AWS Security ChangesHomeSearch

AWS bedrock-agentcore medium security documentation change

Service: bedrock-agentcore · 2025-11-01 · Security-related medium

File: bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md

Summary

Removed cloudtrail:CreateServiceLinkedChannel and kms:CreateGrant/ListGrants permissions from managed policy documentation.

Security assessment

Removal of unnecessary KMS and CloudTrail permissions tightens the security posture by reducing over-privileged access risks.

Diff

diff --git a/bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md b/bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md
index 204b94464..96c350412 100644
--- a//bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md
+++ b//bedrock-agentcore/latest/devguide/security-iam-awsmanpol.md
@@ -31,2 +30,0 @@ This policy includes the following permissions:
-  * `cloudtrail` (AWS CloudTrail) – Allows principals to create a CloudTrail service-linked channel for the Application Signals feature using `CreateServiceLinkedChannel`. 
-
@@ -35 +33 @@ This policy includes the following permissions:
-  * `kms` (AWS Key Management Service) – Allows principals to list and describe keys, and to decrypt data within the same AWS account when called via the Amazon Bedrock AgentCore service. Also allows for performing `ListGrants` and `CreateGrant` on the KMS key to provide `Decrypt` and `GenerateDataKey` permissions for Amazon Bedrock AgentCore service. 
+  * `kms` (AWS Key Management Service) – Allows principals to list and describe keys, and to decrypt data within the same AWS account when called via the Amazon Bedrock AgentCore service. 
@@ -123 +120,0 @@ Change | Description | Date
-BedrockAgentCoreFullAccess – Updated policy |  Added the `cloudtrail:CreateServiceLinkedChannel` permission to allow Amazon Bedrock AgentCore to create a CloudTrail service-linked channel for the Application Signals feature. Added `kms:CreateGrant` permission to allow the Amazon Bedrock AgentCore Gateway service to create grants on customer managed keys for the S3 vectors service used for semantic search. Also added `kms:ListGrants` permission to check if previously created grants exist. | October 23, 2025