AWS Security ChangesHomeSearch

AWS bedrock-agentcore medium security documentation change

Service: bedrock-agentcore · 2025-08-01 · Security-related medium

File: bedrock-agentcore/latest/devguide/storage-encryption.md

Summary

Modified KMS policy example to use specific account ID and region in resource ARN

Security assessment

Changed from wildcard account ID ('*') to specific account ID ('123456789012') and concrete region in KMS policy, demonstrating security best practice of least privilege. This prevents potential cross-account access and restricts encryption operations to specific regional endpoints.

Diff

diff --git a/bedrock-agentcore/latest/devguide/storage-encryption.md b/bedrock-agentcore/latest/devguide/storage-encryption.md
index 726684624..061bc0325 100644
--- a//bedrock-agentcore/latest/devguide/storage-encryption.md
+++ b//bedrock-agentcore/latest/devguide/storage-encryption.md
@@ -24 +24 @@ When setting up AgentCore Memory using `CreateMemory` operation, it is important
-          "Resource": "arn:aws:kms:*:${aws:AccountId}:key/*",
+          "Resource": "arn:aws:kms:*:123456789012:key/*",
@@ -27 +27 @@ When setting up AgentCore Memory using `CreateMemory` operation, it is important
-                    “kms:ViaService”: “bedrock-agentcore.{$region}.amazonaws.com”
+              "kms:ViaService": "bedrock-agentcore.us-east-1.amazonaws.com"