AWS aws-backup documentation change
Summary
Added new section 'Using an S3 bucket encrypted with a cross-account KMS key' with detailed configuration steps
Security assessment
The change documents how to properly configure KMS key policies and grants for cross-account access when using encrypted S3 buckets for Backup reports. This improves security documentation but doesn't address a specific vulnerability.
Diff
diff --git a/aws-backup/latest/devguide/create-report-plan-console.md b/aws-backup/latest/devguide/create-report-plan-console.md index f1d2fa40d..781660026 100644 --- a//aws-backup/latest/devguide/create-report-plan-console.md +++ b//aws-backup/latest/devguide/create-report-plan-console.md @@ -6,0 +7,2 @@ +Using an S3 bucket encrypted with a cross-account KMS key + @@ -139,0 +142,53 @@ If you use a custom AWS Key Management Service to encrypt your target S3 bucket +## Using an S3 bucket encrypted with a cross-account KMS key + +If your S3 bucket (in Account A) is encrypted with a customer managed KMS key from a different account (Account B), complete the following additional steps to allow AWS Backup to deliver reports to the bucket. + +###### To configure a cross-account KMS key for Backup reports + + 1. Add the S3 bucket policy as described in the preceding section. + + 2. Update the KMS key policy in Account B to grant permissions to the `AWSServiceRoleForBackupReports` service-linked role in Account A and to the IAM entity that creates the report plan: + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "Allow Backup Reports service-linked role to use the key", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::AccountA-ID:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports" + }, + "Action": [ + "kms:GenerateDataKey", + "kms:Encrypt" + ], + "Resource": "*" + }, + { + "Sid": "Allow IAM entity to create grants on the key", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::AccountA-ID:role/IAM-role-name" + }, + "Action": "kms:CreateGrant", + "Resource": "*" + } + ] + } + +Replace `AccountA-ID` with the AWS account ID where the S3 bucket and AWS Backup report plan reside. Replace `IAM-role-name` with the IAM role you use to create the report plan. + + 3. From Account A, create a KMS grant for the service-linked role by running the following AWS CLI command with an IAM entity that has `kms:CreateGrant` permission on the key: + + aws kms create-grant \ + --key-id arn:aws:kms:region:AccountB-ID:key/key-id \ + --grantee-principal arn:aws:iam::AccountA-ID:role/aws-service-role/reports.backup.amazonaws.com/AWSServiceRoleForBackupReports \ + --operations GenerateDataKey + +Replace `region`, `AccountB-ID`, `key-id`, and `AccountA-ID` with your values. + + 4. Create your on-demand or scheduled report plan. Reports will be delivered to the S3 bucket encrypted with the cross-account KMS key. + + + +