AWS bedrock-agentcore high security documentation change
Summary
Added example KMS key policy configuration for Bedrock AgentCore Identity service with specific encryption context requirements
Security assessment
The change adds a detailed KMS key policy with security-critical conditions: 1) Restricts actions to specific Bedrock AgentCore services via 'kms:ViaService' condition 2) Enforces same-account access through 'aws:ResourceAccount' 3) Requires specific encryption context pattern for token vault access. This directly addresses potential over-permissioning risks by implementing least-privilege access controls.
Diff
diff --git a/bedrock-agentcore/latest/devguide/kms-key-policy-configuration.md b/bedrock-agentcore/latest/devguide/kms-key-policy-configuration.md index 6cf5c4880..c4938306f 100644 --- a//bedrock-agentcore/latest/devguide/kms-key-policy-configuration.md +++ b//bedrock-agentcore/latest/devguide/kms-key-policy-configuration.md @@ -14,0 +15,45 @@ To use a customer managed key, your key must trust an Amazon Bedrock AgentCore I + + { + "Id": "identity-service-cmk-policy", + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "BedrockAgentCoreIdentityKMSAccess", + "Effect": "Allow", + "Action": [ + "kms:Encrypt", + "kms:Decrypt", + "kms:GenerateDataKeyWithoutPlaintext" + ], + "Resource": "*", + "Condition": { + "StringLike": { + "kms:ViaService": "bedrock-agentcore-identity.*.amazonaws.com" + }, + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + }, + "ArnLike": { + "kms:EncryptionContext:aws-crypto-ec:aws:bedrock-agentcore-identity:token-vault-arn": "arn:aws:bedrock-agentcore:*:*:token-vault/default" + } + } + }, + { + "Sid": "BedrockAgentCoreIdentityDescribeKeyKMSAccess", + "Effect": "Allow", + "Action": [ + "kms:DescribeKey" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "${aws:PrincipalAccount}" + }, + "StringLike": { + "kms:ViaService": "bedrock-agentcore-identity.*.amazonaws.com" + } + } + } + ] + } +