AWS AmazonRDS documentation change
Summary
Added documentation for required KMS permissions when copying encrypted snapshots
Security assessment
Clarifies permissions needed for encryption operations but doesn't indicate a specific security vulnerability being addressed
Diff
diff --git a/AmazonRDS/latest/UserGuide/USER_CopySnapshot.md b/AmazonRDS/latest/UserGuide/USER_CopySnapshot.md index 8b4aab32c..887a55761 100644 --- a//AmazonRDS/latest/UserGuide/USER_CopySnapshot.md +++ b//AmazonRDS/latest/UserGuide/USER_CopySnapshot.md @@ -409,0 +410,23 @@ For more information about AWS KMS key management for Amazon RDS, see [AWS KMS k +#### Required permissions for copying encrypted snapshots + +To copy an encrypted DB snapshot, your user must have the following permissions to use Amazon RDS encryption. + + * `kms:DescribeKey` + + * `kms:CreateGrant` + + * `kms:Decrypt` + + * `kms:Encrypt` + + * `kms:GenerateDataKey` + + * `kms:GenerateDataKeyWithoutPlaintext` + + * `kms:ReEncrypt` + + + + +If you use IAM policy conditions to restrict AWS KMS grant operations, ensure your policy includes all operations required by Amazon RDS. If you receive a `KMSKeyNotAccessibleFault` error when copying an encrypted snapshot across Regions, verify that your IAM policy includes all required AWS KMS grant operations mentioned above. +