AWS Security ChangesHomeSearch

AWS prescriptive-guidance documentation change

Service: prescriptive-guidance · 2026-07-10 · Documentation low

File: prescriptive-guidance/latest/security-reference-architecture-generative-ai/bedrock-integration.md

Summary

Updated image path reference and removed hyperlinks to capability documentation while maintaining security control recommendations

Security assessment

Changes involve image paths and removing internal documentation links without altering security recommendations. Security controls like AWS WAF deployment, encryption, and authentication remain unchanged. No evidence of addressing vulnerabilities or adding new security content.

Diff

diff --git a/prescriptive-guidance/latest/security-reference-architecture-generative-ai/bedrock-integration.md b/prescriptive-guidance/latest/security-reference-architecture-generative-ai/bedrock-integration.md
index 14964b059..c593b4b26 100644
--- a//prescriptive-guidance/latest/security-reference-architecture-generative-ai/bedrock-integration.md
+++ b//prescriptive-guidance/latest/security-reference-architecture-generative-ai/bedrock-integration.md
@@ -16 +16 @@ The scope of this use case is to demonstrate a traditional cloud workload that i
-![Integrating a traditional cloud workload with Amazon Bedrock.](/images/prescriptive-guidance/latest/security-reference-architecture-generative-ai/images/bedrock-integration.jpeg)
+![Integrating a traditional cloud workload with Amazon Bedrock.](/images/prescriptive-guidance/latest/security-reference-architecture-generative-ai/images/guide-img/a349f18f-a9fd-43a3-9a48-27534bf6412a/images/f90b502b-0043-4fe7-abb1-5ec0fb5b04b2.jpeg)
@@ -70 +70 @@ Implement centralized log aggregation using [Amazon OpenSearch Service](https://
-Depending on the use case, the Generative AI account hosts all generative AI activities. These include model inference (Capability 1), model customization (Capability 2), Retrieval Augmented Generation (RAG) with knowledge bases (Capability 3), tool integration (Capability 4), autonomous agents (Capability 5), and end-user AI applications (Capability 6). For more information about these capabilities, see [Generative AI capabilities](./generative-ai-capabilities.html).
+Depending on the use case, the Generative AI account hosts all generative AI activities. These include model inference (Capability 1), model customization (Capability 2), Retrieval Augmented Generation (RAG) with knowledge bases (Capability 3), tool integration (Capability 4), autonomous agents (Capability 5), and end-user AI applications (Capability 6).
@@ -74 +74 @@ Depending on the use case, the Generative AI account hosts all generative AI act
-Implement the security controls described in [Capability 1](./gen-ai-model-inference.html) for foundation model (FM) inference. Deploy AWS WAF as the first line of defense against malicious requests targeting your AI applications. Configure rate limiting to prevent resource exhaustion attacks and implement AWS Managed Rules for the [Core rule set managed rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-crs) and the [Known bad inputs managed rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-known-bad-inputs).
+Implement the security controls described in Capability 1 for foundation model (FM) inference. Deploy AWS WAF as the first line of defense against malicious requests targeting your AI applications. Configure rate limiting to prevent resource exhaustion attacks and implement AWS Managed Rules for the [Core rule set managed rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-crs) and the [Known bad inputs managed rule group](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-baseline.html#aws-managed-rule-groups-baseline-known-bad-inputs).
@@ -80 +80 @@ Use [Amazon Bedrock Guardrails](https://docs.aws.amazon.com/bedrock/latest/userg
-If your use case requires model customization, implement the security controls described in [Capability 2](./gen-ai-rag.html). Encrypt the model customization job, output files, and resulting custom model by using customer managed keys in [AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) (AWS KMS). Store training and validation data in Amazon S3 buckets with encryption, versioning, and access logging enabled.
+If your use case requires model customization, implement the security controls described in Capability 2. Encrypt the model customization job, output files, and resulting custom model by using customer managed keys in [AWS Key Management Service](https://docs.aws.amazon.com/kms/latest/developerguide/overview.html) (AWS KMS). Store training and validation data in Amazon S3 buckets with encryption, versioning, and access logging enabled.
@@ -86 +86 @@ Use a virtual private cloud (VPC) with no internet access for model customizatio
-For applications using RAG, implement the security controls described in [Capability 3](./gen-ai-agents.html). Encrypt knowledge base data in transit and at rest using [customer managed AWS KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html). Configure data ingestion jobs with customer managed keys and implement metadata filtering for secure retrieval based on user attributes.
+For applications using RAG, implement the security controls described in Capability 3. Encrypt knowledge base data in transit and at rest using [customer managed AWS KMS keys](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html). Configure data ingestion jobs with customer managed keys and implement metadata filtering for secure retrieval based on user attributes.
@@ -92 +92 @@ Use [Amazon Macie](https://docs.aws.amazon.com/macie/latest/user/what-is-macie.h
-For applications that extend AI capabilities through tool integration, implement the security controls described in [Capability 4](./gen-ai-customization.html). Use [Amazon Bedrock AgentCore Gateway](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway.html) to centralize tool discovery and invocation through the Model Context Protocol (MCP). Configure OAuth authorizers for gateway access and use [Amazon Bedrock AgentCore Identity](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/identity.html) to manage authentication credentials securely.
+For applications that extend AI capabilities through tool integration, implement the security controls described in Capability 4. Use [Amazon Bedrock AgentCore Gateway](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/gateway.html) to centralize tool discovery and invocation through the Model Context Protocol (MCP). Configure OAuth authorizers for gateway access and use [Amazon Bedrock AgentCore Identity](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/identity.html) to manage authentication credentials securely.
@@ -98 +98 @@ Deploy AI applications and AWS Lambda function tools within private subnets by u
-For agentic applications, implement the security controls described in [Capability 5](./gen-auto-agents.html). Use Amazon Bedrock AgentCore Runtime to host agents with complete session isolation by using dedicated microVMs. Configure customer managed KMS keys for [Amazon Bedrock AgentCore Memory](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/memory.html) resources, AgentCore Identity [token vaults](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/key-features-and-benefits.html#secure-credential-storage), and AgentCore Gateway configuration.
+For agentic applications, implement the security controls described in Capability 5. Use Amazon Bedrock AgentCore Runtime to host agents with complete session isolation by using dedicated microVMs. Configure customer managed KMS keys for [Amazon Bedrock AgentCore Memory](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/memory.html) resources, AgentCore Identity [token vaults](https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/key-features-and-benefits.html#secure-credential-storage), and AgentCore Gateway configuration.
@@ -104 +104 @@ Implement authentication architecture that addresses user authentication to invo
-For end-user AI applications described in [Capability 6](./ai-apps.html), implement appropriate authentication and authorization controls based on your user population. For internal applications, federate with your corporate identity provider. For external applications, use [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html) or another identity provider that meets your requirements.
+For end-user AI applications described in Capability 6, implement appropriate authentication and authorization controls based on your user population. For internal applications, federate with your corporate identity provider. For external applications, use [Amazon Cognito](https://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html) or another identity provider that meets your requirements.