Update README

README.md

@@ -61,18 +61,22 @@ There are a few parameters that need to be configured for CMS to run properly, t
 
 property                                            | required | notes
 ---------------------------                         | -------- | ----------
-JDBC.url                                            | Yes | The JDBC url for the mysql db
-JDBC.username                                       | Yes | The JDBC user name for the mysql db
-JDBC.password                                       | Yes | The JDBC JDBC.password for the mysql db
-root.user.arn                                       | Yes | The arn for the root AWS user, needed to make the KMS keys deletable.
-admin.role.arn                                      | Yes | The arn for an AWS user, needed to make the KMS keys deletable.
-cms.role.arn                                        | Yes | The arn for the Instance profile for CMS instances, so they can admin KMS keys that they create.
-cms.admin.group                                     | Yes | Group that user can be identified by to get admin privileges, currently this just enables users to access `/v1/metadata` see API.md
-cms.admin.roles                                     | No  | Comma seperated list of ARNs that can auth and access admin endpoints.
-cms.auth.connector                                  | Yes | The user authentication connector implementation to use for user auth.
-cms.user.token.ttl.override                         | No  | By default user tokens are created with a TTL of 1h, you can override that with this param
-cms.iam.token.ttl.override                          | No  | By default IAM tokens are created with a TTL of 1h, you can override that with this param
-cms.kms.policy.validation.interval.millis.override  | No  | By default CMS validates KMS key policies no more than once per minute, you can override that with this param
+JDBC.url                                            | Yes      | The JDBC url for the mysql db
+JDBC.username                                       | Yes      | The JDBC user name for the mysql db
+JDBC.password                                       | Yes      | The JDBC JDBC.password for the mysql db
+root.user.arn                                       | Yes      | The arn for the root AWS user, needed to make the KMS keys deletable.
+admin.role.arn                                      | Yes      | The arn for an AWS user, needed to make the KMS keys deletable.
+cms.role.arn                                        | Yes      | The arn for the Instance profile for CMS instances, so they can admin KMS keys that they create.
+cms.admin.group                                     | Yes      | Group that user can be identified by to get admin privileges, currently this just enables users to access `/v1/metadata` see API.md
+cms.admin.roles                                     | No       | Comma separated list of ARNs that can auth and access admin endpoints.
+cms.auth.connector                                  | Yes      | The user authentication connector implementation to use for user auth.
+cms.user.token.ttl.override                         | No       | By default user tokens are created with a TTL of 1h, you can override that with this param
+cms.iam.token.ttl.override                          | No       | By default IAM tokens are created with a TTL of 1h, you can override that with this param
+cms.kms.policy.validation.interval.millis.override  | No       | By default CMS validates KMS key policies no more than once per minute, you can override that with this param
+
+KMS Policies are bound to IAM Principal IDs rather than ARNs themselves. Because of this, we validate the policy at authentication time
+to ensure that if an IAM role has been deleted and re-created, that we grant access to the new principal ID.
+The API limit for this call is low, so the `cms.kms.policy.validation.interval.millis.override` property is used to throttle this validation.
 
 For local dev see `Running CMS Locally`.