AWS Security ChangesHomeSearch

AWS kms documentation change

Service: kms · 2026-04-19 · Documentation medium

File: kms/latest/developerguide/conditions-kms.md

Summary

Added 'EXTERNAL_MU' as a valid value for the kms:MessageType condition key in Sign and Verify operations.

Security assessment

Expands documentation for IAM condition keys to include a new message type value, which is related to access control policies for cryptographic operations. This adds to security documentation but does not indicate a security issue.

Diff

diff --git a/kms/latest/developerguide/conditions-kms.md b/kms/latest/developerguide/conditions-kms.md
index f05083f95..9f37956cb 100644
--- a//kms/latest/developerguide/conditions-kms.md
+++ b//kms/latest/developerguide/conditions-kms.md
@@ -1318 +1318 @@ AWS KMS condition keys | Condition type | Value type | API operations | Policy t
-The `kms:MessageType` condition key controls access to the [Sign](https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html) and [Verify](https://docs.aws.amazon.com/kms/latest/APIReference/API_Verify.html) operations based on the value of the `MessageType` parameter in the request. Valid values for `MessageType` are `RAW` and `DIGEST`. 
+The `kms:MessageType` condition key controls access to the [Sign](https://docs.aws.amazon.com/kms/latest/APIReference/API_Sign.html) and [Verify](https://docs.aws.amazon.com/kms/latest/APIReference/API_Verify.html) operations based on the value of the `MessageType` parameter in the request. Valid values for `MessageType` are `RAW`, `DIGEST` and `EXTERNAL_MU`.