AWS Security ChangesHomeSearch

AWS singlesignon documentation change

Service: singlesignon · 2026-05-04 · Documentation low

File: singlesignon/latest/userguide/identity-center-customer-managed-keys.md

Summary

Restructured KMS key policy setup instructions with simplified baseline-first approach

Security assessment

Reorganizes existing security documentation to prioritize baseline policies. Changes improve usability but don't fix vulnerabilities or add new security features.

Diff

diff --git a/singlesignon/latest/userguide/identity-center-customer-managed-keys.md b/singlesignon/latest/userguide/identity-center-customer-managed-keys.md
index 170c0fb2f..f659967de 100644
--- a//singlesignon/latest/userguide/identity-center-customer-managed-keys.md
+++ b//singlesignon/latest/userguide/identity-center-customer-managed-keys.md
@@ -84 +84 @@ Multiple IAM principals listed in the table require AWS KMS API permissions. How
-After identifying the use cases relevant to your organization, you can prepare the corresponding KMS key policy statements.
+Start with the [Baseline KMS key policy](./baseline-KMS-key-policy.html) and customize it for your organization. If you need more specific policies based on your security requirements, you can modify the policy statements using the examples in [Advanced KMS key policy statements](./advanced-kms-policy.html). For guidance on this decision, see [Considerations for choosing baseline vs. advanced KMS key policy statements](./considerations-for-customer-managed-kms-keys-advanced.html#kms-policy-considerations-advanced-vs-baseline).
@@ -86 +86 @@ After identifying the use cases relevant to your organization, you can prepare t
-  1. Choose the KMS key policy statements that match the use cases for your organization. Begin with the baseline policy templates. If you need more specific policies based on your security requirements, you can modify the policy statements using the examples in [Advanced KMS key policy statements](./advanced-kms-policy.html). For guidance on this decision, see [Considerations for choosing baseline vs. advanced KMS key policy statements](./considerations-for-customer-managed-kms-keys-advanced.html#kms-policy-considerations-advanced-vs-baseline). In addition, each baseline section in [Baseline KMS key and IAM policy statements](./baseline-KMS-key-policy.html) includes relevant considerations. 
+  1. Copy the baseline policy to an editor and insert the required identifiers and IAM principal names in the KMS key policy statements. For help finding the values of the referenced identifiers, see Where to find the required identifiers. 
@@ -88,16 +88 @@ After identifying the use cases relevant to your organization, you can prepare t
-  2. Copy the relevant policies to an editor and insert the required identifiers and IAM principal names in the KMS key policy statements. For help finding the values of the referenced identifiers, see Where to find the required identifiers. 
-
-
-
-
-Following are baseline policy templates for each use case. Only the first set of permissions for AWS IAM Identity Center is required to use a KMS key. We recommend that you review the applicable subsections for additional use case-specific information.
-
-  * [Baseline KMS key policy statements for use of IAM Identity Center (required)](./baseline-KMS-key-policy.html#baseline-kms-key-policy-statements-for-use-of-iam-identity-center-mandatory)
-
-  * [Baseline KMS key and IAM policy statements for use of AWS managed applications](./baseline-KMS-key-policy.html#baseline-kms-key-policy-statements-for-use-of-aws-managed-applications)
-
-  * [Baseline KMS key statement for use of AWS Control Tower](./baseline-KMS-key-policy.html#baseline-kms-key-policy-statements-for-specific-use-cases)
-
-  * [Baseline KMS key and IAM policy statements for use of IAM Identity Center to Amazon EC2 instances](./baseline-KMS-key-policy.html#baseline-kms-key-policy-statements-for-use-of-sso-to-amazon-ec2-windows-instances)
-
-  * [Baseline KMS key and IAM policy statements for use of custom workflows with IAM Identity Center](./baseline-KMS-key-policy.html#baseline-kms-key-policy-statements-for-use-of-custom-workflows-with-iam-identity-center)
+  2. If your security requirements call for it, refine the policy statements using the examples in [Advanced KMS key policy statements](./advanced-kms-policy.html). 
@@ -311 +296 @@ Encryption at rest
-Baseline KMS key and IAM policy statements
+Baseline KMS key policy