AWS securityagent medium security documentation change
Summary
Added kms:GenerateDataKeyWithoutPlaintext permission requirement and new IAM policy section for application role to support branch key rotation
Security assessment
This change explicitly addresses a security feature (key rotation) by adding required KMS permissions. The documentation warns that without these permissions, branch key rotation will fail, indicating this addresses a functional security requirement for proper key management. The addition of a complete IAM policy for application roles further documents security controls for data encryption and decryption.
Diff
diff --git a/securityagent/latest/userguide/customer-managed-keys.md b/securityagent/latest/userguide/customer-managed-keys.md index 63e21b39b..c86aa2986 100644 --- a//securityagent/latest/userguide/customer-managed-keys.md +++ b//securityagent/latest/userguide/customer-managed-keys.md @@ -168,0 +169 @@ Replace the following placeholder values in the policy: + "kms:GenerateDataKeyWithoutPlaintext", @@ -184,0 +186,4 @@ Replace the following placeholder values in the policy: +###### Important + +To rotate branch keys, your KMS key policy must grant `kms:GenerateDataKeyWithoutPlaintext` and `kms:ReEncrypt*` permissions to the AWS Security Agent service principal (`securityagent.amazonaws.com`), or branch key rotation will fail. For more information about the required permissions, see [Rotate a branch key](https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/rotate-branch-key.html). + @@ -252,0 +258,43 @@ You can combine the Agent Space and integration key policy statements into a sin +### IAM policy for the application role + +In addition to the KMS key policy, you must attach the following IAM policy to the application role created during AWS Security Agent setup. This identity-based policy grants the application role permission to use your customer managed keys for Agent Space data encryption and decryption across the AWS services used by AWS Security Agent. + +Replace the following placeholder values in the policy: + + * ` _111122223333_ ` – Your AWS account ID + + * ` _us-east-1_ ` – The AWS Region where you use AWS Security Agent + + * The KMS key ARNs in `Resource` – The ARNs of your KMS keys + + + + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowSynchronousDataAccessForAgentSpaces", + "Effect": "Allow", + "Action": [ + "kms:GenerateDataKey", + "kms:Decrypt" + ], + "Resource": [ + "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", + "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890cd" + ], + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "111122223333", + "kms:ViaService": "securityagent.us-east-1.amazonaws.com" + }, + "StringLike": { + "kms:EncryptionContext:aws:securityagent:agent-space": "arn:aws:securityagent:us-east-1:111122223333:agent-space/*" + } + } + } + ] + } +