AWS today launched three new condition keys that help administrators govern API keys for Amazon Bedrock. The new condition keys help you control the generation, expiration, and the type of API keys allowed. Amazon Bedrock supports two types of API keys: short-term API keys valid for up to 12 hours or long-term API keys which are IAM service-specific credentials for use with Bedrock only.
The new iam:ServiceSpecificCredentialServiceName condition key lets you control what target AWS services are allowed when creating IAM service-specific credentials. For example, you could allow the creation of Bedrock long-term API keys but not credentials for AWS CodeCommit or Amazon Keyspaces. The new iam:ServiceSpecificCredentialAgeDays condition key lets you control the maximum duration of Bedrock long-term API keys at creation. The new bedrock:BearerTokenType condition key let’s you allow or deny Bedrock requests based on whether the API key is short-term or long-term.
These new condition keys are available in all AWS Regions. To learn more about using the new condition keys, visit the IAM User Guide or Amazon Bedrock User Guide.
Categories: general:products/aws-identity-and-access-management,marketing:marchitecture/security-identity-and-compliance,general:products/amazon-bedrock
Source: Amazon Web Services
Latest Posts
- (Updated) Outlook: retiring “Contact Masking” (hide suggested recipients) – March 31, 2026 [MC1234566]
- Copilot extensibility: Microsoft 365 Copilot Declarative Agents model upgrade to GPT‑5.2 [MC1251203]
- (Update)Microsoft Entra ID: General Availability of passkey profiles and migration for existing Passkeys (FIDO2) tenants [MC1221452]
- Microsoft Viva Engage | Email sender domain migration from @yammer.com to @engage.mail.microsoft [MC1251200]
