AWS bedrock medium security documentation change
Summary
Added requirement for lakeformation:GetDataAccess permission in IAM policy to prevent authorization errors
Security assessment
Addresses an authorization failure scenario where missing permissions caused queries to fail. Explicitly prevents privilege escalation risks by documenting required IAM actions.
Diff
diff --git a/bedrock/latest/userguide/knowledge-base-prereq-structured.md b/bedrock/latest/userguide/knowledge-base-prereq-structured.md index 673bffc85..d31c1ee0c 100644 --- a//bedrock/latest/userguide/knowledge-base-prereq-structured.md +++ b//bedrock/latest/userguide/knowledge-base-prereq-structured.md @@ -410,0 +411,10 @@ JSON +###### Important + +You must also add the `lakeformation:GetDataAccess` action to your Amazon Bedrock Knowledge Bases service role's IAM policy. Without this permission, queries to the knowledge base will fail with an authorization error. Add the following statement to the service role policy: + + { + "Effect": "Allow", + "Action": "lakeformation:GetDataAccess", + "Resource": "*" + } +