AWS bedrock documentation change
Summary
Updated permissions requirements for creating knowledge bases with OpenSearch Service
Security assessment
Clarifies IAM permissions needed for service operations but doesn't address any specific security vulnerability.
Diff
diff --git a/bedrock/latest/userguide/knowledge-base-prereq.md b/bedrock/latest/userguide/knowledge-base-prereq.md index e0306e73d..4e0f8d1d5 100644 --- a//bedrock/latest/userguide/knowledge-base-prereq.md +++ b//bedrock/latest/userguide/knowledge-base-prereq.md @@ -21 +21 @@ Before you can create a knowledge base, you must fulfill the following prerequis -If you're creating a knowledge base with Amazon OpenSearch Service (including Amazon OpenSearch Serverless), the service role requires additional permissions beyond those covered by the AWS-managed BedrockFullAccess policy. These include `aoss:CreateAccessPolicy`, `iam:CreateServiceLinkedRole`, and `iam:CreateRole` permissions. +If you choose to have Amazon Bedrock create a new service role for you, the user or role creating the knowledge base requires `iam:CreateRole` and `iam:CreatePolicy` permissions. If you're creating a knowledge base with Amazon OpenSearch Service (including Amazon OpenSearch Serverless), additional permissions are required, including `aoss:CreateAccessPolicy` and `iam:CreateServiceLinkedRole`.