AWS bedrock-agentcore medium security documentation change
Summary
Modified KMS key policy configuration - changed principal from IAM role to service principal, updated condition key to use encryption context source ARN instead of ViaService, simplified policy structure
Security assessment
The change restricts KMS key usage to specific service principals (delivery.logs.amazonaws.com) rather than IAM roles, and implements encryption context validation (kms:EncryptionContext:SourceArn) which is a security best practice for cryptographic operations. This prevents potential privilege escalation via IAM role compromise.
Diff
diff --git a/bedrock-agentcore/latest/devguide/gateway-encryption.md b/bedrock-agentcore/latest/devguide/gateway-encryption.md index 1d594eeb1..3458eb255 100644 --- a//bedrock-agentcore/latest/devguide/gateway-encryption.md +++ b//bedrock-agentcore/latest/devguide/gateway-encryption.md @@ -49,8 +48,0 @@ Before encrypting your gateway, ensure that you have fulfilled the following pre - * The AgentCore Gateway service role has permissions to perform the following actions: - - * `kms:Decrypt` - - * `kms:GenerateDataKey` - -For greater security, limit the use of the key to requests from the AgentCore data plane service by using the [kms:ViaService](https://docs.aws.amazon.com/kms/latest/developerguide/conditions-kms.html#conditions-kms-via-service) condition key and specifying one of the [AgentCore data plane endpoints](https://docs.aws.amazon.com/general/latest/gr/bedrock_agentcore.html#bedrock_agentcore_dp) as the value. - @@ -66,8 +58 @@ The following example policy contains the following statements: - * `ManageKMSKey` – Allows the specified account to carry out all AWS KMS actions. - - * `AllowAgentCoreDataplaneServiceToUseKMSKey` – Allows a gateway service role with the ARN `arn:aws:iam::111122223333:role/GatewayServiceRole` to use the key, if the request is made through the AgentCore data plane service from the US West (Oregon) Region. - - - - -JSON + * `ManagedKMSKey` – Allows the specified account to carry out all AWS KMS actions. @@ -76 +60,0 @@ JSON -**** @@ -84 +68 @@ JSON - "Sid": "ManageKMSKey", + "Sid": "ManagedKMSKey", @@ -93 +76,0 @@ JSON - "Sid": "AllowAgentCoreDataplaneServiceToUseKMSKey", @@ -96 +79 @@ JSON - "AWS": "arn:aws:iam::111122223333:role/GatewayServiceRole" + "Service": "delivery.logs.amazonaws.com" @@ -99,2 +82,2 @@ JSON - "kms:Decrypt", - "kms:GenerateDataKey" + "kms:GenerateDataKey", + "kms:Decrypt" @@ -105 +88 @@ JSON - "kms:ViaService": "bedrock-agentcore.us-west-2.amazonaws.com" + "kms:EncryptionContext:SourceArn": "arn:<partition>:logs:<region>:<accountId>:*"