AWS Security ChangesHomeSearch

AWS securityagent medium security documentation change

Service: securityagent · 2026-04-01 · Security-related medium

File: securityagent/latest/userguide/customer-managed-keys.md

Summary

Added kms:GenerateDataKeyWithoutPlaintext permission requirement and new IAM policy section for application role to support branch key rotation

Security assessment

This change explicitly addresses a security feature (key rotation) by adding required KMS permissions. The documentation warns that without these permissions, branch key rotation will fail, indicating this addresses a functional security requirement for proper key management. The addition of a complete IAM policy for application roles further documents security controls for data encryption and decryption.

Diff

diff --git a/securityagent/latest/userguide/customer-managed-keys.md b/securityagent/latest/userguide/customer-managed-keys.md
index 63e21b39b..c86aa2986 100644
--- a//securityagent/latest/userguide/customer-managed-keys.md
+++ b//securityagent/latest/userguide/customer-managed-keys.md
@@ -168,0 +169 @@ Replace the following placeholder values in the policy:
+            "kms:GenerateDataKeyWithoutPlaintext",
@@ -184,0 +186,4 @@ Replace the following placeholder values in the policy:
+###### Important
+
+To rotate branch keys, your KMS key policy must grant `kms:GenerateDataKeyWithoutPlaintext` and `kms:ReEncrypt*` permissions to the AWS Security Agent service principal (`securityagent.amazonaws.com`), or branch key rotation will fail. For more information about the required permissions, see [Rotate a branch key](https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/rotate-branch-key.html).
+
@@ -252,0 +258,43 @@ You can combine the Agent Space and integration key policy statements into a sin
+### IAM policy for the application role
+
+In addition to the KMS key policy, you must attach the following IAM policy to the application role created during AWS Security Agent setup. This identity-based policy grants the application role permission to use your customer managed keys for Agent Space data encryption and decryption across the AWS services used by AWS Security Agent.
+
+Replace the following placeholder values in the policy:
+
+  * ` _111122223333_ ` – Your AWS account ID
+
+  * ` _us-east-1_ ` – The AWS Region where you use AWS Security Agent
+
+  * The KMS key ARNs in `Resource` – The ARNs of your KMS keys
+
+
+
+    
+    
+    {
+      "Version": "2012-10-17",		 	 	 
+      "Statement": [
+        {
+          "Sid": "AllowSynchronousDataAccessForAgentSpaces",
+          "Effect": "Allow",
+          "Action": [
+            "kms:GenerateDataKey",
+            "kms:Decrypt"
+          ],
+          "Resource": [
+            "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+            "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890cd"
+          ],
+          "Condition": {
+            "StringEquals": {
+              "aws:ResourceAccount": "111122223333",
+              "kms:ViaService": "securityagent.us-east-1.amazonaws.com"
+            },
+            "StringLike": {
+              "kms:EncryptionContext:aws:securityagent:agent-space": "arn:aws:securityagent:us-east-1:111122223333:agent-space/*"
+            }
+          }
+        }
+      ]
+    }
+