AWS securityagent documentation change
Summary
Added new KMS policy statement allowing 'securityagent.amazonaws.com' to perform Decrypt and GenerateDataKey operations for code remediation.
Security assessment
Documents required cryptographic permissions for security agent operations. Enhances CMK documentation for a security feature (remediation workflows) but doesn't address a vulnerability.
Diff
diff --git a/securityagent/latest/userguide/customer-managed-keys.md b/securityagent/latest/userguide/customer-managed-keys.md index 3ce87d0bc..c5998b90d 100644 --- a//securityagent/latest/userguide/customer-managed-keys.md +++ b//securityagent/latest/userguide/customer-managed-keys.md @@ -200,0 +201,12 @@ Replace the following placeholder values in the policy: + }, + { + "Sid": "AllowAsynchronousDataAccessForCodeRemediation", + "Effect": "Allow", + "Principal": { + "Service": "securityagent.amazonaws.com" + }, + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey" + ], + "Resource": "*"