AWS bedrock medium security documentation change
Summary
Replaced StringLike with ArnLike and updated ARNs to use specific account ID
Security assessment
Using ArnLike ensures proper ARN validation for KMS policies, preventing misconfigurations. Specific account ID in ARNs restricts encryption context to intended resources.
Diff
diff --git a/bedrock/latest/userguide/model-evaluation-security-kms.md b/bedrock/latest/userguide/model-evaluation-security-kms.md index 97170cd27..0e7c5f87f 100644 --- a//bedrock/latest/userguide/model-evaluation-security-kms.md +++ b//bedrock/latest/userguide/model-evaluation-security-kms.md @@ -78,3 +78,3 @@ JSON - "StringLike": { - "kms:EncryptionContext:evaluationJobArn": "arn:aws:bedrock:{{region}}:{{accountId}}:evaluation-job/*", - "aws:SourceArn": "arn:aws:bedrock:{{region}}:{{accountId}}:evaluation-job/*" + "ArnLike": { + "kms:EncryptionContext:evaluationJobArn": "arn:aws:bedrock:us-east-1:123456789012:evaluation-job/*", + "aws:SourceArn": "arn:aws:bedrock:us-east-1:123456789012:evaluation-job/*" @@ -134 +134 @@ JSON - "arn:aws:kms:us-east-1:account-id:key/keyYouUse" + "arn:aws:kms:us-east-1:123456789012:key/keyYouUse"