AWS Security ChangesHomeSearch

AWS securityagent medium security documentation change

Service: securityagent · 2026-06-13 · Security-related medium

File: securityagent/latest/userguide/customer-managed-keys.md

Summary

Updated KMS permissions to replace wildcard ReEncrypt* with specific ReEncryptTo/From actions and added new key policy documentation for security requirement packs

Security assessment

The change replaces broad kms:ReEncrypt* permissions with granular kms:ReEncryptTo/From actions, reducing potential overprivileged access. This directly addresses least privilege security best practices. Additionally, the new security requirement pack key policy introduces mandatory encryption controls for security resources, explicitly defining IAM conditions and access paths to protect sensitive security requirement pack data.

Diff

diff --git a/securityagent/latest/userguide/customer-managed-keys.md b/securityagent/latest/userguide/customer-managed-keys.md
index c5998b90d..e87ab31df 100644
--- a//securityagent/latest/userguide/customer-managed-keys.md
+++ b//securityagent/latest/userguide/customer-managed-keys.md
@@ -148 +148,2 @@ Replace the following placeholder values in the policy:
-            "kms:ReEncrypt*",
+            "kms:ReEncryptTo",
+            "kms:ReEncryptFrom",
@@ -190 +191,2 @@ Replace the following placeholder values in the policy:
-            "kms:ReEncrypt*"
+            "kms:ReEncryptTo",
+            "kms:ReEncryptFrom"
@@ -219 +221 @@ Replace the following placeholder values in the policy:
-To rotate branch keys, your KMS key policy must grant `kms:GenerateDataKeyWithoutPlaintext` and `kms:ReEncrypt*` permissions to the AWS Security Agent service principal (`securityagent.amazonaws.com`), or branch key rotation will fail. For more information about the required permissions, see [Rotate a branch key](https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/rotate-branch-key.html).
+To rotate branch keys, your KMS key policy must grant `kms:GenerateDataKeyWithoutPlaintext`, `kms:ReEncryptTo`, and `kms:ReEncryptFrom` permissions to the AWS Security Agent service principal (`securityagent.amazonaws.com`), or branch key rotation will fail. For more information about the required permissions, see [Rotate a branch key](https://docs.aws.amazon.com/database-encryption-sdk/latest/devguide/rotate-branch-key.html).
@@ -250 +252,2 @@ Replace the following placeholder values in the policy:
-            "kms:ReEncrypt*"
+            "kms:ReEncryptTo",
+            "kms:ReEncryptFrom"
@@ -281 +284,2 @@ Replace the following placeholder values in the policy:
-            "kms:ReEncrypt*"
+            "kms:ReEncryptTo",
+            "kms:ReEncryptFrom"
@@ -298 +302,107 @@ Replace the following placeholder values in the policy:
-You can combine the Agent Space and integration key policy statements into a single key policy if you want to use the same KMS key for both resource types.
+You can combine the Agent Space, integration, and security requirement pack key policy statements into a single key policy if you want to use the same KMS key for multiple resource types.
+
+#### Key policy for security requirement packs
+
+The following key policy grants AWS Security Agent the permissions required to encrypt and decrypt security requirement pack data. Security requirement packs do not use a web application role. The policy uses two access paths:
+
+  * **Synchronous path** – When you call the API, the service uses your forwarded credentials to call AWS KMS on your behalf (via the `kms:ViaService` condition).
+
+  * **Asynchronous path** – For asynchronous operations where the packs can be used, the service uses its own service principal to call AWS KMS directly.
+
+
+
+
+Replace the following values in the policy:
+
+  * ` _111122223333_ ` – Your AWS account ID
+
+  * ` _MyRole_ ` – The IAM role you use to invoke security requirement pack operations
+
+  * ` _us-east-1_ ` – The AWS Region where you use AWS Security Agent
+
+
+
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "AllowKeyMetadataValidation",
+          "Effect": "Allow",
+          "Principal": {
+            "AWS": "arn:aws:iam::111122223333:role/MyRole"
+          },
+          "Action": [
+            "kms:DescribeKey"
+          ],
+          "Resource": "*",
+          "Condition": {
+            "StringEquals": {
+              "kms:ViaService": "securityagent.us-east-1.amazonaws.com"
+            }
+          }
+        },
+        {
+          "Sid": "AllowUseOfHierarchicalKeyringForSecurityPacks",
+          "Effect": "Allow",
+          "Principal": {
+            "AWS": "arn:aws:iam::111122223333:role/MyRole"
+          },
+          "Action": [
+            "kms:GenerateDataKeyWithoutPlaintext",
+            "kms:ReEncryptTo",
+            "kms:ReEncryptFrom",
+            "kms:Decrypt"
+          ],
+          "Resource": "*",
+          "Condition": {
+            "StringEquals": {
+              "kms:ViaService": "securityagent.us-east-1.amazonaws.com"
+            },
+            "StringLike": {
+              "kms:EncryptionContext:aws:securityagent:security-requirement-pack": "arn:aws:securityagent:us-east-1:111122223333:security-requirement-pack/*"
+            }
+          }
+        },
+        {
+          "Sid": "AllowAsynchronousDataAccessForSecurityPacks",
+          "Effect": "Allow",
+          "Principal": {
+            "Service": "securityagent.amazonaws.com"
+          },
+          "Action": [
+            "kms:GenerateDataKeyWithoutPlaintext",
+            "kms:Decrypt",
+            "kms:ReEncryptTo",
+            "kms:ReEncryptFrom"
+          ],
+          "Resource": "*",
+          "Condition": {
+            "StringLike": {
+              "kms:EncryptionContext:aws:securityagent:security-requirement-pack": "arn:aws:securityagent:us-east-1:111122223333:security-requirement-pack/*"
+            },
+            "ArnLike": {
+              "aws:SourceArn": "arn:aws:securityagent:us-east-1:111122223333:security-requirement-pack/*"
+            }
+          }
+        }
+      ]
+    }
+
+The policy contains three statements:
+
+  * **AllowKeyMetadataValidation** – Grants `kms:DescribeKey` so that AWS Security Agent can validate that your customer managed key exists, is enabled, and uses symmetric encryption when you specify a CMK during resource creation. Uses the `kms:ViaService` condition to ensure the call originates through the service.
+
+  * **AllowUseOfHierarchicalKeyringForSecurityPacks** – Grants `kms:GenerateDataKeyWithoutPlaintext` (create new branch keys), `kms:ReEncryptTo` and `kms:ReEncryptFrom` (rotate existing branch keys), and `kms:Decrypt` (retrieve existing branch keys) for hierarchical keyring operations. These operations use your forwarded credentials through the synchronous path and are scoped to security requirement pack resources by the encryption context condition.
+
+  * **AllowAsynchronousDataAccessForSecurityPacks** – Grants `kms:GenerateDataKeyWithoutPlaintext`, `kms:Decrypt`, `kms:ReEncryptTo`, and `kms:ReEncryptFrom` to the AWS Security Agent service principal for asynchronous operations when no caller credentials are available.
+
+
+
+
+Unlike the Agent Spaces key policy, the security requirement pack policy does not include a web application role principal. Security requirement packs are accessed through the AWS Management Console using your administrator role, not through the AWS Security Agent web application. All synchronous operations use the single caller role (via `kms:ViaService`).
+
+###### Note
+
+If you use the same KMS key for both Agent Spaces and security requirement packs, you can combine the key policy statements from both sections into a single key policy.