AWS bedrock high security documentation change
Summary
Added confused deputy prevention controls using aws:SourceArn and aws:SourceAccount conditions in KMS key policies
Security assessment
Explicitly addresses confused deputy problem by adding granular resource conditions, which prevents cross-account privilege escalation through KMS key misuse. The change adds specific ARN and account validation in IAM policies.
Diff
diff --git a/bedrock/latest/userguide/guardrails-permissions-kms.md b/bedrock/latest/userguide/guardrails-permissions-kms.md index fc4c45970..6c1e7ebbe 100644 --- a//bedrock/latest/userguide/guardrails-permissions-kms.md +++ b//bedrock/latest/userguide/guardrails-permissions-kms.md @@ -9 +9 @@ You encrypt your guardrails with customer managed AWS KMS keys. Any user with `C -After you create your key, configure the following permission policies. +After you create your key, configure the following permission policies. To prevent the [confused deputy problem](./cross-service-confused-deputy-prevention.html), each policy includes the [`aws:SourceArn`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) and [`aws:SourceAccount`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition context keys. @@ -19 +19 @@ After you create your key, configure the following permission policies. - "Id": "KMS Key Policy", + "Id": "KMS key policy", @@ -33 +33,9 @@ After you create your key, configure the following permission policies. - "Resource": "*" + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "account-id" + }, + "ArnEquals": { + "aws:SourceArn": "arn:aws:bedrock:region:account-id:guardrail/guardrail-id" + } + } @@ -42 +50,9 @@ After you create your key, configure the following permission policies. - "Resource": "*" + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "account-id" + }, + "ArnEquals": { + "aws:SourceArn": "arn:aws:bedrock:region:account-id:guardrail/guardrail-id" + } + } @@ -51,2 +67 @@ After you create your key, configure the following permission policies. - "Statement": [ - { + "Statement": [{ @@ -61 +76,7 @@ After you create your key, configure the following permission policies. - "Resource": "arn:aws:kms:region:account-id:key/key-id" + "Resource": "arn:aws:kms:region:account-id:key/key-id", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "account-id" + }, + "ArnEquals": { + "aws:SourceArn": "arn:aws:bedrock:region:account-id:guardrail/guardrail-id" @@ -63 +84,2 @@ After you create your key, configure the following permission policies. - ] + } + }] @@ -70,2 +92 @@ After you create your key, configure the following permission policies. - "Statement": [ - { + "Statement": [{ @@ -77 +98,7 @@ After you create your key, configure the following permission policies. - "Resource": "arn:aws:kms:region:account-id:key/key-id" + "Resource": "arn:aws:kms:region:account-id:key/key-id", + "Condition": { + "StringEquals": { + "aws:SourceAccount": "account-id" + }, + "ArnEquals": { + "aws:SourceArn": "arn:aws:bedrock:region:account-id:guardrail/guardrail-id" @@ -79 +106,2 @@ After you create your key, configure the following permission policies. - ] + } + }]