AWS bedrock-agentcore medium security documentation change
Summary
Removed cloudtrail:CreateServiceLinkedChannel and kms:CreateGrant/ListGrants permissions from managed policy documentation.
Security assessment
Removal of unnecessary KMS and CloudTrail permissions tightens the security posture by reducing over-privileged access risks.
Diff
diff --git a/bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md b/bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md index 204b94464..96c350412 100644 --- a//bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md +++ b//bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md @@ -31,2 +30,0 @@ This policy includes the following permissions: - * `cloudtrail` (AWS CloudTrail) – Allows principals to create a CloudTrail service-linked channel for the Application Signals feature using `CreateServiceLinkedChannel`. - @@ -35 +33 @@ This policy includes the following permissions: - * `kms` (AWS Key Management Service) – Allows principals to list and describe keys, and to decrypt data within the same AWS account when called via the Amazon Bedrock AgentCore service. Also allows for performing `ListGrants` and `CreateGrant` on the KMS key to provide `Decrypt` and `GenerateDataKey` permissions for Amazon Bedrock AgentCore service. + * `kms` (AWS Key Management Service) – Allows principals to list and describe keys, and to decrypt data within the same AWS account when called via the Amazon Bedrock AgentCore service. @@ -123 +120,0 @@ Change | Description | Date -BedrockAgentCoreFullAccess – Updated policy | Added the `cloudtrail:CreateServiceLinkedChannel` permission to allow Amazon Bedrock AgentCore to create a CloudTrail service-linked channel for the Application Signals feature. Added `kms:CreateGrant` permission to allow the Amazon Bedrock AgentCore Gateway service to create grants on customer managed keys for the S3 vectors service used for semantic search. Also added `kms:ListGrants` permission to check if previously created grants exist. | October 23, 2025