AWS waf documentation change
Summary
Added KMS actions (GenerateDataKey, Decrypt) to service-linked role permissions for customer-managed key support.
Security assessment
This enables encryption using customer-managed keys, enhancing data security capabilities. However, it documents feature enablement rather than addressing a specific vulnerability.
Diff
diff --git a/waf/latest/developerguide/using-service-linked-roles.md b/waf/latest/developerguide/using-service-linked-roles.md index df09c8f55..e1bec3f44 100644 --- a//waf/latest/developerguide/using-service-linked-roles.md +++ b//waf/latest/developerguide/using-service-linked-roles.md @@ -38,0 +39,2 @@ The permissions policies of the role allow AWS WAF to complete the following act + * AWS Key Management Service actions: `GenerateDataKey` and `Decrypt` to allow Amazon Data Firehose to use customer managed AWS KMS keys to encrypt data. +