AWS singlesignon high security documentation change
Summary
Modified KMS key policy statement to restrict access to IAM Identity Center instances within a specific AWS account
Security assessment
The change tightens KMS key policies by limiting access to specific AWS accounts rather than any instance, directly addressing potential over-permission security risks. This demonstrates a security-focused configuration improvement.
Diff
diff --git a/singlesignon/latest/userguide/baseline-KMS-key-policy.md b/singlesignon/latest/userguide/baseline-KMS-key-policy.md index 036b88c14..0b54d250d 100644 --- a//singlesignon/latest/userguide/baseline-KMS-key-policy.md +++ b//singlesignon/latest/userguide/baseline-KMS-key-policy.md @@ -50 +50 @@ Using the wildcard (`*`) prevents access loss if the permission set is deleted a - * These policy statements allow any of your IAM Identity Center instances to use the KMS key. To restrict access to a specific IAM Identity Center instance, see [Advanced KMS key policy statements](./advanced-kms-policy.html). + * These policy statements allow your IAM Identity Center instances in a specific AWS account to use the KMS key. To restrict access to a specific IAM Identity Center instance, see [Advanced KMS key policy statements](./advanced-kms-policy.html). You can have only one IAM Identity Center instance for each AWS account.