AWS kms documentation change
Summary
Clarified VPC endpoint service permissions by changing 'external key store' to 'your account' in cross-account configuration
Security assessment
Corrects documentation about required principals for secure VPC endpoint configuration, preventing potential misconfigurations but does not address an active security issue.
Diff
diff --git a/kms/latest/developerguide/vpc-connectivity.md b/kms/latest/developerguide/vpc-connectivity.md index 148805432..c7d266736 100644 --- a//kms/latest/developerguide/vpc-connectivity.md +++ b//kms/latest/developerguide/vpc-connectivity.md @@ -203 +203 @@ Cross AWS account -When your VPC endpoint service is owned by another AWS account you must add both AWS KMS and your external key store to the **Allow principals** list. This allows AWS KMS and your external key store to create interface endpoints to your VPC endpoint service. If AWS KMS is not an allowed principal, attempts to create an external key store will fail with an `XksProxyVpcEndpointServiceNotFoundException` exception. You'll need to provide the AWS account ARN where the xks resides. +When your VPC endpoint service is owned by another AWS account you must add both AWS KMS and your account to the **Allow principals** list. This allows AWS KMS and your external key store to create interface endpoints to your VPC endpoint service. If AWS KMS is not an allowed principal, attempts to create an external key store will fail with an `XksProxyVpcEndpointServiceNotFoundException` exception. You'll need to provide the AWS account ARN where the external key store resides.