AWS transcribe documentation change
Summary
Added detailed JSON examples for key policy, IAM policy, and trust policy to configure customer-managed encryption keys for HealthScribe.
Security assessment
This change enhances documentation by providing concrete policy examples for encrypting HealthScribe data with customer-managed keys. It supports security best practices (encryption) but does not indicate a security issue fix; it adds guidance on using security features.
Diff
diff --git a/transcribe/latest/dg/health-scribe-encryption-customer.md b/transcribe/latest/dg/health-scribe-encryption-customer.md index 2734b5ed5..42b2b3bfe 100644 --- a//transcribe/latest/dg/health-scribe-encryption-customer.md +++ b//transcribe/latest/dg/health-scribe-encryption-customer.md @@ -27,0 +28,52 @@ The following is an example key policy you can use to grant your ResourceAccessR +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement":[ + { + "Sid": "AllowAccessForKeyAdministrators", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:root" + }, + "Action": [ + "kms:*" + ], + "Resource": "*" + }, + { + "Sid": "AllowAccessToResourceAccessRoleForMedicalScribe", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/ResourceAccessRole" + }, + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:GenerateDataKey*" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "kms:EncryptionContext:aws:us-east-1:transcribe:medical-scribe:session-id": "1234abcd-12ab-34cd-56ef-123456SAMPLE" + } + } + }, + { + "Sid": "AllowAccessToResourceAccessRoleForDescribeKey", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/ResourceAccessRole" + }, + "Action": "kms:DescribeKey", + "Resource": "*" + } + ] + } + + @@ -33,0 +86,41 @@ The following IAM policy example shows how to grant a ResourceAccessRole permiss +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:GenerateDataKey*" + ], + "Resource": "arn:aws:kms:us-west-2:111122223333:key/KMS-Example-KeyId", + "Condition": { + "StringEquals": { + "kms:ViaService": "transcribe.streaming.amazonaws.com", + "kms:EncryptionContext:aws:us-east-1:transcribe:medical-scribe:session-id": "1234abcd-12ab-34cd-56ef-123456SAMPLE" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "kms:DescribeKey" + ], + "Resource": "arn:aws:kms:us-west-2:111122223333:key/KMS-Example-KeyId", + "Condition": { + "StringEquals": { + "kms:ViaService": "transcribe.streaming.amazonaws.com" + } + } + } + ] + } + + @@ -35,0 +129,29 @@ The following is trust policy example for the ResourceAccessRole. For DataAccess +JSON + + +**** + + + + { + "Version":"2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Principal": { + "Service": "transcribe.streaming.amazonaws.com" + }, + "Action": "sts:AssumeRole", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "111122223333" + }, + "ArnLike": { + "aws:SourceArn": "arn:aws:transcribe:us-west-2:111122223333:*" + } + } + } + ] + } + +