AWS kms documentation change
Summary
Added clarification about CloudTrail being the authoritative source for key usage
Security assessment
The change emphasizes CloudTrail as the authoritative audit source for key usage, reinforcing security best practices for monitoring. This adds to security documentation but doesn't indicate a specific security issue being fixed.
Diff
diff --git a/kms/latest/developerguide/monitoring-keys-determining-usage.md b/kms/latest/developerguide/monitoring-keys-determining-usage.md index de51674d8..6ec6af6c9 100644 --- a//kms/latest/developerguide/monitoring-keys-determining-usage.md +++ b//kms/latest/developerguide/monitoring-keys-determining-usage.md @@ -61 +61 @@ When you check the last usage information for a KMS key, the response includes a -Do not solely rely on last usage information when deleting unused keys. Instead, [disable the key](./enabling-keys.html) first and monitor AWS CloudTrail for `DisabledException` entries, which indicate attempts to use the key while disabled. This helps identify potential dependencies and workload failures. +Do not solely rely on last usage information when deleting unused keys. Instead, [disable the key](./enabling-keys.html) first and monitor AWS CloudTrail for `DisabledException` entries, which indicate attempts to use the key while disabled. This helps identify potential dependencies and workload failures. AWS CloudTrail remains the authoritative source for all API calls made to your key.