AWS prescriptive-guidance high security documentation change
Summary
Restructured encryption layer descriptions and KMS key policy components into bullet points. Added explicit 'DenyExternalAccess' policy to block access from outside the AWS organization.
Security assessment
The change explicitly adds a 'DenyExternalAccess' policy that blocks cross-organization access to encryption keys. This implements defense-in-depth security by preventing external access even if other policies are misconfigured, directly addressing potential data exposure risks.
Diff
diff --git a/prescriptive-guidance/latest/data-perimeter-for-amazon-bedrock/kms-key-policies.md b/prescriptive-guidance/latest/data-perimeter-for-amazon-bedrock/kms-key-policies.md index e7ae3d925..b1a013f2c 100644 --- a//prescriptive-guidance/latest/data-perimeter-for-amazon-bedrock/kms-key-policies.md +++ b//prescriptive-guidance/latest/data-perimeter-for-amazon-bedrock/kms-key-policies.md @@ -21 +21,7 @@ Amazon Bedrock Knowledge Bases encrypts data at multiple layers: -Amazon S3**documents** – Documents uploaded to Amazon S3 buckets (used by Knowledge Base data sources) can be encrypted with customer-managed AWS KMS keys + * Amazon S3**documents** – Documents uploaded to Amazon S3 buckets (used by Knowledge Base data sources) can be encrypted with customer-managed AWS KMS keys + + * **Transient processing** – During data ingestion, Amazon Bedrock encrypts temporary data with a customer-managed key you specify + + * **Vector storage** – Amazon OpenSearch Serverless collections orAmazon S3 Vectors can use customer-managed keys + + * **Retrieval sessions** – `RetrieveAndGenerate `API calls can encrypt session context with a customer-managed key @@ -23 +28,0 @@ Amazon S3**documents** – Documents uploaded to Amazon S3 buckets (used by Know -**Transient processing** – During data ingestion, Amazon Bedrock encrypts temporary data with a customer-managed key you specify @@ -25 +29,0 @@ Amazon S3**documents** – Documents uploaded to Amazon S3 buckets (used by Know -**Vector storage** – Amazon OpenSearch Serverless collections orAmazon S3 Vectors can use customer-managed keys @@ -27 +30,0 @@ Amazon S3**documents** – Documents uploaded to Amazon S3 buckets (used by Know -**Retrieval sessions** – `RetrieveAndGenerate `API calls can encrypt session context with a customer-managed key @@ -100 +103,7 @@ Apply the followingAWS KMS key policy to keys used for Amazon S3 buckets contain -**KMSAdminAccess** – Grants full AWS KMS permissions to a dedicated administrative role rather than the account root. This follows the principle of least privilege by restricting key management to specific roles. + * **KMSAdminAccess** – Grants full AWS KMS permissions to a dedicated administrative role rather than the account root. This follows the principle of least privilege by restricting key management to specific roles. + + * **BedrockKnowledgeBaseAccess** – Allows Amazon Bedrock service to decryptAmazon S3 objects for Knowledge Base operations. The condition restricts access to your account and ensures the request comes throughAmazon S3 , preventing direct key usage. + + * **DocumentUploadRoleAccess** – Grants specific IAM roles permission to encrypt documents when uploading to Amazon S3. Limited to encryption operations only, preventing these roles from accessing existing encrypted data. + + * **DenyExternalAccess** – Explicitly denies all access from principals outside your AWS organization. This creates an organizational boundary that prevents external access even if other conditions are met. @@ -102 +110,0 @@ Apply the followingAWS KMS key policy to keys used for Amazon S3 buckets contain -**BedrockKnowledgeBaseAccess** – Allows Amazon Bedrock service to decryptAmazon S3 objects for Knowledge Base operations. The condition restricts access to your account and ensures the request comes through Amazon S3, preventing direct key usage. @@ -104 +111,0 @@ Apply the followingAWS KMS key policy to keys used for Amazon S3 buckets contain -**DocumentUploadRoleAccess** – Grants specific IAM roles permission to encrypt documents when uploading to Amazon S3. Limited to encryption operations only, preventing these roles from accessing existing encrypted data. @@ -106 +112,0 @@ Apply the followingAWS KMS key policy to keys used for Amazon S3 buckets contain -**DenyExternalAccess** – Explicitly denies all access from principals outside your AWS organization. This creates an organizational boundary that prevents external access even if other conditions are met. @@ -249 +255,7 @@ Apply the following AWS KMS key policy to keys used for OpenSearch Serverless co -**KMSAdminAccess** – Provides full key management capabilities to the designated administrative role, ensuring centralized key governance while avoiding account root access. + * **KMSAdminAccess** – Provides full key management capabilities to the designated administrative role, ensuring centralized key governance while avoiding account root access. + + * **OpenSearchServerlessAccess** – Grants OpenSearch Serverless the encryption operations needed for vector storage. Scoped to your account to prevent cross-account access through the service. + + * **S3VectorsAccess** – Allows Amazon S3 service to perform encryption operations when using Amazon S3 as vector storage backend. Account-scoped to prevent unauthorized cross-account vector access. + + * **DenyExternalAccess** – Creates an organizational perimeter by explicitly denying all access from outside your AWS organization, providing defense-in-depth security. @@ -251 +262,0 @@ Apply the following AWS KMS key policy to keys used for OpenSearch Serverless co -**OpenSearchServerlessAccess** – Grants OpenSearch Serverless the encryption operations needed for vector storage. Scoped to your account to prevent cross-account access through the service. @@ -253 +263,0 @@ Apply the following AWS KMS key policy to keys used for OpenSearch Serverless co -**S3VectorsAccess** – Allows Amazon S3 service to perform encryption operations when using Amazon S3 as vector storage backend. Account-scoped to prevent unauthorized cross-account vector access. @@ -255 +264,0 @@ Apply the following AWS KMS key policy to keys used for OpenSearch Serverless co -**DenyExternalAccess** – Creates an organizational perimeter by explicitly denying all access from outside your AWS organization, providing defense-in-depth security.