AWS bedrock medium security documentation change
Summary
Updated documentation for API key types with more precise validity periods, permission inheritance details, and stronger warnings about long-term key usage
Security assessment
Added explicit region restriction for short-term keys and clarified session-based permissions inheritance. Strengthened warning to recommend switching from long-term to short-term credentials for production use, promoting security best practices for credential management.
Diff
diff --git a/bedrock/latest/userguide/api-keys-how.md b/bedrock/latest/userguide/api-keys-how.md index bfafa0e69..c65c541da 100644 --- a//bedrock/latest/userguide/api-keys-how.md +++ b//bedrock/latest/userguide/api-keys-how.md @@ -15 +15 @@ The blue nodes indicate two more flows to authenticate specifically to Amazon Be - * **Short-term key** – A secure option that inherits the permissions and expiration time of your session (and up to 12 hours). The short-term key is a pre-signed URL that uses [AWS Signature Version 4](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_sigv.html). + * **Short-term key** – A secure option that allows temporary access to using Amazon Bedrock. @@ -17 +17 @@ The blue nodes indicate two more flows to authenticate specifically to Amazon Be - * **Long-term key** – Recommended only for exploration of Amazon Bedrock. You can set the time after which the key expires. When you generate a long-term key, it underlyingly creates an IAM user that's for you, attaches the IAM policies that you select, and associates the key with the user. After you generate the key, you can use the IAM service to [modify permissions for the IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html). +Short term keys have the following properties: @@ -19 +19,5 @@ The blue nodes indicate two more flows to authenticate specifically to Amazon Be -###### Warning + * Valid for the shorter of the following values: + + * 12 hours + + * The duration of the session generated by the IAM principal used to generate the key. @@ -21 +25 @@ The blue nodes indicate two more flows to authenticate specifically to Amazon Be -We strongly recommend restricting the use of long-term keys for exploration of Amazon Bedrock. When you're ready to incorporate Amazon Bedrock into applications with greater security requirements, you should review the following documentation: + * Inherit the permissions attached to the principal used to generate the key. @@ -23 +27,5 @@ We strongly recommend restricting the use of long-term keys for exploration of A - * To learn about preferable alternatives to long-term keys, see [Alternatives to long-term access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds-programmatic-access.html#security-creds-alternatives-to-long-term-access-keys) in the IAM User Guide. + * Can be used only in the AWS Region from which you generated it. + + * **Long-term key** – Recommended only for exploration of Amazon Bedrock. You can set the time after which the key expires. When you generate a long-term key, it underlyingly creates an IAM user that's for you, attaches the IAM policies that you select, and associates the key with the user. After you generate the key, you can use the IAM service to [modify permissions for the IAM user](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html). + +###### Warning @@ -25 +33 @@ We strongly recommend restricting the use of long-term keys for exploration of A - * To learn how to monitor long-term keys to prevent security breaches, see [Manage access keys for IAM users](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) in the IAM User Guide. +We strongly recommend restricting the use of Amazon Bedrock API keys for exploration of Amazon Bedrock. When you're ready to incorporate Amazon Bedrock into applications with greater security requirements, you should switch to short-term credentials. For more information, see [Alternatives to long-term access keys](https://docs.aws.amazon.com/IAM/latest/UserGuide/security-creds-programmatic-access.html#security-creds-alternatives-to-long-term-access-keys) in the IAM User Guide.