AWS kms documentation change
Summary
Added documentation for identifying grants created with GranteeServicePrincipal and included new example with SourceArn constraint.
Security assessment
This clarifies how to audit service principal grants and resource-based constraints, enhancing security posture documentation. No vulnerability remediation is indicated.
Diff
diff --git a/kms/latest/developerguide/determining-access-grants.md b/kms/latest/developerguide/determining-access-grants.md index 19cc6c42a..fbc41db2d 100644 --- a//kms/latest/developerguide/determining-access-grants.md +++ b//kms/latest/developerguide/determining-access-grants.md @@ -11 +11,3 @@ Grants are advanced mechanisms for specifying permissions that you or an AWS ser -To get a list of grants for a KMS key, use the AWS KMS [ListGrants](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListGrants.html) operation. You can examine the grants for a KMS key to determine who or what currently has access to use the KMS key via those grants. For example, the following is a JSON representation of a grant that was obtained from the [list-grants](https://docs.aws.amazon.com/cli/latest/reference/kms/list-grants.html) command in the AWS CLI. +To get a list of grants for a KMS key, use the AWS KMS [ListGrants](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListGrants.html) operation. You can examine the grants for a KMS key to determine who or what currently has access to use the KMS key via those grants. For grants created with `GranteePrincipal`, look for the `"GranteePrincipal"` field in `ListGrants` response. For grants created with `GranteeServicePrincipal`, look for the `"GranteeServicePrincipal"` field in `ListGrants` response. + +For example, the following is a JSON representation of a grant that was obtained from the [list-grants](https://docs.aws.amazon.com/cli/latest/reference/kms/list-grants.html) command in the AWS CLI. @@ -40,0 +43,17 @@ The following is another example of a JSON representation of a grant that was ob +The following example shows a grant created with `GranteeServicePrincipal`. Notice that the response includes a `GranteeServicePrincipal` field instead of `GranteePrincipal`, and the `Constraints` field contains a `SourceArn` value that restricts the grant to a specific AWS resource. + + + {"Grants": [{ + "Operations": ["Encrypt", "Decrypt", "GenerateDataKey", "DescribeKey"], + "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab", + "Name": "", + **"GranteeServicePrincipal": "service-name.amazonaws.com",** + "GrantId": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2", + "IssuingAccount": "arn:aws:iam::111122223333:root", + "RetiringServicePrincipal": "service-name.amazonaws.com", + **"Constraints":{ + "SourceArn": "arn:aws:dynamodb:us-east-1:111122223333:table/ExampleTable" + },** + "CreationDate": 1.718567315E9 + }]} +