AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2026-06-10 · Documentation low

File: IAM/latest/UserGuide/id_credentials_api_keys_for_aws_services.md

Summary

Updated documentation for API key support across AWS services. Expanded short-term API key support beyond Amazon Bedrock to include Claude Platform on AWS. Added Claude Platform on AWS and Amazon CloudWatch to service table with new managed policies. Updated CLI examples for new services and added service-specific documentation links.

Security assessment

Changes primarily expand documentation coverage for API key authentication across additional services (Claude Platform, CloudWatch). While API keys are security features, these updates don't address any specific vulnerability but rather document expanded service support. No evidence of security incident response in changes.

Diff

diff --git a/IAM/latest/UserGuide/id_credentials_api_keys_for_aws_services.md b/IAM/latest/UserGuide/id_credentials_api_keys_for_aws_services.md
index 4afcd982d..5af4bce10 100644
--- a//IAM/latest/UserGuide/id_credentials_api_keys_for_aws_services.md
+++ b//IAM/latest/UserGuide/id_credentials_api_keys_for_aws_services.md
@@ -7 +7 @@
-Supported servicesPrerequisites for long-term API keysGenerating a long-term API key (console)Generating a long-term API key (AWS CLI)Generating a long-term API key (AWS API)Short-term API keys (Amazon Bedrock)Service-specific information
+Services that support API keysPrerequisites for long-term API keysGenerating a long-term API key (console)Generating a long-term API key (AWS CLI)Generating a long-term API key (AWS API)Short-term API keys (select services)Service-specific information
@@ -11 +11 @@ Supported servicesPrerequisites for long-term API keysGenerating a long-term API
-You can access AWS services through the AWS Management Console and programmatically using the AWS CLI or AWS API. When making programmatic requests to services like Amazon Bedrock and Amazon CloudWatch Logs, you can authenticate using IAM credentials (for example, temporary security credentials or long-term access keys) or API keys. There are two types of API keys:
+Some AWS services support API keys for authenticating programmatic requests in addition to standard IAM credentials such as temporary security credentials and long-term access keys. AWS offers two types of API keys:
@@ -13 +13 @@ You can access AWS services through the AWS Management Console and programmatica
-  * **Long-term API keys** – Long-term API keys are associated with an IAM user and generated using IAM [service-specific credentials](./id_credentials_service-specific-creds.html). These credentials are designed for use with only a single AWS service, enhancing security by limiting credential scope. You can set an expiration time for the long-term API key. You can use the IAM or service-specific console (for example, Amazon Bedrock or CloudWatch Logs console), the AWS CLI, or AWS API to generate long-term API keys.
+  * **Long-term API keys** – Long-term API keys are associated with an IAM user and generated using IAM [service-specific credentials](./id_credentials_service-specific-creds.html). These credentials are designed for use with only a single AWS service, enhancing security by limiting credential scope. You can set an expiration time for when the long-term API key expires. To generate long-term API keys, you can use the IAM or service-specific console, the AWS CLI, or AWS API.
@@ -15 +15 @@ You can access AWS services through the AWS Management Console and programmatica
-  * **Short-term API keys** (only supported by Amazon Bedrock) – A short-term API key is a pre-signed URL that uses AWS Signature Version 4. Short-term API keys share the same permissions and expiration as the credentials of the identity that generates the API key and are valid for up to 12 hours or the remaining time of your console session, whichever is shorter. You can use the Amazon Bedrock console, Python package `aws-bedrock-token-generator`, and packages for other programming languages to generate short-term API keys. For more information, see [Generate Amazon Bedrock API keys for easy access to the Amazon Bedrock API](https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys.html) in the _Amazon Bedrock User Guide_.
+  * **Short-term API keys** – A short-term API key is a pre-signed URL that uses AWS Signature Version 4. Short-term API keys share the same permissions and expiration as the credentials of the identity that generates the API key and are valid for up to 12 hours or the remaining time of your console session, whichever is shorter. You can use the Amazon Bedrock/Claude Platform on AWS console, Python, and packages for other programming languages to generate short-term API keys. For more information, see [Generate Amazon Bedrock API keys for easy access to the Amazon Bedrock API](https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys.html) in the _Amazon Bedrock User Guide_ and [Authentication](https://docs.aws.amazon.com/claude-platform/latest/userguide/authentication.html) in the _Claude Platform on AWS User Guide_.
@@ -24 +24 @@ Long-term API keys have a higher security risk compared to short-term API keys.
-## Supported services
+## Services that support API keys
@@ -28,4 +28,6 @@ The following table lists the AWS services that support API keys and the type of
-# | Service | Long-term API keys | Short-term API keys | Managed policy auto-attached  
----|---|---|---|---  
-1 | Amazon Bedrock | Yes | Yes | [AmazonBedrockLimitedAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonBedrockLimitedAccess.html)  
-2 | Amazon CloudWatch Logs | Yes | N/A | [CloudWatchLogsAPIKeyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchLogsAPIKeyAccess.html)  
+# | Service | Long-term API keys | Short-term API keys | Managed policy auto-attached | Service-specific documentation  
+---|---|---|---|---|---  
+1 | Amazon Bedrock | Yes | Yes | [AmazonBedrockLimitedAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonBedrockLimitedAccess.html) | [Use an Amazon Bedrock API key](https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-use.html)  
+2 | Claude Platform on AWS | Yes | Yes | [AnthropicInferenceAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AnthropicInferenceAccess.html) | [Authentication](https://docs.aws.amazon.com/claude-platform/latest/userguide/authentication.html)  
+3 | Amazon CloudWatch | Yes | N/A | [CloudWatchAPIKeyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchAPIKeyAccess.html) | [Setting up bearer token authentication for Metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-OTLP-MetricsBearerTokenAuth.html)  
+4 | Amazon CloudWatch Logs | Yes | N/A | [CloudWatchLogsAPIKeyAccess](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/CloudWatchLogsAPIKeyAccess.html) | [Setting up bearer token authentication](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_HTTP_Endpoints_BearerTokenAuth.html)  
@@ -33 +35,3 @@ The following table lists the AWS services that support API keys and the type of
-When you generate a long-term API key for a service, the corresponding AWS managed policy is automatically attached to the IAM user, granting access to core operations for that service. If you require additional access, you can modify the permissions for the IAM user. For information about modifying permissions, see [Adding and removing IAM identity permissions](./access_policies_manage-attach-detach.html). For more information on how to use an Amazon Bedrock key, see [Use an Amazon Bedrock API key](https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-use.html) in the _Amazon Bedrock User Guide_. For more information on how to use bearer token for Amazon CloudWatch Logs, see [Bearer token authentication](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_HTTP_Endpoints_BearerTokenAuth.html) in the _CloudWatch Logs User Guide_.
+When you generate a long-term API key for a service, the corresponding AWS managed policy is automatically attached to the IAM user, granting access to core operations for that service. If you require additional access, you can modify the permissions for the IAM user. For information about modifying permissions, see [Adding and removing IAM identity permissions](./access_policies_manage-attach-detach.html).
+
+To learn more about API keys for specific services, refer to the Service-specific documentation links in the table above.
@@ -110 +114 @@ To generate a long-term API key using the AWS CLI, use the following steps:
-  1. Create an IAM user that will be used with Amazon Bedrock or Amazon CloudWatch Logs using the [ create-user](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-user.html) command:
+  1. Create an IAM user that will be used with the service using the [ create-user](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/create-user.html) command:
@@ -121,0 +126,10 @@ For Amazon Bedrock:
+For Claude Platform on AWS:
+    
+        aws iam attach-user-policy --user-name APIKeyUser_1 \
+        --policy-arn arn:aws:iam::aws:policy/AnthropicInferenceAccess
+
+For Amazon CloudWatch:
+    
+        aws iam attach-user-policy --user-name APIKeyUser_1 \
+        --policy-arn arn:aws:iam::aws:policy/CloudWatchAPIKeyAccess
+
@@ -135,0 +150,14 @@ For Amazon Bedrock:
+For Claude Platform on AWS:
+    
+        aws iam create-service-specific-credential \
+        --user-name APIKeyUser_1 \
+        --service-name aws-external-anthropic.amazonaws.com \
+        --credential-age-days 30
+
+For Amazon CloudWatch:
+    
+        aws iam create-service-specific-credential \
+        --user-name APIKeyUser_1 \
+        --service-name cloudwatch.amazonaws.com \
+        --credential-age-days 30
+
@@ -163 +191 @@ To list long-term API keys metadata for a specific user, use the [ list-service-
-Replace `bedrock.amazonaws.com` with the appropriate service name (for example, `logs.amazonaws.com` for Amazon CloudWatch Logs).
+Replace `bedrock.amazonaws.com` with the appropriate service name (for example, `logs.amazonaws.com` for Amazon CloudWatch Logs or `aws-external-anthropic.amazonaws.com` for Claude Platform on AWS).
@@ -199 +227,5 @@ You can use the following IAM API operations to manage long-term API keys for an
-## Short-term API keys (Amazon Bedrock)
+## Short-term API keys (select services)
+
+Short-term API keys are currently supported by select services.
+
+For information on generating and using short-term API keys with Amazon Bedrock, see [Generate an API key](https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-generate.html) in the _Amazon Bedrock User Guide_.
@@ -201 +233 @@ You can use the following IAM API operations to manage long-term API keys for an
-Short-term API keys are currently supported by Amazon Bedrock only. For information on generating and using short-term API keys, see [Generate an API key](https://docs.aws.amazon.com/bedrock/latest/userguide/api-keys-generate.html) in the _Amazon Bedrock User Guide_.
+For information on generating and using short-term API keys for Claude Platform on AWS, see [Authentication](https://docs.aws.amazon.com/claude-platform/latest/userguide/authentication.html) in the _Claude Platform on AWS User Guide_.
@@ -207 +239,5 @@ Short-term API keys are currently supported by Amazon Bedrock only. For informat
-  * For more information about using API keys with Amazon CloudWatch Logs, see [Log ingestion through HTTP endpoints](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_HTTP_Endpoints.html) in the _Amazon CloudWatch Logs User Guide_.
+  * For more information about using API keys with Claude Platform on AWS, see [Authentication](https://docs.aws.amazon.com/claude-platform/latest/userguide/authentication.html) in the _Claude Platform on AWS User Guide_.
+
+  * For more information about using API keys with Amazon CloudWatch, see [Setting up bearer token authentication for Metrics](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch-OTLP-MetricsBearerTokenAuth.html) in the _Amazon CloudWatch User Guide_.
+
+  * For more information about using API keys with Amazon CloudWatch Logs, see [Setting up bearer token authentication](https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/CWL_HTTP_Endpoints_BearerTokenAuth.html) in the _Amazon CloudWatch Logs User Guide_.