AWS Security ChangesHomeSearch

AWS kms documentation change

Service: kms · 2025-12-10 · Documentation medium

File: kms/latest/developerguide/vpc-connectivity.md

Summary

Clarified VPC endpoint service permissions by changing 'external key store' to 'your account' in cross-account configuration

Security assessment

Corrects documentation about required principals for secure VPC endpoint configuration, preventing potential misconfigurations but does not address an active security issue.

Diff

diff --git a/kms/latest/developerguide/vpc-connectivity.md b/kms/latest/developerguide/vpc-connectivity.md
index 148805432..c7d266736 100644
--- a//kms/latest/developerguide/vpc-connectivity.md
+++ b//kms/latest/developerguide/vpc-connectivity.md
@@ -203 +203 @@ Cross AWS account
-When your VPC endpoint service is owned by another AWS account you must add both AWS KMS and your external key store to the **Allow principals** list. This allows AWS KMS and your external key store to create interface endpoints to your VPC endpoint service. If AWS KMS is not an allowed principal, attempts to create an external key store will fail with an `XksProxyVpcEndpointServiceNotFoundException` exception. You'll need to provide the AWS account ARN where the xks resides.
+When your VPC endpoint service is owned by another AWS account you must add both AWS KMS and your account to the **Allow principals** list. This allows AWS KMS and your external key store to create interface endpoints to your VPC endpoint service. If AWS KMS is not an allowed principal, attempts to create an external key store will fail with an `XksProxyVpcEndpointServiceNotFoundException` exception. You'll need to provide the AWS account ARN where the external key store resides.