AWS Security ChangesHomeSearch

AWS bedrock high security documentation change

Service: bedrock · 2025-08-13 · Security-related high

File: bedrock/latest/userguide/api-keys-modify.md

Summary

Added detailed example workflow for modifying API key permissions with emphasis on removing default policies and implementing least-privilege access

Security assessment

Provides concrete guidance for replacing the permissive AmazonBedrockLimitedAccess policy with more restrictive permissions, directly addressing potential over-privilege risks. The explicit warning about permission removal and step-by-step least-privilege implementation helps prevent insecure configurations.

Diff

diff --git a/bedrock/latest/userguide/api-keys-modify.md b/bedrock/latest/userguide/api-keys-modify.md
index 3cfa58496..17301d9f4 100644
--- a//bedrock/latest/userguide/api-keys-modify.md
+++ b//bedrock/latest/userguide/api-keys-modify.md
@@ -4,0 +5,2 @@
+Example of modifying permissions for API keys
+
@@ -7 +9,19 @@
-When you generate a long-term Amazon Bedrock API key, the [AmazonBedrockLimitedAccess](./security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonBedrockLimitedAccess) AWS-managed policy, which grants access to core Amazon Bedrock API operations, and any other policies that you selected, are attached to the IAM user associated with the key. To allow the user of the Amazon Bedrock API key to perform more Amazon Bedrock API operations or to remove permissions from API operations, modify permissions for the IAM user through the IAM service. For more information, see [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the IAM User Guide.
+When you generate a long-term Amazon Bedrock API key, you create an IAM user associated with the key. To change the permissions associated with the key, modify permissions for the IAM user through the IAM service. For more information, see [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) in the IAM User Guide.
+
+###### Note
+
+If you generated the long-term key in the AWS Management Console, the [AmazonBedrockLimitedAccess](./security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonBedrockLimitedAccess) is attached to it by default. If you plan to modify permissions, remove this policy first before setting custom permissions.
+
+## Example of modifying permissions for API keys
+
+The following procedure shows how you can replace the [AmazonBedrockLimitedAccess](./security-iam-awsmanpol.html#security-iam-awsmanpol-AmazonBedrockLimitedAccess) with a more restrictive one:
+
+  1. Sign in to the AWS Management Console with an [IAM principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction_identity-management.html#intro-structure-terms) that has permissions to use the Amazon Bedrock console. Then, open the Amazon Bedrock console at [https://console.aws.amazon.com/bedrock/](https://console.aws.amazon.com/bedrock/).
+
+  2. From the left navigation pane, select **API keys**.
+
+  3. Select the **Long-term API keys** tab.
+
+  4. Select your API key and choose **Manage in IAM Console**.
+
+  5. Select the **Permissions** tab, choose the **AmazonBedrockLimitedAccess** policy, and choose **Remove**.
@@ -9 +29,7 @@ When you generate a long-term Amazon Bedrock API key, the [AmazonBedrockLimitedA
-For example, you could replace the policies attached to the IAM user associated with the key with the following policy to only allow the user to run inference with the US Anthropic Claude 3 Haiku inference profile in US West (Oregon), using the Amazon Bedrock API key that you generated:
+###### Note
+
+At this point, you've removed all permissions from the APi key and you won't be able to do anything with it.
+
+  6. In the **Permissions policies** section, select **Create inline policy** from the **Add permissions** dropdown.
+
+  7. In the **Policy editor** , select **JSON**. Then paste the following policy into the editor:
@@ -55,0 +81,7 @@ JSON
+  8. Choose **Next** , provide a **Policy name** , and then choose **Create policy**.
+
+  9. With this API key, a user now can only run inference with the US Anthropic Claude 3 Haiku inference profile in US West (Oregon).
+
+
+
+