AWS kms documentation change
Summary
Clarified that most AWS services treat multi-Region keys as single-Region keys and added note to check service-specific documentation for replication behavior
Security assessment
This is a clarification about multi-Region key behavior and doesn't address security issues or add security documentation. It's a feature clarification update.
Diff
diff --git a/kms/latest/developerguide/multi-region-keys-overview.md b/kms/latest/developerguide/multi-region-keys-overview.md index 5cf73138c..a12e82c97 100644 --- a//kms/latest/developerguide/multi-region-keys-overview.md +++ b//kms/latest/developerguide/multi-region-keys-overview.md @@ -39 +39 @@ You can use multi-Region keys with client-side encryption libraries, such as the -[AWS services that integrate with AWS KMS](https://aws.amazon.com/kms/features/) for encryption at rest or digital signatures currently treat multi-Region keys as though they were single-Region keys. They might re-wrap or re-encrypt data moved between Regions. For example, Amazon S3 cross-region replication decrypts and re-encrypts data under a KMS key in the destination Region, even when replicating objects protected by a multi-Region key. +Most [AWS services that integrate with AWS KMS](https://aws.amazon.com/kms/features/) for encryption at rest or digital signatures currently treat multi-Region keys as though they were single-Region keys. They might re-wrap or re-encrypt data moved between Regions. For example, Amazon S3 cross-Region replication decrypts and re-encrypts data under a KMS key in the destination Region, even when replicating objects protected by a multi-Region key. Refer to service-specific documentation to understand how a service replicates encrypted data and if it treats multi-Region keys differently.