AWS bedrock medium security documentation change
Summary
Modified KMS key policy to add DescribeKey permission with conditions and restructure decrypt permissions
Security assessment
Adds granular KMS permissions (DescribeKey with ARN conditions) to enforce least privilege. Fixes potential misconfiguration by scoping permissions to specific evaluation jobs, addressing a security best practice.
Diff
diff --git a/bedrock/latest/userguide/model-evaluation-security-kms.md b/bedrock/latest/userguide/model-evaluation-security-kms.md index 0e7c5f87f..076a4a667 100644 --- a//bedrock/latest/userguide/model-evaluation-security-kms.md +++ b//bedrock/latest/userguide/model-evaluation-security-kms.md @@ -66,0 +67 @@ JSON + "Sid": "BedrockDataKeyAndDecrypt", @@ -73,2 +74 @@ JSON - "kms:Decrypt", - "kms:DescribeKey" + "kms:Decrypt" @@ -82,0 +83,14 @@ JSON + }, + { + "Sid": "BedrockDescribeKey", + "Effect": "Allow", + "Principal": { + "Service": "bedrock.amazonaws.com" + }, + "Action": "kms:DescribeKey", + "Resource": "*", + "Condition": { + "ArnLike": { + "aws:SourceArn": "arn:aws:bedrock:us-east-1:123456789012:evaluation-job/*" + } + }