AWS Security ChangesHomeSearch

AWS bedrock documentation change

Service: bedrock · 2025-07-16 · Documentation low

File: bedrock/latest/userguide/kb-permissions.md

Summary

Added documentation for Amazon S3 Vectors integration including required permissions policy and security notes about preview status

Security assessment

Added IAM policy requirements for S3 Vectors access and encryption context, but does not address a specific security vulnerability. Enhances security documentation by specifying granular permissions (s3vectors actions) and resource ARN patterns.

Diff

diff --git a/bedrock/latest/userguide/kb-permissions.md b/bedrock/latest/userguide/kb-permissions.md
index 062e4771d..ca73dca5c 100644
--- a//bedrock/latest/userguide/kb-permissions.md
+++ b//bedrock/latest/userguide/kb-permissions.md
@@ -5 +5 @@
-Trust relationshipPermissions to access Amazon Bedrock modelsPermissions to access your data sourcesPermissions to chat with your documentPermissions to access your Amazon Kendra GenAI indexPermissions to access your vector database in Amazon OpenSearch ServerlessPermissions to access your vector database in OpenSearch Managed ClustersPermissions to access your Amazon Aurora database clusterPermissions to access your vector database in Amazon Neptune AnalyticsPermissions to access a vector database configured with an AWS Secrets Manager secretPermissions for AWS to manage a AWS KMS key for transient data storage during data ingestionPermissions for AWS to manage a data sources from another user's AWS account.
+Trust relationshipPermissions to access Amazon Bedrock modelsPermissions to access your data sourcesPermissions to chat with your documentPermissions to access your Amazon Kendra GenAI indexPermissions to access your vector database in Amazon OpenSearch ServerlessPermissions to access your vector database in OpenSearch Managed ClustersPermissions to access your Amazon Aurora database clusterPermissions to access your vector database in Amazon Neptune AnalyticsPermissions to access your vector store in Amazon S3 VectorsPermissions to access a vector database configured with an AWS Secrets Manager secretPermissions for AWS to manage a AWS KMS key for transient data storage during data ingestionPermissions for AWS to manage a data sources from another user's AWS account.
@@ -61,0 +62,2 @@ A policy cannot be shared between multiple roles when the service role is used.
+  * Permissions to access your vector store in Amazon S3 Vectors
+
@@ -78,0 +81,6 @@ As a best practice for security purposes, replace the `*` with specific knowledg
+JSON
+    
+
+****
+    
+    
@@ -102,0 +112,6 @@ Attach the following policy to provide permissions for the role to use Amazon Be
+JSON
+    
+
+****
+    
+    
@@ -316,0 +333,6 @@ Attach the following policy to provide permissions for the role to use Amazon Be
+JSON
+    
+
+****
+    
+    
@@ -333,0 +357,6 @@ If you only want to grant a user access to chat with your document (and not to `
+JSON
+    
+
+****
+    
+    
@@ -400,0 +431,6 @@ If you created a vector database in OpenSearch Serverless for your knowledge bas
+JSON
+    
+
+****
+    
+    
@@ -453,0 +491,6 @@ If you created a database (DB) cluster in Amazon Aurora for your knowledge base,
+JSON
+    
+
+****
+    
+    
@@ -484,0 +529,6 @@ If you created an Amazon Neptune Analytics graph for your knowledge base, attach
+JSON
+    
+
+****
+    
+    
@@ -503,0 +554,30 @@ If you created an Amazon Neptune Analytics graph for your knowledge base, attach
+
+## Permissions to access your vector store in Amazon S3 Vectors
+
+If you choose to use Amazon S3 Vectors for your knowledge base, attach the following policy to your Amazon Bedrock Knowledge Bases service role to allow access to the vector index.
+
+###### Important
+
+The Amazon S3 Vectors integration with Amazon Bedrock Knowledge Bases is in preview release and is subject to change.
+
+In the policy, replace `${Region}` and `${AccountId}` with the Region and account ID to which the vector index belongs. Replace `${BucketName}` with the name of your S3 vector bucket and `${IndexName}` with the name of your vector index. For more information about Amazon S3 Vectors, see [Setting up to use Amazon S3 Vectors](https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-vectors-setting-up.html).
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "S3VectorBucketReadAndWritePermission",
+          "Effect": "Allow",
+          "Action": [
+            "s3vectors:PutVectors",
+            "s3vectors:GetVectors",
+            "s3vectors:DeleteVectors",
+            "s3vectors:QueryVectors",
+            "s3vectors:GetIndex"
+          ],
+          "Resource": "arn:aws:s3vectors:${Region}:${AccountId}:bucket/${BucketName}/index/${IndexName}"
+        }
+      ]
+    }
+
@@ -507,0 +588,6 @@ If your vector database is configured with an AWS Secrets Manager secret, attach
+JSON
+    
+
+****
+    
+    
@@ -527,0 +615,6 @@ To allow the creation of a AWS KMS key for transient data storage in the process
+JSON
+    
+
+****
+    
+    
@@ -612,0 +707,6 @@ The bucket in the other account requires the following Amazon S3 bucket policy.
+JSON
+    
+
+****
+    
+