AWS Security ChangesHomeSearch

AWS bedrock medium security documentation change

Service: bedrock · 2025-05-16 · Security-related medium

File: bedrock/latest/userguide/security-iam-awsmanpol.md

Summary

Removed sagemaker:DescribeInferenceComponent and sagemaker:ListEndpoints permissions from AmazonBedrockFullAccess policy definition and associated changelog entry.

Security assessment

Removing unnecessary SageMaker permissions from the managed policy reduces over-privileged access, directly addressing potential privilege escalation risks. This change implements the principle of least privilege, which is a security best practice to minimize attack surface.

Diff

diff --git a/bedrock/latest/userguide/security-iam-awsmanpol.md b/bedrock/latest/userguide/security-iam-awsmanpol.md
index cfaeb3fdd..c8d8230ab 100644
--- a//bedrock/latest/userguide/security-iam-awsmanpol.md
+++ b//bedrock/latest/userguide/security-iam-awsmanpol.md
@@ -165,2 +164,0 @@ This policy includes the following permissions:
-    				"sagemaker:DescribeInferenceComponent",
-    				"sagemaker:ListEndpoints",
@@ -321 +318,0 @@ Change | Description | Date
-AmazonBedrockFullAccess – Updated policy |  Amazon Bedrock updated the AmazonBedrockFullAccess managed policy to include permissions for `sagemaker:DescribeInferenceComponent` and `sagemaker:ListEndpoints`. | May 12th, 2025