AWS bedrock-agentcore documentation change
Summary
Added new IAM permissions for KMS operations (DescribeKey, GenerateDataKey, Decrypt) and explanatory note about KMS key usage
Security assessment
The change documents required permissions for customer-managed KMS keys but doesn't indicate any security vulnerability being fixed. It enhances security documentation by clarifying encryption requirements.
Diff
diff --git a/bedrock-agentcore/latest/devguide/evaluations-prerequisites.md b/bedrock-agentcore/latest/devguide/evaluations-prerequisites.md index 78bb7a63c..5077bcb3c 100644 --- a//bedrock-agentcore/latest/devguide/evaluations-prerequisites.md +++ b//bedrock-agentcore/latest/devguide/evaluations-prerequisites.md @@ -109,0 +110,10 @@ To use Amazon Bedrock AgentCore, you can attach the [BedrockAgentCoreFullAccess] + }, + { + "Sid": "KMSPermissionsForCMKEvaluators", + "Effect": "Allow", + "Action": [ + "kms:DescribeKey", + "kms:GenerateDataKey", + "kms:Decrypt" + ], + "Resource": "arn:aws:kms:*:*:key/*" @@ -113,0 +124,4 @@ To use Amazon Bedrock AgentCore, you can attach the [BedrockAgentCoreFullAccess] +###### Note + +The `KMSPermissionsForCMKEvaluators` statement is only required if you use customer managed KMS keys to encrypt custom evaluators. For more information, see [Encryption at rest for AgentCore Evaluations](./evaluations-encryption.html). +