AWS Security ChangesHomeSearch

AWS bedrock medium security documentation change

Service: bedrock · 2025-07-16 · Security-related medium

File: bedrock/latest/userguide/security_iam_id-based-policy-examples.md

Summary

Added JSON formatting markers and modified a resource ARN pattern from including a specific account ID to a wildcard (::)

Security assessment

The ARN change from 'arn:aws:bedrock:aws-region:111122223333:provisioned-model/${my-provisioned-model}' to 'arn:aws:bedrock:aws-region::provisioned-model/${my-provisioned-model}' removes account specificity, potentially allowing cross-account access if deployed without proper context. This could lead to unintended resource exposure if users copy this policy without understanding the wildcard implications.

Diff

diff --git a/bedrock/latest/userguide/security_iam_id-based-policy-examples.md b/bedrock/latest/userguide/security_iam_id-based-policy-examples.md
index b3f9e27ec..3536e51fa 100644
--- a//bedrock/latest/userguide/security_iam_id-based-policy-examples.md
+++ b//bedrock/latest/userguide/security_iam_id-based-policy-examples.md
@@ -110,0 +111,6 @@ The following example shows an identity-based policy to allow a role to subscrib
+JSON
+    
+
+****
+    
+    
@@ -165,0 +173,6 @@ To prevent a user from invoking foundation models, you need to deny access to AP
+JSON
+    
+
+****
+    
+    
@@ -186,0 +201,6 @@ The following is a sample policy that you can attach to an IAM role to allow it
+JSON
+    
+
+****
+    
+    
@@ -198 +218 @@ The following is a sample policy that you can attach to an IAM role to allow it
-                "Resource": "arn:aws:bedrock:aws-region:111122223333:provisioned-model/${my-provisioned-model}"
+                "Resource": "arn:aws:bedrock:aws-region::provisioned-model/${my-provisioned-model}"