AWS Security ChangesHomeSearch

AWS aws-backup documentation change

Service: aws-backup · 2026-05-07 · Documentation low

File: aws-backup/latest/devguide/create-report-plan-api.md

Summary

Removed 'kms:Decrypt' requirement from KMS key policy for encrypted report buckets.

Security assessment

This change reduces required KMS permissions but shows no evidence of addressing a specific security vulnerability. It's a permission refinement without security incident context.

Diff

diff --git a/aws-backup/latest/devguide/create-report-plan-api.md b/aws-backup/latest/devguide/create-report-plan-api.md
index 6f54e3a30..b03849a5e 100644
--- a//aws-backup/latest/devguide/create-report-plan-api.md
+++ b//aws-backup/latest/devguide/create-report-plan-api.md
@@ -22 +22 @@ If you encrypt your bucket using a custom KMS key, the KMS key policy must meet
-  * The `Action` attribute must include `kms:GenerateDataKey` and `kms:Decrypt` at minimum.
+  * The `Action` attribute must include `kms:GenerateDataKey` at minimum.