AWS Security ChangesHomeSearch

AWS kms documentation change

Service: kms · 2026-03-13 · Documentation low

File: kms/latest/developerguide/conditions-kms.md

Summary

Added EXTERNAL_KEY_STORE as a valid key origin type in policy condition examples.

Security assessment

This is a routine documentation update to reflect new key origin types without any security-specific context or vulnerability mitigation mentioned in the change.

Diff

diff --git a/kms/latest/developerguide/conditions-kms.md b/kms/latest/developerguide/conditions-kms.md
index 20569ef14..8805fda8a 100644
--- a//kms/latest/developerguide/conditions-kms.md
+++ b//kms/latest/developerguide/conditions-kms.md
@@ -1036 +1036 @@ The `kms:KeyOrigin` condition key controls access to operations based on the val
-You can use this condition key to control access to the [CreateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html) operation based on the value of the [Origin](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html#KMS-CreateKey-request-Origin) parameter in the request. Valid values for `Origin` are `AWS_KMS`, `AWS_CLOUDHSM`, and `EXTERNAL`. 
+You can use this condition key to control access to the [CreateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html) operation based on the value of the [Origin](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html#KMS-CreateKey-request-Origin) parameter in the request. Valid values for `Origin` are `AWS_KMS`, `AWS_CLOUDHSM`, `EXTERNAL_KEY_STORE`, and `EXTERNAL`. 
@@ -1038 +1038 @@ You can use this condition key to control access to the [CreateKey](https://docs
-For example, you can to create a KMS key only when the key material is generated in AWS KMS (`AWS_KMS`), only when the key material is generated in an AWS CloudHSM cluster that is associated with a [custom key store](./key-store-overview.html#custom-key-store-overview) (`AWS_CLOUDHSM`), or only when the [key material is imported](./importing-keys.html) from an external source (`EXTERNAL`). 
+For example, you can create a KMS key only when the key material is generated in AWS KMS (`AWS_KMS`), only when the key material is generated in an AWS CloudHSM cluster that is associated with a [CloudHSM custom key store](./key-store-overview.html#custom-key-store-overview) (`AWS_CLOUDHSM`), only when the key material is generated in an [external key store](./key-store-overview.html#custom-key-store-overview) (`EXTERNAL_KEY_STORE`), or only when the [key material is imported](./importing-keys.html) from an external source (`EXTERNAL`). 
@@ -1040 +1040 @@ For example, you can to create a KMS key only when the key material is generated
-The following example key policy statement uses the `kms:KeyOrigin` condition key to to create a KMS key only when AWS KMS creates the key material.
+The following example key policy statement uses the `kms:KeyOrigin` condition key to create a KMS key only when AWS KMS creates the key material.