Handle compromised long-term and short-term Amazon Bedrock API keys - Amazon Bedrock
Change the status of a long-term API keyReset a long-term API keyDelete a long-term API keyAttach IAM policies to remove permissions for using an API key

Handle compromised long-term and short-term Amazon Bedrock API keys

If your API key becomes compromised, you should revoke permissions to use it. There are various methods that you can use to revoke permissions for an Amazon Bedrock API key:

  • For long-term Amazon Bedrock API keys, you can use the UpdateServiceSpecificCredential, ResetServiceSpecificCredential, or DeleteServiceSpecificCredential to revoke permissions in the following ways:

    • Set the status of the key to inactive. You can reactivate the key later.

    • Reset the key. This action generates a new password for the key.

    • Delete the key permanently.

    Note

    To carry out these actions through the API, you must authenticate with AWS credentials and not with a Amazon Bedrock API key.

  • For both long-term and short-term Amazon Bedrock API keys, you can attach IAM policies to revoke permissions.

Change the status of a long-term Amazon Bedrock API key

Choose the tab for your preferred method, and then follow the steps:

Console
To deactivate a key

  1. Sign in to the AWS Management Console with an IAM identity that has permissions to use the Amazon Bedrock console. Then, open the Amazon Bedrock console at https://console.aws.amazon.com/bedrock/.

  2. In the left navigation pane, select API keys.

  3. In the API keys for Amazon Bedrock section, choose a key.

  4. Choose Actions.

  5. Select Deactivate.

To reactivate a key

  1. Sign in to the AWS Management Console with an IAM identity that has permissions to use the Amazon Bedrock console. Then, open the Amazon Bedrock console at https://console.aws.amazon.com/bedrock/.

  2. In the left navigation pane, select API keys.

  3. In the API keys for Amazon Bedrock section, choose a key.

  4. Choose Actions.

  5. Select Reactivate.

Python

To deactivate a key using the API, send an UpdateServiceSpecificCredential request with an IAM endpoint and specify the Status as Inactive. You can use the following code snippet to deactivate a key, replacing ${ServiceSpecificCredentialId} with the value returned when you created the key.

import boto3
                        
iam_client = boto3.client("iam")
                      
iam_client.update_service_specific_credential(
    service_specific_credential_id=${ServiceSpecificCredentialId},
    status="Inactive"
)

To reactivate a key using the API, send an UpdateServiceSpecificCredential request with an IAM endpoint and specify the Status as Active. You can use the following code snippet to reactivate a key, replacing ${ServiceSpecificCredentialId} with the value returned when you created the key.

import boto3
                        
iam_client = boto3.client("iam")
                      
iam_client.update_service_specific_credential(
    service_specific_credential_id=${ServiceSpecificCredentialId},
    status="Active"
)

Reset a long-term Amazon Bedrock API key

Choose the tab for your preferred method, and then follow the steps:

Console
To reset a key

  1. Sign in to the AWS Management Console with an IAM identity that has permissions to use the Amazon Bedrock console. Then, open the Amazon Bedrock console at https://console.aws.amazon.com/bedrock/.

  2. In the left navigation pane, select API keys.

  3. In the API keys for Amazon Bedrock section, choose a key.

  4. Choose Actions.

  5. Select Reset key.

Python

To reset a key using the API, send a ResetServiceSpecificCredential request with an IAM endpoint. You can use the following code snippet to reset a key, replacing ${ServiceSpecificCredentialId} with the value returned when you created the key.

import boto3
            
iam_client = boto3.client("iam")
          
iam_client.reset_service_specific_credential(
    service_specific_credential_id=${ServiceSpecificCredentialId}
)

Delete a long-term Amazon Bedrock API key

Choose the tab for your preferred method, and then follow the steps:

Console
To delete a key

  1. Sign in to the AWS Management Console with an IAM identity that has permissions to use the Amazon Bedrock console. Then, open the Amazon Bedrock console at https://console.aws.amazon.com/bedrock/.

  2. In the left navigation pane, select API keys.

  3. In the API keys for Amazon Bedrock section, choose a key.

  4. Choose Actions.

  5. Select Delete.

Python

To delete a key using the API, send a DeleteServiceSpecificCredential request with an IAM endpoint. You can use the following code snippet to delete a key, replacing ${ServiceSpecificCredentialId} with the value returned when you created the key.

import boto3
            
iam_client = boto3.client("iam")
          
iam_client.delete_service_specific_credential(
    service_specific_credential_id=${ServiceSpecificCredentialId}
)

Attach IAM policies to remove permissions for using an Amazon Bedrock API key

This section provides some IAM policies that you can use to restrict access to an Amazon Bedrock API key.

Deny an identity the ability to make calls with an Amazon Bedrock API key

The action that allows an identity to make calls with an Amazon Bedrock API key is bedrock:CallWithBearerToken. To prevent an identity from making calls with the Amazon Bedrock API key, you can attach an IAM policy on an identity depending the type of key:

  • Long-term key – Attach the policy to the IAM user associated with the key.

  • Short-term key – Attach the policy to the IAM role used to generate the key.

The IAM policy that you can attach to the IAM identity is as follows:

JSON
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "bedrock:CallWithBearerToken",
    "Resource": "*"
  }
}

Invalidate an IAM role session

If a short-term key becomes compromised, you can prevent its usage by invalidating the role session that was used to generate the key. To invalidate the role session, attach the following policy to the IAM identity that generated the key. Replace 2014-05-07T23:47:00Z with the time after which you want the session to be invalidated.

JSON
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {
      "DateLessThan": {"aws:TokenIssueTime": "2014-05-07T23:47:00Z"}
    }
  }
}