AWS bedrock documentation change
Summary
Updated KMS policy wording and added documentation for requestMetadata field in invocation logs to support per-request metadata tagging
Security assessment
The change improves clarity for SSE-KMS configuration but doesn't address vulnerabilities. The requestMetadata addition enables operational tagging without introducing security controls. No evidence of patching security flaws or adding security features.
Diff
diff --git a/bedrock/latest/userguide/model-invocation-logging.md b/bedrock/latest/userguide/model-invocation-logging.md index b3f89b31e..a28d359a3 100644 --- a//bedrock/latest/userguide/model-invocation-logging.md +++ b//bedrock/latest/userguide/model-invocation-logging.md @@ -103 +103 @@ JSON - 3. (Optional) If configuring SSE-KMS on the bucket, add the below policy on the KMS key: + 3. (Optional) If configuring SSE-KMS on the bucket, add the following policy on the KMS key: @@ -269,0 +270,4 @@ Each invocation log entry is a JSON object with the following structure. The for + "requestMetadata": { + "team": "orchestrator", + "environment": "production" + }, @@ -293,0 +298 @@ Field | Description +`requestMetadata` | An optional JSON object of key-value tags supplied by the caller. Present only when the caller provides request metadata. For details, see [Per-request metadata tagging](./cost-mgmt-request-metadata.html).