AWS bedrock high security documentation change
Summary
Removed AWS KMS policy conditions enforcing source account and ARN checks
Security assessment
Removal of 'aws:SourceArn' and 'aws:SourceAccount' conditions weakens protection against confused deputy problems by eliminating cross-account and resource boundary enforcement. This could allow unauthorized access if other security controls are insufficient.
Diff
diff --git a/bedrock/latest/userguide/guardrails-permissions-kms.md b/bedrock/latest/userguide/guardrails-permissions-kms.md index befa865d0..556c36ae8 100644 --- a//bedrock/latest/userguide/guardrails-permissions-kms.md +++ b//bedrock/latest/userguide/guardrails-permissions-kms.md @@ -9 +9 @@ You encrypt your guardrails with customer managed AWS KMS keys. Any user with `C -After you create your key, configure the following permission policies. To prevent the [confused deputy problem](./cross-service-confused-deputy-prevention.html), each policy includes the [`aws:SourceArn`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourcearn) and [`aws:SourceAccount`](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceaccount) global condition context keys. +After you create your key, configure the following permission policies. @@ -33,9 +33 @@ After you create your key, configure the following permission policies. To preve - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:SourceAccount": "account-id" - }, - "ArnEquals": { - "aws:SourceArn": "arn:aws:bedrock:region:account-id:guardrail/guardrail-id" - } - } + "Resource": "*" @@ -50,9 +42 @@ After you create your key, configure the following permission policies. To preve - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:SourceAccount": "account-id" - }, - "ArnEquals": { - "aws:SourceArn": "arn:aws:bedrock:region:account-id:guardrail/guardrail-id" - } - } + "Resource": "*" @@ -76,9 +60 @@ After you create your key, configure the following permission policies. To preve - "Resource": "arn:aws:kms:region:account-id:key/key-id", - "Condition": { - "StringEquals": { - "aws:SourceAccount": "account-id" - }, - "ArnEquals": { - "aws:SourceArn": "arn:aws:bedrock:region:account-id:guardrail/guardrail-id" - } - } + "Resource": "arn:aws:kms:region:account-id:key/key-id" @@ -98,9 +74 @@ After you create your key, configure the following permission policies. To preve - "Resource": "arn:aws:kms:region:account-id:key/key-id", - "Condition": { - "StringEquals": { - "aws:SourceAccount": "account-id" - }, - "ArnEquals": { - "aws:SourceArn": "arn:aws:bedrock:region:account-id:guardrail/guardrail-id" - } - } + "Resource": "arn:aws:kms:region:account-id:key/key-id"