AWS kms documentation change
Summary
Clarified that Amazon S3 cross-Region replication re-encrypts data keys under the destination Region's KMS key, even for multi-Region keys.
Security assessment
Documentation clarification about how multi-Region keys behave in cross-region replication scenarios. No security issue addressed.
Diff
diff --git a/kms/latest/developerguide/multi-region-keys-overview.md b/kms/latest/developerguide/multi-region-keys-overview.md index 0c4825518..c599d7f09 100644 --- a//kms/latest/developerguide/multi-region-keys-overview.md +++ b//kms/latest/developerguide/multi-region-keys-overview.md @@ -41 +41 @@ You can use multi-Region keys with client-side encryption libraries, such as the -Most [AWS services that integrate with AWS KMS](https://aws.amazon.com/kms/features/) for encryption at rest or digital signatures currently treat multi-Region keys as though they were single-Region keys. They might re-wrap or re-encrypt data moved between Regions. For example, Amazon S3 cross-Region replication decrypts and re-encrypts data under a KMS key in the destination Region, even when replicating objects protected by a multi-Region key. Refer to service-specific documentation to understand how a service replicates encrypted data and if it treats multi-Region keys differently. +Most [AWS services that integrate with AWS KMS](https://aws.amazon.com/kms/features/) for encryption at rest or digital signatures currently treat multi-Region keys as though they were single-Region keys. For example, Amazon S3 cross-Region replication decrypts and re-encrypts the data keys used to encrypt object data under the KMS key in the destination Region, even when the KMS key in both Regions is a related multi-Region key. Refer to service-specific documentation to understand how a service replicates encrypted data and if it treats multi-Region keys differently.