AWS aws-backup documentation change
Summary
Removed 'kms:Decrypt' requirement from KMS key policy for encrypted report buckets.
Security assessment
This change reduces required KMS permissions but shows no evidence of addressing a specific security vulnerability. It's a permission refinement without security incident context.
Diff
diff --git a/aws-backup/latest/devguide/create-report-plan-api.md b/aws-backup/latest/devguide/create-report-plan-api.md index 6f54e3a30..b03849a5e 100644 --- a//aws-backup/latest/devguide/create-report-plan-api.md +++ b//aws-backup/latest/devguide/create-report-plan-api.md @@ -22 +22 @@ If you encrypt your bucket using a custom KMS key, the KMS key policy must meet - * The `Action` attribute must include `kms:GenerateDataKey` and `kms:Decrypt` at minimum. + * The `Action` attribute must include `kms:GenerateDataKey` at minimum.