AWS Security ChangesHomeSearch

AWS bedrock high security documentation change

Service: bedrock · 2025-06-22 · Security-related high

File: bedrock/latest/userguide/guardrails-permissions-kms.md

Summary

Added confused deputy prevention controls using aws:SourceArn and aws:SourceAccount conditions in KMS key policies

Security assessment

Explicitly addresses confused deputy problem by adding granular resource conditions, which prevents cross-account privilege escalation through KMS key misuse. The change adds specific ARN and account validation in IAM policies.

Diff

diff --git a/bedrock/latest/userguide/guardrails-permissions-kms.md b/bedrock/latest/userguide/guardrails-permissions-kms.md
index fc4c45970..6c1e7ebbe 100644
--- a//bedrock/latest/userguide/guardrails-permissions-kms.md
+++ b//bedrock/latest/userguide/guardrails-permissions-kms.md
@@ -9 +9 @@ You encrypt your guardrails with customer managed AWS KMS keys. Any user with `C
-After you create your key, configure the following permission policies.
+After you create your key, configure the following permission policies. To prevent the [confused deputy problem](./cross-service-confused-deputy-prevention.html), each policy includes the [`aws:SourceArn`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) and [`aws:SourceAccount`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition context keys.
@@ -19 +19 @@ After you create your key, configure the following permission policies.
-            "Id": "KMS Key Policy",
+            "Id": "KMS key policy",
@@ -33 +33,9 @@ After you create your key, configure the following permission policies.
-                    "Resource": "*"
+                    "Resource": "*",
+                    "Condition": {
+                       "StringEquals": {
+                           "aws:SourceAccount": "account-id"
+                       },
+                       "ArnEquals": {
+                           "aws:SourceArn": "arn:aws:bedrock:region:account-id:guardrail/guardrail-id"
+                       }
+                   }
@@ -42 +50,9 @@ After you create your key, configure the following permission policies.
-                    "Resource": "*"
+                    "Resource": "*",
+                    "Condition": {
+                        "StringEquals": {
+                            "aws:SourceAccount": "account-id"
+                        },
+                        "ArnEquals": {
+                            "aws:SourceArn": "arn:aws:bedrock:region:account-id:guardrail/guardrail-id"
+                        }
+                    }
@@ -51,2 +67 @@ After you create your key, configure the following permission policies.
-        "Statement": [
-            {
+        "Statement": [{
@@ -61 +76,7 @@ After you create your key, configure the following permission policies.
-             "Resource": "arn:aws:kms:region:account-id:key/key-id"
+            "Resource": "arn:aws:kms:region:account-id:key/key-id",
+            "Condition": {
+                "StringEquals": {
+                    "aws:SourceAccount": "account-id"
+                },
+                "ArnEquals": {
+                    "aws:SourceArn": "arn:aws:bedrock:region:account-id:guardrail/guardrail-id"
@@ -63 +84,2 @@ After you create your key, configure the following permission policies.
-        ]
+            }
+        }]
@@ -70,2 +92 @@ After you create your key, configure the following permission policies.
-        "Statement": [
-            {
+        "Statement": [{
@@ -77 +98,7 @@ After you create your key, configure the following permission policies.
-                "Resource": "arn:aws:kms:region:account-id:key/key-id"
+            "Resource": "arn:aws:kms:region:account-id:key/key-id",
+            "Condition": {
+                "StringEquals": {
+                    "aws:SourceAccount": "account-id"
+                },
+                "ArnEquals": {
+                    "aws:SourceArn": "arn:aws:bedrock:region:account-id:guardrail/guardrail-id"
@@ -79 +106,2 @@ After you create your key, configure the following permission policies.
-        ]
+            }
+        }]