AWS bedrock documentation change
Summary
Added new section 'Multimodal storage destination permissions' with IAM policy granting S3 read/write/delete permissions for multimodal content buckets
Security assessment
This change documents required IAM permissions for a new feature (multimodal storage) but doesn't address any security vulnerability. It enhances security documentation by specifying granular S3 permissions with account ID conditions.
Diff
diff --git a/bedrock/latest/userguide/kb-permissions.md b/bedrock/latest/userguide/kb-permissions.md index b588074fb..1d685cc69 100644 --- a//bedrock/latest/userguide/kb-permissions.md +++ b//bedrock/latest/userguide/kb-permissions.md @@ -690,0 +691,37 @@ If you use customer-managed AWS KMS keys with BDA, also attach the following pol +### Multimodal storage destination permissions + +When you configure a multimodal storage destination bucket for your knowledge base, attach the following JSON IAM policy. Replace `amzn-s3-demo-bucket` with the name of your multimodal storage bucket and `account-id` with your AWS account ID. This policy grants your knowledge base read, write, and delete permissions for parsed multimodal content in Amazon S3: + + + { + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "S3MultimodalStorageListStatement", + "Effect": "Allow", + "Action": ["s3:ListBucket"], + "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket"], + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "account-id" + } + } + }, + { + "Sid": "S3MultimodalStorageObjectStatement", + "Effect": "Allow", + "Action": [ + "s3:PutObject", + "s3:GetObject", + "s3:DeleteObject" + ], + "Resource": ["arn:aws:s3:::amzn-s3-demo-bucket/*"], + "Condition": { + "StringEquals": { + "aws:ResourceAccount": "account-id" + } + } + } + ] + } +