AWS cloudhsm documentation change
Summary
Added 'derive, or wrap' to the list of operations that users with shared keys cannot perform
Security assessment
This change clarifies security restrictions for shared keys in CloudHSM by explicitly stating that users with shared keys cannot derive or wrap keys. This enhances security documentation by providing more complete information about key access controls, but there's no evidence it addresses a specific security vulnerability.
Diff
diff --git a/cloudhsm/latest/userguide/cloudhsm_cli-key-share.md b/cloudhsm/latest/userguide/cloudhsm_cli-key-share.md index fb1f1b6ef..6b23552b8 100644 --- a//cloudhsm/latest/userguide/cloudhsm_cli-key-share.md +++ b//cloudhsm/latest/userguide/cloudhsm_cli-key-share.md @@ -13 +13 @@ Use the **key share** command in CloudHSM CLI to share a key with other CUs in y -Only the CU who created the key and consequently owns it can share the key. Users with whom a key is shared can use the key in cryptographic operations, but they cannot delete, export, share, or unshare the key. Additionally, these users cannot change [key attributes](./cloudhsm_cli-key-attributes.html). +Only the CU who created the key and consequently owns it can share the key. Users with whom a key is shared can use the key in cryptographic operations, but they cannot delete, export, share, unshare, derive, or wrap the key. Additionally, these users cannot change [key attributes](./cloudhsm_cli-key-attributes.html).