bedrock API key denial for service specific controls

Author: liwadman

README.md

@@ -30,6 +30,8 @@ The example policies are divided into different categories based on the type of
 
 * **[Sensitive data protection](Sensitive-data-protection/README.md)**: Implement controls that protect your sensitive data, that should not be made publicly accessible or deleted intentionally or unintentionally.
 
+* **[Service Specific Controls](Service-Specific-Controls/README.md)**: Controls for specific AWS services
+
 
 
 

Service-Specific-Controls/Deny-Bedrock-Api-Keys.json

@@ -0,0 +1,16 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Sid":"DenyBedRockShortAndLongTermAPIKeys",
+      "Effect": "Deny",
+      "Action": [
+        "iam:CreateServiceSpecificCredential",
+        "bedrock:CallWithBearerToken"
+      ],
+      "Resource": [
+        "*"
+      ]
+    }
+  ]
+}

Service-Specific-Controls/README.md

@@ -0,0 +1,8 @@
+## Service Specific Controls
+
+These policies provide guidance on how to accomplish security objectives for specific AWS services.
+
+
+| Included Policy | Rational | 
+|------|-------------|
+|[Deny users from creating short term or long term Amazon Bedrock API keys.](Deny-Bedrock-Api-Keys.json)| Used to help enforce that users within your AWS organization cannot create service specific credentials for an IAM user for use with Amazon Bedrock, and denies the usage of Bedrock API keys with the Amazon Bedrock Service.|