AWS bedrock-agentcore documentation change
Summary
Added kms:ReEncrypt* permission requirements for KMS key rotation support.
Security assessment
Explicitly documents required permissions for encryption key rotation (security maintenance task) but doesn't address a specific vulnerability. Enhances security documentation clarity.
Diff
diff --git a/bedrock-agentcore/latest/devguide/configuration-bundles-encryption.md b/bedrock-agentcore/latest/devguide/configuration-bundles-encryption.md index 8cc565c61..193f2ee1d 100644 --- a//bedrock-agentcore/latest/devguide/configuration-bundles-encryption.md +++ b//bedrock-agentcore/latest/devguide/configuration-bundles-encryption.md @@ -17 +17 @@ Configuration bundle encryption uses envelope encryption with caller credentials -The caller must have `kms:GenerateDataKey`, `kms:Decrypt`, and `kms:DescribeKey` permissions on the key. +The caller must have `kms:GenerateDataKey`, `kms:Decrypt`, `kms:DescribeKey`, and `kms:ReEncrypt*` permissions on the key. @@ -27 +27 @@ The following key policy provides the minimum permissions required for configura - * **AllowCallerCryptoOps** – Allows the IAM user or role to generate data keys and decrypt, scoped by encryption context. + * **AllowCallerCryptoOps** – Allows the IAM user or role to generate data keys, decrypt, and re-encrypt (for key rotation), scoped by encryption context. @@ -53 +53,2 @@ The following key policy provides the minimum permissions required for configura - "kms:Decrypt" + "kms:Decrypt", + "kms:ReEncrypt*" @@ -69 +70 @@ The policy contains the following statements: - * **AllowCallerCryptoOps** – Grants the IAM role `kms:GenerateDataKey` and `kms:Decrypt` permissions, scoped by the `aws:bedrock-agentcore:configurationBundleArn` encryption context. Replace `111122223333`, `MyConfigBundleRole`, and `us-east-1` with your values. To allow access to all configuration bundles in your account, use a wildcard with `StringLike`: `arn:aws:bedrock-agentcore:us-east-1:111122223333:configuration-bundle/*`. + * **AllowCallerCryptoOps** – Grants the IAM role `kms:GenerateDataKey`, `kms:Decrypt`, and `kms:ReEncrypt*` permissions, scoped by the `aws:bedrock-agentcore:configurationBundleArn` encryption context. The `kms:ReEncrypt*` permission is required for key rotation (changing the KMS key on an existing bundle). Replace `111122223333`, `MyConfigBundleRole`, and `us-east-1` with your values. To allow access to all configuration bundles in your account, use a wildcard with `StringLike`: `arn:aws:bedrock-agentcore:us-east-1:111122223333:configuration-bundle/*`.