AWS Security ChangesHomeSearch

AWS mwaa documentation change

Service: mwaa · 2025-10-25 · Documentation low

File: mwaa/latest/userguide/encryption.md

Summary

Updated wording regarding KMS key grants and data in transit interception risk

Security assessment

Changed 'might' to 'can' in both sections to clarify behavior, but this is a documentation clarification rather than addressing a specific security vulnerability. The change emphasizes accurate technical descriptions of encryption grant management and data interception risks without introducing new security controls.

Diff

diff --git a/mwaa/latest/userguide/encryption.md b/mwaa/latest/userguide/encryption.md
index b7cb88e4d..37c183b3c 100644
--- a//mwaa/latest/userguide/encryption.md
+++ b//mwaa/latest/userguide/encryption.md
@@ -44 +44 @@ You specify the encryption artifacts used for at rest encryption by specifying a
-**Aurora PostgreSQL** – Amazon MWAA creates one PostgreSQL cluster for your environment. Aurora PostgreSQL encrypts the content with either an AWS owned or customer-managed KMS key using SSE. If you are using a customer-managed KMS key, Amazon RDS adds at least two grants to the key: one for the cluster and one for the database instance. Amazon RDS might create additional grants if you choose to use your customer-managed KMS key on multiple environments. For more information, refer to [Data protection in Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/DataDurability.html).
+**Aurora PostgreSQL** – Amazon MWAA creates one PostgreSQL cluster for your environment. Aurora PostgreSQL encrypts the content with either an AWS owned or customer-managed KMS key using SSE. If you are using a customer-managed KMS key, Amazon RDS adds at least two grants to the key: one for the cluster and one for the database instance. Amazon RDS can create additional grants if you choose to use your customer-managed KMS key on multiple environments. For more information, refer to [Data protection in Amazon RDS](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/DataDurability.html).
@@ -48 +48 @@ You specify the encryption artifacts used for at rest encryption by specifying a
-Data in transit is referred to as data that might be intercepted as it travels the network.
+Data in transit is referred to as data that can be intercepted as it travels the network.