AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-05-01 · Documentation medium

File: bedrock-agentcore/latest/devguide/evaluations-prerequisites.md

Summary

Added new IAM permissions for KMS operations (DescribeKey, GenerateDataKey, Decrypt) and explanatory note about KMS key usage

Security assessment

The change documents required permissions for customer-managed KMS keys but doesn't indicate any security vulnerability being fixed. It enhances security documentation by clarifying encryption requirements.

Diff

diff --git a/bedrock-agentcore/latest/devguide/evaluations-prerequisites.md b/bedrock-agentcore/latest/devguide/evaluations-prerequisites.md
index 78bb7a63c..5077bcb3c 100644
--- a//bedrock-agentcore/latest/devguide/evaluations-prerequisites.md
+++ b//bedrock-agentcore/latest/devguide/evaluations-prerequisites.md
@@ -109,0 +110,10 @@ To use Amazon Bedrock AgentCore, you can attach the [BedrockAgentCoreFullAccess]
+            },
+            {
+                "Sid": "KMSPermissionsForCMKEvaluators",
+                "Effect": "Allow",
+                "Action": [
+                    "kms:DescribeKey",
+                    "kms:GenerateDataKey",
+                    "kms:Decrypt"
+                ],
+                "Resource": "arn:aws:kms:*:*:key/*"
@@ -113,0 +124,4 @@ To use Amazon Bedrock AgentCore, you can attach the [BedrockAgentCoreFullAccess]
+###### Note
+
+The `KMSPermissionsForCMKEvaluators` statement is only required if you use customer managed KMS keys to encrypt custom evaluators. For more information, see [Encryption at rest for AgentCore Evaluations](./evaluations-encryption.html).
+