AWS Security ChangesHomeSearch

AWS dms documentation change

Service: dms · 2025-11-22 · Documentation medium

File: dms/latest/userguide/zero-etl.md

Summary

Added comprehensive documentation for setting up IAM permissions, KMS encryption keys, and resource policies required for zero-ETL integrations. Includes CLI examples for KMS key creation, key policy configuration, IAM policy creation, and Redshift resource policies.

Security assessment

The changes add security documentation about encryption (KMS), IAM permissions, and resource policies but do not address a specific disclosed vulnerability. The documentation proactively explains security controls rather than responding to a known issue.

Diff

diff --git a/dms/latest/userguide/zero-etl.md b/dms/latest/userguide/zero-etl.md
index 7a23d0670..30adb7e91 100644
--- a//dms/latest/userguide/zero-etl.md
+++ b//dms/latest/userguide/zero-etl.md
@@ -5 +5 @@
-How zero-ETL integration works for self-managed database sources
+How zero-ETL integration works for self-managed database sourcesSetting up IAM permissions and encryption for zero-ETL integration
@@ -46,0 +47,409 @@ You can create an Amazon Redshift event notification subscriptions to be automat
+## Setting up IAM permissions and encryption for zero-ETL integration
+
+To create and manage zero-ETL integrations, you need to configure appropriate IAM permissions, AWS Key Management Service (AWS KMS) encryption keys, and resource policies. This section provides guidance on setting up the required security components. 
+
+### Prerequisites
+
+Before creating a zero-ETL integration, ensure you have the following:
+
+  * An IAM user or role with appropriate permissions to create and manage integrations
+
+  * Existing AWS DMS source endpoints for your self-managed databases
+
+  * An Amazon Redshift provisioned cluster or serverless namespace as the target
+
+  * Network configuration including VPC subnets and security groups
+
+
+
+
+### Creating a KMS key
+
+First, create a customer managed AWS KMS key to encrypt data in your zero-ETL integration. The following example creates a symmetric encryption key: 
+    
+    
+    aws kms create-key \
+      --description "On-prem Zero-ETL Integration Encryption Key" \
+      --key-usage ENCRYPT_DECRYPT \
+      --key-spec SYMMETRIC_DEFAULT \
+      --region region
+
+Note the `KeyId` and `Arn` from the response, as you will need them when configuring the key policy and creating the integration. 
+
+Example output:
+    
+    
+    {
+        "KeyMetadata": {
+            "AWSAccountId": "account-id",
+            "KeyId": "4e2c14f8-7abe-4aec-851a-379f6ed973a8",
+            "Arn": "arn:aws:kms:region:account-id:key/4e2c14f8-7abe-4aec-851a-379f6ed973a8",
+            "CreationDate": 1763155061.148,
+            "Enabled": true,
+            "Description": "Zero-ETL Integration Encryption Key",
+            "KeyUsage": "ENCRYPT_DECRYPT",
+            "KeyState": "Enabled",
+            "Origin": "AWS_KMS",
+            "KeyManager": "CUSTOMER",
+            "CustomerMasterKeySpec": "SYMMETRIC_DEFAULT",
+            "KeySpec": "SYMMETRIC_DEFAULT",
+            "EncryptionAlgorithms": [
+                "SYMMETRIC_DEFAULT"
+            ],
+            "MultiRegion": false
+        }
+    }
+
+### Configuring the KMS key policy
+
+After creating the KMS key, configure the key policy to allow Amazon Redshift and AWS Glue services to use the key for encryption and decryption operations. The key policy must grant the necessary permissions to the service principals and include the encryption context that will be used during integration creation. 
+
+The following example shows a key policy for zero-ETL integrations:
+    
+    
+    {
+        "Version": "2012-10-17",		 	 	 
+        "Id": "key-default-1",
+        "Statement": [
+            {
+                "Sid": "Enable IAM User Permissions",
+                "Effect": "Allow",
+                "Principal": {
+                    "AWS": "arn:aws:iam::account-id:root"
+                },
+                "Action": "kms:*",
+                "Resource": "*"
+            },
+            {
+                "Sid": "Allows the Redshift and glue service principal to add a grant to a KMS key",
+                "Effect": "Allow",
+                "Principal": {
+                    "Service": [
+                        "redshift.amazonaws.com",
+                        "glue.amazonaws.com"
+                    ]
+                },
+                "Action": "kms:CreateGrant",
+                "Resource": "*",
+                "Condition": {
+                    "StringEquals": {
+    	              "kms:EncryptionContext:context-key": "context-value"
+                    },
+                    "ForAllValues:StringEquals": {
+                        "kms:GrantOperations": [
+                            "Decrypt",
+                            "GenerateDataKey",
+                            "CreateGrant",
+                            "GenerateDataKeyWithoutPlaintext",
+                            "ReEncryptTo"
+                        ]
+                    }
+                }
+            }
+        ]
+    }
+
+The `kms:EncryptionContext` condition must match the additional encryption context you specify when creating the integration. You can update the key policy using the AWS KMS console or the following CLI command: 
+    
+    
+    aws kms put-key-policy \
+      --key-id key-id \
+      --policy-name default \
+      --policy file://kms-key-policy.json
+
+### Creating an IAM user and configuring AWS CLI
+
+Create an IAM user that will be used to manage zero-ETL integrations and configure the AWS CLI with appropriate credentials. 
+
+  1. Create an IAM user:
+    
+        aws iam create-user --user-name cli-user
+
+  2. Create access keys for the user:
+    
+        aws iam create-access-key --user-name cli-user
+
+Save the `AccessKeyId` and `SecretAccessKey` from the output, as you will need them to configure the AWS CLI. 
+
+
+
+
+### Creating and attaching an IAM policy
+
+Create an IAM policy that grants permissions for zero-ETL integration operations. The policy should include permissions for AWS Glue, AWS DMS, Amazon Redshift, AWS KMS, and . 
+
+Save the following policy to a file (for example, `/tmp/zetl-policy.json`):
+    
+    
+    {
+        "Version": "2012-10-17",		 	 	 
+        "Statement": [
+            {
+                "Sid": "ZetlGlueIntegrationAccess",
+                "Effect": "Allow",
+                "Action": [
+                    "glue:CreateIntegration",
+                    "glue:ModifyIntegration",
+                    "glue:DeleteIntegration",
+                    "glue:DescribeIntegrations",
+                    "glue:DescribeInboundIntegrations"
+                ],
+                "Resource": "*"
+            },
+            {
+                "Sid": "DMSIntegrationAccess",
+                "Effect": "Allow",
+                "Action": [
+                    "dms:CreateOutboundIntegration",
+                    "dms:ModifyOutboundIntegration",
+                    "dms:CreateEndpoint",
+                    "dms:DescribeEndpoints",
+                    "dms:ModifyEndpoint",
+                    "dms:DeleteEndpoint",
+                    "dms:TestConnection"
+                ],
+                "Resource": "*"
+            },
+            {
+                "Sid": "ZetlRedshiftFullAccess",
+                "Effect": "Allow",
+                "Action": [
+                    "redshift:*",
+                    "redshift-serverless:*",
+                    "ec2:DescribeAccountAttributes",
+                    "ec2:DescribeAddresses",
+                    "ec2:DescribeAvailabilityZones",
+                    "ec2:DescribeSecurityGroups",
+                    "ec2:DescribeSubnets",
+                    "ec2:DescribeVpcs",
+                    "ec2:DescribeInternetGateways",
+                    "sns:CreateTopic",
+                    "sns:Get*",
+                    "sns:List*",
+                    "cloudwatch:Describe*",
+                    "cloudwatch:Get*",
+                    "cloudwatch:List*",
+                    "cloudwatch:PutMetricAlarm",
+                    "cloudwatch:EnableAlarmActions",
+                    "cloudwatch:DisableAlarmActions",
+                    "tag:GetResources",
+                    "tag:UntagResources",
+                    "tag:GetTagValues",
+                    "tag:GetTagKeys",