AWS bedrock documentation change
Summary
Added detailed IAM policy JSON example with S3 access permissions and resource account conditions
Security assessment
The change provides explicit security policy examples for encrypted data access. While security-related, this is routine documentation improvement rather than addressing a specific vulnerability. The added conditions help enforce proper resource access controls.
Diff
diff --git a/bedrock/latest/userguide/kb-permissions.md b/bedrock/latest/userguide/kb-permissions.md index 11bec2d36..4a3850b3d 100644 --- a//bedrock/latest/userguide/kb-permissions.md +++ b//bedrock/latest/userguide/kb-permissions.md @@ -170,7 +169,0 @@ If you encrypted the data source with a AWS KMS key, attach permissions to decry -JSON - - -**** - - - @@ -177,0 +171,35 @@ JSON + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "S3ListBucketStatement", + "Effect": "Allow", + "Action": [ + "s3:ListBucket" + ], + "Resource": [ + "arn:aws:s3:::amzn-s3-demo-bucket" + ], + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "123456789012" + } + } + }, + { + "Sid": "S3GetObjectStatement", + "Effect": "Allow", + "Action": [ + "s3:GetObject" + ], + "Resource": [ + "arn:aws:s3:::amzn-s3-demo-bucket/*" + ], + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "123456789012" + } + } + } + ] + }