AWS grafana documentation change
Summary
Enhanced documentation on customer managed key usage, including key deletion consequences, access restoration procedures, and grant management details
Security assessment
These changes significantly expand security documentation by clarifying critical key management risks (permanent data loss from key deletion/grant revocation) and recovery procedures. The additions provide explicit warnings about security implications of key mismanagement but don't indicate a specific security issue was fixed.
Diff
diff --git a/grafana/latest/userguide/AMG-encryption-at-rest.md b/grafana/latest/userguide/AMG-encryption-at-rest.md index 74a4c0e2c..200ef301c 100644 --- a//grafana/latest/userguide/AMG-encryption-at-rest.md +++ b//grafana/latest/userguide/AMG-encryption-at-rest.md @@ -54 +54 @@ Choose whether to use customer managed keys or AWS owned keys carefully. Workspa - * If you disable or delete the customer managed key, your workspace will become inaccessible. The workspace will remain in an `ACTIVE` state but will be functionally unavailable for 7 days. After 7 days, the workspace will transition to a `FAILED` state and can only be deleted. + * If you disable the customer managed key or remove Amazon Managed Grafana access in the key policy, your workspace will become inaccessible. The workspace will remain in an `ACTIVE` state but will be functionally unavailable. You have 7 days to restore access by re-enabling the key or restoring the key policy. After 7 days, the workspace will transition to a `FAILED` state and can only be deleted. @@ -56 +56 @@ Choose whether to use customer managed keys or AWS owned keys carefully. Workspa - * Customer managed key encryption is only available for new workspaces. Existing workspaces cannot be converted to use customer managed keys. + * Scheduling a key for deletion in AWS KMS has a minimum waiting period of 7 days before the key is deleted. Once a key is deleted, it cannot be restored, and any workspace encrypted with that key will permanently lose access to its data. @@ -58 +58,3 @@ Choose whether to use customer managed keys or AWS owned keys carefully. Workspa - * You cannot update the customer managed key for a workspace after creation. + * Customer managed key encryption is only available when creating new workspaces. Existing workspaces cannot be converted to use customer managed keys. + + * You cannot modify a workspace's customer managed key after creation. @@ -92 +94 @@ Amazon Managed Grafana creates grants to the AWS KMS key that allow Amazon Manag -If you remove access to any of the grants in any way, Amazon Managed Grafana won't be able to access any of the data encrypted by the customer managed key, nor store new data sent to the workspace, which affects operations that are dependent on that data. New update to the workspace will not be accessible and may be permanently lost. +If you remove access to any of the grants in any way, Amazon Managed Grafana won't be able to access any of the data encrypted by the customer managed key, nor store new data sent to the workspace, which affects operations that are dependent on that data. New updates to the workspace will not be accessible and may be permanently lost. @@ -96 +98,3 @@ If you remove access to any of the grants in any way, Amazon Managed Grafana won - * If you disable the key, or remove Amazon Managed Grafana access in the key policy, the workspace data is no longer accessible. The workspace will remain in an `ACTIVE` state but will be functionally unavailable. New update being sent to the workspace will not be accessible and may be permanently lost. You can get access to the workspace data and start receiving new data again by restoring Amazon Managed Grafana access to the key within 7 days. After 7 days, the workspace will transition to a `FAILED` state. + * If you disable the key, or remove Amazon Managed Grafana access in the key policy, the workspace data is no longer accessible. The workspace will remain in an `ACTIVE` state but will be functionally unavailable. New updates being sent to the workspace will not be accessible and may be permanently lost. You can restore access to the workspace data and resume receiving new data by re-enabling the key or restoring Amazon Managed Grafana access to the key within 7 days. After 7 days without access, the workspace will transition to a `FAILED` state. + + * If you schedule the key for deletion in AWS KMS, the key will be deleted after the mandatory 7-day waiting period. Once deleted, the key cannot be restored, and the workspace data will be permanently inaccessible. @@ -98 +102 @@ If you remove access to any of the grants in any way, Amazon Managed Grafana won - * If you revoke a grant, it can't be recreated, and the data in the workspace is lost permanently. + * If you _revoke_ a grant, it can't be recreated, and the data in the workspace is lost permanently. @@ -122 +126 @@ To use your customer managed key with your Amazon Managed Grafana workspaces, th - * [kms:CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) – Adds a grant to a customer managed key. Grants control access to a specified KMS key, which allows access to grant operations Amazon Managed Grafana requires. For more information, see [Using Grants](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) in the _AWS KMS Developer Guide_. This allows Amazon Managed Grafana to do the following: + * [kms:CreateGrant](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html) – Adds a grant to a customer managed key. Grants control access to a specified KMS key, which allows access to [grant operations](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) Amazon Managed Grafana requires. For more information, see [Using Grants](https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) in the _AWS KMS Developer Guide_. This allows Amazon Managed Grafana to do the following: @@ -124 +128 @@ To use your customer managed key with your Amazon Managed Grafana workspaces, th - * Call `GenerateDataKey` to generate an encrypted data key and store it, because the data key isn't immediately used to encrypt. + * Call `GenerateDataKey` to generate an encrypted data key and store it.