AWS bedrock medium security documentation change
Summary
Removed sagemaker:DescribeInferenceComponent and sagemaker:ListEndpoints permissions from AmazonBedrockFullAccess policy definition and associated changelog entry.
Security assessment
Removing unnecessary SageMaker permissions from the managed policy reduces over-privileged access, directly addressing potential privilege escalation risks. This change implements the principle of least privilege, which is a security best practice to minimize attack surface.
Diff
diff --git a/bedrock/latest/userguide/security-iam-awsmanpol.md b/bedrock/latest/userguide/security-iam-awsmanpol.md index cfaeb3fdd..c8d8230ab 100644 --- a//bedrock/latest/userguide/security-iam-awsmanpol.md +++ b//bedrock/latest/userguide/security-iam-awsmanpol.md @@ -165,2 +164,0 @@ This policy includes the following permissions: - "sagemaker:DescribeInferenceComponent", - "sagemaker:ListEndpoints", @@ -321 +318,0 @@ Change | Description | Date -AmazonBedrockFullAccess – Updated policy | Amazon Bedrock updated the AmazonBedrockFullAccess managed policy to include permissions for `sagemaker:DescribeInferenceComponent` and `sagemaker:ListEndpoints`. | May 12th, 2025