AWS Security ChangesHomeSearch

AWS bedrock high security documentation change

Service: bedrock · 2026-05-13 · Security-related high

File: bedrock/latest/userguide/model-evaluation-security-cors.md

Summary

Significantly restricted CORS permissions: now only required for human-based jobs, only allows GET method, and specifies a single allowed origin.

Security assessment

Change hardens security by reducing CORS permissions from permissive (*) to minimal required (GET only, specific origin). This directly mitigates potential cross-origin attacks by limiting exposure surface.

Diff

diff --git a/bedrock/latest/userguide/model-evaluation-security-cors.md b/bedrock/latest/userguide/model-evaluation-security-cors.md
index 41e9d4272..eeb0b26c4 100644
--- a//bedrock/latest/userguide/model-evaluation-security-cors.md
+++ b//bedrock/latest/userguide/model-evaluation-security-cors.md
@@ -11 +11 @@
-All console-based model evaluation jobs require Cross Origin Resource Sharing (CORS) permissions to be enabled on any Amazon S3 buckets specified in the model evaluation job. To learn more, see Required Cross Origin Resource Sharing (CORS) permissions on S3 buckets
+CORS permissions are only required on the Amazon S3 output bucket for **human-based** model evaluation jobs created using the Amazon Bedrock console. This is necessary to allow displaying prompts and inference results to human annotators in the annotation portal. Automated model evaluation jobs do not require CORS configuration.
@@ -13 +13 @@ All console-based model evaluation jobs require Cross Origin Resource Sharing (C
-When you create a model evaluation job that uses the Amazon Bedrock console, you must specify a CORS configuration on the S3 bucket.
+When you create a human-based model evaluation job using the Amazon Bedrock console, you must specify a CORS configuration on the S3 output bucket.
@@ -17 +17 @@ A CORS configuration is a document that defines rules that identify the origins
-The following is the minimal required CORS configuration for S3 buckets.
+The following is the minimal required CORS configuration for the S3 output bucket in human-based evaluation jobs:
@@ -22,3 +21,0 @@ The following is the minimal required CORS configuration for S3 buckets.
-            "AllowedHeaders": [
-                "*"
-            ],
@@ -26,4 +23 @@ The following is the minimal required CORS configuration for S3 buckets.
-                "GET",
-                "PUT",
-                "POST",
-                "DELETE"
+                "GET"
@@ -32,4 +26 @@ The following is the minimal required CORS configuration for S3 buckets.
-                "*"
-            ],
-            "ExposeHeaders": [
-                "Access-Control-Allow-Origin"
+                "https://mturk-console-template-preview-hooks.s3.amazonaws.com"