AWS Security ChangesHomeSearch

AWS bedrock documentation change

Service: bedrock · 2025-10-28 · Documentation medium

File: bedrock/latest/userguide/create-automated-reasoning-policy.md

Summary

Added documentation about KMS encryption for Automated Reasoning policies including key selection, required permissions, and encryption context details

Security assessment

The changes introduce documentation about using KMS encryption for policy data, which is a security feature. While this enhances security documentation, there's no evidence of addressing a specific existing vulnerability.

Diff

diff --git a/bedrock/latest/userguide/create-automated-reasoning-policy.md b/bedrock/latest/userguide/create-automated-reasoning-policy.md
index db8966b36..3cab8c61b 100644
--- a//bedrock/latest/userguide/create-automated-reasoning-policy.md
+++ b//bedrock/latest/userguide/create-automated-reasoning-policy.md
@@ -5 +5 @@
-Create your Automated Reasoning policy in the consoleCreate your Automated Reasoning policy using the APIView Automated Reasoning policy detailsPolicy creation best practices
+Create your Automated Reasoning policy in the consoleCreate your Automated Reasoning policy using the APIKMS permissions for Automated Reasoning policiesView Automated Reasoning policy detailsPolicy creation best practices
@@ -10,0 +11,2 @@ When you create an Automated Reasoning policy, your input source document is tra
+Amazon Bedrock encrypts your Automated Reasoning policy using AWS Key Management Service (KMS). By default, Amazon Bedrock uses a service-owned key. You can optionally specify a customer managed KMS key for additional control over the encryption of your policy data.
+
@@ -49 +51,3 @@ Instructions should explain what type of questions the policy will be validating
-  6. Choose **Create policy**.
+  6. (Optional) For **Encryption** , choose a KMS key to encrypt your policy. You can use the default service-owned key or select a customer managed key from your account.
+
+  7. Choose **Create policy**.
@@ -86,0 +91,5 @@ A list of tags to associate with the Automated Reasoning policy. Tags help you o
+`kmsKeyId` (optional)
+    
+
+The KMS key identifier for encrypting the Automated Reasoning policy. You can use the key ID, key ARN, alias name, or alias ARN. If you don't specify a KMS key, Amazon Bedrock uses a service-owned key to encrypt your policy.
+
@@ -114 +123,2 @@ The following example shows how to create an Automated Reasoning policy using th
-      --source-document file://policy-document.pdf
+      --source-document file://policy-document.pdf \
+      --kms-key-id arn:aws:kms:us-east-1:111122223333:key/12345678-1234-1234-1234-123456789012
@@ -128,0 +139,75 @@ Example response:
+## KMS permissions for Automated Reasoning policies
+
+If you specify a customer managed KMS key to encrypt your Automated Reasoning policy, you must configure permissions that allow Amazon Bedrock to use the key on your behalf.
+
+### Key policy permissions
+
+Add the following statement to your KMS key policy to allow Amazon Bedrock to use the key for Automated Reasoning policies:
+    
+    
+    {
+      "Sid": "PermissionsForAutomatedReasoningPolicy",
+      "Effect": "Allow",
+      "Principal": {
+        "AWS": "arn:aws:iam::111122223333:user/role"
+      },
+      "Action": [
+        "kms:Decrypt",
+        "kms:DescribeKey",
+        "kms:GenerateDataKey"
+      ],
+      "Resource": "*",
+      "Condition": {
+        "StringEquals": {
+          "kms:EncryptionContext:aws:bedrock:automated-reasoning-policy": [
+            "arn:aws:bedrock:us-east-1:111122223333:automated-reasoning-policy/policy-id",
+            "arn:aws:bedrock:us-east-1:111122223333:automated-reasoning-policy/policy-id:*"
+          ],
+          "kms:ViaService": "bedrock.us-east-1.amazonaws.com"
+        }
+      }
+    }
+
+### IAM permissions
+
+Your IAM principal must have the following permissions to use a customer managed KMS key with Automated Reasoning policies:
+    
+    
+    {
+      "Version": "2012-10-17",
+      "Statement": [
+        {
+          "Sid": "AllowKMSForAutomatedReasoningPolicy",
+          "Effect": "Allow",
+          "Action": [
+            "kms:Decrypt",
+            "kms:DescribeKey",
+            "kms:GenerateDataKey"
+          ],
+          "Resource": "arn:aws:kms:us-east-1:111122223333:key/key-id",
+          "Condition": {
+            "StringEquals": {
+              "kms:EncryptionContext:aws:bedrock:automated-reasoning-policy": [
+                "arn:aws:bedrock:us-east-1:111122223333:automated-reasoning-policy/policy-id",
+                "arn:aws:bedrock:us-east-1:111122223333:automated-reasoning-policy/policy-id:*"
+              ],
+              "kms:ViaService": "bedrock.us-east-1.amazonaws.com"
+            }
+          }
+        }
+      ]
+    }
+
+### Encryption context
+
+Amazon Bedrock uses encryption context to provide additional security for your Automated Reasoning policies. The encryption context is a set of key-value pairs that Amazon Bedrock uses as additional authenticated data when encrypting and decrypting your policy.
+
+For Automated Reasoning policies, Amazon Bedrock uses the following encryption context:
+
+  * **Key:** `aws:bedrock:automated-reasoning-policy`
+
+  * **Value:** The ARN of your Automated Reasoning policy
+
+
+
+