AWS Security ChangesHomeSearch

AWS bedrock medium security documentation change

Service: bedrock · 2025-06-10 · Security-related medium

File: bedrock/latest/userguide/guardrails-permissions-kms.md

Summary

Updated KMS key configuration documentation with clarified encryption requirements, restructured policy setup steps, and corrected policy statement syntax

Security assessment

The change fixes a critical JSON syntax error in the example key policy by adding a missing closing bracket (line 44), which could have led to policy misconfiguration and encryption failures. It also strengthens security documentation by explicitly stating guardrails encryption requirements and providing more detailed KMS permission guidance.

Diff

diff --git a/bedrock/latest/userguide/guardrails-permissions-kms.md b/bedrock/latest/userguide/guardrails-permissions-kms.md
index 20cbb8123..fc4c45970 100644
--- a//bedrock/latest/userguide/guardrails-permissions-kms.md
+++ b//bedrock/latest/userguide/guardrails-permissions-kms.md
@@ -7 +7 @@
-Any user with `CreateKey` permissions can create customer managed keys using either the AWS Key Management Service (AWS KMS) console or the [CreateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html) operation. Make sure to create a symmetric encryption key. After you create your key, set up the following permissions.
+You encrypt your guardrails with customer managed AWS KMS keys. Any user with `CreateKey` permissions can create customer managed keys by using the AWS Key Management Service (AWS KMS) console or [CreateKey](https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateKey.html) operation. In these situations, make sure to create a symmetric encryption key. 
@@ -9 +9,7 @@ Any user with `CreateKey` permissions can create customer managed keys using eit
-  1. Follow the steps at [Creating a key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html) to create a resource-based policy for your KMS key. Add the following policy statements to grant permissions to guardrails users and guardrails creators. Replace each ``role`` with the role that you want to allow to carry out the specified actions.
+After you create your key, configure the following permission policies.
+
+  1. Do the following to create a resource-based key policy:
+
+    1. [Create a key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-overview.html) to create a resource-based policy for your KMS key.
+
+    2. Add the following policy statements to grant permissions to guardrails users and guardrails creators. Replace each ``role`` with the role that you want to allow to carry out the specified actions.
@@ -30 +36 @@ Any user with `CreateKey` permissions can create customer managed keys using eit
-                "Sid": "PermissionsForGuardrailsUusers",
+                    "Sid": "PermissionsForGuardrailsUsers",
@@ -37,0 +44 @@ Any user with `CreateKey` permissions can create customer managed keys using eit
+            ]
@@ -46 +53 @@ Any user with `CreateKey` permissions can create customer managed keys using eit
-             "Sid": "Allow role to create and manage guardrails",
+             "Sid": "AllowRoleToCreateAndManageGuardrails",
@@ -51 +58 @@ Any user with `CreateKey` permissions can create customer managed keys using eit
-                "kms:GenerateDataKey" 
+                "kms:GenerateDataKey", 
@@ -65 +72 @@ Any user with `CreateKey` permissions can create customer managed keys using eit
-                "Sid": "Allow role to use an encrypted guardrail during model inference",
+                "Sid": "AllowRoleToUseEncryptedGuardrailDuringInference",
@@ -68 +75 @@ Any user with `CreateKey` permissions can create customer managed keys using eit
-                    "kms:Decrypt",
+                    "kms:Decrypt"