AWS Security ChangesHomeSearch

AWS kms documentation change

Service: kms · 2026-05-22 · Documentation low

File: kms/latest/developerguide/determining-access-grants.md

Summary

Added documentation for identifying grants created with GranteeServicePrincipal and included new example with SourceArn constraint.

Security assessment

This clarifies how to audit service principal grants and resource-based constraints, enhancing security posture documentation. No vulnerability remediation is indicated.

Diff

diff --git a/kms/latest/developerguide/determining-access-grants.md b/kms/latest/developerguide/determining-access-grants.md
index 19cc6c42a..fbc41db2d 100644
--- a//kms/latest/developerguide/determining-access-grants.md
+++ b//kms/latest/developerguide/determining-access-grants.md
@@ -11 +11,3 @@ Grants are advanced mechanisms for specifying permissions that you or an AWS ser
-To get a list of grants for a KMS key, use the AWS KMS [ListGrants](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListGrants.html) operation. You can examine the grants for a KMS key to determine who or what currently has access to use the KMS key via those grants. For example, the following is a JSON representation of a grant that was obtained from the [list-grants](https://docs.aws.amazon.com/cli/latest/reference/kms/list-grants.html) command in the AWS CLI.
+To get a list of grants for a KMS key, use the AWS KMS [ListGrants](https://docs.aws.amazon.com/kms/latest/APIReference/API_ListGrants.html) operation. You can examine the grants for a KMS key to determine who or what currently has access to use the KMS key via those grants. For grants created with `GranteePrincipal`, look for the `"GranteePrincipal"` field in `ListGrants` response. For grants created with `GranteeServicePrincipal`, look for the `"GranteeServicePrincipal"` field in `ListGrants` response.
+
+For example, the following is a JSON representation of a grant that was obtained from the [list-grants](https://docs.aws.amazon.com/cli/latest/reference/kms/list-grants.html) command in the AWS CLI.
@@ -40,0 +43,17 @@ The following is another example of a JSON representation of a grant that was ob
+The following example shows a grant created with `GranteeServicePrincipal`. Notice that the response includes a `GranteeServicePrincipal` field instead of `GranteePrincipal`, and the `Constraints` field contains a `SourceArn` value that restricts the grant to a specific AWS resource.
+    
+    
+    {"Grants": [{
+      "Operations": ["Encrypt", "Decrypt", "GenerateDataKey", "DescribeKey"],
+      "KeyId": "arn:aws:kms:us-west-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
+      "Name": "",
+      **"GranteeServicePrincipal": "service-name.amazonaws.com",**
+      "GrantId": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
+      "IssuingAccount": "arn:aws:iam::111122223333:root",
+      "RetiringServicePrincipal": "service-name.amazonaws.com",
+      **"Constraints":{
+        "SourceArn": "arn:aws:dynamodb:us-east-1:111122223333:table/ExampleTable"
+      },**
+      "CreationDate": 1.718567315E9
+    }]}
+