AWS Security ChangesHomeSearch

AWS bedrock-agentcore documentation change

Service: bedrock-agentcore · 2026-06-19 · Documentation medium

File: bedrock-agentcore/latest/devguide/configuration-bundles-encryption.md

Summary

Added kms:ReEncrypt* permission requirements for KMS key rotation support.

Security assessment

Explicitly documents required permissions for encryption key rotation (security maintenance task) but doesn't address a specific vulnerability. Enhances security documentation clarity.

Diff

diff --git a/bedrock-agentcore/latest/devguide/configuration-bundles-encryption.md b/bedrock-agentcore/latest/devguide/configuration-bundles-encryption.md
index 8cc565c61..193f2ee1d 100644
--- a//bedrock-agentcore/latest/devguide/configuration-bundles-encryption.md
+++ b//bedrock-agentcore/latest/devguide/configuration-bundles-encryption.md
@@ -17 +17 @@ Configuration bundle encryption uses envelope encryption with caller credentials
-The caller must have `kms:GenerateDataKey`, `kms:Decrypt`, and `kms:DescribeKey` permissions on the key.
+The caller must have `kms:GenerateDataKey`, `kms:Decrypt`, `kms:DescribeKey`, and `kms:ReEncrypt*` permissions on the key.
@@ -27 +27 @@ The following key policy provides the minimum permissions required for configura
-  * **AllowCallerCryptoOps** – Allows the IAM user or role to generate data keys and decrypt, scoped by encryption context.
+  * **AllowCallerCryptoOps** – Allows the IAM user or role to generate data keys, decrypt, and re-encrypt (for key rotation), scoped by encryption context.
@@ -53 +53,2 @@ The following key policy provides the minimum permissions required for configura
-            "kms:Decrypt"
+            "kms:Decrypt",
+            "kms:ReEncrypt*"
@@ -69 +70 @@ The policy contains the following statements:
-  * **AllowCallerCryptoOps** – Grants the IAM role `kms:GenerateDataKey` and `kms:Decrypt` permissions, scoped by the `aws:bedrock-agentcore:configurationBundleArn` encryption context. Replace `111122223333`, `MyConfigBundleRole`, and `us-east-1` with your values. To allow access to all configuration bundles in your account, use a wildcard with `StringLike`: `arn:aws:bedrock-agentcore:us-east-1:111122223333:configuration-bundle/*`.
+  * **AllowCallerCryptoOps** – Grants the IAM role `kms:GenerateDataKey`, `kms:Decrypt`, and `kms:ReEncrypt*` permissions, scoped by the `aws:bedrock-agentcore:configurationBundleArn` encryption context. The `kms:ReEncrypt*` permission is required for key rotation (changing the KMS key on an existing bundle). Replace `111122223333`, `MyConfigBundleRole`, and `us-east-1` with your values. To allow access to all configuration bundles in your account, use a wildcard with `StringLike`: `arn:aws:bedrock-agentcore:us-east-1:111122223333:configuration-bundle/*`.