AWS Security ChangesHomeSearch

AWS bedrock documentation change

Service: bedrock · 2026-07-10 · Documentation low

File: bedrock/latest/userguide/security_iam_service-with-iam.md

Summary

Updated resource-based policy support from 'No' to 'Yes' and added details about guardrail permissions and cross-account access requirements

Security assessment

This change corrects documentation about resource-based policy support and adds security guidance for guardrails. While it improves access control documentation, there's no evidence of addressing a specific vulnerability.

Diff

diff --git a/bedrock/latest/userguide/security_iam_service-with-iam.md b/bedrock/latest/userguide/security_iam_service-with-iam.md
index fb4970646..ea060b08e 100644
--- a//bedrock/latest/userguide/security_iam_service-with-iam.md
+++ b//bedrock/latest/userguide/security_iam_service-with-iam.md
@@ -16 +16 @@ Identity-based policies |  Yes
-Resource-based policies |  No   
+Resource-based policies |  Yes  
@@ -43 +43 @@ To view examples of Amazon Bedrock identity-based policies, see [Identity-based
-**Supports resource-based policies:** No 
+**Supports resource-based policies:** Yes
@@ -47 +47,5 @@ Resource-based policies are JSON policy documents that you attach to a resource.
-To enable cross-account access, you can specify an entire account or IAM entities in another account as the principal in a resource-based policy. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the _IAM User Guide_.
+To enable cross-account access, you can specify an entire account or IAM entities in another account as the principal in a resource-based policy. Adding a cross-account principal to a resource-based policy is only half of establishing the trust relationship. When the principal and the resource are in different AWS accounts, an IAM administrator in the trusted account must also grant the principal entity (user or role) permission to access the resource. They grant permission by attaching an identity-based policy to the entity. However, if a resource-based policy grants access to a principal in the same account, no additional identity-based policy is required. For more information, see [Cross account resource access in IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html) in the _IAM User Guide_.
+
+Amazon Bedrock supports resource-based policies for guardrails and guardrail inference profiles. You can attach a resource-based policy to a guardrail or guardrail inference profile to define which principals can perform actions on those resources. Resource-based policies are recommended for use with account-level enforced guardrails, and are required for use of organization-level enforced guardrails.
+
+For more information, see [Using resource-based policies for guardrails](./guardrails-resource-based-policies.html).