Update Deny-Bedrock-Api-Keys.json

liwadman · web-flow · commit aa862d939336 · 2025-09-04T13:52:06.000-07:00
diff --git a/Service-Specific-Controls/Deny-Bedrock-Api-Keys.json b/Service-Specific-Controls/Deny-Bedrock-Api-Keys.json
@@ -2,15 +2,19 @@
   "Version": "2012-10-17",
   "Statement": [
     {
-      "Sid":"DenyBedrockShortAndLongTermAPIKeys",
       "Effect": "Deny",
-      "Action": [
-        "iam:CreateServiceSpecificCredential",
-        "bedrock:CallWithBearerToken"
-      ],
-      "Resource": [
-        "*"
-      ]
+      "Action": "iam:CreateServiceSpecificCredential",
+      "Resource": "*",
+      "Condition": {
+        "StringEquals": {
+          "iam:ServiceSpecificCredentialServiceName": "bedrock.amazonaws.com"
+        }
+      }
+    },
+    {
+      "Effect": "Deny",
+      "Action": "bedrock:CallWithBearerToken",
+      "Resource": "*"
     }
   ]
 }
