AWS Security ChangesHomeSearch

AWS bedrock medium security documentation change

Service: bedrock · 2025-08-10 · Security-related medium

File: bedrock/latest/userguide/model-evaluation-security-kms.md

Summary

Modified KMS key policy to add DescribeKey permission with conditions and restructure decrypt permissions

Security assessment

Adds granular KMS permissions (DescribeKey with ARN conditions) to enforce least privilege. Fixes potential misconfiguration by scoping permissions to specific evaluation jobs, addressing a security best practice.

Diff

diff --git a/bedrock/latest/userguide/model-evaluation-security-kms.md b/bedrock/latest/userguide/model-evaluation-security-kms.md
index 0e7c5f87f..076a4a667 100644
--- a//bedrock/latest/userguide/model-evaluation-security-kms.md
+++ b//bedrock/latest/userguide/model-evaluation-security-kms.md
@@ -66,0 +67 @@ JSON
+                "Sid": "BedrockDataKeyAndDecrypt",
@@ -73,2 +74 @@ JSON
-                    "kms:Decrypt",
-                    "kms:DescribeKey"
+                    "kms:Decrypt"
@@ -82,0 +83,14 @@ JSON
+            },
+            {
+                "Sid": "BedrockDescribeKey",
+                "Effect": "Allow",
+                "Principal": {
+                    "Service": "bedrock.amazonaws.com"
+                },
+                "Action": "kms:DescribeKey",
+                "Resource": "*",
+                "Condition": {
+                    "ArnLike": {
+                        "aws:SourceArn": "arn:aws:bedrock:us-east-1:123456789012:evaluation-job/*"
+                    }
+                }