AWS connect documentation change
Summary
Replaced 'Amazon Connect' with 'Connect Customer' in two instances regarding secret access
Security assessment
The change updates terminology but maintains identical security requirements for resource policies and KMS key conditions. No new security guidance or vulnerability fixes were introduced.
Diff
diff --git a/connect/latest/adminguide/managing-secrets-resource-policies.md b/connect/latest/adminguide/managing-secrets-resource-policies.md index 3a3bb1a91..83a4955fb 100644 --- a//connect/latest/adminguide/managing-secrets-resource-policies.md +++ b//connect/latest/adminguide/managing-secrets-resource-policies.md @@ -21 +21 @@ When you [configure a third-party speech provider](./configure-third-party-speec -These policies allow Amazon Connect to access to the API key within the secret. Note that you cannot use the default `aws/secretsmanager` KMS key; you will have to create a new key or use an existing customer-managed key. For more information about how KMS keys secure secrets, see [Secret encryption and decryption in Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html). +These policies allow Connect Customer to access to the API key within the secret. Note that you cannot use the default `aws/secretsmanager` KMS key; you will have to create a new key or use an existing customer-managed key. For more information about how KMS keys secure secrets, see [Secret encryption and decryption in Secrets Manager](https://docs.aws.amazon.com/secretsmanager/latest/userguide/security-encryption.html). @@ -26 +26 @@ These policies allow Amazon Connect to access to the API key within the secret. -Make sure that the resource-based policy for the secret includes the `aws:SourceAccount` and `aws:SourceArn` confused deputy conditions (see [The confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html)) and that the resource-based policy for the KMS key includes the `kms:EncryptionContext:SecretARN` condition. This will ensure that Amazon Connect can only access your API key secret in context of a single specific instance, and can only access your KMS key in context of both that instance and the specific secret. +Make sure that the resource-based policy for the secret includes the `aws:SourceAccount` and `aws:SourceArn` confused deputy conditions (see [The confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html)) and that the resource-based policy for the KMS key includes the `kms:EncryptionContext:SecretARN` condition. This will ensure that Connect Customer can only access your API key secret in context of a single specific instance, and can only access your KMS key in context of both that instance and the specific secret.