AWS Security ChangesHomeSearch

AWS singlesignon high security documentation change

Service: singlesignon · 2025-10-16 · Security-related high

File: singlesignon/latest/userguide/baseline-KMS-key-policy.md

Summary

Modified KMS key policy statement to restrict access to IAM Identity Center instances within a specific AWS account

Security assessment

The change tightens KMS key policies by limiting access to specific AWS accounts rather than any instance, directly addressing potential over-permission security risks. This demonstrates a security-focused configuration improvement.

Diff

diff --git a/singlesignon/latest/userguide/baseline-KMS-key-policy.md b/singlesignon/latest/userguide/baseline-KMS-key-policy.md
index 036b88c14..0b54d250d 100644
--- a//singlesignon/latest/userguide/baseline-KMS-key-policy.md
+++ b//singlesignon/latest/userguide/baseline-KMS-key-policy.md
@@ -50 +50 @@ Using the wildcard (`*`) prevents access loss if the permission set is deleted a
-  * These policy statements allow any of your IAM Identity Center instances to use the KMS key. To restrict access to a specific IAM Identity Center instance, see [Advanced KMS key policy statements](./advanced-kms-policy.html).
+  * These policy statements allow your IAM Identity Center instances in a specific AWS account to use the KMS key. To restrict access to a specific IAM Identity Center instance, see [Advanced KMS key policy statements](./advanced-kms-policy.html). You can have only one IAM Identity Center instance for each AWS account.