AWS lexv2 documentation change
Summary
Added detailed IAM permissions policy including KMS key requirements and ARN formatting fixes
Security assessment
Documents required encryption/decryption permissions (kms:Decrypt, kms:GenerateDataKey) and resource constraints, improving security documentation clarity. However, this appears to be general documentation improvement rather than addressing a disclosed vulnerability. The ARN placeholder fix ({accountId} -> accountId) is a formatting correction.
Diff
diff --git a/lexv2/latest/dg/built-in-intent-qinconnect.md b/lexv2/latest/dg/built-in-intent-qinconnect.md index 353f761a9..77de952b0 100644 --- a//lexv2/latest/dg/built-in-intent-qinconnect.md +++ b//lexv2/latest/dg/built-in-intent-qinconnect.md @@ -90,0 +91,52 @@ The Service Linked Role will get updated with the following permissions if the Q + + { + "Version": "2012-10-17", + "Statement": [ + { + "Effect": "Allow", + "Sid": "QInConnectAssistantPolicy", + "Action": [ + "wisdom:CreateSession", + "wisdom:GetAssistant" + ], + "Resource": [ + "arn:aws:wisdom:*:accountId:assistant/assistantId", + "arn:aws:wisdom:*:accountId:assistant/assistantId/*" + ] + }, + { + "Effect": "Allow", + "Sid": "QInConnectSessionsPolicy", + "Action": [ + "wisdom:SendMessage", + "wisdom:GetNextMessage" + ], + "Resource": [ + "arn:aws:wisdom:*:accountId:session/assistantId/*" + ] + }, + { + "Sid": "QInConnectKmsCMKPolicy", + "Effect": "Allow", + "Action": [ + "kms:Decrypt", + "kms:GenerateDataKey" + ], + "Resource": [ + "arn:aws:kms:region:accountId:key/keyId" + ], + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "accountId", + "kms:ViaService": "wisdom.region.amazonaws.com", + "kms:EncryptionContext:aws:wisdom:assistant:arn": ["arn:aws:wisdom:region:accountId:assistant/assistantId"] + } + } + } + ] + } + +###### Note + +The `QInConnectKmsCMKPolicy` statement is only required if you are using a customer managed KMS key with the Amazon Q in Connect assistant. + @@ -103 +155 @@ The Service Linked Role will get updated with the following permissions if the Q - "aws:SourceAccount": "{accountId}" + "aws:SourceAccount": "accountId" @@ -106 +158 @@ The Service Linked Role will get updated with the following permissions if the Q - "aws:SourceArn": "arn:aws:lex:*:{accountId}:bot-alias/{botId}/*" + "aws:SourceArn": "arn:aws:lex:*:accountId:bot-alias/botId/*"