AWS securityagent documentation change
Summary
Updated IAM policy documentation for AWS Security Agent application role, adding a new policy statement for KMS key access when creating secrets in Secrets Manager, and added explanatory notes.
Security assessment
This change adds detailed security documentation about required IAM permissions for using customer managed keys with AWS Security Agent, specifically for encrypting secrets and log data. It clarifies security configuration but does not address a specific security vulnerability.
Diff
diff --git a/securityagent/latest/userguide/customer-managed-keys.md b/securityagent/latest/userguide/customer-managed-keys.md index c86aa2986..dfcb58745 100644 --- a//securityagent/latest/userguide/customer-managed-keys.md +++ b//securityagent/latest/userguide/customer-managed-keys.md @@ -260 +260 @@ You can combine the Agent Space and integration key policy statements into a sin -In addition to the KMS key policy, you must attach the following IAM policy to the application role created during AWS Security Agent setup. This identity-based policy grants the application role permission to use your customer managed keys for Agent Space data encryption and decryption across the AWS services used by AWS Security Agent. +In addition to the KMS key policy, attach the following IAM policy to the application role specified during AWS Security Agent setup. This policy grants the role permissions to use your customer managed keys for encrypting and decrypting Agent Space data and creating secrets in AWS Secrets Manager. @@ -296,0 +297,21 @@ Replace the following placeholder values in the policy: + }, + { + "Sid": "AllowKmsKeyAccessForCreatingSecrets", + "Effect": "Allow", + "Action": [ + "kms:GenerateDataKey", + "kms:Decrypt" + ], + "Resource": [ + "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", + "arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890cd" + ], + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "111122223333" + }, + "StringLike": { + "kms:ViaService": "secretsmanager.*.amazonaws.com", + "kms:EncryptionContext:SecretARN": "arn:aws:secretsmanager:us-east-1:111122223333:secret:*" + } + } @@ -300,0 +322,8 @@ Replace the following placeholder values in the policy: +###### Note + +The application role is an IAM role that you specify or that the console creates during AWS Security Agent setup. The web application assumes this role to retrieve penetration test execution logs and create Secrets Manager secrets on your behalf. + +The `AllowKmsKeyAccessForCreatingSecrets` statement is required if you configure authentication resources for penetration tests and choose to enter credentials directly instead of specifying an existing secret. The web application creates a secret on your behalf, and the application role needs the permissions in this statement to encrypt the secret with the customer managed key specified for your Agent Space. Update the `Resource` ARNs in this statement to match the KMS key used for your Agent Space. + +If your CloudWatch Logs log group for storing penetration test execution logs is encrypted with a customer managed key, you must update the KMS key policy to allow CloudWatch Logs to decrypt log events. Otherwise, the web application cannot display log events. For instructions, see [Encrypt log data in CloudWatch Logs using AWS KMS](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/encrypt-log-data-kms.html). +