AWS bedrock documentation change
Summary
Changed 'In order to use' to 'To use' in cross-account permission explanation
Security assessment
Grammatical simplification without changing security requirements for cross-account guardrail usage.
Diff
diff --git a/bedrock/latest/userguide/guardrails-resource-based-policies.md b/bedrock/latest/userguide/guardrails-resource-based-policies.md index 9a4b2b855..1a966e88d 100644 --- a//bedrock/latest/userguide/guardrails-resource-based-policies.md +++ b//bedrock/latest/userguide/guardrails-resource-based-policies.md @@ -15 +15 @@ You can attach a resource-based policy (RBP) to Guardrails resources (guardrail -Resource-based policies are recommended for use with account-level enforced guardrails, and are required for use of organization-level enforced guardrails, because for organizational enforced guardrails the member accounts are required to apply a guardrail that exists in the organization administrator account. In order to use a guardrail in a different account, the caller identity must have permission to call the `bedrock:ApplyGuardrail` API on the guardrail, and the guardrail must have a resource based policy attached which gives that caller permission. For more information, see [Cross-account policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.html) and [Identity-based policies and resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html). +Resource-based policies are recommended for use with account-level enforced guardrails, and are required for use of organization-level enforced guardrails, because for organizational enforced guardrails the member accounts are required to apply a guardrail that exists in the organization administrator account. To use a guardrail in a different account, the caller identity must have permission to call the `bedrock:ApplyGuardrail` API on the guardrail, and the guardrail must have a resource based policy attached which gives that caller permission. For more information, see [Cross-account policy evaluation logic](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic-cross-account.html) and [Identity-based policies and resource-based policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html).