AWS bedrock-agentcore medium security documentation change
Summary
Modified KMS policy example to use specific account ID and region in resource ARN
Security assessment
Changed from wildcard account ID ('*') to specific account ID ('123456789012') and concrete region in KMS policy, demonstrating security best practice of least privilege. This prevents potential cross-account access and restricts encryption operations to specific regional endpoints.
Diff
diff --git a/bedrock-agentcore/latest/devguide/storage-encryption.md b/bedrock-agentcore/latest/devguide/storage-encryption.md index 726684624..061bc0325 100644 --- a//bedrock-agentcore/latest/devguide/storage-encryption.md +++ b//bedrock-agentcore/latest/devguide/storage-encryption.md @@ -24 +24 @@ When setting up AgentCore Memory using `CreateMemory` operation, it is important - "Resource": "arn:aws:kms:*:${aws:AccountId}:key/*", + "Resource": "arn:aws:kms:*:123456789012:key/*", @@ -27 +27 @@ When setting up AgentCore Memory using `CreateMemory` operation, it is important - “kms:ViaService”: “bedrock-agentcore.{$region}.amazonaws.com” + "kms:ViaService": "bedrock-agentcore.us-east-1.amazonaws.com"