "Sid": "Allow Inspector to use Encrypt Decrypt GenerateDataKey and GenerateDataKeyWithoutPlaintext using FAS",
+          "Effect": "Allow",
+          "Principal": {
+          "AWS": "arn:aws:iam::111122223333:role/inspectorCodeSecurity"
+          },
+          "Action": [
+            "kms:Encrypt",
+            "kms:Decrypt",
+            "kms:GenerateDataKey",
+            "kms:GenerateDataKeyWithoutPlaintext"
+          ],
+          "Resource": "*",
+          "Condition": {
+            "StringEquals": {
+              "kms:ViaService": "inspector2.us-east-1.amazonaws.com"
+            },
+            "StringLike": {
+            "kms:EncryptionContext:aws:qdeveloper:codesecurity-scope": "111122223333"
+            }
+          }
+        },
+        {
+          "Sid": "Allow Inspector to use DescribeKey using FAS",
+          "Effect": "Allow",
+          "Principal": {
+          "AWS": "arn:aws:iam::111122223333:role/inspectorCodeSecurity"
+          },
+          "Action": [
+            "kms:DescribeKey"
+          ],
+          "Resource": "*",
+          "Condition": {
+            "StringEquals": {
+              "kms:ViaService": "inspector2.us-east-1.amazonaws.com"
+            }
+          }
+        }
+      ]
+    }
+    
+