AWS aws-backup documentation change
Summary
Removed 'kms:Decrypt' and 'kms:Encrypt' requirements from KMS policy documentation for report buckets. Updated policy examples accordingly.
Security assessment
Simplifies required KMS actions without indicating a security fix. Permission reduction suggests optimization rather than vulnerability remediation.
Diff
diff --git a/aws-backup/latest/devguide/create-report-plan-console.md b/aws-backup/latest/devguide/create-report-plan-console.md index d9c90d1df..f1d2fa40d 100644 --- a//aws-backup/latest/devguide/create-report-plan-console.md +++ b//aws-backup/latest/devguide/create-report-plan-console.md @@ -71 +71 @@ If you encrypt your bucket using a customer managed KMS key, the KMS key policy - * The `Action` attribute must include `kms:GenerateDataKey` and `kms:Decrypt` at minimum. + * The `Action` attribute must include `kms:GenerateDataKey` at minimum. @@ -130 +130 @@ JSON -If you use a custom AWS Key Management Service to encrypt your target S3 bucket that stores the reports, include the following actions in your policy: +If you use a custom AWS Key Management Service to encrypt your target S3 bucket that stores the reports, include the following action in your policy: @@ -134,2 +134 @@ If you use a custom AWS Key Management Service to encrypt your target S3 bucket - "kms:GenerateDataKey", - "kms:Encrypt" + "kms:GenerateDataKey"