AWS Security ChangesHomeSearch

AWS streams documentation change

Service: streams · 2026-03-16 · Documentation medium

File: streams/latest/dev/permissions-user-key-KMS.md

Summary

Added 'Kinesis Data Streams encryption context' section explaining ARN-based encryption context for KMS key policies

Security assessment

Documents how to use KMS encryption context for granular key policy conditions, improving security guidance but not resolving a specific security incident.

Diff

diff --git a/streams/latest/dev/permissions-user-key-KMS.md b/streams/latest/dev/permissions-user-key-KMS.md
index 3b469a499..870563704 100644
--- a//streams/latest/dev/permissions-user-key-KMS.md
+++ b//streams/latest/dev/permissions-user-key-KMS.md
@@ -5 +5 @@
-Example producer permissionsExample consumer permissionsStream administrator permissions
+Kinesis Data Streams encryption contextExample producer permissionsExample consumer permissionsStream administrator permissions
@@ -16,0 +17,13 @@ Before you use user-generated KMS master keys, ensure that your Kinesis stream p
+## Kinesis Data Streams encryption context
+
+When Amazon Kinesis Data Streams calls AWS KMS on your behalf, it passes an encryption context to AWS KMS that can be used as a condition for authorization in key policies and grants. Kinesis Data Streams uses the stream ARN as the encryption context in all AWS KMS calls.
+    
+    
+    "encryptionContext": {
+        "aws:kinesis:arn": "arn:aws:kinesis:region:account-id:stream/stream-name"
+    }
+
+You can use the encryption context to identify the use of your KMS key in audit records and logs. It also appears in plaintext in logs, such as AWS CloudTrail.
+
+To limit the use of your KMS key to requests from Kinesis Data Streams for a specific stream, use the `kms:EncryptionContext:aws:kinesis:arn` condition key in the KMS key policy or IAM policy.
+