AWS bedrock-agentcore documentation change
Summary
Removed KMS key policy example with encryption/decryption permissions and resource conditions
Security assessment
Removal of KMS policy documentation affects security guidance but doesn't indicate a resolved security issue. No evidence of insecure policy being corrected.
Diff
diff --git a/bedrock-agentcore/latest/devguide/kms-key-policy-configuration.md b/bedrock-agentcore/latest/devguide/kms-key-policy-configuration.md index d9c6fddaa..528df863e 100644 --- a//bedrock-agentcore/latest/devguide/kms-key-policy-configuration.md +++ b//bedrock-agentcore/latest/devguide/kms-key-policy-configuration.md @@ -15,52 +14,0 @@ To use a customer managed key, your key must trust an Amazon Bedrock AgentCore I -JSON - - -**** - - - - { - "Id": "identity-service-cmk-policy", - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "BedrockAgentCoreIdentityKMSAccess", - "Effect": "Allow", - "Action": [ - "kms:Encrypt", - "kms:Decrypt", - "kms:GenerateDataKeyWithoutPlaintext" - ], - "Resource": "*", - "Condition": { - "StringLike": { - "kms:ViaService": "bedrock-agentcore-identity.*.amazonaws.com" - }, - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "ArnLike": { - "kms:EncryptionContext:aws-crypto-ec:aws:bedrock-agentcore-identity:token-vault-arn": "arn:aws:bedrock-agentcore:*:*:token-vault/default" - } - } - }, - { - "Sid": "BedrockAgentCoreIdentityDescribeKeyKMSAccess", - "Effect": "Allow", - "Action": [ - "kms:DescribeKey" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:ResourceAccount": "${aws:PrincipalAccount}" - }, - "StringLike": { - "kms:ViaService": "bedrock-agentcore-identity.*.amazonaws.com" - } - } - } - ] - } - -