AWS Security ChangesHomeSearch

AWS aws-backup documentation change

Service: aws-backup · 2026-05-07 · Documentation low

File: aws-backup/latest/devguide/create-report-plan-console.md

Summary

Removed 'kms:Decrypt' and 'kms:Encrypt' requirements from KMS policy documentation for report buckets. Updated policy examples accordingly.

Security assessment

Simplifies required KMS actions without indicating a security fix. Permission reduction suggests optimization rather than vulnerability remediation.

Diff

diff --git a/aws-backup/latest/devguide/create-report-plan-console.md b/aws-backup/latest/devguide/create-report-plan-console.md
index d9c90d1df..f1d2fa40d 100644
--- a//aws-backup/latest/devguide/create-report-plan-console.md
+++ b//aws-backup/latest/devguide/create-report-plan-console.md
@@ -71 +71 @@ If you encrypt your bucket using a customer managed KMS key, the KMS key policy
-  * The `Action` attribute must include `kms:GenerateDataKey` and `kms:Decrypt` at minimum.
+  * The `Action` attribute must include `kms:GenerateDataKey` at minimum.
@@ -130 +130 @@ JSON
-If you use a custom AWS Key Management Service to encrypt your target S3 bucket that stores the reports, include the following actions in your policy:
+If you use a custom AWS Key Management Service to encrypt your target S3 bucket that stores the reports, include the following action in your policy:
@@ -134,2 +134 @@ If you use a custom AWS Key Management Service to encrypt your target S3 bucket
-            "kms:GenerateDataKey",
-            "kms:Encrypt"
+            "kms:GenerateDataKey"