AWS bedrock documentation change
Summary
Clarified IAM policy requirements for restricting access to non-Marketplace models in Amazon Bedrock
Security assessment
The changes improve documentation about access control mechanisms for AI models, specifically explaining how to scope permissions using Resource fields rather than product keys. While this enhances security documentation, there's no evidence of addressing a specific vulnerability - rather it's refining existing access control guidance.
Diff
diff --git a/bedrock/latest/userguide/model-access-modify.md b/bedrock/latest/userguide/model-access-modify.md index d572ba51a..969393ed6 100644 --- a//bedrock/latest/userguide/model-access-modify.md +++ b//bedrock/latest/userguide/model-access-modify.md @@ -11 +11 @@ Before you can use a foundation model in Amazon Bedrock, you must request access -Models from the following providers don't have product keys, so you can't remove request access from them: +Models from the following providers aren't sold through AWS Marketplace and don't have product keys, so you can't scope the `aws-marketplace` actions to them: @@ -24 +24 @@ Models from the following providers don't have product keys, so you can't remove -You can prevent users from making inference calls to these models by using an IAM policy and specifying the model ID. For more information, see [Deny access for inference of foundation models](./security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-deny-inference). +You can, however, prevent the usage of these models by denying Amazon Bedrock actions and specifying these model IDs in the `Resource` field. For an example, see [Prevent an identity from using a model after access has already been granted](./model-access-permissions.html#model-access-prevent-usage.title). @@ -92 +92 @@ To use the Amazon Web Services Documentation, Javascript must be enabled. Please -Grant permissions to request access to foundation models +Use product ID condition keys to control access