AWS Security ChangesHomeSearch

AWS bedrock-agentcore high security documentation change

Service: bedrock-agentcore · 2026-06-04 · Security-related high

File: bedrock-agentcore/latest/devguide/kms-key-policy-configuration.md

Summary

Added example KMS key policy configuration for Bedrock AgentCore Identity service with specific encryption context requirements

Security assessment

The change adds a detailed KMS key policy with security-critical conditions: 1) Restricts actions to specific Bedrock AgentCore services via 'kms:ViaService' condition 2) Enforces same-account access through 'aws:ResourceAccount' 3) Requires specific encryption context pattern for token vault access. This directly addresses potential over-permissioning risks by implementing least-privilege access controls.

Diff

diff --git a/bedrock-agentcore/latest/devguide/kms-key-policy-configuration.md b/bedrock-agentcore/latest/devguide/kms-key-policy-configuration.md
index 6cf5c4880..c4938306f 100644
--- a//bedrock-agentcore/latest/devguide/kms-key-policy-configuration.md
+++ b//bedrock-agentcore/latest/devguide/kms-key-policy-configuration.md
@@ -14,0 +15,45 @@ To use a customer managed key, your key must trust an Amazon Bedrock AgentCore I
+    
+    {
+        "Id": "identity-service-cmk-policy",
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "BedrockAgentCoreIdentityKMSAccess",
+                "Effect": "Allow",
+                "Action": [
+                    "kms:Encrypt",
+                    "kms:Decrypt",
+                    "kms:GenerateDataKeyWithoutPlaintext"
+                ],
+                "Resource": "*",
+                "Condition": {
+                    "StringLike": {
+                        "kms:ViaService": "bedrock-agentcore-identity.*.amazonaws.com"
+                    },
+                    "StringEquals": {
+                        "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                    },
+                    "ArnLike": {
+                        "kms:EncryptionContext:aws-crypto-ec:aws:bedrock-agentcore-identity:token-vault-arn": "arn:aws:bedrock-agentcore:*:*:token-vault/default"
+                    }
+                }
+            },
+            {
+                "Sid": "BedrockAgentCoreIdentityDescribeKeyKMSAccess",
+                "Effect": "Allow",
+                "Action": [
+                    "kms:DescribeKey"
+                ],
+                "Resource": "*",
+                "Condition": {
+                    "StringEquals": {
+                        "aws:ResourceAccount": "${aws:PrincipalAccount}"
+                    },
+                    "StringLike": {
+                        "kms:ViaService": "bedrock-agentcore-identity.*.amazonaws.com"
+                    }
+                }
+            }
+        ]
+    }
+