AWS singlesignon medium security documentation change
Summary
Refined documentation for advanced KMS key policies with specific instructions on adding encryption context conditions
Security assessment
Changes provide concrete guidance on restricting KMS key usage through encryption context conditions (specifically naming AllowOrgPrincipalsViaIdentityCenterAndIdentityStore and AllowManagedApps statements). This addresses potential over-permission risks by enforcing granular access controls, directly impacting security posture.
Diff
diff --git a/singlesignon/latest/userguide/advanced-kms-policy.md b/singlesignon/latest/userguide/advanced-kms-policy.md index 4b0588c5e..2c7d232ed 100644 --- a//singlesignon/latest/userguide/advanced-kms-policy.md +++ b//singlesignon/latest/userguide/advanced-kms-policy.md @@ -11 +11 @@ Using encryption context to restrict accessPolicy templatesKMS policy statements -Use advanced KMS key policy statements to implement more granular access controls for your customer managed KMS key. These policies build on the [Baseline KMS key and IAM policy statements](./baseline-KMS-key-policy.html) by adding encryption context conditions and service-specific restrictions. Before deciding whether to use advanced KMS key policy statements, make sure to review the pertinent considerations. +Use advanced KMS key policy statements to implement more granular access controls for your customer managed KMS key. These policies build on the [Baseline KMS key policy](./baseline-KMS-key-policy.html) by adding encryption context conditions and service-specific restrictions. Before deciding whether to use advanced KMS key policy statements, make sure to review the pertinent considerations. @@ -15 +15 @@ Use advanced KMS key policy statements to implement more granular access control -You can restrict KMS key usage to a specific IAM Identity Center instance by specifying an encryption context condition in your key policy statements. The baseline key policy statements already include this context with a generic value. Replace the "*" wildcard with a specific Identity Center instance ARN and Identity Store ARN to ensure the key works only with your intended instance. You can also add the same encryption context conditions to the IAM policy configured for cross-account use of the KMS key. +You can restrict KMS key usage to a specific IAM Identity Center instance by adding encryption context conditions to the `AllowOrgPrincipalsViaIdentityCenterAndIdentityStore` and `AllowManagedApps` statements in your [Baseline KMS key policy](./baseline-KMS-key-policy.html). Add the following conditions with your specific Identity Center instance ARN and Identity Store ARN. You can also add the same encryption context conditions to the IAM policy configured for cross-account use of the KMS key. @@ -133 +133 @@ Some AWS managed applications cannot be used with IAM Identity Center configured -The [Baseline KMS key and IAM policy statements for use of AWS managed applications](./baseline-KMS-key-policy.html#baseline-kms-key-policy-statements-for-use-of-aws-managed-applications) allow any AWS managed application from any account in the same AWS organization to use the KMS key. Use these refined policies to restrict access by: +The [Baseline KMS key policy](./baseline-KMS-key-policy.html) allows any AWS managed application from any account in the same AWS organization to use the KMS key. Use these refined policies to restrict access by: @@ -294 +294 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Baseline KMS key and IAM policy statements +Baseline KMS key policy