Ensure that the Amazon S3 buckets configured as data sources for your Amazon Bedrock Knowledge Bases have the Amazon S3 Block Public Access feature enabled and do not grant public access through their bucket policies. An Amazon Bedrock Knowledge Base ingests documents from a configured data source and makes their content available to foundation models for retrieval-augmented generation. When the data source type is Amazon S3, the source location is defined by the "s3Configuration" field of the data source, which references the source bucket through its "bucketArn" (and, for cross-account sources, "bucketOwnerAccountId"). Because these buckets hold the raw proprietary enterprise documents that back the Knowledge Base, the Block Public Access feature must be enabled at the bucket level and no bucket policy statement should grant public access to the stored objects.
Amazon Bedrock Knowledge Base S3 data sources store the raw, unprocessed enterprise documents that are ingested into the Knowledge Base, frequently including sensitive or proprietary business data. If the source bucket is publicly accessible, an attacker with "s3:GetObject" access can bypass the Knowledge Base and the foundation model entirely and download the original documents directly from the underlying bucket, exposing the full corpus of proprietary data. Enabling the Amazon S3 Block Public Access feature and ensuring that no bucket policy grants public access confines access to the source documents to authorized principals and the Knowledge Base service role, closing this direct data-exfiltration path.
Audit
To determine if the Amazon S3 buckets configured as data sources for your Amazon Bedrock Knowledge Bases are publicly accessible, perform the following operations:
Remediation / Resolution
To restrict public access to the Amazon S3 buckets configured as data sources for your Amazon Bedrock Knowledge Bases, perform the following operations:
Note: Block Public Access overrides public access grants in the bucket policy but does not remove them. If specific principals still need access, remove any statement granting access to a wildcard principal ("Principal": "*"), keeping only what the Knowledge Base service role requires. References
- AWS Documentation
- Connect a data source to your knowledge base
- Connect to Amazon S3 for your knowledge base
- GetDataSource
- Blocking public access to your Amazon S3 storage
- AWS Command Line Interface (CLI) Documentation
- list-knowledge-bases
- list-data-sources
- get-data-source
- get-public-access-block
- get-bucket-policy-status
- put-public-access-block
- put-bucket-policy