Right now the cfn template allows any key ARN to be used for encrypting job information. We should instead include an AWS::KMS::Key resource in the template with a key policy that:

- Explicitly restricts kms:Decrypt to a principal listed in the encryption context
- Includes a timestamp in the encryption context. kms:Decrypt should only be allowed if the current time is less than this timestamp.
- Maybe include repo information for record-keeping in CloudTrail