AWS bedrock documentation change
Summary
Added new section about Amazon Bedrock Automation encryption context, including details about using encryption context for monitoring and controlling access to customer managed keys.
Security assessment
The changes add detailed documentation about encryption context usage, which is a security feature for monitoring and controlling access to encryption keys. However, there is no evidence this addresses a specific security issue.
Diff
diff --git a/bedrock/latest/userguide/encryption-bda.md index d08426708..8377117de 100644 --- a/bedrock/latest/userguide/encryption-bda.md +++ b/bedrock/latest/userguide/encryption-bda.md @@ -5 +5 @@ -How Amazon Bedrock uses grants in AWS KMSCreating a customer managed key and attaching a key policyPermissions and key policies for Amazon Bedrock Data Automation resourcesMonitoring your encryption keys for Amazon Bedrock Data Automation +How Amazon Bedrock uses grants in AWS KMSCreating a customer managed key and attaching a key policyPermissions and key policies for Amazon Bedrock Data Automation resourcesAmazon Bedrock Automation encryption contextMonitoring your encryption keys for Amazon Bedrock Data Automation @@ -36,0 +37,2 @@ You have full access to your customer managed AWS KMS key. You can revoke access +If you initiate a new invokeDataAutomationAsync call after revoking a grant, BDA will recreate the grant. The grants are retired by BDA after 30 hours. + @@ -127,0 +130,52 @@ The IAM role used to interact with BDA and AWS KMS should have the following per +## Amazon Bedrock Automation encryption context + +BDA uses the same encryption context in all AWS KMS cryptographic operations, where the key is `aws:bedrock:data-automation-customer-account-id` and teh value is your AWS account ID an example of the encryption context is below. + + + "encryptionContext": { + "bedrock:data-automation-customer-account-id": "account id" + } + + + +###### Using encryption context for monitoring + +When you use a symmetric customer managed key to encrypt your data, you can also use the encryption context in audit records and logs to identify how the customer managed key is being used. The encryption context also appears in logs generated by AWS CloudTrail or Amazon CloudWatch Logs. + +###### Using encryption context to control access to your customer managed key + +ou can use the encryption context in key policies and IAM policies as conditions to control access to your symmetric customer managed key. You can also use encryption context constraints in a grant. BDA uses an encryption context constraint in grants to control access to the customer managed key in your account or region. The grant constraint requires that the operations that the grant allows use the specified encryption context. + +The following are example key policy statements to grant access to a customer managed key for a specific encryption context. The condition in this policy statement requires that the grants have an encryption context constraint that specifies the encryption context. + + + [ + { + "Sid": "Enable DescribeKey, Decrypt, GenerateDataKey", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/ExampleRole" + }, + "Action": ["kms:DescribeKey", "kms:Decrypt", "kms:GenerateDataKey"], + "Resource": "*" + }, + { + "Sid": "Enable CreateGrant", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/ExampleRole" + }, + "Action": "kms:CreateGrant", + "Resource": "*", + "Condition": { + "StringLike": { + "kms:EncryptionContext:aws:bedrock:data-automation-customer-account-id": "111122223333" + }, + "StringEquals": { + "kms:GrantOperations": ["Decrypt", "DescribeKey", "GenerateDataKey"] + } + } + } + ] + +