AWS Security ChangesHomeSearch

AWS bedrock medium security documentation change

Service: bedrock · 2025-08-01 · Security-related medium

File: bedrock/latest/userguide/model-evaluation-security-kms.md

Summary

Replaced StringLike with ArnLike and updated ARNs to use specific account ID

Security assessment

Using ArnLike ensures proper ARN validation for KMS policies, preventing misconfigurations. Specific account ID in ARNs restricts encryption context to intended resources.

Diff

diff --git a/bedrock/latest/userguide/model-evaluation-security-kms.md b/bedrock/latest/userguide/model-evaluation-security-kms.md
index 97170cd27..0e7c5f87f 100644
--- a//bedrock/latest/userguide/model-evaluation-security-kms.md
+++ b//bedrock/latest/userguide/model-evaluation-security-kms.md
@@ -78,3 +78,3 @@ JSON
-                    "StringLike": {
-                        "kms:EncryptionContext:evaluationJobArn": "arn:aws:bedrock:{{region}}:{{accountId}}:evaluation-job/*",
-                        "aws:SourceArn": "arn:aws:bedrock:{{region}}:{{accountId}}:evaluation-job/*"
+                    "ArnLike": {
+                        "kms:EncryptionContext:evaluationJobArn": "arn:aws:bedrock:us-east-1:123456789012:evaluation-job/*",
+                        "aws:SourceArn": "arn:aws:bedrock:us-east-1:123456789012:evaluation-job/*"
@@ -134 +134 @@ JSON
-                    "arn:aws:kms:us-east-1:account-id:key/keyYouUse"
+                    "arn:aws:kms:us-east-1:123456789012:key/keyYouUse"