AWS bedrock documentation change
Summary
Updated API key revocation guidance and added documentation for new bedrock-mantle:CallWithBearerToken IAM action
Security assessment
Changes clarify API key invalidation procedures and introduce a new IAM action for Mantle endpoint security controls. While this enhances security documentation, there's no evidence of addressing a specific vulnerability.
Diff
diff --git a/bedrock/latest/userguide/api-keys.md b/bedrock/latest/userguide/api-keys.md index 263076c2a..e48aa2b4f 100644 --- a//bedrock/latest/userguide/api-keys.md +++ b//bedrock/latest/userguide/api-keys.md @@ -279 +279 @@ Delete | Long-term | Console: **Actions** > **Delete**. API: `DeleteServiceSpeci -Invalidate session | Short-term | Attach an IAM policy to the identity that denies `bedrock:CallWithBearerToken`, or invalidate the session used to generate the key. +Invalidate session | Short-term | Invalidate the session used to generate the key, or attach an IAM policy that denies `CallWithBearerToken` ([Deny an identity the ability to make calls with an Amazon Bedrock API key](./api-keys-revoke.html#api-keys-iam-policies-deny-call-with-bearer-token)). @@ -283 +283 @@ Invalidate session | Short-term | Attach an IAM policy to the identity that deni -Two IAM actions control API key generation and usage: +IAM actions control API key generation and usage: @@ -287 +287,3 @@ Two IAM actions control API key generation and usage: - * `bedrock:CallWithBearerToken` – Controls usage of any API key. Use the `bedrock:bearerTokenType` condition key with values `SHORT_TERM` or `LONG_TERM` to target specific key types. + * `bedrock:CallWithBearerToken` – Controls usage of an API key through the Amazon Bedrock endpoint. Use the `bedrock:bearerTokenType` condition key with values `SHORT_TERM` or `LONG_TERM` to target specific key types. + + * `bedrock-mantle:CallWithBearerToken` – Controls usage of an API key through the Amazon Bedrock Mantle endpoint. Use the `bedrock-mantle:bearerTokenType` condition key with values `SHORT_TERM` or `LONG_TERM` to target specific key types. @@ -302 +304,4 @@ Attach this policy to the identity: - "Action": "bedrock:CallWithBearerToken", + "Action": [ + "bedrock:CallWithBearerToken", + "bedrock-mantle:CallWithBearerToken" + ],