AWS bedrock documentation change
Summary
Updated encryption documentation for Amazon Bedrock Data Automation to include new CreateDataAutomationLibrary API, expanded encryption context details for different resource types, and updated key policy examples with more granular permissions and conditions.
Security assessment
This change enhances security documentation by providing more detailed encryption context specifications for different resource types (libraries, projects, blueprints) and clarifies KMS grant operations for different APIs. It adds security documentation about proper key policy configuration with specific conditions (kms:ViaService, kms:GrantOperations, kms:EncryptionContext) which improves security posture by enabling more precise access controls. No evidence of addressing a specific security vulnerability is present.
Diff
diff --git a/bedrock/latest/userguide/encryption-bda.md b/bedrock/latest/userguide/encryption-bda.md index a957e7d67..26ee2b3b2 100644 --- a//bedrock/latest/userguide/encryption-bda.md +++ b//bedrock/latest/userguide/encryption-bda.md @@ -5 +5 @@ -How Amazon Bedrock uses grants in AWS KMSCreating a customer managed key and attaching a key policyPermissions and key policies for Amazon Bedrock Data Automation resourcesAmazon Bedrock Automation encryption contextMonitoring your encryption keys for Amazon Bedrock Data Automation +How Amazon Bedrock uses grants in AWS KMSCreating a customer managed key and attaching a key policyPermissions and key policies for Amazon Bedrock Data Automation resourcesAmazon Bedrock Data Automation encryption contextMonitoring your encryption keys for Amazon Bedrock Data Automation @@ -9 +9 @@ How Amazon Bedrock uses grants in AWS KMSCreating a customer managed key and att -Amazon Bedrock Data Automation (BDA) uses encryption to protect your data at rest. This includes the blueprints, projects, and extracted insights stored by the service. BDA offers two options for encrypting your data: +Amazon Bedrock Data Automation (BDA) uses encryption to protect your data at rest. This includes the blueprints, projects, libraries, and extracted insights stored by the service. BDA offers two options for encrypting your data: @@ -22 +22 @@ Amazon Bedrock Data Automation automatically enables encryption at rest using AW -If you specify a customer managed key for encryption of your BDA when calling invokeDataAutomationAsync, the service creates a grant associated with your resources on your behalf by sending a CreateGrant request to AWS KMS. This grant allows BDA to access and use your customer managed key. +If you specify a customer managed key for encryption of your BDA when calling invokeDataAutomationAsync or CreateDataAutomationLibrary, the service creates a grant associated with your resources on your behalf by sending a CreateGrant request to AWS KMS. This grant allows BDA to access and use your customer managed key. The grant created by CreateDataAutomationLibrary is not utilized if the customer ingests vocabulary entities into the library. @@ -30 +30,5 @@ BDA uses the grant for your customer managed key for the following internal oper - * CreateGrant — Send requests to AWS KMS to create scoped down grants with a subset of the above operations (DescribeKey, GenerateDataKey, Decrypt), for the asynchronous execution of operations. + * CreateGrant — Send requests to AWS KMS to create scoped down grants for the asynchronous execution of operations. The grant operations vary by API: + + * InvokeDataAutomationAsync: DescribeKey, GenerateDataKey, Decrypt + + * CreateDataAutomationLibrary: DescribeKey, GenerateDataKey, Decrypt, CreateGrant @@ -37 +41,5 @@ You have full access to your customer managed AWS KMS key. You can revoke access -If you initiate a new invokeDataAutomationAsync call after revoking a grant, BDA will recreate the grant. The grants are retired by BDA after 30 hours. +If you initiate a new invokeDataAutomationAsync call after revoking a grant, BDA will recreate the grant. + +The grants created by invokeDataAutomationAsync are retired by BDA after 30 hours. + +The grants created by CreateDataAutomationLibrary are retired by BDA when the library is deleted. @@ -58 +66 @@ After you create a AWS KMS key, you attach a key policy to it. The following AWS - 1. kms:CreateGrant – Creates a grant for a customer managed key by allowing the BDA service access to the specified AWS KMS key through grant operations, needed for InvokeDataAutomationAsync. + 1. kms:CreateGrant – Creates a grant for a customer managed key by allowing the BDA service access to the specified AWS KMS key through grant operations, needed for InvokeDataAutomationAsync and CreateDataAutomationLibrary. @@ -73,6 +80,0 @@ To use your customer managed key to encrypt BDA resources, include the following -JSON - - -**** - - @@ -85 +87 @@ JSON - "Sid": "Permissions for encryption of data for BDA resources", + "Sid": "Enable DescribeKey, Decrypt, GenerateDataKey", @@ -91,2 +92,0 @@ JSON - "kms:Decrypt", - "kms:GenerateDataKey", @@ -94 +94,2 @@ JSON - "kms:CreateGrant" + "kms:GenerateDataKey", + "kms:Decrypt" @@ -98,3 +99,23 @@ JSON - "StringLike": { - "kms:ViaService": [ - "bedrock.us-east-1.amazonaws.com" + "StringEquals": { + "kms:ViaService": "bedrock.us-east-1.amazonaws.com" + } + } + }, + { + "Sid": "Enable CreateGrant", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/Role" + }, + "Action": "kms:CreateGrant", + "Resource": "*", + "Condition": { + "StringEquals": { + "kms:ViaService": "bedrock.us-east-1.amazonaws.com" + }, + "ForAllValues:StringEquals": { + "kms:GrantOperations": [ + "CreateGrant", + "GenerateDataKey", + "Decrypt", + "DescribeKey" @@ -144 +164 @@ JSON -## Amazon Bedrock Automation encryption context +## Amazon Bedrock Data Automation encryption context @@ -146 +166 @@ JSON -BDA uses the same encryption context in all AWS KMS cryptographic operations, where the key is `aws:bedrock:data-automation-customer-account-id` and the value is your AWS account ID. An example of the encryption context is below. +For all DataAutomationLibrary operations including InvokeDataAutomationLibraryIngestionJob, BDA uses below encryption context in all AWS KMS cryptographic operations, where the key is `aws:bedrock:data-automation-library-arn` and the value is the `libraryArn`. @@ -150 +170 @@ BDA uses the same encryption context in all AWS KMS cryptographic operations, wh - "bedrock:data-automation-customer-account-id": "account id" + "aws:bedrock:data-automation-library-arn": "<LibraryArn>" @@ -152,0 +173,2 @@ BDA uses the same encryption context in all AWS KMS cryptographic operations, wh +For DataAutomationProject operations, BDA uses below encryption context: + @@ -153,0 +176,17 @@ BDA uses the same encryption context in all AWS KMS cryptographic operations, wh + "encryptionContext": { + "DataAutomationProjectArn": "<DataAutomationProjectArn>" + } + +For Blueprint operations, BDA uses below encryption context: + + + "encryptionContext": { + "BlueprintArn": "<BlueprintArn>" + } + +For all other operations, BDA uses below encryption context: + + + "encryptionContext": { + "aws:bedrock:data-automation-customer-account-id": "111122223333" + } @@ -168 +207 @@ The following are example key policy statements to grant access to a customer ma - "Sid": "Enable DescribeKey, Decrypt, GenerateDataKey", + "Sid": "Enable DescribeKey", @@ -173,2 +212,29 @@ The following are example key policy statements to grant access to a customer ma - "Action": ["kms:DescribeKey", "kms:Decrypt", "kms:GenerateDataKey"], - "Resource": "*" + "Action": ["kms:DescribeKey"], + "Resource": "*", + "Condition": { + "StringLike": { + "kms:ViaService": [ + "bedrock.${region}.amazonaws.com" + ] + } + } + }, + { + "Sid": "Enable Decrypt, GenerateDataKey", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/ExampleRole" + }, + "Action": [ + "kms:GenerateDataKey", + "kms:Decrypt" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "kms:ViaService": [ + "bedrock.${region}.amazonaws.com" + ], + "kms:EncryptionContext:aws:bedrock:data-automation-customer-account-id": "111122223333" + } + } @@ -185,0 +252,3 @@ The following are example key policy statements to grant access to a customer ma + "kms:ViaService": [ + "bedrock.${region}.amazonaws.com" + ], @@ -194,0 +264,24 @@ The following are example key policy statements to grant access to a customer ma +When calling `CreateDataAutomationLibrary`, attach the following policy to grant BDA the necessary permission for accessing your customer managed key. + + + [ + { + "Sid": "Enable CreateGrant for CreateDataAutomationLibrary", + "Effect": "Allow", + "Principal": { + "AWS": "arn:aws:iam::111122223333:role/ExampleRole" + }, + "Action": "kms:CreateGrant", + "Resource": "*", + "Condition": { + "StringLike": { + "kms:ViaService": [ + "bedrock.${region}.amazonaws.com" + ] + }, + "StringEquals": { + "kms:GrantOperations": ["Decrypt", "DescribeKey", "GenerateDataKey", "CreateGrant"] + } + } + } + ]