AWS dms documentation change
Summary
Added 'Encryption for DMS Schema Conversion' section with details on customer-managed keys, required KMS policies, and encryption context constraints.
Security assessment
This change documents a new security feature (customer-managed encryption keys for Schema Conversion) but does not reference any fixed vulnerability. The added content explains encryption controls and key policies, enhancing security documentation without addressing a specific incident.
Diff
diff --git a/dms/latest/userguide/CHAP_Security.md b/dms/latest/userguide/CHAP_Security.md index 33befccdb..ac1189e29 100644 --- a//dms/latest/userguide/CHAP_Security.md +++ b//dms/latest/userguide/CHAP_Security.md @@ -7 +7 @@ -Encryption for migrationsSetting an encryption keyNetwork securityChanging the database password +Encryption for migrationsEncryption for DMS SCSetting an encryption keyNetwork securityChanging the database password @@ -56,0 +57,2 @@ For more information about available network configurations for AWS DMS, see [Se + * Encryption for DMS Schema Conversion + @@ -134,0 +137,75 @@ Additional encryption context constraints are not supported at this time. Includ +## Encryption for DMS Schema Conversion + +DMS Schema Conversion encrypts resources used for your schema conversions, including storage and other components. If you don't specify a customer managed key, DMS Schema Conversion automatically uses an AWS owned key to encrypt your resources. + +When you use a customer managed key, DMS Schema Conversion creates grants on your key which allow the service to configure an encrypted EBS volume and to encrypt and decrypt SQL statements temporarily preserved in internal storage during conversion. These grants are managed automatically as part of the migration project lifecycle. + +**Using a customer managed key with DMS Schema Conversion** + +DMS Schema Conversion creates a grant for accessing and managing the encryption keys during conversion. To use a customer managed key for your DMS Schema Conversion project, add the following to your customer managed key policy: + + + [ + { + "Sid": "Allow ExampleRole to Describe this key for DMS Schema Conversion", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/ExampleRole" + }, + "Action": "kms:DescribeKey", + "Resource": "*", + "Condition": { + "StringEquals": { + "kms:ViaService": "dms.us-west-2.amazonaws.com" + } + } + }, + { + "Sid": "Allow ExampleRole to use key with DMS Schema Conversion", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/ExampleRole" + }, + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "kms:ViaService": "dms.us-west-2.amazonaws.com" + }, + "StringLike": { + "kms:EncryptionContext:aws:dms:migration-project-id": "*" + } + } + }, + { + "Sid": "Allow ExampleRole to CreateGrant for DMS Schema Conversion", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/ExampleRole" + }, + "Action": "kms:CreateGrant", + "Resource": "*", + "Condition": { + "ForAllValues:StringEquals": { + "kms:GrantOperations": [ + "CreateGrant", + "Decrypt", + "DescribeKey", + "GenerateDataKey", + "GenerateDataKeyWithoutPlaintext" + ] + }, + "StringEquals": { + "kms:ViaService": "dms.us-west-2.amazonaws.com" + } + } + } + ] + +###### Important + +Additional encryption context constraints are not supported at this time. Including such constraints will cause the schema conversion to fail. +