AWS AWSEC2 documentation change
Summary
Updated AWS KMS condition key names from PCR4/PCR7 to NitroTPMPCR4/NitroTPMPCR7 and adjusted related documentation links
Security assessment
The change clarifies the use of NitroTPM-specific condition keys for KMS key policies, which are security-related features for attestation. However, there's no indication of addressing a specific vulnerability.
Diff
diff --git a/AWSEC2/latest/UserGuide/prepare-attestation-service.md b/AWSEC2/latest/UserGuide/prepare-attestation-service.md index 358fc5a21..2d38bb0bc 100644 --- a//AWSEC2/latest/UserGuide/prepare-attestation-service.md +++ b//AWSEC2/latest/UserGuide/prepare-attestation-service.md @@ -15 +15 @@ For the AWS KMS key that you used to encrypt your secret data, add a key policy -AWS KMS provides `kms:RecipientAttestation:PCR4` and `kms:RecipientAttestation:PCR7` condition keys that enable you to create attestation-based conditions for KMS key policies. For more information, see [AWS KMS condition keys for AWS Nitro Enclaves and NitroTPM](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-attestation.html). +AWS KMS provides `kms:RecipientAttestation:NitroTPMPCR4` and `kms:RecipientAttestation:NitroTPMPCR7` condition keys that enable you to create attestation-based conditions for NitroTPM KMS key policies. For more information, see [Condition keys for NitroTPM](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-nitro-tpm.html). @@ -37,2 +37,2 @@ For example, the following AWS KMS key policy allows key access only if the requ - "kms:RecipientAttestation:PCR4":"EXAMPLE6b9b3d89a53b13f5dfd14a1049ec0b80a9ae4b159adde479e9f7f512f33e835a0b9023ca51ada02160EXAMPLE", - "kms:RecipientAttestation:PCR7":"EXAMPLE34a884328944cd806127c7784677ab60a154249fd21546a217299ccfa1ebfe4fa96a163bf41d3bcfaeEXAMPLE" + "kms:RecipientAttestation:NitroTPMPCR4":"EXAMPLE6b9b3d89a53b13f5dfd14a1049ec0b80a9ae4b159adde479e9f7f512f33e835a0b9023ca51ada02160EXAMPLE", + "kms:RecipientAttestation:NitroTPMPCR7":"EXAMPLE34a884328944cd806127c7784677ab60a154249fd21546a217299ccfa1ebfe4fa96a163bf41d3bcfaeEXAMPLE" @@ -45,2 +44,0 @@ For example, the following AWS KMS key policy allows key access only if the requ -For more information, see [AWS KMS condition keys for NitroTPM](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-attestation.html). -