AWS kms documentation change
Summary
Updated description of AWS KMS grants to emphasize managing access without modifying key policies, removed cross-account requirements and simplified grant management explanation.
Security assessment
This change refines documentation about existing security controls (grants) without addressing any specific vulnerability. It improves clarity on temporary access management which is security-relevant but doesn't fix a security flaw. The removal of cross-account policy requirements might confuse users about security boundaries.
Diff
diff --git a/kms/latest/developerguide/control-access.md b/kms/latest/developerguide/control-access.md index 5194fbf5e..170f22c9d 100644 --- a//kms/latest/developerguide/control-access.md +++ b//kms/latest/developerguide/control-access.md @@ -47 +47,3 @@ When writing policies, ensure that you have strong controls restricting who can -In addition to IAM and key policies, AWS KMS supports [grants](./grants.html). Grants provide a flexible and powerful way to delegate permissions. You can use grants to issue time-bound KMS key access to IAM principals in your AWS account, or in other AWS accounts. We recommend issuing time-bound access if you don't know the names of the principals at the time that the policies are created, or if the principals that require access frequently change. The [grantee principal](./grants.html#terms-grantee-principal) can be in the same account as the KMS key or a different account. If the principal and KMS key are in different accounts, then you must specify an IAM policy in addition to the grant. Grants require additional management because you must call an API to create the grant and to retire or revoke the grant when it is no longer needed. +In addition to IAM and key policies, AWS KMS supports [grants](./grants.html). Grants provide a flexible and powerful way to manage which IAM principals or AWS service principals can access a key without modifying a key policy. This can include use cases where permissions are only necessary for the duration of some other job or resource. You call an API to create the grant and to retire or revoke the grant when it is no longer needed. + +For more information, see [Grants in AWS KMS](./grants.html).