AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-07-10 · Documentation low

File: prescriptive-guidance/latest/data-perimeter-for-amazon-bedrock/cross-service-integration-controls.md

Summary

Reformatted security control descriptions into bullet points and maintained existing security content

Security assessment

Change reorganizes existing security controls (AllowOnlyTrustedResources, DenyExternalOrganizationAccess, DenyUnencryptedUploads) into bullet points without altering their security content. No new security features or vulnerabilities are addressed.

Diff

diff --git a/prescriptive-guidance/latest/data-perimeter-for-amazon-bedrock/cross-service-integration-controls.md b/prescriptive-guidance/latest/data-perimeter-for-amazon-bedrock/cross-service-integration-controls.md
index e393ab4b7..713b49fb9 100644
--- a//prescriptive-guidance/latest/data-perimeter-for-amazon-bedrock/cross-service-integration-controls.md
+++ b//prescriptive-guidance/latest/data-perimeter-for-amazon-bedrock/cross-service-integration-controls.md
@@ -74 +74,6 @@ Amazon Bedrock integrates with numerous AWS services, each requiring specific re
-**AllowOnlyTrustedResources** – Grants Lambda functions access to specific Amazon Bedrock models, Amazon DynamoDB tables, and Amazon S3 buckets using resource-based restrictions. This statement implements least privilege by limiting access to only resources with the bedrock-agent-* prefix, preventing access to unrelated resources in the account.
+  * **AllowOnlyTrustedResources** – Grants Lambda functions access to specific Amazon Bedrock models, Amazon DynamoDB tables, and Amazon S3 buckets using resource-based restrictions. This statement implements least privilege by limiting access to only resources with the bedrock-agent-* prefix, preventing access to unrelated resources in the account.
+
+  * **DenyExternalOrganizationAccess** – Prevents data exfiltration by explicitly denying Amazon S3 access to any bucket outside your AWS organization. The condition checks for the organization ID and denies access when the bucket belongs to a different organization or has no organization ID set.
+
+  * **DenyUnencryptedUploads** – Enforces encryption-in-transit by denying any Amazon S3 `PutObject` operation that doesn't use AWS KMS encryption. This ensures all data written to Amazon S3 by Lambda functions is encrypted with customer-managed keys.
+
@@ -76 +80,0 @@ Amazon Bedrock integrates with numerous AWS services, each requiring specific re
-**DenyExternalOrganizationAccess** – Prevents data exfiltration by explicitly denying Amazon S3 access to any bucket outside your AWS organization. The condition checks for the organization ID and denies access when the bucket belongs to a different organization or has no organization ID set.
@@ -78 +81,0 @@ Amazon Bedrock integrates with numerous AWS services, each requiring specific re
-**DenyUnencryptedUploads** – Enforces encryption-in-transit by denying any Amazon S3 `PutObject` operation that doesn't use AWS KMS encryption. This ensures all data written to Amazon S3 by Lambda functions is encrypted with customer-managed keys.