AWS today launched three new condition keys that help administrators govern API keys for Amazon Bedrock. The new condition keys help you control the generation, expiration, and the type of API keys allowed. Amazon Bedrock supports two types of API keys: short-term API keys, valid for up to 12 hours, and long-term API keys, which are IAM service-specific credentials for use with Bedrock only.
The new iam:ServiceSpecificCredentialServiceName condition key lets you control which target AWS services are allowed when creating IAM service-specific credentials. For example, you could allow the creation of Bedrock long-term API keys but not credentials for AWS CodeCommit or Amazon Keyspaces. The new iam:ServiceSpecificCredentialAgeDays condition key lets you control the maximum duration of Bedrock long-term API keys at creation. The new bedrock:BearerTokenType condition key lets you allow or deny Bedrock requests based on whether the API key is short-term or long-term.
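As an added illustration (not taken from the announcement or from AWS documentation), the following IAM policy uses all three keys as deny guardrails: one statement per key, with each Sid naming what it blocks. It assumes the actions iam:CreateServiceSpecificCredential and bedrock:CallWithBearerToken, the service name bedrock.amazonaws.com, and the token type value LONG_TERM; the 90-day limit is an arbitrary example value, and all of these should be checked against the IAM and Amazon Bedrock User Guides before deployment.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyNonBedrockServiceSpecificCredentials",
      "Effect": "Deny",
      "Action": "iam:CreateServiceSpecificCredential",
      "Resource": "*",
      "Condition": {
        "StringNotEquals": {
          "iam:ServiceSpecificCredentialServiceName": "bedrock.amazonaws.com"
        }
      }
    },
    {
      "Sid": "DenyKeysValidLongerThan90DaysExampleLimit",
      "Effect": "Deny",
      "Action": "iam:CreateServiceSpecificCredential",
      "Resource": "*",
      "Condition": {
        "NumericGreaterThan": {
          "iam:ServiceSpecificCredentialAgeDays": "90"
        }
      }
    },
    {
      "Sid": "DenyBedrockCallsMadeWithLongTermKeys",
      "Effect": "Deny",
      "Action": "bedrock:CallWithBearerToken",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "bedrock:BearerTokenType": "LONG_TERM"
        }
      }
    }
  ]
}
```

The third statement is meant for principals or accounts that must use short-term keys only; leave it out where long-term keys are permitted. The announcement does not say how a creation request with no expiration is evaluated against the age key, so test that case before relying on the second statement alone.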
These new condition keys are available in all AWS Regions. To learn more about using the new condition keys, visit the IAM User Guide or Amazon Bedrock User Guide.