AWS bedrock-agentcore high security documentation change
Summary
Updated KMS key policy requirements to enforce least-privilege permissions for gateway encryption. Added specific kms: actions required by the gateway service role, introduced CloudWatch Logs decryption permissions, and provided detailed policy statements with service-specific conditions and encryption context constraints.
Security assessment
The change replaces a broad 'kms:*' permission with granular actions (kms:CreateGrant, DescribeKey, Decrypt, GenerateDataKey) and adds encryption context conditions. This directly addresses security best practices by reducing overprivileged access to KMS keys. The explicit mention of CloudWatch Logs decryption permissions and context-based restrictions (kms:ViaService, kms:EncryptionContext) demonstrates concrete security hardening measures.
Diff
diff --git a/bedrock-agentcore/latest/devguide/gateway-encryption.md b/bedrock-agentcore/latest/devguide/gateway-encryption.md index 56b3083cd..e1ff38501 100644 --- a//bedrock-agentcore/latest/devguide/gateway-encryption.md +++ b//bedrock-agentcore/latest/devguide/gateway-encryption.md @@ -45 +45,11 @@ Before encrypting your gateway, ensure that you have fulfilled the following pre - * The IAM identity that manages the key has permissions to perform AWS KMS actions. You can use the [Default key policy](https://docs.aws.amazon.com/kms/latest/developerguide/key-policy-default.html). + * Permissions that allow the gateway service role to perform the following actions: + + * kms:CreateGrant + + * kms:DescribeKey + + * kms:Decrypt + + * kms:GenerateDataKey + + * (If you enable CloudWatch Logs for your gateway) Permissions that allow the CloudWatch Logs service to decrypt the key. @@ -54 +64 @@ For more information about controlling IAM permissions for a KMS key, see [KMS k -The following example policy contains the following statements: +The following example policy provides the necessary permissions to encrypt a gateway and use an encrypted gateway. The fourth statement also allows CloudWatch Logs logging of key usage for the encrypted gateway. The policy contains condition keys to conform to security best practices. @@ -56 +66 @@ The following example policy contains the following statements: - * `ManagedKMSKey` – Allows the specified account to carry out all AWS KMS actions. +JSON @@ -58,0 +69 @@ The following example policy contains the following statements: +**** @@ -66 +77,41 @@ The following example policy contains the following statements: - "Sid": "ManagedKMSKey", + "Sid": "AllowServiceRoleDescribeKey", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::123456789012:role/GatewayServiceRole" + }, + "Action": [ + "kms:DescribeKey" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "kms:ViaService": [ + "bedrock-agentcore.us-east-1.amazonaws.com" + ] + } + } + }, + { + "Sid": "AllowServiceRoleDecryptKey", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::123456789012:role/GatewayServiceRole" + }, + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "kms:ViaService": [ + "bedrock-agentcore.us-east-1.amazonaws.com" + ] + }, + "StringLike": { + "kms:EncryptionContext:aws:bedrock-agentcore-gateway:arn": "arn:aws:bedrock-agentcore:us-east-1:123456789012:gateway/GatewayId" + } + } + }, + { + "Sid": "AllowServiceRoleCreateGrant", @@ -69 +120,10 @@ The following example policy contains the following statements: - "AWS": "arn:aws:iam::111122223333:root" + "AWS": "arn:aws:iam::123456789012:role/GatewayServiceRole" + }, + "Action": "kms:CreateGrant", + "Resource": "*", + "Condition": { + "StringEquals": { + "kms:ViaService": [ + "bedrock-agentcore.us-east-1.amazonaws.com" + ], + "kms:GrantConstraintType": "EncryptionContextSubset" @@ -71,2 +131,10 @@ The following example policy contains the following statements: - "Action": "kms:*", - "Resource": "*" + "ForAllValues:StringEquals": { + "kms:GrantOperations": [ + "Decrypt", + "GenerateDataKey" + ] + }, + "StringLike": { + "kms:EncryptionContext:aws:bedrock-agentcore-gateway:arn": "arn:aws:bedrock-agentcore:us-east-1:123456789012:gateway/GatewayId" + } + } @@ -74,0 +143 @@ The following example policy contains the following statements: + "Sid": "AllowKMSDecryptionLogging", @@ -86 +155 @@ The following example policy contains the following statements: - "kms:EncryptionContext:SourceArn": "arn:<partition>:logs:<region>:<accountId>:*" + "kms:EncryptionContext:SourceArn": "arn:aws:logs:us-east-1:123456789012:*" @@ -92,0 +162,34 @@ The following example policy contains the following statements: + +The policy contains the following statements: + + * **AllowServiceRoleDescribeKKey** – Allows the specified principal to describe the key if the request is made through the AgentCore service. Replace values in the following fields: + + * `Principal` – Replace the `AWS` value with the actual ARN of your gateway service role. + + * `Condition` – In the `kms:ViaService` array, replace `us-east-1` with the actual AWS Region for which you want to allow the key to be described. + + * **AllowServiceRoleDecryptKey** – Allows the specified principal to decrypt the key if the request is made through the AgentCore service and if the ARN of the gateway to which the request is made matches the one in the `kmsEncryptionContext:aws:bedrock-agentcore-gateway-arn` field. Replace the following values: + + * `Principal` – Replace the `AWS` value with the actual ARN of your gateway service role. + + * `Condition` – Do the following: + + * In the `kms:ViaService` array, replace `us-east-1` with the actual AWS Region for which you want to allow the key to be decrypted. + + * Replace the `kmsEncryptionContext:aws:bedrock-agentcore-gateway-arn` value with the actual ARN of your gateway. + + * **AllowServiceRoleCreateGrant** – Allows the specified principal to create a grant for a key if the request is made through the AgentCore service and if the ARN of the gateway to which the request is made matches the one in the `kmsEncryptionContext:aws:bedrock-agentcore-gateway-arn` field. Replace the following values: + + * `Principal` – Replace the `AWS` value with the actual ARN of your gateway service role. + + * `Condition` – Do the following: + + * In the `kms:ViaService` array, replace `us-east-1` with the actual AWS Region for which you want to allow the key to be decrypted. + + * Replace the `kmsEncryptionContext:aws:bedrock-agentcore-gateway-arn` value with the actual ARN of your gateway (if you want to allow). + + * **AllowKMSDecryptionLogging** – Allows the specified principal to decrypt a customer-managed KMS key for auditing key usage through CloudWatch Logs. In the `kms:EncryptionContext:SourceArn` value, replace `us-east-1` and `123456789012` values with your actual AWS Region and account ID. + + + +