AWS Security ChangesHomeSearch

AWS AWSEC2 documentation change

Service: AWSEC2 · 2025-10-25 · Documentation low

File: AWSEC2/latest/UserGuide/prepare-attestation-service.md

Summary

Updated AWS KMS condition key names from PCR4/PCR7 to NitroTPMPCR4/NitroTPMPCR7 and adjusted related documentation links

Security assessment

The change clarifies the use of NitroTPM-specific condition keys for KMS key policies, which are security-related features for attestation. However, there's no indication of addressing a specific vulnerability.

Diff

diff --git a/AWSEC2/latest/UserGuide/prepare-attestation-service.md b/AWSEC2/latest/UserGuide/prepare-attestation-service.md
index 358fc5a21..2d38bb0bc 100644
--- a//AWSEC2/latest/UserGuide/prepare-attestation-service.md
+++ b//AWSEC2/latest/UserGuide/prepare-attestation-service.md
@@ -15 +15 @@ For the AWS KMS key that you used to encrypt your secret data, add a key policy
-AWS KMS provides `kms:RecipientAttestation:PCR4` and `kms:RecipientAttestation:PCR7` condition keys that enable you to create attestation-based conditions for KMS key policies. For more information, see [AWS KMS condition keys for AWS Nitro Enclaves and NitroTPM](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-attestation.html).
+AWS KMS provides `kms:RecipientAttestation:NitroTPMPCR4` and `kms:RecipientAttestation:NitroTPMPCR7` condition keys that enable you to create attestation-based conditions for NitroTPM KMS key policies. For more information, see [Condition keys for NitroTPM](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html).
@@ -37,2 +37,2 @@ For example, the following AWS KMS key policy allows key access only if the requ
-              "kms:RecipientAttestation:PCR4":"EXAMPLE6b9b3d89a53b13f5dfd14a1049ec0b80a9ae4b159adde479e9f7f512f33e835a0b9023ca51ada02160EXAMPLE",
-              "kms:RecipientAttestation:PCR7":"EXAMPLE34a884328944cd806127c7784677ab60a154249fd21546a217299ccfa1ebfe4fa96a163bf41d3bcfaeEXAMPLE"
+              "kms:RecipientAttestation:NitroTPMPCR4":"EXAMPLE6b9b3d89a53b13f5dfd14a1049ec0b80a9ae4b159adde479e9f7f512f33e835a0b9023ca51ada02160EXAMPLE",
+              "kms:RecipientAttestation:NitroTPMPCR7":"EXAMPLE34a884328944cd806127c7784677ab60a154249fd21546a217299ccfa1ebfe4fa96a163bf41d3bcfaeEXAMPLE"
@@ -45,2 +44,0 @@ For example, the following AWS KMS key policy allows key access only if the requ
-For more information, see [AWS KMS condition keys for NitroTPM](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-attestation.html).
-