AWS Security ChangesHomeSearch

AWS organizations documentation change

Service: organizations · 2026-04-04 · Documentation low

File: organizations/latest/userguide/orgs_manage_policies_bedrock_best_practices.md

Summary

Added three new best practice sections: 'Use a valid guardrail identifier', 'Exclude automated reasoning policies', and 'Grant the necessary IAM permissions' to Amazon Bedrock policy management documentation.

Security assessment

The changes add security best practices documentation for Amazon Bedrock policies, including warnings about misconfigurations causing API failures and guidance on IAM permissions. However, there is no concrete evidence that this addresses a specific, recently discovered security vulnerability; it appears to be proactive security guidance.

Diff

diff --git a/organizations/latest/userguide/orgs_manage_policies_bedrock_best_practices.md b/organizations/latest/userguide/orgs_manage_policies_bedrock_best_practices.md
index a7a330879..25f200b16 100644
--- a//organizations/latest/userguide/orgs_manage_policies_bedrock_best_practices.md
+++ b//organizations/latest/userguide/orgs_manage_policies_bedrock_best_practices.md
@@ -5 +5 @@
-Review Amazon Bedrock Service Limits for GuardrailsStart small, then scaleValidate changes to your Amazon Bedrock policies using DescribeEffectivePolicyCommunicate and train
+Use a valid guardrail identifierExclude automated reasoning policiesGrant the necessary IAM permissionsReview Amazon Bedrock Service Limits for GuardrailsStart small, then scaleValidate changes to your Amazon Bedrock policies using DescribeEffectivePolicyCommunicate and train
@@ -8,0 +9,12 @@ Review Amazon Bedrock Service Limits for GuardrailsStart small, then scaleValida
+## Use a valid guardrail identifier
+
+An incorrect or malformed identifier will cause all Amazon Bedrock API calls across the target organization to fail. [Monitor CloudTrail for invalid effective policy alerts to detect misconfigurations quickly](https://docs.aws.amazon.com/organizations/latest/userguide/invalid-policy-alerts.html).
+
+## Exclude automated reasoning policies
+
+Guardrails that include an automated reasoning policy are not supported for organization-level enforcement. Verify that your selected Amazon Bedrock Guardrail does not contain one.
+
+## Grant the necessary IAM permissions
+
+Use [Amazon Bedrock Guardrails resource-based policies](https://docs.aws.amazon.com/bedrock/latest/userguide/guardrails-resource-based-policies.html) to grant the organization and its member accounts permissions to evaluate the enforced guardrail at runtime.
+