AWS Security ChangesHomeSearch

AWS securityagent documentation change

Service: securityagent · 2026-05-07 · Documentation low

File: securityagent/latest/userguide/customer-managed-keys.md

Summary

Added new KMS policy statement allowing 'securityagent.amazonaws.com' to perform Decrypt and GenerateDataKey operations for code remediation.

Security assessment

Documents required cryptographic permissions for security agent operations. Enhances CMK documentation for a security feature (remediation workflows) but doesn't address a vulnerability.

Diff

diff --git a/securityagent/latest/userguide/customer-managed-keys.md b/securityagent/latest/userguide/customer-managed-keys.md
index 3ce87d0bc..c5998b90d 100644
--- a//securityagent/latest/userguide/customer-managed-keys.md
+++ b//securityagent/latest/userguide/customer-managed-keys.md
@@ -200,0 +201,12 @@ Replace the following placeholder values in the policy:
+        },
+        {
+          "Sid": "AllowAsynchronousDataAccessForCodeRemediation",
+          "Effect": "Allow",
+          "Principal": {
+            "Service": "securityagent.amazonaws.com"
+          },
+          "Action": [
+            "kms:Decrypt",
+            "kms:GenerateDataKey"
+          ],
+          "Resource": "*"