AWS Security ChangesHomeSearch

AWS bedrock high security documentation change

Service: bedrock · 2025-06-28 · Security-related high

File: bedrock/latest/userguide/guardrails-permissions-kms.md

Summary

Removed AWS KMS policy conditions enforcing source account and ARN checks

Security assessment

Removal of 'aws:SourceArn' and 'aws:SourceAccount' conditions weakens protection against confused deputy problems by eliminating cross-account and resource boundary enforcement. This could allow unauthorized access if other security controls are insufficient.

Diff

diff --git a/bedrock/latest/userguide/guardrails-permissions-kms.md b/bedrock/latest/userguide/guardrails-permissions-kms.md
index befa865d0..556c36ae8 100644
--- a//bedrock/latest/userguide/guardrails-permissions-kms.md
+++ b//bedrock/latest/userguide/guardrails-permissions-kms.md
@@ -9 +9 @@ You encrypt your guardrails with customer managed AWS KMS keys. Any user with `C
-After you create your key, configure the following permission policies. To prevent the [confused deputy problem](./cross-service-confused-deputy-prevention.html), each policy includes the [`aws:SourceArn`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) and [`aws:SourceAccount`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition context keys.
+After you create your key, configure the following permission policies.
@@ -33,9 +33 @@ After you create your key, configure the following permission policies. To preve
-                    "Resource": "*",
-                    "Condition": {
-                       "StringEquals": {
-                           "aws:SourceAccount": "account-id"
-                       },
-                       "ArnEquals": {
-                           "aws:SourceArn": "arn:aws:bedrock:region:account-id:guardrail/guardrail-id"
-                       }
-                   }
+                    "Resource": "*"
@@ -50,9 +42 @@ After you create your key, configure the following permission policies. To preve
-                    "Resource": "*",
-                    "Condition": {
-                        "StringEquals": {
-                            "aws:SourceAccount": "account-id"
-                        },
-                        "ArnEquals": {
-                            "aws:SourceArn": "arn:aws:bedrock:region:account-id:guardrail/guardrail-id"
-                        }
-                    }
+                    "Resource": "*"
@@ -76,9 +60 @@ After you create your key, configure the following permission policies. To preve
-            "Resource": "arn:aws:kms:region:account-id:key/key-id",
-            "Condition": {
-                "StringEquals": {
-                    "aws:SourceAccount": "account-id"
-                },
-                "ArnEquals": {
-                    "aws:SourceArn": "arn:aws:bedrock:region:account-id:guardrail/guardrail-id"
-                }
-            }
+            "Resource": "arn:aws:kms:region:account-id:key/key-id"
@@ -98,9 +74 @@ After you create your key, configure the following permission policies. To preve
-            "Resource": "arn:aws:kms:region:account-id:key/key-id",
-            "Condition": {
-                "StringEquals": {
-                    "aws:SourceAccount": "account-id"
-                },
-                "ArnEquals": {
-                    "aws:SourceArn": "arn:aws:bedrock:region:account-id:guardrail/guardrail-id"
-                }
-            }
+            "Resource": "arn:aws:kms:region:account-id:key/key-id"