AWS aws-backup high security documentation change
Summary
Corrected and clarified encryption options for DynamoDB restores, including AWS-owned, AWS-managed, and customer-managed keys
Security assessment
The changes explicitly document encryption options during restores, which is a critical security control. The correction of encryption types (including KMS key management) directly impacts data protection. Evidence: Added specific encryptionType parameters and KMS key ARN examples.
Diff
diff --git a/aws-backup/latest/devguide/restoring-dynamodb.md b/aws-backup/latest/devguide/restoring-dynamodb.md index 47bd4534a..9bbb550a6 100644 --- a//aws-backup/latest/devguide/restoring-dynamodb.md +++ b//aws-backup/latest/devguide/restoring-dynamodb.md @@ -77 +77 @@ The following is an example of the `restoreMetadata` argument for a `StartRestor -The preceding example encrypts the restored table using an AWS-owned key. The part of the restore metadata that specifies encryption using the AWS-owned key is: `\"encryptionType\":\"Default\","kmsMasterKeyArn\":\"Not Applicable\"`. +The preceding example encrypts the restored table using a customer-managed key. @@ -79 +79 @@ The preceding example encrypts the restored table using an AWS-owned key. The pa -To encrypt your restored table using an AWS-managed key, specify the following restore metadata: `"encryptionType\":\"KMS\",\"kmsMasterKeyArn\":\"Not Applicable\"`. +To encrypt your restored table using an AWS-owned key, specify the following restore metadata: `"encryptionType\":\"Default\"`. @@ -81 +81,3 @@ To encrypt your restored table using an AWS-managed key, specify the following r -To encrypt your restored table using an customer-managed key, specify the following restore metadata: `"encryptionType\":\"KMS\",\"kmsMasterKeyArn\":\"`arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\"`. +To encrypt your restored table using an AWS-managed key, omit the `kmsMasterKeyArn` parameter and specify: `"encryptionType\":\"KMS\"`. + +To encrypt your restored table using a customer-managed key, specify the following restore metadata: `"encryptionType\":\"KMS\",\"kmsMasterKeyArn\":\"`arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab`\"`.