AWS bedrock high security documentation change
Summary
Removed '(Optional)' labels from multiple permission sections, added note about policy sharing restriction, updated OpenSearch Service references to OpenSearch Serverless, added Neptune Analytics permissions section, and reorganized database permission policies.
Security assessment
The added note 'A policy cannot be shared between multiple roles when the service role is used' introduces a security best practice to prevent policy misuse. This directly addresses potential privilege escalation risks from shared policies. Other changes are feature updates (Neptune Analytics support) or documentation improvements without explicit security context.
Diff
diff --git a/bedrock/latest/userguide/kb-permissions.md index cef8ce858..7d4475ef4 100644 --- a/bedrock/latest/userguide/kb-permissions.md +++ b/bedrock/latest/userguide/kb-permissions.md @@ -5 +5 @@ -Trust relationshipPermissions to access Amazon Bedrock modelsPermissions to access your data sourcesPermissions to chat with your document(Optional) Permissions to access your Amazon Kendra GenAI index(Optional) Permissions to access your vector database in Amazon OpenSearch Service(Optional) Permissions to access your Amazon Aurora database cluster(Optional) Permissions to access a vector database configured with an AWS Secrets Manager secret(Optional) Permissions for AWS to manage a AWS KMS key for transient data storage during data ingestion(Optional) Permissions for AWS to manage a data sources from another user's AWS account. +Trust relationshipPermissions to access Amazon Bedrock modelsPermissions to access your data sourcesPermissions to chat with your documentPermissions to access your Amazon Kendra GenAI indexPermissions to access your vector database in Amazon OpenSearch ServerlessPermissions to access your Amazon Aurora database clusterPermissions to access your vector database in Amazon Neptune AnalyticsPermissions to access a vector database configured with an AWS Secrets Manager secretPermissions for AWS to manage a AWS KMS key for transient data storage during data ingestionPermissions for AWS to manage a data sources from another user's AWS account. @@ -10,0 +11,4 @@ To use a custom role for a knowledge base instead of the one Amazon Bedrock auto +###### Note + +A policy cannot be shared between multiple roles when the service role is used. + @@ -48 +52 @@ To use a custom role for a knowledge base instead of the one Amazon Bedrock auto - * (Optional) Permissions to access your Amazon Kendra GenAI index + * Permissions to access your Amazon Kendra GenAI index @@ -50 +54 @@ To use a custom role for a knowledge base instead of the one Amazon Bedrock auto - * (Optional) Permissions to access your vector database in Amazon OpenSearch Service + * Permissions to access your vector database in Amazon OpenSearch Serverless @@ -52 +56 @@ To use a custom role for a knowledge base instead of the one Amazon Bedrock auto - * (Optional) Permissions to access your Amazon Aurora database cluster + * Permissions to access your Amazon Aurora database cluster @@ -54 +58 @@ To use a custom role for a knowledge base instead of the one Amazon Bedrock auto - * (Optional) Permissions to access a vector database configured with an AWS Secrets Manager secret + * Permissions to access your vector database in Amazon Neptune Analytics @@ -56 +60 @@ To use a custom role for a knowledge base instead of the one Amazon Bedrock auto - * (Optional) Permissions for AWS to manage a AWS KMS key for transient data storage during data ingestion + * Permissions to access a vector database configured with an AWS Secrets Manager secret @@ -58 +62,3 @@ To use a custom role for a knowledge base instead of the one Amazon Bedrock auto - * (Optional) Permissions for AWS to manage a data sources from another user's AWS account. + * Permissions for AWS to manage a AWS KMS key for transient data storage during data ingestion + + * Permissions for AWS to manage a data sources from another user's AWS account. @@ -370 +376 @@ If you want both chat with your document and use `RetrieveAndGenerate` on a spec -## (Optional) Permissions to access your Amazon Kendra GenAI index +## Permissions to access your Amazon Kendra GenAI index @@ -389 +395 @@ If you created an Amazon Kendra GenAI index for your knowledge base, then attach -## (Optional) Permissions to access your vector database in Amazon OpenSearch Service +## Permissions to access your vector database in Amazon OpenSearch Serverless @@ -391 +397 @@ If you created an Amazon Kendra GenAI index for your knowledge base, then attach -If you created a vector database in Amazon OpenSearch Service for your knowledge base, attach the following policy to your Amazon Bedrock Knowledge Bases service role to allow access to the collection. Replace `${Region}` and `${AccountId}` with the region and account ID to which the database belongs. Input the ID of your Amazon OpenSearch Service collection in `${CollectionId}`. You can allow access to multiple collections by adding them to the `Resource` list. +If you created a vector database in OpenSearch Serverless for your knowledge base, attach the following policy to your Amazon Bedrock Knowledge Bases service role to allow access to the collection. Replace `${Region}` and `${AccountId}` with the region and account ID to which the database belongs. Input the ID of your Amazon OpenSearch Service collection in `${CollectionId}`. You can allow access to multiple collections by adding them to the `Resource` list. @@ -407 +413 @@ If you created a vector database in Amazon OpenSearch Service for your knowledge -## (Optional) Permissions to access your Amazon Aurora database cluster +## Permissions to access your Amazon Aurora database cluster @@ -438 +444,24 @@ If you created a database (DB) cluster in Amazon Aurora for your knowledge base, -## (Optional) Permissions to access a vector database configured with an AWS Secrets Manager secret +## Permissions to access your vector database in Amazon Neptune Analytics + +If you created an Amazon Neptune Analytics graph for your knowledge base, attach the following policy to your Amazon Bedrock Knowledge Bases service role to allow access to the graph. In the policy, replace `${Region}` and `${AccountId}` with the region and account ID to which the database belongs. Replace `${GraphId}` with the values for your graph database. + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "NeptuneAnalyticsAccess", + "Effect": "Allow", + "Action": [ + "neptune-graph:GetGraph", + "neptune-graph:ReadDataViaQuery", + "neptune-graph:WriteDataViaQuery", + "neptune-graph:DeleteDataViaQuery" + ], + "Resource": [ + "arn:aws:neptune-graph:${Region}:${AccountId}:graph/${GraphId}" + ] + }] + } + +## Permissions to access a vector database configured with an AWS Secrets Manager secret @@ -458 +487 @@ If you encrypted your secret with a AWS KMS key, attach permissions to decrypt t -## (Optional) Permissions for AWS to manage a AWS KMS key for transient data storage during data ingestion +## Permissions for AWS to manage a AWS KMS key for transient data storage during data ingestion @@ -479 +508 @@ To allow the creation of a AWS KMS key for transient data storage in the process -## (Optional) Permissions for AWS to manage a data sources from another user's AWS account. +## Permissions for AWS to manage a data sources from another user's AWS account.