AWS Route53 documentation change
Summary
Added requirement to update KMS key policies for SSE-KMS encryption
Security assessment
Documents security best practice for proper encryption configuration, preventing potential misconfigurations that could lead to data exposure
Diff
diff --git a/Route53/latest/DeveloperGuide/resolver-query-logs-choosing-target-resource.md b/Route53/latest/DeveloperGuide/resolver-query-logs-choosing-target-resource.md index 9274ef9f6..17ebaaece 100644 --- a//Route53/latest/DeveloperGuide/resolver-query-logs-choosing-target-resource.md +++ b//Route53/latest/DeveloperGuide/resolver-query-logs-choosing-target-resource.md @@ -26,0 +27,2 @@ All S3 server-side encryption options are supported. For more information, see [ +If you choose Server-Side Encryption with AWS KMS Keys (SSE-KMS), you must update the key policy for your customer managed key so that the log delivery account can write to your Amazon S3 bucket. For more information about the required key policy for use with SSE-KMS, see [Amazon S3 bucket server-side encryption](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AWS-logs-infrastructure-V2-S3.html#AWS-logs-SSE-KMS-S3-V2) in the _Amazon CloudWatch User Guide_. +