AWS kms documentation change
Summary
Added warning about key deletion practices and updated service name reference
Security assessment
The change adds a security warning advising against sole reliance on last usage metrics for key deletion, recommending disabling keys first and monitoring CloudTrail for usage attempts. This improves security documentation but doesn't address a specific vulnerability.
Diff
diff --git a/kms/latest/developerguide/conditions-kms.md b/kms/latest/developerguide/conditions-kms.md index 14363852f..5754f7085 100644 --- a//kms/latest/developerguide/conditions-kms.md +++ b//kms/latest/developerguide/conditions-kms.md @@ -1897 +1897 @@ AWS KMS condition keys | Condition type | Value type | API operations | Policy t -The `kms:TrailingDaysWithoutKeyUsage` condition key represents the number of trailing days without cryptographic operations on a KMS key, calculated from the last successful cryptographic operation, or from the KMS key's creation date or `TrackingStartDate` if the key has never been used. For more information about the tracking start date, see [Understanding the usage tracking period](./monitoring-keys-determining-usage.html#understanding-tracking-period). You can use this condition key in key policies and IAM policies to control access to the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) and [DisableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html) operations. +The `kms:TrailingDaysWithoutKeyUsage` condition key represents the number of trailing days without cryptographic operations on a KMS key, calculated from the last successful cryptographic operation, or from the KMS key's creation date or `TrackingStartDate` if the key has never been used. For more information about the tracking start date and how its behavior can affect this condition key, see [Understanding the usage tracking period](./monitoring-keys-determining-usage.html#understanding-tracking-period). You can use this condition key in key policies and IAM policies to control access to the [ScheduleKeyDeletion](https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) and [DisableKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_DisableKey.html) operations. @@ -1939,0 +1940,4 @@ The following example key policy statement denies the `ScheduleKeyDeletion` and +###### Warning + +Do not solely rely on last usage information when deleting unused keys. Instead, [disable the key](./enabling-keys.html) first and monitor AWS CloudTrail for `DisabledException` entries, which indicate attempts to use the key while disabled. This helps identify potential dependencies and workload failures. AWS CloudTrail remains the authoritative source for all API calls made to your key. + @@ -2073 +2077 @@ Amazon AppFlow | `appflow.`AWS_region`.amazonaws.com` -AWS Application Migration Service | `mgn.`AWS_region`.amazonaws.com` +AWS Transform MGN | `mgn.`AWS_region`.amazonaws.com`