AWS Security ChangesHomeSearch

AWS bedrock documentation change

Service: bedrock · 2025-09-28 · Documentation low

File: bedrock/latest/userguide/encryption-kb.md

Summary

Updated placeholder value descriptions in KMS key policy examples to emphasize using user-specific values

Security assessment

The changes clarify encryption configuration requirements but do not indicate a security vulnerability. The updates improve documentation about existing security controls (KMS encryption) without addressing a specific incident.

Diff

diff --git a/bedrock/latest/userguide/encryption-kb.md b/bedrock/latest/userguide/encryption-kb.md
index 61edbf3f9..9e36e711b 100644
--- a//bedrock/latest/userguide/encryption-kb.md
+++ b//bedrock/latest/userguide/encryption-kb.md
@@ -58 +58 @@ When you set up a data ingestion job for your knowledge base, you can encrypt th
-To allow the creation of a AWS KMS key for transient data storage in the process of ingesting your data source, attach the following policy to your Amazon Bedrock service role. Replace the `region`, `account-id`, and `key-id` with the appropriate values.
+To allow the creation of a AWS KMS key for transient data storage in the process of ingesting your data source, attach the following policy to your Amazon Bedrock service role. Replace the example values with your own AWS Region, account ID, and AWS KMS key ID.
@@ -98 +98 @@ The Amazon S3 Vectors integration with Amazon Bedrock Knowledge Bases is in prev
-You can encrypt sessions in which you generate responses from querying a knowledge base with a KMS key. To do so, include the ARN of a KMS key in the `kmsKeyArn` field when making a [RetrieveAndGenerate](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent-runtime_RetrieveAndGenerate.html) request. Attach the following policy, replacing the `values` appropriately to allow Amazon Bedrock to encrypt the session context.
+You can encrypt sessions in which you generate responses from querying a knowledge base with a KMS key. To do so, include the ARN of a KMS key in the `kmsKeyArn` field when making a [RetrieveAndGenerate](https://docs.aws.amazon.com/bedrock/latest/APIReference/API_agent-runtime_RetrieveAndGenerate.html) request. Attach the following policy, replacing the example values with your own AWS Region, account ID, and AWS KMS key ID to allow Amazon Bedrock to encrypt the session context.
@@ -131 +131 @@ For more information, see [Protecting data using server-side encryption with Ama
-If you encrypted your data sources in Amazon S3 with a custom AWS KMS key, attach the following policy to your Amazon Bedrock service role to allow Amazon Bedrock to decrypt your key. Replace `region` and `account-id` with the Region and account ID to which the key belongs. Replace `key-id` with the ID of your AWS KMS key.
+If you encrypted your data sources in Amazon S3 with a custom AWS KMS key, attach the following policy to your Amazon Bedrock service role to allow Amazon Bedrock to decrypt your key. Replace the example values with your own AWS Region, account ID, and AWS KMS key ID.
@@ -167 +167 @@ If the vector store containing your knowledge base is configured with an AWS Sec
-If you do so, you attach the following policy to your Amazon Bedrock service role to allow it to decrypt your key. Replace `region` and `account-id` with the Region and account ID to which the key belongs. Replace `key-id` with the ID of your AWS KMS key.
+If you do so, you attach the following policy to your Amazon Bedrock service role to allow it to decrypt your key. Replace the example values with your own AWS Region, account ID, and AWS KMS key ID.