AWS streams documentation change
Summary
Added 'Kinesis Data Streams encryption context' section explaining ARN-based encryption context for KMS key policies
Security assessment
Documents how to use KMS encryption context for granular key policy conditions, improving security guidance but not resolving a specific security incident.
Diff
diff --git a/streams/latest/dev/permissions-user-key-KMS.md b/streams/latest/dev/permissions-user-key-KMS.md index 3b469a499..870563704 100644 --- a//streams/latest/dev/permissions-user-key-KMS.md +++ b//streams/latest/dev/permissions-user-key-KMS.md @@ -5 +5 @@ -Example producer permissionsExample consumer permissionsStream administrator permissions +Kinesis Data Streams encryption contextExample producer permissionsExample consumer permissionsStream administrator permissions @@ -16,0 +17,13 @@ Before you use user-generated KMS master keys, ensure that your Kinesis stream p +## Kinesis Data Streams encryption context + +When Amazon Kinesis Data Streams calls AWS KMS on your behalf, it passes an encryption context to AWS KMS that can be used as a condition for authorization in key policies and grants. Kinesis Data Streams uses the stream ARN as the encryption context in all AWS KMS calls. + + + "encryptionContext": { + "aws:kinesis:arn": "arn:aws:kinesis:region:account-id:stream/stream-name" + } + +You can use the encryption context to identify the use of your KMS key in audit records and logs. It also appears in plaintext in logs, such as AWS CloudTrail. + +To limit the use of your KMS key to requests from Kinesis Data Streams for a specific stream, use the `kms:EncryptionContext:aws:kinesis:arn` condition key in the KMS key policy or IAM policy. +