AWS wickr documentation change
Summary
Updated documentation to use second-person pronouns ('your' instead of 'customer's') and clarified Nitro Enclave attestation requirements in KMS policy statements
Security assessment
Changes are primarily stylistic (pronoun adjustments) and clarify existing security controls (Nitro Enclave attestation process). No evidence of addressing a specific vulnerability or weakness. Security mechanisms (KMS policies, enclave usage) remain functionally unchanged.
Diff
diff --git a/wickr/latest/adminguide/encryption-rest.md b/wickr/latest/adminguide/encryption-rest.md index 3a1522b0f..37873b86c 100644 --- a//wickr/latest/adminguide/encryption-rest.md +++ b//wickr/latest/adminguide/encryption-rest.md @@ -21 +21 @@ The Data Retention Service encrypts customer data at rest using a customer manag -When the Data Retention Service is deployed, a symmetric customer managed KMS key (RetentionKey) is created in the customer's AWS account. This key is used to encrypt the following resources: +When the Data Retention Service is deployed, a symmetric customer managed KMS key (RetentionKey) is created in your AWS account. This key is used to encrypt the following resources: @@ -23 +23 @@ When the Data Retention Service is deployed, a symmetric customer managed KMS ke - * **Retained messages** — All Wickr messages (text, reactions, and others) captured by the data retention bot are encrypted with the CMK before being stored in the customer's S3 bucket. Messages are encrypted inside a Nitro Enclave using the AWS Encryption SDK, then uploaded to Amazon S3 with SSE-KMS using the same CMK. + * **Retained messages** — All Wickr messages (text, reactions, and others) captured by the data retention bot are encrypted with the CMK before being stored in your S3 bucket. Messages are encrypted inside a Nitro Enclave using the AWS Encryption SDK, then uploaded to Amazon S3 with SSE-KMS using the same CMK. @@ -44 +44 @@ Direct `kms:Decrypt` calls (outside of S3 SSE-KMS) require Nitro Enclave attesta -Messages are processed within AWS Nitro Enclaves, which use your KMS key to decrypt the data retention module's private keys, decrypt the Wickr-encrypted message content, and re-encrypt it with a unique data key per message before storing it in your S3 bucket. +AWS Nitro Enclaves process messages using your KMS key to decrypt the data retention module's private keys, decrypt the Wickr-encrypted message content, and re-encrypt it with a unique data key per message before storing it in your S3 bucket. @@ -141 +141 @@ EnableIAMPolicies -Allows the customer's account root to manage the key. This is the standard key administrator statement. +Allows your account root to manage the key. This is the standard key administrator statement. @@ -146 +146 @@ EnclaveGenerateDataKey -`kms:GenerateDataKey` — Invoked by the Nitro Enclave to to generate data encryption keys for encrypting message content and account state before storing in S3. Only permitted when a valid Nitro Enclave attestation document is provided (PCR0/1/2 conditions) and an encryption context key of aws:wickr:network:id or aws:wickr:app:id is present. +`kms:GenerateDataKey` — Invoked by the Nitro Enclave to to generate data encryption keys for encrypting message content and account state before storing in S3. Only permitted when the enclave provides a valid Nitro Enclave attestation document (PCR0/1/2 conditions) and an encryption context key of aws:wickr:network:id or aws:wickr:app:id is present. @@ -156 +156 @@ EnclaveDecryptWithAttestation -`kms:Decrypt` — Invoked by the Nitro Enclave to decrypt account state (private keys) needed for Wickr message decryption. This is only permitted when a valid Nitro Enclave attestation document is provided (PCR0/1/2 conditions), and the encryption context key aws:wickr:app:id is present, ensuring decryption cannot occur outside the enclave. +`kms:Decrypt` — Invoked by the Nitro Enclave to decrypt account state (private keys) needed for Wickr message decryption. This is only permitted when the enclave provides a valid Nitro Enclave attestation document (PCR0/1/2 conditions), and the encryption context key aws:wickr:app:id is present, ensuring decryption cannot occur outside the enclave. @@ -161 +161 @@ DRSDecryptionLambda -`kms:Decrypt` — Invoked by the on-demand decryption Lambda to decrypt retained messages when the customer triggers the decryption state machine. This role is not accessible by the Wickr service and exists solely for the customer to decrypt their own messages from the encrypted S3 bucket. +`kms:Decrypt` — Invoked by the on-demand decryption Lambda to decrypt retained messages when you trigger the decryption state machine. This role is not accessible by the Wickr service and exists solely for you to decrypt your own messages from the encrypted S3 bucket. @@ -273 +273 @@ Key events to monitor: - * **GetPublicKey** — Occurs on the password recovery key when the customer's `collect.py` script retrieves the public key for local ECDH encryption. + * **GetPublicKey** — Occurs on the password recovery key when your `collect.py` script retrieves the public key for local ECDH encryption.