AWS Security ChangesHomeSearch

AWS bedrock documentation change

Service: bedrock · 2025-03-23 · Documentation medium

File: bedrock/latest/userguide/kb-permissions.md

Summary

Added documentation for permissions to access vector databases in OpenSearch Managed Clusters, including required IAM policy configuration

Security assessment

The change adds guidance for configuring IAM permissions to access OpenSearch Managed Clusters, which is a security-related configuration but does not address a specific vulnerability or incident.

Diff

diff --git a/bedrock/latest/userguide/kb-permissions.md b/bedrock/latest/userguide/kb-permissions.md
index 7d4475ef4..b3e98c084 100644
--- a/bedrock/latest/userguide/kb-permissions.md
+++ b/bedrock/latest/userguide/kb-permissions.md
@@ -5 +5 @@
-Trust relationshipPermissions to access Amazon Bedrock modelsPermissions to access your data sourcesPermissions to chat with your documentPermissions to access your Amazon Kendra GenAI indexPermissions to access your vector database in Amazon OpenSearch ServerlessPermissions to access your Amazon Aurora database clusterPermissions to access your vector database in Amazon Neptune AnalyticsPermissions to access a vector database configured with an AWS Secrets Manager secretPermissions for AWS to manage a AWS KMS key for transient data storage during data ingestionPermissions for AWS to manage a data sources from another user's AWS account.
+Trust relationshipPermissions to access Amazon Bedrock modelsPermissions to access your data sourcesPermissions to chat with your documentPermissions to access your Amazon Kendra GenAI indexPermissions to access your vector database in Amazon OpenSearch ServerlessPermissions to access your vector database in OpenSearch Managed ClustersPermissions to access your Amazon Aurora database clusterPermissions to access your vector database in Amazon Neptune AnalyticsPermissions to access a vector database configured with an AWS Secrets Manager secretPermissions for AWS to manage a AWS KMS key for transient data storage during data ingestionPermissions for AWS to manage a data sources from another user's AWS account.
@@ -55,0 +56,2 @@ A policy cannot be shared between multiple roles when the service role is used.
+  * Permissions to access your vector database in OpenSearch Managed Clusters
+
@@ -412,0 +415,31 @@ If you created a vector database in OpenSearch Serverless for your knowledge bas
+## Permissions to access your vector database in OpenSearch Managed Clusters
+
+If you created a vector database in OpenSearch Managed Cluster for your knowledge base, attach the following policy to your Amazon Bedrock Knowledge Bases service role to allow access to the domain. Replace `<region>` and `<accountId>` with the region and account ID to which the database belongs. You can allow access to multiple domains by adding them to the `Resource` list. For more information about configuring permissions, see [Prerequisites and permissions required for using OpenSearch Managed Clusters with Amazon Bedrock Knowledge Bases](./kb-osm-permissions-prereq.html).
+    
+    
+    {
+        "Version": "2012-10-17",
+        "Statement": [{
+            "Effect": "Allow",        
+            "Action": [
+                "es:ESHttpGet", 
+                "es:ESHttpPost", 
+                "es:ESHttpPut", 
+                "es:ESHttpDelete" 
+            ],
+            "Resource": [
+                "arn:<partition>:es:<region>:<accountId>:domain/<domainName>/<indexName>"
+            ]       
+        }, 
+        {
+            "Effect": "Allow"        
+            },
+            "Action": [
+                "es:DescribeDomain" 
+            ],
+            "Resource": [
+                "arn:<partition>:es:<region>:<accountId>:domain/<domainName>"
+            ]       
+        ]
+    }
+