AWS Security ChangesHomeSearch

AWS bedrock documentation change

Service: bedrock · 2025-06-22 · Documentation medium

File: bedrock/latest/userguide/encryption-flows.md

Summary

Added a KMS policy example for flow executions to enforce encryption context and service role permissions

Security assessment

The change documents how to configure encryption with KMS keys for Bedrock flows, which is a security feature. However, there is no evidence of addressing a specific security vulnerability.

Diff

diff --git a/bedrock/latest/userguide/encryption-flows.md b/bedrock/latest/userguide/encryption-flows.md
index 79ebe770e..e00504810 100644
--- a//bedrock/latest/userguide/encryption-flows.md
+++ b//bedrock/latest/userguide/encryption-flows.md
@@ -70,0 +71,23 @@ If you encrypt data with a custom KMS key, you must set up the following identit
+  3. For [flow executions](./flows-create-async.html), attach the following identity-based policy to a [service role with permissions to create and manage flows](./flows-permissions.html). This policy validates that the your service role has AWS KMS permissions. Replace the `region`, `account-id`, `flow-id`, and `key-id` with the appropriate values.
+    
+        {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "Allow data encryption and decryption with flow executions in Amazon Bedrock.",
+                "Effect": "Allow",
+                "Action": [
+                    "kms:GenerateDataKey",
+                    "kms:Decrypt"
+                ],
+                "Resource": "arn:aws:kms:region:account-id:key/key-id",
+                "Condition": {
+                    "StringEquals": {
+                        "kms:EncryptionContext:aws:bedrock-flows:arn": "arn:aws:bedrock:region:account-id:flow/flow-id",
+                        "kms:ViaService": "bedrock.region.amazonaws.com"
+                    }
+                }
+            }
+        ]
+    }
+