AWS bedrock medium security documentation change
Summary
Added JSON formatting markers and modified a resource ARN pattern from including a specific account ID to a wildcard (::)
Security assessment
The ARN change from 'arn:aws:bedrock:aws-region:111122223333:provisioned-model/${my-provisioned-model}' to 'arn:aws:bedrock:aws-region::provisioned-model/${my-provisioned-model}' removes account specificity, potentially allowing cross-account access if deployed without proper context. This could lead to unintended resource exposure if users copy this policy without understanding the wildcard implications.
Diff
diff --git a/bedrock/latest/userguide/security_iam_id-based-policy-examples.md b/bedrock/latest/userguide/security_iam_id-based-policy-examples.md index b3f9e27ec..3536e51fa 100644 --- a//bedrock/latest/userguide/security_iam_id-based-policy-examples.md +++ b//bedrock/latest/userguide/security_iam_id-based-policy-examples.md @@ -110,0 +111,6 @@ The following example shows an identity-based policy to allow a role to subscrib +JSON + + +**** + + @@ -165,0 +173,6 @@ To prevent a user from invoking foundation models, you need to deny access to AP +JSON + + +**** + + @@ -186,0 +201,6 @@ The following is a sample policy that you can attach to an IAM role to allow it +JSON + + +**** + + @@ -198 +218 @@ The following is a sample policy that you can attach to an IAM role to allow it - "Resource": "arn:aws:bedrock:aws-region:111122223333:provisioned-model/${my-provisioned-model}" + "Resource": "arn:aws:bedrock:aws-region::provisioned-model/${my-provisioned-model}"