AWS bedrock medium security documentation change
Summary
Added step 6 with KMS decryption permissions requirement for encrypted data sources
Security assessment
Explicitly addresses encryption key management by requiring kms:Decrypt permissions for encrypted data sources. This change documents security controls for data protection and prevents unauthorized access to encrypted resources.
Diff
diff --git a/bedrock/latest/userguide/knowledge-base-prereq-structured.md b/bedrock/latest/userguide/knowledge-base-prereq-structured.md index fc11cfe51..ffee938c1 100644 --- a//bedrock/latest/userguide/knowledge-base-prereq-structured.md +++ b//bedrock/latest/userguide/knowledge-base-prereq-structured.md @@ -375 +375 @@ Don't grant `CREATE`, `UPDATE`, or `DELETE` access. Granting these actions can l - 5. Depending on the data source you use in AWS Glue Data Catalog, you might need to also add permissions to access that data source (for more information, see [AWS Glue dependency on other AWS services](https://docs.aws.amazon.com/glue/latest/dg/dependency-on-other-services.html)). For example, if your data source is in an Amazon S3 location, you'll need to add the following statement to the policy above. + 5. Depending on the data source you use in AWS Glue Data Catalog, you might need to add permissions to access that data source (for more information, see [AWS Glue dependency on other AWS services](https://docs.aws.amazon.com/glue/latest/dg/dependency-on-other-services.html)). For example, if your data source is in an Amazon S3 location, you'll need to add the following statement to the policy above. @@ -389,0 +390,13 @@ Don't grant `CREATE`, `UPDATE`, or `DELETE` access. Granting these actions can l + 6. (Optional) If you use AWS KMS to encrypt the data in Amazon S3 or AWS Glue Data Catalog, then you need to add permissions to the role to decrypt the data on the KMS key. + + { + "Action": [ + "kms:Decrypt" + ], + "Resource": [ + "arn:aws:kms:${Region}:${Account}:key/{KmsId}", + "arn:aws:kms:${Region}:${Account}:key/{KmsId}" + ], + "Effect": "Allow" + } +